{ "id": "2d6b561c-ff54-4bbf-9619-0e383de2c55e", "created_at": "2026-04-06T00:16:02.367344Z", "updated_at": "2026-04-10T03:25:06.237873Z", "deleted_at": null, "sha1_hash": "ec5d2a8a442603df2fbb1f7cb398e84af6bba999", "title": "Gift Card Fraud Ecosystem Shifts, What Paxful’s Closing Means for Business Email Compromise", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 687477, "plain_text": "Gift Card Fraud Ecosystem Shifts, What Paxful’s Closing Means\r\nfor Business Email Compromise\r\nArchived: 2026-04-05 13:17:44 UTC\r\nBy: Ronnie Tokazowski\r\nWhen it comes to laundering funds for Business Email Compromise (BEC) attacks, gift cards have been an\r\neffective method for scammers for quite some time. While traditional wire transfers can easily be tracked and\r\ntaken down due to anti-money laundering laws, gift cards can be sold at a loss and converted to cryptocurrencies\r\nthrough platforms such as Paxful. Scammers across the world have used and abused this platform to for years, and\r\nit appears that Paxful’s (soon to be Noones) corrupted past is starting to catch up with them. With mountains of\r\nlawsuits, problems with United States regulators, and former employees coming forward about the corruption\r\nwithin the company, it’s going to be an interesting couple months to see how the gift card fraud ecosystem shakes\r\nout. Here’s what’s going on.\r\nHow Gift Cards and BEC are Related\r\nAs an industry, we have known the links between BEC and gift card scams since 2015. Scammers pretend to be\r\nthe CEO asking for an “urgent task” or “errand” to be run, asking the employee to run this “task” while providing\r\nupdates. Additionally, scammers directly text or ask for phone numbers via email to correspond with victims over\r\nSMS. The pivot comes as a way to directly engage with the victim while moving correspondences out of email.\r\nIn a multi-part study, we actively engaged with BEC actors and gave them $500 in gift cards. Through this study\r\nwe determined that scammers are able to steal, sell, launder, and transmit gift cards to other actors in less than 24\r\nhours. We know BEC actors such as Scattered Canary used Paxful to launder their gift cards, with Scattered\r\nCanary receiving 132 gift cards from their victims.\r\nWith that being said, gift cards are NOT unique to BEC scams by any means. We know tech support victims are\r\noften socially engineered to purchase a gift card for payment. Scammers have faked family abductions to facilitate\r\nreceiving gift cards in payment, fake celebrities have requested gift cards, and romance scam victims have sent\r\nmoney in the form of gift cards. This isn't an exhaustive list, however gift cards have become a primary cash out\r\nmethod for many scammers.\r\nNow Let’s Talk about Paxful\r\nAccording to reports Paxful receives around a 1% cut of transactions that cross the platform. In 2018 and 2019\r\nPaxful’s officially declared profits were $5.47 and $3.63 million dollars, per internal emails. For comparison in\r\n2019, Paxful reported $1.9 billion worth of trading. While we know some of these profits came directly from gift\r\ncard scammers and other types of laundering activities, the origins of Paxful as an alternative currency goes back\r\nmuch further. In 2015, a website called Backpage became synonymous with sex ads, with the headquarters being\r\nraided and shut down in 2018. The founder was charged with a 93-count federal indictment from the FBI.\r\nhttps://cofense.com/blog/gift-card-fraud-ecosystem-shifts-what-paxfuls-closing-means-for-business-email-compromise/\r\nPage 1 of 5\n\nWhat does Paxful and a 93-count federal indictment from Texas have in common? To facilitate payments, Paxful\r\nopenly marketed on Facebook that they were willing to accept payments for Backpage. In addition, they had\r\ncustom URL’s and guides on how to make payments through Backpage.\r\nFor just how far Paxful went with the Backpage integration, they actively provided support and information via\r\ntheir Twitter account to members who were having trouble.\r\nhttps://cofense.com/blog/gift-card-fraud-ecosystem-shifts-what-paxfuls-closing-means-for-business-email-compromise/\r\nPage 2 of 5\n\nWhile Ray Youssef, aka Ray Savant has been extremely proud of the humble beginnings of Paxful, there is no\r\ndenying that Paxful has directly profited from crimes which have been listed in federal indictments.