Last month right before our trip to Mexico City, I got a text message saying my PayPal account had a $11k charge and asking me if it was my authorization. I immediately replied no and verified that was a legit message from PayPal. We went onto the trip and I didn’t think of this matter in the next few days.

A week later, I noticed our checking account had a $11k withdraw from PayPal! WTF?! I called the bank immediately. They said the only thing they could do was to close my checking account and open a new one, and suggested me to contact PayPal first. Hence my month-long wrestling with PayPal began.

Before I go on to lay out my experiences with PayPal, I’ll list findings from our forensic checks of how the orders were placed without our knowledge. The result was very shocking to me.

• My checking account was charged because it was linked to my PayPal account.
• When the 11k charge happened, I got hundreds of spam emails within a few hours. Gmail blocked most of them but still more than 100 showed up in my inbox. Apparently hackers tried to overwhelm my inbox so I miss any alert emails.
• My PayPal account was linked to Wen’s eBay account before.
• Wen’s PayPal account was also linked to Wen’s eBay account, and also had 4 unauthorized charges since Aug 2023, total ~8k$. ~$4k was charged to our credit card reward points(!), which was very sneaky as reward point transactions have way less notifications and checks than usual credit card charges. The other ~$4k was charged to someone else’s card that hacker added to Wen’s PayPal.
• Wen’s eBay account was hacked and all the orders were placed there. The orders were “hided” in eBay (not sure why eBay even has such a function…) so it was harder to notice at first. Wen’s eBay account didn’t have 2FA enabled before this. So it was a weak link. At first I thought this was the “entrance” the hacker found.
• But a few days later I found Wen’s gmail was also hacked… there was a filter created in gmail to delete all emails with the words “eBay” or “PayPal”. This was why we didn’t notice any of the hack orders. Wen’s gmail apparently didn’t have 2FA enabled until Nov 2022. But she did place some order in Aug 2023 and received the emails. So the filter was created within Aug 2023, after her last legit order and before the first hack order.
• eBay support said the hacked orders were placed from our home IP.
• Wen’s Google account sessions don’t have devices or locations we don’t recognize.
• Hacker’s “entrance” was likely one of Wen’s devices that has her gmail account logged in, and/or eBay logged in.
• But at the end, I couldn’t confirm which device was hacked or how exactly the hacker took control of Wen’s accounts.

In the past few weeks I files several tickets with PayPal and had numerous calls with their support. The resolutions were really inconsistent and not transparent at all.

• For the 11k charge on my PayPal account, I filed a ticket and claimed it was an unauthorized charge. I supposed it would be an easy case, as I replied the text message immediately and told PayPal it was unauthorized when the charge happened. But I got turned around several times. The case was denied after a few days. I called support. An agent told me to change it to “item not received”. I waited more days and seller apparently provided shipping confirmations, so the case was denied again. I called the support again to reopen the ticket and I reiterated it was a hack, and the case was denied after another week… I called PayPal support again and filed a new ticket and reiterated the same information again, and it was finally refunded this time…
• I filed a ticket for the four hacked charges in Wen’s PayPal account as unauthorized access as well. To my surprise, three of them were refunded very quickly. But one smallest charge was left out and not refunded for unexplainable reason… I called PayPal support and one agent said she filed an appeal for me (essentially reopened the ticket). A few days later it came back denied again… I’ll keep argueing with PayPal support.

So in summary:

• I got ~19k back among the ~20k stolen money (including ~4k on someone else’s stolen card), not too bad…
• The hacker went away with the goods they bought. The refund I got probably came from either the seller or insurance.
• I still don’t know exactly how the accounts were hacked…

—–

Months later.. the hacker stroke again! A morning in April 2024, I woke up with several email notifications of Wen changed her PayPal password! I set up an email forwarding rule from Wen’s email to mine for any email with keyword PayPal or eBay, in a similar way as the hacker. And they stepped right in..

By examining Google account browsing history, I found the culprit was a mini gaming PC we bought from China last year, brand is MinisForum and model is HX99G. The hacker apparently controlled the PC’s browser which has Wen’s email logged in. They remotely controlled the browser to reset PayPal and eBay passwords, but I had removed all linked cards/accounts from PayPal, so they couldn’t do much.

