Last month, right before our trip to Mexico City, I got a text message saying my PayPal account had an $11k charge and asking me if I had authorized it. I immediately replied no and verified that it was a legit message from PayPal. We went on the trip and I didn’t think about this matter for the next few days.
A week later, I noticed our checking account had an $11k withdrawal from PayPal! WTF?! I called the bank immediately. They said the only thing they could do was to close my checking account and open a new one, and suggested that I contact PayPal first. Hence my month-long wrestling with PayPal began.
Before I go on to lay out my experiences with PayPal, I’ll list findings from our forensic checks of how the orders were placed without our knowledge. The result was very shocking to me.
- My checking account was charged because it was linked to my PayPal account.
- When the 11k charge happened, I got hundreds of spam emails within a few hours. Gmail blocked most of them, but still more than 100 showed up in my inbox. Apparently the hackers tried to overwhelm my inbox so I would miss any alert emails.
- My PayPal account was linked to Wen’s eBay account before.
- Wen’s PayPal account was also linked to Wen’s eBay account, and also had 4 unauthorized charges since Aug 2023, total ~$8k. ~$4k was charged to our credit card reward points (!), which was very sneaky, as reward point transactions have way fewer notifications and checks than usual credit card charges. The other ~$4k was charged to someone else’s card that the hacker added to Wen’s PayPal.
- Wen’s eBay account was hacked and all the orders were placed there. The orders were “hidden” in eBay (not sure why eBay even has such a function…) so it was harder to notice at first. Wen’s eBay account didn’t have 2FA enabled before this. So it was a weak link. At first I thought this was the “entrance” the hacker found.
- But a few days later I found Wen’s gmail was also hacked… there was a filter created in gmail to delete all emails with the words “eBay” or “PayPal”. This was why we didn’t notice any of the hacked orders. Wen’s gmail apparently didn’t have 2FA enabled until Nov 2022. But she did place some orders in Aug 2023 and received the emails. So the filter was created within Aug 2023, after her last legit order and before the first hacked order.
- eBay support said the hacked orders were placed from our home IP.
- Wen’s Google account sessions don’t have devices or locations we don’t recognize.
- Hacker’s “entrance” was likely one of Wen’s devices that has her gmail account logged in, and/or eBay logged in.
- But at the end, I couldn’t confirm which device was hacked or how exactly the hacker took control of Wen’s accounts.
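The hidden Gmail filter above is the kind of thing that is easy to miss by scrolling through the settings page. As an added example (not from the original post), this script audits a Gmail filter export (Settings > Filters > Export, an Atom XML file) and flags filters that auto-delete, archive or forward mail matching finance-related keywords. The sample export embedded below is constructed for illustration; the keyword list is an assumption you should extend for your own banks and merchants.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Assumed watch list: words an attacker would key on to suppress fraud alerts.
WATCH_WORDS = ("paypal", "ebay", "bank", "payment", "password", "security")

# Constructed sample of a Gmail filter export: one benign newsletter filter and
# one that silently trashes anything mentioning eBay or PayPal.
SAMPLE_EXPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:apps="http://schemas.google.com/apps/2006">
  <entry>
    <title>Mail Filter</title>
    <apps:property name="from" value="news@example.com"/>
    <apps:property name="label" value="Newsletters"/>
    <apps:property name="shouldArchive" value="true"/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name="hasTheWord" value="eBay OR PayPal"/>
    <apps:property name="shouldTrash" value="true"/>
    <apps:property name="shouldMarkAsRead" value="true"/>
  </entry>
</feed>
"""

def parse_filters(xml_text):
    """Return each filter as a dict of its apps:property name -> value."""
    root = ET.fromstring(xml_text)
    return [{p.get("name"): p.get("value") for p in e.iter(APPS + "property")}
            for e in root.iter(ATOM + "entry")]

def suspicious_filters(filters):
    """Return (filter, reasons) for filters that hide or exfiltrate mail."""
    findings = []
    for f in filters:
        criteria = " ".join(f.get(k, "") for k in ("from", "to", "subject", "hasTheWord")).lower()
        hides = any(f.get(k) == "true" for k in ("shouldTrash", "shouldArchive", "shouldMarkAsRead"))
        reasons = []
        if "forwardTo" in f:                       # any forwarding rule is worth a look
            reasons.append("forwards mail to " + f["forwardTo"])
        if hides and any(w in criteria for w in WATCH_WORDS):
            reasons.append("hides mail matching: " + criteria)
        if reasons:
            findings.append((f, reasons))
    return findings

if __name__ == "__main__":
    for f, why in suspicious_filters(parse_filters(SAMPLE_EXPORT)):
        print("SUSPICIOUS:", f, "->", "; ".join(why))
```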
In the past few weeks I filed several tickets with PayPal and had numerous calls with their support. The resolutions were really inconsistent and not transparent at all.
- For the 11k charge on my PayPal account, I filed a ticket and claimed it was an unauthorized charge. I supposed it would be an easy case, as I replied to the text message immediately and told PayPal it was unauthorized when the charge happened. But I got turned around several times. The case was denied after a few days. I called support. An agent told me to change it to “item not received”. I waited more days and the seller apparently provided shipping confirmations, so the case was denied again. I called support again to reopen the ticket and I reiterated it was a hack, and the case was denied after another week… I called PayPal support again and filed a new ticket and reiterated the same information again, and it was finally refunded this time…
- I filed a ticket for the four hacked charges in Wen’s PayPal account as unauthorized access as well. To my surprise, three of them were refunded very quickly. But the smallest charge was left out and not refunded, for an unexplained reason… I called PayPal support and one agent said she filed an appeal for me (essentially reopened the ticket). A few days later it came back denied again… I’ll keep arguing with PayPal support.
So in summary:
- I got ~$19k back out of the ~$20k stolen (including ~$4k on someone else’s stolen card), not too bad…
- The hacker went away with the goods they bought. The refund I got probably came from either the seller or insurance.
- I still don’t know exactly how the accounts were hacked…
—–
Months later… the hacker struck again! One morning in April 2024, I woke up to several email notifications that Wen had changed her PayPal password! I had set up an email forwarding rule from Wen’s email to mine for any email with the keyword PayPal or eBay, in a similar way to what the hacker did. And they stepped right in…
By examining Google account browsing history, I found the culprit was a mini gaming PC we bought from China last year; the brand is MinisForum and the model is HX99G. The hacker apparently controlled the PC’s browser, which had Wen’s email logged in. They remotely controlled the browser to reset the PayPal and eBay passwords, but I had removed all linked cards/accounts from PayPal, so they couldn’t do much.
I installed a bunch of anti-virus software on the computer. Norton found a Trojan camouflaged as a .NET runtime, and blocked a bunch of malicious traffic from Eastern Europe. By examining the malware file creation time, I’m relatively sure it was installed before I bought the PC…
I wiped and reinstalled the system. A Windows installation USB drive needs 8GB these days! It has been years since I installed Windows and dealt with drivers. I learned Windows 11 doesn’t let you install without Internet, but the WiFi card of this PC doesn’t have a driver built into Windows, so I was stuck there for a while… and it took another hour or so for me to figure out how to install the Bluetooth driver without a mouse. Fun times.