Normally, if one wishes to buy stolen account credentials for paid online services like Netflix, Hulu, XBox Live or Spotify, the buyer needs to visit a cybercrime forum or drop into a dark Web marketplace that only accepts Bitcoin as payment. Increasingly, however, these accounts are showing up for sale at Payivy[dot]com, an open Web marketplace that happily accepts PayPal in exchange for a variety of stolen accounts.
Marketed and sold by a Hackforums user named “Sh1eld” as a supposed method of selling ebooks and collecting payments for affiliate marketers, PayIvy has instead become a major conduit for hawking stolen accounts and credentials for a range of top Web services.
There is no central index of items for sale via PayIvy per se, but this catalog of cached sales threads offers a fairly representative glimpse: License keys for Adobe and Microsoft software products, user account credentials in bulk for services like Hulu, Netflix, Spotify, DirecTV and HBO Go, as well as a raft of gaming accounts at Origin, Steam, PlayStation and XBox Live. Other indexes at archive.is and PayIvy’s page at Reddit reveal similar results.
It’s not clear how or why PayPal isn’t shutting down most of these merchants, but some of the sellers clearly are testing things to see how far they can push it: In just five minutes of searching online, I found several PayIvy sellers who were accepting PayPal payments via PayIvy for…wait for it…hijacked PayPal accounts! The fact that PayIvy takes PayPal as payment means that buyers can purchase hacked accounts with [stolen] credit cards — or, worse yet, stolen PayPal accounts.
Jack Christin, Jr., associate general counsel at PayPal, said that while the site itself is not in violation of PayPal's Acceptable Use Policies (AUP), there have been cases where PayPal has identified accounts selling goods that violate its policy, and in those cases the company has exited those merchants from its system.
“PayPal proactively monitors sellers with PayPal accounts who use the PayIvy platform to ensure the products they are selling are in compliance with our AUP, and we take appropriate action when violations are discovered,” Christin said.
The proprietor of PayIvy (quite possibly this guy, according to many of his fellow Hackforums users) makes money off of the service by selling “premium” accounts, which apparently offer repeat sellers a way to better track and manage their sales. Appropriately enough, among his ebook offerings via PayIvy is a tutorial on how to avoid getting one’s account banned or limited by PayPal. PayIvy did not respond to requests for comment.
Sh1eld makes clear how he feels about his users selling hacked accounts for paid services via his site in this thread, where he posts about takedown requests from a company representing Netflix.
“We are not under any obligation to follow any site’s TOS [terms of service],” he wrote. “However, we will take actions regarding copyrighted content, malicious files, or child pornography.”
I wonder how this individual would feel about people selling stolen PayIvy premium accounts?
If you’re curious about the underground’s interest in and valuation of your online accounts, take a look at my primers on this subject, including The Value of a Hacked Email Account and the Value of a Hacked PC. Want pointers on how to avoid becoming the next victim? Check out my Tools for a Safer PC tutorial.
Update, 10:33 a.m. ET: PayIvy just sent the following message to all of its sellers: “Starting May 15th, PayIvy will be banning all Netflix accounts. If you are still selling these accounts, we advise you to stop as your PayPal account will be limited as part of PayPal AUP. You have 9 days to delete your Netflix products before we do a search and remove them ourselves.”