By: Ronnie Tokazowski
When it comes to laundering funds for Business Email Compromise (BEC) attacks, gift cards have been an effective method for scammers for quite some time. While traditional wire transfers can easily be tracked and taken down due to anti-money laundering laws, gift cards can be sold at a loss and converted to cryptocurrencies through platforms such as Paxful. Scammers across the world have used and abused this platform for years, and it appears that Paxful’s (soon to be Noones) corrupted past is starting to catch up with them. With mountains of lawsuits, problems with United States regulators, and former employees coming forward about the corruption within the company, it’s going to be an interesting couple of months to see how the gift card fraud ecosystem shakes out. Here’s what’s going on.
How Gift Cards and BEC are Related
As an industry, we have known the links between BEC and gift card scams since 2015. Scammers pretend to be the CEO asking for an “urgent task” or “errand” to be run, asking the employee to run this “task” while providing updates. Additionally, scammers directly text or ask for phone numbers via email to correspond with victims over SMS. The pivot comes as a way to directly engage with the victim while moving correspondences out of email.
In a multi-part study, we actively engaged with BEC actors and gave them $500 in gift cards. Through this study we determined that scammers are able to steal, sell, launder, and transmit gift cards to other actors in less than 24 hours. We know BEC actors such as Scattered Canary used Paxful to launder their gift cards, with Scattered Canary receiving 132 gift cards from their victims.
With that being said, gift cards are NOT unique to BEC scams by any means. We know tech support victims are often socially engineered to purchase a gift card for payment. Scammers have faked family abductions to facilitate receiving gift cards in payment, fake celebrities have requested gift cards, and romance scam victims have sent money in the form of gift cards. This isn't an exhaustive list; however, gift cards have become a primary cash-out method for many scammers.
Now Let’s Talk about Paxful
According to reports, Paxful receives around a 1% cut of transactions that cross the platform. In 2018 and 2019, Paxful’s officially declared profits were $5.47 million and $3.63 million, per internal emails. For comparison, in 2019 Paxful reported $1.9 billion worth of trading. While we know some of these profits came directly from gift card scammers and other types of laundering activities, the origins of Paxful as an alternative currency go back much further. In 2015, a website called Backpage became synonymous with sex ads, with the headquarters being raided and shut down in 2018. The founder was charged with a 93-count federal indictment from the FBI.
What do Paxful and a 93-count federal indictment from Texas have in common? To facilitate payments, Paxful openly marketed on Facebook that they were willing to accept payments for Backpage. In addition, they had custom URLs and guides on how to make payments through Backpage.
As for just how far Paxful went with the Backpage integration, they actively provided support and information via their Twitter account to members who were having trouble.
While Ray Youssef, aka Ray Savant, has been extremely proud of the humble beginnings of Paxful, there is no denying that Paxful has directly profited from crimes which have been listed in federal indictments.
Bitcoin, Nigeria, and Paxful – A Double Edged Sword
There is no doubt that Ray and his team have done amazing things for people in Nigeria. Paxful has helped build schools, given those in Nigeria a second chance where few opportunities exist, and in some senses has done a very good thing for many of the people on the ground.
However, in the same breath, we have seen an explosion of scammers flocking to the platform while U.S. regulators have tried to tighten the platform against fraud. Paxful was responsible for $400 million in trades in Nigeria in 2022, which is great for the legit users; however, many Yahoo Boys use these platforms to offload their ill-gotten gift cards from BEC and romance scams. We may never know the full extent of how much Paxful profited until every FBI field office, local police department, and state law enforcement agency shares the victim stories and pictures of stolen gift cards for Paxful to parse through. However, with the recent news that Paxful is closing, this may never come to fruition.
So, Gift Card Scams are Dead Since Paxful Doesn’t Exist, Right? Noones Users Successfully Login with Paxful Credentials
While reports of Paxful have been riddled with lawsuits, litigations, and conspiracy theories that the exit has been planned for 18 months, the reality of the situation is that Paxful is soon to be no more. But there’s another platform called Noones that has absolutely no links to Paxful...right?
If “copied user database to allow the same username and passwords to work in the new platform” was on your Bingo card, you would be right.
And with users being able to have balances reflected in the new platform, there is some mitigation, migration, and database copy/pasting that’s happened between the Paxful and Noones platforms. And given the current litigations, this is pretty shady to say the least.
So, What’s Going to Happen to Gift Card Fraud?
With everyone making the migration to Noones, it’s pretty clear that regular users and scammers are going to make the migration. In addition, Noones will become an even better safe haven for those who are looking to bypass U.S. sanctions because the platform will not allow accounts from the U.S. So much so that U.S. accounts are blocked per Noones policies.
As scammers move and pivot, it will be up to Ray and the providers behind Noones to ensure that they aren’t facilitating and benefiting from crime. Because as it stands, the founders are either completely oblivious or witting participants... and for the hundreds of thousands of romance victims out there who have been socially engineered to send gift cards to scammers, this isn’t a good thing.