\r\nBitcoin, Nigeria, and Paxful – A Double Edged Sword\r\nThere is no doubt that Ray and his team have done amazing things for people in Nigeria. Paxful has helped build\r\nschools, given those in Nigeria a second chance where few opportunities exist, and in some senses has done a very\r\ngood thing for many of the people on the ground.\r\nHowever, in the same breath, we have seen an explosion of scammers flocking to the platform where U.S.\r\nregulators have tried to tighten the platform for fraud. Paxful was responsible for $400 million in trades in Nigeria\r\nin 2022 which is great for the legit users, however many Yahoo Boys use these platforms to offload their ill-gotten\r\ngift cards from BEC and romance scams. We may never know the full extent of how much Paxful profited until\r\nevery FBI field office, local Police Departments, and state law enforcement agency share the victim stories and\r\npictures of stolen gift cards for Paxful to parse through. However, with the recent news that Paxful is closing this\r\nmay never come to fruition.\r\nSo, Gift Card Scams are Dead Since Paxful Doesn’t Exist, Right? Noones Users\r\nSuccessfully Login with Paxful Credentials\r\nWhile reports of Paxful have been riddled with lawsuits, litigations, and conspiracy theories that the exit has been\r\nplanned for 18 months, the reality of the situation is that Paxful is soon to be no more. But there’s another\r\nplatform called Noones that has absolutely no links to Paxful...right?\r\nIf “copied user database to allow the same username and passwords to work in the new platform” was on your\r\nBingo card, you would be right.\r\nhttps://cofense.com/blog/gift-card-fraud-ecosystem-shifts-what-paxfuls-closing-means-for-business-email-compromise/\r\nPage 3 of 5\n\nAnd with users being able to have balances reflected in the new platform, there is some mitigation, migration,\r\ndatabase copy / pasting that’s happened between the Paxful and Noones platform. And given the current litigations\r\nthis is pretty shady to say the least.\r\nSo, What’s Going to Happen to Gift Card Fraud?\r\nWith everyone making the migration to Noones, it’s pretty clear that regular users and scammers are going to\r\nmake the migration. In addition, Noones will become an even better safe haven for those who are looking to\r\nbypass U.S. sanctions because the platform will not allow accounts from the U.S. So much so that U.S. accounts\r\nare blocked per Noones policies.\r\nhttps://cofense.com/blog/gift-card-fraud-ecosystem-shifts-what-paxfuls-closing-means-for-business-email-compromise/\r\nPage 4 of 5\n\nAs scammers move and pivot, it will be up to Ray and the providers behind Noones to ensure that they aren’t\r\nfacilitating and benefiting from crime. Because as it stands the founders are either completely oblivious or witting\r\nparticipants...and for the hundreds of thousands of romance victims out there who have been socially engineered\r\nto send gift cards to scammers, this isn’t a good thing.  \r\nSource: https://cofense.com/blog/gift-card-fraud-ecosystem-shifts-what-paxfuls-closing-means-for-business-email-compromise/\r\nhttps://cofense.com/blog/gift-card-fraud-ecosystem-shifts-what-paxfuls-closing-means-for-business-email-compromise/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "references": [ "https://cofense.com/blog/gift-card-fraud-ecosystem-shifts-what-paxfuls-closing-means-for-business-email-compromise/" ], "report_names": [ "gift-card-fraud-ecosystem-shifts-what-paxfuls-closing-means-for-business-email-compromise" ], "threat_actors": [ { "id": "cd06319e-56b8-4d0c-9c8b-de96a2d7c9df", "created_at": "2023-10-03T02:00:08.486231Z", "updated_at": "2026-04-10T02:00:03.373331Z", "deleted_at": null, "main_name": "Scattered Canary", "aliases": [], "source_name": "MISPGALAXY:Scattered Canary", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434562, "ts_updated_at": 1775791506, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ec5d2a8a442603df2fbb1f7cb398e84af6bba999.pdf", "text": "https://archive.orkl.eu/ec5d2a8a442603df2fbb1f7cb398e84af6bba999.txt", "img": "https://archive.orkl.eu/ec5d2a8a442603df2fbb1f7cb398e84af6bba999.jpg" } }