I installed a bunch of anti-virus software to the computer. Norton found a Trojan malware camouflaged as a .NET runtime, and blocked a bunch of malicious traffic from east Europe. By examining the malware file creation time, I’m relatively sure they were installed before I bought the PC…

I wiped and reinstalled the system. A windows installation USB drive needs 8GB these days! It has been years since I installed a Windows and dealt with drivers. I learned Windows 11 didn’t let you install without Internet, but the WiFi card of this PC doesn’t have driver built in Windows, so I was stuck there for a while… and it took another hour or so for me to figure out how to install Bluetooth driver without a mouse. Fun times.

上周二（Nov 14）在办公室正开着会，手机接二连三的收到短信。一看之下吃了一惊，我刚离开不久的B司大裁员了。说是要裁1/4的员工。最让我震惊的是Flux的人全都被裁了。Flux的产品虽然近半年来确实没几个客户在用，但是有一个大客户在做集成。一下子把人全都裁掉看起来是要砍掉这个产品的势头，不知道如何跟那个客户公司交代。但我又听说这事并没有通知到那个客户那里，唯一一个和客户直接对接的人没有被裁，难道要上演一番空城计？无论怎样，不再是我的问题了，哈哈。

一年前业界开始纷纷裁员的时候，我的想法是比较中立的。从员工角度来说，毫无准备就被裁掉往往会直接开始谴责公司。但从公司角度来说，生存和盈利能力毕竟是根本。顺风顺水的时候可以说善待员工自然就会带来收入，但到了困难的时候裁员收缩规模可能确实是必要的生存手段。队伍一团和气最后做不下去的公司多了去了，往往到了没钱的时候和气也维持不下去。

但这次听说B司的裁员的时候我的心态还是自然自动的站到了雇员这一边。首先年底节前裁员实在是很不地道，美国很多IT公司都是感恩节圣诞节放两周假，加上headcount到年底常常用得差不多了，这段时间找工作难上加难。再者B司给的severance居然只有两三周，少到发指。作为一个总部在欧洲的公司，欧洲那边裁员是要提前几个月通知，于是最后遣散费给少点也就罢了，毕竟要养员工几个月；美国这边裁员速度是按美国风格当天遣散，遣散费却是按欧洲风格只给这么一点。我真的是觉得这公司如果不挂掉的话是可以被放上黑名单了。被收购之后我还给他们招了十来个人，实在有点对不起这些被招进来的同事。

周四本来B司纽约办公室的几个人还约了一个happy hour，于是临时变成了after-shock rant session。大家一番推测到底这事发生之前谁知道谁不知道，感觉知道的人还是比较少的，一两周之前还在各种开会讨论计划什么的。干活的人基本上都不知道。但某高层，aka.我前老板，很明显是知道的，还来纽约组织会议，就有些过假了。比较让我惊讶的一点是他在跟Flux的eng lead裁员talk的时候说裁整个Flux是他自己的决定，我有种不知道他这是要背锅还是要忏悔的感觉。

我现司虽然在招人，但对大部分岗位只限在纽约招，于是也捞不了什么前司的人，有点遗憾。

对这次被裁的人来说，我觉得脱离B司这个环境也不失为一件好事。希望他们都找到更适合的事情做吧。

我想了一阵这个裁员和Flux最近纷纷走人的因果关系。从八月到十月Flux的几个骨干依次离职，Product VP，Customer Service VP，我，Yue。我的猜测是B司裁员这个事情在我走之前就决定了，今年的数字一直不太好看，裁员这种事从计划到施行也差不多需要至少两个月。但我有点怀疑这一番走人导致了具体裁的人倾向了Flux这边。Anyway，焉知非福。

新公司正式开张之前自然是要去玩一下的，毕竟接下来几个月可能会很忙。这次的主要目的地是德州最西边的Guadalupe Mountains国家公园，一方面是想找个温暖干燥的地方睡睡帐篷走走空无一人的山路，重温一下和EBC完全相反的爬山体验；另一方面也是为了在我的国家公园访问列表上喜加一。

In the early days of Flux, I often sent a link to our tech stack to candidates. In my mind, a big draw of working at a startup is the freedom to assemble a tech stack from the beginning, experiment with it, and learn from the experiences. Now is my time to say goodbye to the stack and write some thoughts.

Background: Flux is an HR Tech startup with six engineers for the first three years, acquired by Beamery in 2021, and grew to 16 engineers in 2022. The product consists of a web application and a recommender system (matching engine).