Threat Actor Claims to Sell 15.8 Million Plain-Text PayPal Credentials
hackread.com August 18, 2025 - A seller named Chucky_BF is offering 15.8M PayPal logins with emails, passwords, and URLs. The data may come from infostealer malware logs. A threat actor using the name Chucky_BF on a cybercrime and hacker forum is advertising what they claim to be a massive PayPal data dump. The post describes a trove labeled “Global PayPal Credential Dump 2025,” allegedly containing more than 15.8 million records of email and plaintext password pairs. The size of the dataset is said to be 1.1GB, and according to the seller, the leak covers accounts from many email providers and users in different parts of the world. What makes this claim threatening is not just the number of exposed accounts but also the type of data said to be included. Other than the email and password combinations, the seller mentions that many records come with URLs directly linked to PayPal services. Endpoints like /signin, /signup, /connect, and Android-specific URIs are also referenced in the listing. These details suggest that the dump is structured in a way that could make it easier for criminals to automate logins or abuse services. The description provided by Chucky_BF describes the dataset as a goldmine for cybercriminals. The threat actor claims the records are “raw email:password:url entries across global domains,” warning that this could lead to credential stuffing, phishing schemes, and fraud operations. A closer look by Hackread.com at the samples posted in the forum shows Gmail addresses paired with passwords and linked directly to PayPal’s login pages, while another features a user account appearing in both web and mobile formats, showing that the same account details were found in different versions of PayPal’s services, both web and mobile. The way the data is put together is also important. It seems to include a mix of real accounts and test or fake ones, which is often the case with stolen or old databases. The seller claims most of the passwords look strong and unique, but also admits many are reused. That means people who used the same password on other websites could be at risk well outside PayPal. As for pricing, Chucky_BF is asking for 750 US dollars for full access to the 1.1GB dump. That figure positions it in line with other credential dumps of similar size sold in cybercrime markets, which often find buyers among groups looking to monetize stolen accounts through fraud or resale. If the claims are accurate, this would represent one of the larger PayPal-focused leaks of recent years, with millions of users across Gmail, Yahoo, Hotmail, and country-specific domains implicated. Infostealer Logs as the Likely Source PayPal has never suffered a direct data breach in which attackers broke into its systems or stole millions of user records. Past incidents, including the one that involved 35,000 users, linked to the company have usually been the result of credential stuffing or data harvested elsewhere. This makes it possible that the newly advertised dataset is not the product of a PayPal system breach at all, but rather the result of infostealer malware collecting login details from infected devices and bundling them together. The structure of the dataset shown in the samples shared by the threat actor suggests it may have been collected through infostealer malware logs. Infostealers infect personal devices and steal saved login details, browser data, and website activity, which later appear in bulk on cybercrime markets. The presence of PayPal login URLs and mobile URIs in this dump makes it possible that the information was gathered from infected users worldwide, then compiled to be sold as a single PayPal-focused leak. Infostealer malware infecting devices worldwide is hardly surprising. In May, cybersecurity researcher Jeremiah Fowler discovered a misconfigured cloud server containing 184 million login credentials, including unique usernames, email addresses, and passwords, which he believes were likely collected using infostealer malware. According to Hudson Rock, a cybercrime intelligence company, infostealer malware is easily and cheaply available on the dark web. The company’s research also revealed the scale at which these tools have successfully targeted critical infrastructure, including in the United States. Researchers found that employees at key US defense entities such as the Pentagon, major contractors like Lockheed Martin and Honeywell, military branches, and federal agencies, including the FBI, have also fallen victim to infostealer malware. As for PayPal, the company itself has not confirmed any such incident, and it is not yet clear whether the dataset is entirely authentic, a mix of real and fabricated records, or a repackaging of older leaks. Hackread.com has also not been able to verify whether the data is genuine, and only PayPal can confirm or deny the claims. The company has been contacted for comment, and this article will be updated accordingly.
