A growing number of ecommerce sellers are reporting being targeted by a sophisticated and frustrating form of fraud abuse via PayPal. In a recent Hacker News thread, a startup founder described being bombarded with a stream of low-value purchases—each disputed within hours—made through PayPal’s Multiparty APIs on their digital marketplace. The attacks appear automated, intentional, and potentially damaging, especially for small businesses already operating on thin margins.
And they’re not alone.
This fraud pattern, commonly known as credential stuffing or card testing, is becoming more prevalent across payment platforms like PayPal and Stripe. It involves cybercriminals using stolen credit card data to make small test transactions in order to identify which credentials still work. Once validated, the working card details can be resold or used for larger fraudulent purchases elsewhere.
How the Attack Works
According to the post, the attacker:
- Uses email addresses with no online footprint, typically from the same few domains.
- Initiates payments using unverified PayPal accounts.
- Purchases low-cost digital items with slight variations to avoid detection.
- Issues disputes or chargebacks within hours.
- Changes IP addresses between each transaction to evade basic fraud filters.
The frequency and subtlety of the attacks suggest browser automation—likely using headless browsers that simulate human activity—and some knowledge of how to stay under the radar of anti-fraud tools.
Notably, these aren’t API-driven attacks. They happen through the seller’s actual payment form in a browser, making detection more difficult and bypassing common API-level protection.
Why PayPal May Not Be Helping Enough
Multiple merchants chimed in with similar stories of fraud and little help from PayPal. Because of how PayPal’s Multiparty API is structured, support agents reportedly fail to recognize that a platform operator is even connected to a transaction unless each individual seller reports it independently. This fragmented support model leads to weeks of canned responses, unresolved cases, and growing losses.
For a small startup or niche seller, the cost of chargebacks, the risk of a payment account freeze, or even reputation damage with payment providers can be devastating.
The Broader Ecommerce Problem
This isn’t just a PayPal issue. Other payment processors like Stripe have been targeted by similar tactics, especially when landing pages or checkout tools are misconfigured or lack protective measures.
As one commenter noted, the problem can escalate quickly: “It got to the point where we were almost shut off by a card company.”
Practical Steps for Retailers
To protect against this wave of dispute spam and fraud, ecommerce operators—especially those selling digital goods—should consider:
- Adding CAPTCHAs or email validation APIs like EmailListVerify to their signup and checkout flows.
- Monitoring purchase behavior in real time to flag IP churn, unverified accounts, or rapid low-value purchases.
- Proxying third-party landing pages or checkout tools to insert custom fraud protection measures.
- Blocking known malicious ASNs and data center IPs often used by botnets.
- Virtualizing infrastructure and locking down access to prevent deeper security breaches.
A Payment Platform Gap
The takeaway here is twofold. First, there’s a growing class of ecommerce fraud that blends technical automation with payment platform blind spots. Second, platforms like PayPal are not always prepared to handle these attacks at scale—especially when disputes come through indirect relationships like marketplaces.
Until that changes, the burden of protection is falling squarely on retailers themselves.
If you’re selling online—especially digital goods—it’s no longer a question of if your site will be tested. It’s when. And whether you’re ready when it happens.
