A threat actor named Chucky_BF is selling a massive data dump on a hacker forum, allegedly containing over 15.8 million PayPal logins, complete with email and plaintext password pairs. The data, which may be from infostealer malware logs, also includes specific PayPal URLs, making it a valuable tool for criminals.
A threat actor going by the name Chucky_BF is reportedly advertising a large PayPal data dump on a cybercrime forum. The cache, labeled “Global PayPal Credential Dump 2025,” claims to contain more than 15.8 million records of email and plaintext password pairs. At 1.1GB, the dump is a bulk collection of breached data from one system, the kind of collection that is frequently traded for illegal use after a data breach. The seller claims the data comes from various email providers and users globally. The leak’s severity lies not only in its size but also in the quality of the data, which includes URLs directly linked to PayPal services.
The nature of the data suggests it may have been collected using infostealer malware. This is a type of malicious software that infiltrates a computer system to secretly collect sensitive information, like login credentials, financial details, and browser history. The seller’s mention of specific endpoints like /signin, /signup, and /connect provides further evidence. This kind of detail is often found in logs from infostealers, which capture a user’s activity, including the URLs they visit while logging into a service. This structured data makes it easier for criminals to automate attacks, such as credential stuffing.
The data set is being marketed as a “goldmine for cybercriminals.” The records contain raw email, password, and URL combinations, which are ideal for automated attacks. The presence of URLs for sign-in and sign-up pages suggests the data could be used in credential stuffing attacks, where stolen login information from one breach is used to try to access a victim’s accounts on other websites. Because many users reuse passwords across multiple services, a single compromised password can grant a hacker access to multiple accounts. The data can also facilitate phishing schemes, a type of social engineering attack where bad actors masquerade as legitimate companies to trick people into revealing sensitive information.
A closer examination of the sample data provided by Chucky_BF revealed Gmail addresses paired with passwords and linked to PayPal’s login pages. This confirms that the data is structured to link specific credentials to PayPal. Additionally, some records showed the same account details used in both web and mobile versions of PayPal, highlighting the breadth of the compromised data. While the seller claims many of the passwords are strong, they also admit that many are reused, meaning that individuals who use the same password on other websites could be at risk. This underscores the importance of using unique passwords for all online accounts.
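As an added illustration that is not part of the original article, the script below shows how a defender would triage a sample in the stealer-log style described above: parse the URL, email and password records, count which PayPal endpoints (/signin, /signup, /connect) they reference, and match the emails against a hashed watch list of monitored users who need a forced password reset. The URL:EMAIL:PASSWORD line layout, the sample lines and the watch list are assumptions constructed for the example; the article does not publish the dump's exact format.

```python
import hashlib
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample in the assumed URL:EMAIL:PASSWORD stealer-log layout (not real data).
SAMPLE_DUMP = """\
https://www.paypal.com/signin:alice@example.com:Winter2024!
https://www.paypal.com/signup:bob@example.com:hunter2
https://www.paypal.com/connect:alice@example.com:Winter2024!
https://m.paypal.com/signin:carol@example.com:S3cure#pass
this line is malformed and must be skipped
https://www.paypal.com/signin:bob@example.com:hunter2
"""

# The scheme's colon is consumed by 'https?://'; the next colon separates the email.
LINE_RE = re.compile(r"^(?P<url>https?://[^:\s]+):(?P<email>[^:\s]+@[^:\s]+):(?P<password>.+)$")


def parse_records(text):
    """Return one dict per well-formed line; malformed lines are dropped, never guessed."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["email"] = rec["email"].lower()
            records.append(rec)
    return records


def summarize_endpoints(records):
    """Count records per URL path, e.g. /signin vs /signup vs /connect."""
    return dict(Counter(urlparse(r["url"]).path for r in records))


def email_hash(email):
    """SHA-256 of the normalized address, so only hashes need to leave the triage host."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def affected_users(records, monitored_hashes):
    """Emails in the dump whose hash is on the monitored list; these get a forced reset."""
    hits = {r["email"] for r in records if email_hash(r["email"]) in monitored_hashes}
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_DUMP)
    print(len(recs), "records;", len({r["email"] for r in recs}), "distinct emails")
    print(summarize_endpoints(recs))
    watch = {email_hash("alice@example.com"), email_hash("dave@example.com")}
    print("force reset:", affected_users(recs, watch))
```

The plaintext passwords are parsed only so malformed lines can be rejected; nothing downstream of the parser uses them, which keeps the reset workflow from spreading the credentials further.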
Chucky_BF is asking for $750 for the entire 1.1GB data dump, a price point in line with similar credential dumps on cybercrime markets. If the claims are true, this would be one of the largest PayPal-focused leaks in recent years, affecting millions of users across various email providers. The sale of such a large dataset poses a significant threat to global PayPal users, as it could lead to widespread credential stuffing, phishing campaigns, and other fraudulent activities. This incident serves as a stark reminder of the continuous threat of infostealer malware and the need for robust online security practices like using a password manager to generate and store unique passwords for every account.