May 6, 2015

Normally, if one wishes to buy stolen account credentials for paid online services like Netflix, Hulu, XBox Live or Spotify, the buyer needs to visit a cybercrime forum or drop into a dark Web marketplace that only accepts Bitcoin as payment. Increasingly, however, these accounts are showing up for sale at Payivy[dot]com, an open Web marketplace that happily accepts PayPal in exchange for a variety of stolen accounts.

A PayIvy seller advertising Netflix accounts for a dollar apiece. Unlike most sites selling hacked accounts, this one takes PayPal.

Marketed and sold by a Hackforums user named “Sh1eld” as a supposed method of selling ebooks and collecting payments for affiliate marketers, PayIvy has instead become a major conduit for hawking stolen accounts and credentials for a range of top Web services.

There is no central index of items for sale via PayIvy per se, but this catalog of cached sales threads offers a fairly representative glimpse: License keys for Adobe and Microsoft software products, user account credentials in bulk for services like Hulu, Netflix, Spotify, DirecTV and HBO Go, as well as a raft of gaming accounts at Origin, Steam, PlayStation and XBox Live. Other indexes at archive.is and PayIvy’s page at Reddit reveal similar results.

It’s not clear how or why PayPal isn’t shutting down most of these merchants, but some of the sellers clearly are testing things to see how far they can push it: In just five minutes of searching online, I found several PayIvy sellers who were accepting PayPal payments via PayIvy for…wait for it…hijacked PayPal accounts! The fact that PayIvy takes PayPal as payment means that buyers can purchase hacked accounts with [stolen] credit cards — or, worse yet, stolen PayPal accounts.

Jack Christin, Jr., associate general counsel at PayPal, said while the site itself is not in violation of its Acceptable Use Policies (AUP), there have been cases where PayPal has identified accounts selling goods that violate its policy and in those cases, the company has exited those merchants from its system. 

“PayPal proactively monitors sellers with PayPal accounts who use the PayIvy platform to ensure the products they are selling are in compliance with our AUP, and we take appropriate action when violations are discovered,” Christin said.

The proprietor of PayIvy (quite possibly this guy, according to many of his fellow Hackforums users) makes money off of the service by selling “premium” accounts, which apparently offer repeat sellers a way to better track and manage their sales. Appropriately enough, among his ebook offerings via PayIvy is a tutorial on how to avoid getting one’s account banned or limited by PayPal. PayIvy did not respond to requests for comment.

Sh1eld makes clear how he feels about his users selling hacked accounts to pay services via his site in this thread, where he posts about takedown requests from a company representing Netflix.

“We are not under any obligation to follow any site’s TOS [terms of service],” he wrote. “However, we will take actions regarding copyrighted content, malicious files, or child pornography.”

I wonder how this individual would feel about people selling stolen PayIvy premium accounts?

If you’re curious about the underground’s interest in and valuation of your online accounts, take a look at my primers on this subject, including The Value of a Hacked Email Account and the Value of a Hacked PC. Want pointers on how to avoid becoming the next victim? Check out my Tools for a Safer PC tutorial.

Update, 10:33 a.m. ET: PayIvy just sent the following message to all of its sellers: “Starting May 15th, PayIvy will be banning all Netflix accounts. If you are still selling these accounts, we advise you to stop as your PayPal account will be limited as part of PayPal AUP. You have 9 days to delete your Netflix products before we do a search and remove them ourselves.”


47 thoughts on “PayIvy Sells Your Online Accounts Via PayPal”

  1. Martín Alejandro Carmona Selva

    WOW! I wouldn’t expect them to see hi-jacked PayPal accounts using PayPal…

    This, for me, is like using a stolen CC to buy a bunch of CCs, where the stolen one was taken from.

    Or, to put it even more simply, it’s like buying a house and not paying anything, then selling its furniture to pay for it…

    I wonder why PayPal doesn’t “kill” those accounts more proactively…

    1. Philly

      I can think of many reasons, which I can’t post online. I stopped using PayPal years ago from actions they took or didn’t take in the name of security.

      PayPal’s business practices don’t make any sense to me, but I have my opinions and that’s just me.

  2. david

    How will you have any credibility if you don’t get the facts straight and promote interests by bending facts. You started off from a service allowing people to sell anything legal to misleading people that the service itself promotes selling people hacked accounts.

    1. BrianKrebs Post author

      Well, hello. Thanks for stating here what you would not respond to in private emails. Please tell us or show us what redeeming qualities or services your network provides.

      1. david

        You can’t tell people a service has refused to respond if you didn’t contact them in the first place. On the website, there’s a contact email in the footer.

