Texas man gets 5 years in prison for massive PayPal credentials scam

Stolen credentials are frequently bought and sold on the 'dark web'

An Austin man was sentenced to five years in prison on Thursday for buying credentials for 38,000 compromised PayPal accounts and then using those credentials to steal money from the accounts' owners, the Department of Justice announced.

Marcos Ponce, 37, was ordered to pay $1.4 million in restitution to the victims after pleading guilty to conspiracy to commit wire fraud last October. 

The scheme started as early as November 2015, when Ponce and his co-conspirators began buying stolen credentials on an illegal online marketplace.


"Ponce and his co-conspirators developed social engineering techniques in order to trick unwitting third parties into accepting money transfers from the compromised PayPal accounts, and then transferring the money into accounts controlled by members of the conspiracy," the Department of Justice explained. 



Cybercriminals frequently buy and sell stolen credentials on the "dark web," a part of the internet that standard search engines do not index and that requires specific software, such as the Tor Browser, to access.

There are currently billions of stolen credentials on dark web marketplaces, many of which are usernames and passwords for everything from bank accounts to music streaming services, according to a 2020 report by the digital risk firm Digital Shadows. 


The average account goes for $15.43 on the dark web, but accounts associated with financial institutions can go for as much as $500, according to Digital Shadows.

"Today’s sentencing sends a message that the FBI will pursue cybercriminals across the globe," Assistant Director in Charge of the FBI’s Washington Field Office Steven M. D’Antuono said in a statement. "Hiding behind a computer does not mean you can stay anonymous or out of reach of law enforcement."