CARDER.MARKET - CARDING FORUM FOR PROFESSIONAL CARDERS

Carding method: Payment via PayPal

Carder

Member
PayPal is everywhere. Every major retailer, every little Shopify store, they’re all waving those blue and yellow buttons in your face. But most carders treat PayPal payment like kryptonite, and for good reason. Those smart bastards at PayPal have been beefing up their fraud prevention systems year after year, making their checkout process a goddamn nightmare.

But here’s where it gets interesting — I’ve been sitting on a method that has consistently failed PayPal for the last two years. It’s a fundamental design flaw in their system that they can’t just fix with a quick update. And today, I’m going to break it down for you, step by step.

The PayPal Payment Process

Before we dive into the exploit, let's break down how the PayPal payment process actually works. There are two main paths a transaction can take:

PayPal Express Checkout (immediate payment)
  • The customer clicks the "Pay with PayPal" button
  • Redirected to PayPal for payment
  • The payment is processed immediately on the PayPal side.
  • The customer returns to the store with the transaction completed.
  • No additional confirmation required
  • Typically found on basic e-commerce sites

PayPal Standard Checkout (2-step process)
  • The customer clicks the "Pay with PayPal" button
  • Redirected to PayPal to authorize (but not process) the payment
  • Returns to the merchant's site with a PayPal token
  • Can still change shipping/billing details
  • You must click the last button "Pay Now" to complete
  • Used by large retailers for flexibility

The second flow, Standard Checkout, is where our vulnerability lies. That gap between authorization and final processing? It’s our golden ticket. The two-step process creates a window of opportunity that PayPal’s fraud detection system can’t easily close without breaking legitimate functionality.

PayPal Fraud Detection

PayPal’s fraud detection is a multi-layered beast that’s been honed over decades of fighting fraud. At its core, it’s built on one important insight: shipping addresses don’t lie. While most payment processors are obsessed with browser and IP fingerprinting, PayPal knows that physical orders leave a paper trail you can’t fake. They’ve built a massive database of trusted shipping locations tied to every PayPal account and card that’s ever touched their system.

Think about it — what’s with that crappy $5 card you’re trying to use? Chances are, its rightful owner has ordered something through PayPal at some point in their life. PayPal already knows their home address, their work address, their mom’s house where they send Christmas presents. Every successful transaction leaves a trail in PayPal’s vast network of trusted locations. When you try to ship that 65-inch TV to some random address they’ve never seen before, alarm bells start ringing.

This obsession with shipping addresses goes beyond just individual transaction history. PayPal’s algorithms analyze shipping locations across its entire network, creating heat maps of legitimate commerce and suspicious activity. They know which zip codes have high fraud rates, which addresses are associated with drops, even which buildings tend to have unusual shipping patterns. Your seemingly innocent order goes through this laundry list of location-based risk factors before it ever gets to the payment processing stage.

But what makes PayPal fraud detection truly formidable is how it combines this shipping information with their massive trove of user data. Nearly every adult in the U.S. has interacted with PayPal at some point — whether through direct purchases, receiving payments, or simply creating an account they never used. Each of these interactions feeds into their risk models, creating a complex web of trusted relationships and verified behavior that is nearly impossible to penetrate using traditional carding methods.

Why the Bill=Ship Trick Doesn’t Work

'Why not just do bill=ship and contact the site after that?'

Good luck. Unlike regular credit card transactions, most sites won’t let you change your address once your PayPal payment goes through. And there’s a good reason for that — PayPal is essentially their fraud-free guarantee.

Think about it: When you pay with a credit card, sites subject you to fraud checks and all sorts of crap. But pay with PayPal? The stores pack and ship the next day, no questions asked. Why? Because these merchants know that PayPal’s fraud detection is god-like. They’ve seen PayPal’s track record of shutting down fraudsters, and they trust it more than their own mother.

The merchants’ logic is simple: No one is stupid enough to try to card through PayPal. The risk models are too complex, and the data set is too vast. So when they see a PayPal payment go through, they treat it like it’s blessed by the fraud-prevention gods themselves, as long as no information changes after the payment.

Switching the Shipping Address

This is where things get interesting. Remember that two-step process we talked about with PayPal's standard checkout? That gap between authorization and final processing isn't just a quirk, it's our damn hammer. To drive the point home, let's illustrate this with a random Shopify store.

When dealing with a Shopify store that uses PayPal Standard Checkout, here's how we're going to screw with their system:
1. Add items to your cart and proceed to checkout
2. In the shipping information, enter the CARD HOLDER'S REAL ADDRESS
  • This is important - PayPal needs to see an address they trust.
  • Make sure it matches what PayPal has in their records for the card.
3. Click Next and on the payment page click the Pay with PayPal button
  • PayPal sees a reliable shipping address
  • Their discovery of fraud evokes warm, fuzzy feelings
  • Authorization goes smoothly and without a hitch
4. This is where the magic happens:
  • After PayPal authorization but BEFORE final confirmation
  • Shopify will allow you to "view" (unless the store uses Express Checkout, in which case it will process the transaction immediately) your order one last time
  • This is when you change this shipping address to your address.
  • PayPal has already received their blessing, they don't check anymore
5. Click the last button "Pay Now"
  • The transaction is processed via a pre-authorized PayPal token
  • Shopify Gets Updated Shipping Information
  • The parcel is sent to you, not to the cardholder.

How and Why It Works Like Magic

PayPal’s fraud detection happens during the initial authorization. Once they give it the green light, they trust the merchant to handle the rest. Sure, merchants can send them an updated shipping address, but that’s rare. And even when they do, you’ve already gone through a complex fraud check during checkout — PayPal has already done the deepest research and given you their blessing.

Any store that lets us modify an order before checkout is our golden ticket. It’s designed to allow bona fide customers to correct typos or change their address at the last minute. Instead, we’ll use it to bypass PayPal’s complex fraud checks entirely. By the time the transaction is finished processing, PayPal has already moved on to scrutinizing the next poor sap trying to run a payment (card) through their system.

Final Thoughts

So there you have it, the Holy Grail of carding method — Payment via PayPal — exposed. We’re not just throwing shit at the wall and hoping something sticks. This is a calculated, precise exploitation of a fundamental flaw in their checkout process.

Remember, this isn’t some “get rich quick” nonsense. PayPal fraud detection is still a beast.

And for heaven’s sake, keep your OPSEC in check. Mix up your drops, change your purchase amounts, and never use the same PayPal account twice.

Now go make that money — just don’t come crying to me when you screw up by cutting corners.

Disclaimer: The information provided in this article and all my articles and guides are for educational purposes only. This is an exploration of how scams work and is not intended to promote, endorse or facilitate any illegal activity. I cannot be held responsible for any actions taken based on this material or any material posted by my account. Please use this information responsibly and do not engage in any criminal activity.

(c) Telegram: d0ctrine
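
From the merchant's side, the gap the post describes closes when the order's shipping address at capture time is compared with the address that was sent for risk scoring at authorization, and a mismatch forces a fresh authorization instead of a capture. This is an added example, not part of the original post and not PayPal or Shopify code; the address field names, `normalize_address` and `review_capture` are hypothetical, and the sample orders are constructed.

```python
import re
import unicodedata

# Hypothetical address shape; a real integration maps its own order fields here.
FIELDS = ("line1", "line2", "city", "region", "postal_code", "country")
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "apartment": "apt",
          "suite": "ste", "north": "n", "south": "s", "east": "e", "west": "w"}

def normalize_address(addr):
    """Canonical tuple so case, punctuation and common abbreviations compare equal."""
    out = []
    for field in FIELDS:
        text = unicodedata.normalize("NFKD", addr.get(field) or "")
        text = text.encode("ascii", "ignore").decode().lower()
        words = re.sub(r"[^a-z0-9]+", " ", text).split()
        out.append(" ".join(ABBREV.get(w, w) for w in words))
    # For US addresses, ZIP+4 and the plain 5-digit ZIP are treated as equal.
    if out[5] == "us":
        out[4] = out[4].replace(" ", "")[:5]
    return tuple(out)

def review_capture(authorized_addr, final_addr):
    """Return ("capture", []) or ("reauthorize", [names of changed fields])."""
    a, b = normalize_address(authorized_addr), normalize_address(final_addr)
    changed = [f for f, x, y in zip(FIELDS, a, b) if x != y]
    if not changed:
        return "capture", []
    # The address differs from the one that was risk-scored: do not capture on
    # the earlier approval; restart authorization with the new address.
    return "reauthorize", changed

# Constructed sample orders (not real data).
AUTHORIZED = {"line1": "12 Example Street", "city": "Springfield",
              "region": "IL", "postal_code": "62701-0001", "country": "US"}
SAME_REFORMATTED = {"line1": "12 example st.", "city": "SPRINGFIELD",
                    "region": "il", "postal_code": "62701", "country": "us"}
DIFFERENT = {"line1": "99 Sample Road", "line2": "Unit 4", "city": "Shelbyville",
             "region": "IL", "postal_code": "62565", "country": "US"}

if __name__ == "__main__":
    print(review_capture(AUTHORIZED, SAME_REFORMATTED))
    print(review_capture(AUTHORIZED, DIFFERENT))
```

The list of changed fields is worth logging with the order, since repeated post-authorization address changes from one account or device are a signal for manual review.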
 