    2. Kelvin

      But it’s true. All that’s sold on PayIvy are greyhat/blackhat ebooks which don’t even work and online accounts. There’s not much past that on Hack Forums’ and Leak Forums’ marketplaces which PayIvy advertises on.

  3. rick blaine

    Suggest cash if at all possible all the time. If a merchant does not accept cash do not accept him as a merchant. They are all scam artists. All of them by definition.

    1. meh

      Most of these folks are hiding in hostile countries. How exactly do you think you would get cash to them, and more importantly why would they bother actually following through for you when they got it.

      1. Someone

        Most of these ‘hackers’ (actually crackers but whatever) live in the USA and Europe.

  4. Joann

    Brian, this is nothing to do with PayPal, but after reading things and installing NoScript on Firefox (have not put it on Chrome yet), it won’t let me get into a site I work on for our California wildfires every day. It’s Brush Fire Partyline on Facebook. I am a scanner transcriber and folks look to us for info on their local fires. How do I get back onto Facebook? I am not a Facebook fan; I am only on there to help folks with fire info. Would really like to hear from you on this. Thank you.

    1. cheedo

      “Dont attack PayIvy becuz eBay brian, come on!”

      -PayIvy Admin (@gmail.com)

    2. JCitizen

      @Joann

      NoScript is a utility/plugin that you really have to play with to finally determine what scripts are friendly and some that may not.

      If you select “Allow all on page” this can get you back to square one, and then you can selectively block or unblock each script until you get functionality with as few running scripts as possible. It may seem like a pain at 1st, but you get the hang of it after a while. You could always uninstall it and try ScriptSafe in Chrome as well. It works in a similar way.

  5. B_Brodie

    The site has nice graphics and on the surface looks legit, but their contact email is “payivy (at) gmail (dot) com”.

    At least it wasn’t (at) aol (dot) com.

    Maybe we need a new top level domain: .con

    That way you’d know right away that you’re being screwed.

    1. meh

      I like that. Comcast, the credit bureaus and even the government could use some con domains.

      1. Tomi Olivia

        Eh, don’t get ME started on Concast…

      2. Naticris

        That is soo true. Specially comc… the biggest con artists of all.

  6. Andrew Conway

    Some years ago I was working as a consultant at eBay, and we found someone selling a service to defraud eBay by click fraud in their affiliate network. He was selling using PayPal (owned by eBay) so we signed up for his service, got his PayPal account details, and had access to his name, address, bank account details, and complete customer list. He later ignored a cease and desist notice, so ended up doing prison time for conspiracy to commit wire fraud.

    However, investing a case like this takes a long time, especially if law enforcement is involved. I suspect that PayPal is being proactive about this, their InfoSec department is pretty militant, but it may just take a while for the hammer to fall.

    1. Jonathan Jaffe

      Mr. Conway

      > investing a case like this takes a long time,
      why does “investigating” take a long time? The approach you took of signing up, getting the details and tracing the account holder (crook) sounds like classic law enforcement sting operations. Establish the criminal act (selling stolen property sounds like a start), get warrants, arrest the miscreant, seize the site (if they are in US jurisdiction), maybe operate the site for a while to find other crooks, and this mole is whacked.

      Uh oh. Maybe THAT is why this site isn’t closed? BK – did you check to see if there is (or they will admit to you) a continuing operation?

      PayPal TOS:

      “You may not use the PayPal service for activities that:
      1) violate any law, statute, ordinance or regulation. [ pretty clear! ]

      2) relate to transactions involving …. (d) stolen goods including digital and virtual goods …

      3) relate to transactions that (a) show the personal information of third parties in violation of applicable law …

      https://www.paypal.com/us/webapps/mpp/ua/acceptableuse-full

      So, it looks like PayPal TOS is being broken in at least THREE terms. Their general counsel says it isn’t? Where is Preet Bharara?

      There has to be a better way.

      Jonathan @nc3mobi

      1. TG

        “Investigating” takes a long time if you think the case needs to be prosecutable – which is the official mission of most investigative units, public and private.

        Meeting standards for evidence – particularly federal standards – means amassing data that’s well verified, and you must also prove that any alternative theories of the case or any possible justified actions can’t possibly pertain or no prosecutor’s going to waste time on the case you developed.

        Yes, you can think of cases that make the above a total joke. And those cases are taught to investigators as Do Not Do This.

