A threat actor is selling secrets. Big ones.
Operating under the alias Chucky_BF, the attacker has surfaced on underground forums with a staggering claim: over 15.8 million PayPal credentials for sale. The haul includes email addresses, plaintext passwords, and direct URLs to PayPal services. It’s being marketed as the “Global PayPal Credential Dump 2025.”
Hackread first reported this development.
The numbers are large. The dataset spans 1.1GB and covers accounts from email providers worldwide. But size isn’t everything here. What makes this leak particularly dangerous is its laser focus on PayPal infrastructure.
These aren’t just random credentials. The records include URLs pointing directly to PayPal endpoints like /signin, /signup, /connect, plus Android-specific URIs. That level of detail matters because a URL field tells a credential-stuffing tool exactly which login form, web or mobile, to replay each email:password pair against, with no guesswork about where the credential was captured.
A Goldmine for Cybercriminals
Chucky_BF describes this as a “goldmine for cybercriminals.” The contents? “Raw email:password:url entries across global domains.” This is perfect ammunition for credential stuffing, phishing schemes, and fraud operations.
Forum samples tell the story. Gmail addresses paired with passwords, linked directly to PayPal’s login pages. One sample shows the same account appearing in both web and mobile formats. The threat actors harvested from everywhere.
The data structure reveals careful organization. Real accounts mixed with test entries. Fake credentials alongside genuine ones. It’s the hallmark of professional data theft operations.
Password quality varies wildly. Some look strong and unique. Others are recycled across multiple platforms. That means trouble extends far beyond PayPal for users who reuse credentials.
The price tag? Seven hundred fifty dollars for the complete 1.1GB archive. Standard rates for this type of criminal merchandise.
Not a Direct Breach
PayPal has never suffered a direct breach exposing millions of user records. Previous incidents, including one affecting roughly 35,000 accounts in late 2022, involved credential stuffing or data harvested elsewhere rather than a compromise of PayPal’s own systems. Nothing in this dataset points to a server-side breach either: plaintext passwords paired with the exact login URL or app URI a victim saved are what client-side credential theft produces, not what a dump of a provider’s database looks like.
The dataset likely originated from infostealer malware. These programs infect personal devices and vacuum up saved login credentials, browser data, and website activity. The stolen information gets bundled and sold in cybercrime markets.
Evidence supports this theory. The presence of PayPal-specific URLs and mobile URIs indicates worldwide harvesting from infected devices. Criminals compiled the scattered data into one PayPal-focused package.
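The email:password:url layout described above is exactly what a defender receives when a sample of such a dump lands in a threat-intel feed. The following triage script is an added example written for this article, not a tool from PayPal, Hackread or the seller: it parses that layout (tolerating passwords that themselves contain colons), separates genuine PayPal web endpoints and the Android app URI from lookalike hosts, finds accounts that appear in both web and mobile form, flags obvious test entries, and lists passwords shared across distinct accounts. All input lines are constructed for the example and belong to no real account; the Android package name, the test-entry markers and the choice to treat `paypal.com` as the only legitimate web host are assumptions of the example.

```python
"""Triage a sample of an infostealer-style credential dump (added example).

Input format, as the article describes it: one ``email:password:url`` entry
per line. The SAMPLE below is CONSTRUCTED for this example; every address,
password and URL is fictional.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample data, not real records.
SAMPLE = """\
alice.sample@gmail.com:Tr0ub4dor&3:https://www.paypal.com/signin
alice.sample@gmail.com:Tr0ub4dor&3:android://Q29uc3RydWN0ZWQ=@com.paypal.android.p2pmobile/
bob.sample@yahoo.com:password123:https://www.paypal.com/signup
carol.sample@hotmail.com:password123:https://www.paypal.com/connect
dave.sample@gmail.com:colon:in:pass:https://www.paypal.com/signin/?returnUri=%2Fmyaccount
test@test.com:test:https://www.paypal.com/signin
mallory.sample@gmail.com:Winter2025!:https://www.paypal.com.evil.example/signin
erin.sample@gmail.com:this line has no url
"""

# Email is everything up to the first ':'; the URL is the last ':'-delimited
# field that starts with a scheme and '://'. The greedy middle group therefore
# absorbs any colons inside the password.
LINE_RE = re.compile(r"^([^:\s]+@[^:\s]+):(.*):([A-Za-z][A-Za-z0-9+.\-]*://\S*)$")

PAYPAL_WEB_DOMAIN = "paypal.com"
PAYPAL_ANDROID_PACKAGE = "com.paypal.android.p2pmobile"   # assumed app package id
TEST_MARKERS = {"test", "example", "dummy", "fake"}        # heuristic, assumed


@dataclass(frozen=True)
class Record:
    email: str
    password: str
    url: str


def parse_line(line: str) -> Optional[Record]:
    """Return a Record for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    email, password, url = m.groups()
    return Record(email.lower(), password, url)


def classify_url(url: str) -> Tuple[str, str]:
    """Return (category, detail) for a captured URL.

    Host matching is an exact suffix match on purpose: the string 'paypal.com'
    appears inside 'www.paypal.com.evil.example', but that is not a PayPal host.
    Such entries usually come from phishing kits and are reported separately.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()   # hostname strips userinfo and port
    if parsed.scheme in ("http", "https"):
        if host == PAYPAL_WEB_DOMAIN or host.endswith("." + PAYPAL_WEB_DOMAIN):
            path = parsed.path.strip("/")
            endpoint = "/" + path.split("/")[0] if path else "/"
            return "paypal_web", endpoint
        if "paypal" in host:
            return "lookalike", host
        return "other", host
    if parsed.scheme == "android":
        # Android credential entries look like android://<hash>@<package>/
        return ("paypal_android" if host == PAYPAL_ANDROID_PACKAGE else "other_android"), host
    return "other", host


def looks_like_test_entry(rec: Record) -> bool:
    """Crude filter for the placeholder rows that bulk dumps tend to contain."""
    local, _, domain = rec.email.partition("@")
    return (local in TEST_MARKERS
            or domain.split(".")[0] in TEST_MARKERS
            or rec.password.lower() in TEST_MARKERS)


def triage(dump_text: str) -> Dict[str, object]:
    """Summarise a dump sample: endpoint mix, web+mobile overlap, reuse, lookalikes."""
    records, malformed = [], 0
    for line in dump_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1
        else:
            records.append(rec)

    categories: Counter = Counter()
    endpoints: Counter = Counter()
    cats_by_email = defaultdict(set)        # email -> categories seen for it
    emails_by_password = defaultdict(set)   # password -> distinct emails using it
    lookalikes, test_entries = set(), 0

    for rec in records:
        cat, detail = classify_url(rec.url)
        categories[cat] += 1
        if cat == "paypal_web":
            endpoints[detail] += 1
        elif cat == "lookalike":
            lookalikes.add(detail)
        cats_by_email[rec.email].add(cat)
        emails_by_password[rec.password].add(rec.email)
        test_entries += looks_like_test_entry(rec)

    # Same account captured from both the browser and the Android app.
    web_and_mobile = sorted(e for e, cats in cats_by_email.items()
                            if {"paypal_web", "paypal_android"} <= cats)
    # Reuse is counted across *distinct* emails, so one victim's duplicated
    # web/mobile entry does not masquerade as password sharing.
    reused = {pw: sorted(emails) for pw, emails in emails_by_password.items()
              if len(emails) > 1}

    return {
        "records": len(records),
        "malformed": malformed,
        "distinct_accounts": len(cats_by_email),
        "categories": dict(categories),
        "paypal_endpoints": dict(endpoints),
        "web_and_mobile": web_and_mobile,
        "reused_passwords": reused,
        "lookalike_hosts": sorted(lookalikes),
        "test_entries": test_entries,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against a real sample, the `paypal_endpoints` and `web_and_mobile` counts show whether the seller's "web and mobile formats" claim holds, `reused_passwords` gives the list of victims whose exposure extends beyond PayPal, and `lookalike_hosts` separates phishing-kit captures from credentials that were actually entered on paypal.com. The suffix-match in `classify_url` is the part worth copying: a substring test on "paypal" would count the lookalike host as a genuine PayPal record.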
A Reality Check
PayPal has yet to confirm the incident, and the dataset’s authenticity remains unproven. It could be the Real McCoy, it could be fabricated records mixed with real ones, or it could simply be repackaged older leaks.
If authentic, this is one of the largest PayPal-focused exposures in recent memory. Millions of users across Gmail, Yahoo, Hotmail, and regional domains could be affected.
The incident highlights infostealer malware’s growing threat. Users who save credentials in browsers face particular risk, because that saved store, complete with the site URL, is precisely what these tools export. Weak password practices make matters worse. Whether or not this dump is confirmed, anyone who has reused a PayPal password elsewhere should change it and enable two-factor authentication on the account.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.