        Further, most investigative units today also serve an intelligence function. Intelligence gathering and investigation are nearly polar opposites. If you’re doing intel and spot a wrong-doer, you don’t stop them. You watch them – maybe even encourage them – to see what they do, how they do it, and who they do it with. You try to swim up stream to find the boss and develop methods to detect and stop them from doing whatever it is except when you want them to do it.

        If you’re doing investigation and spot a wrong-doer, you pop them before they do more wrong.

        In a mixed environment, you spend a lot of time back-and-forthing with superiors over What You Do Now? And you spend time generating a lot of documentation that, when prepared and sent one way, fosters intel gathering and, when prepared and sent another way, fosters law enforcement.

        None of that speeds up an investigation.

        1. TG

          P.S. I’m not affiliated in any way with PayPal and read their official response to Brian Krebs as, “Wuh, wait, something happened somewhere?,” not as, “Dude, we’s been going deep on this one to find Dr. Ebil.”

    2. cheedo

      Right-click the ‘NoScripts’ logo in your browser and select ‘Temporarily allow all scripts (On this site)’ and you should be good.

    3. Naticris

      I complained to eBay of unsolicited selling out of eBay’s site by sellers from China, who I purchased from using eBay and PayPal. eBay told me the sellers could get my private email information from PayPal which is in violation of customers’ privacy.
      I was blown away by the response from eBay.

  7. Rebecca

    Just when I thought I had seen it all!!!

  8. petepall

    Bye-bye PayPal! You are my Pal no more!

  9. Syed Rizvi

    PayIvy isn’t new at all. I remember seeing him on IRCQ Chat a long time ago and was selling stolen CCs. PayPal should take action immediately on this account.

    1. eron

      Payivy isn’t a single user like this article is misleading people to believe. It’s a public service.

      This is what happens when journalism becomes misleading just to promote interests.

      1. Frank Haynes

        What “interests” is he promoting?

        As I see it he is promoting *my* interests and others like me.

        BTW, you misspelled Enron in your name.

      2. BrianKrebs Post author

        Eron,

        Normally, I don’t call out commenters like this, but you have now posted under three different names, including eron, kren and david — I’m guessing to provide the illusion of having a number of defenders of your service.

        Haven’t you at least got a proxy you can use so that you don’t post comments all from the same Canadian IP?

        Going forward, it’s probably best if you just use your real name, Ton. At least you were honest by using the “wbmusicboxan” email address that was cited in the dox linked to in this article.

        1. NotMe

          Ah sock puppets, they never get tired of having a hand up “there”.

          Nice article, thanks for all links, it took awhile to read it all but it is always interesting when you have comments from the subject of the article.

        2. cheedo

          He even mimics the same sentence structures. What a PR noob.

        3. Anonymous

          Let’s add ‘james’ to that list.

  10. JimV

    Brian, I don’t know how long this sort of lax behavior on PayPal’s part may have gone on (i.e., recent vs. many months or years), but do you infer a viewpoint one way or another whether there is any correlation of the failure to crack down on such criminal activity with the impending split between eBay and PayPal into completely separate business entities?

  11. james

    Krebs writes what he believes. He doesn’t even realize the fact that PayIvy has been taking actions against these sellers just like that email I received about PayIvy banning Netflix accounts. Promote actual facts with credible sources next time.

  12. mbi

    It sounds to me that PayPal is not being proactive which is not how they used to bill themselves. In the end it’s going to hurt their brand.

  13. Paul Barwick

    Hopefully PayPal has not taken action against PayIvy at the request of law enforcement. Can you say “Hubris”?

  14. John Dingle

    Why are you guys bothering PayIvy

    Just because someone violated PayPal TOS you gonna go after PayIvy

    which allows people to sell their things on

    1. Someone

      Exactly, he should go after eBay too.
      because eBay is FULL of people selling Netflix accounts

  15. Mike Smith

    What’s the point in posting these site links? You are only giving more attention to the site to generate even more profit. -_- Just like Target, Home Depot.

    1. Mike

      There are very few ways to make money via cyberspace. One of the best ways comes in the form of advertising (which includes things that grab attention… what better example of this is there than Facebook and Twitter?). The days of people doing things based on their heart-felt passions for technology are over. That is so dead and buried. I can see the writing on the wall for my own cyber-existence and the only way to change that is for me to change and become a twit mac cultist brainwashed into thinking that Gates is the new Elvis.

      You want to know what the point is? Check your cookies sometime. Take a look at the cloud and see the never ending line-up of Mac branded terminals as they sport their flashless flash. A big part of the idea is control (and it’s not yours).

  16. RaoulC

    How surprising.
    This site is also used by SteamStealer.com…

    /facepalm
