PayPal leak, 15 years for fake IDs, and other cybersecurity developments

This week’s key cybersecurity news.

We round up the week’s key cybersecurity news.

Four fraudulent call centres dismantled in Dnipro 

In Dnipro, law enforcement from Ukraine and the Baltic states dismantled a large-scale fraud scheme, the SBU press centre said. 

The ringleader and 10 accomplices were detained. Over the course of a year they defrauded EU citizens of at least $1.2 million. The suspects face up to 12 years in prison with confiscation of assets.

To run the scheme, the gang opened four call centres in Dnipro whose operators coaxed foreigners into investing in “promising” crypto projects. They used a website that fully mimicked an exchange, showing victims fake charts of rising profits.

According to law enforcement, to lull investors’ suspicions the fraudsters initially paid out small real dividends. Victims then transferred larger sums to the scammers’ crypto wallets.

Once investments hit a certain threshold, the criminals cut off contact with victims and disappeared.

Experts deem AI-generated passwords unsafe

Passwords generated by LLMs can be cracked within hours. That was the conclusion of an experiment conducted by Irregular’s researchers.

The three models tested — Claude, ChatGPT and Gemini — create passwords based on persistent patterns that attackers can exploit.

Researchers asked each LLM to create a 16-character password containing uppercase and lowercase letters, digits and special symbols, and repeated the task 50 times. They checked the results with popular password-strength services, which scored them highly because the systems do not track generation patterns.

Of the 50 passwords, Claude produced only 30 unique ones. Two recurred, and 18 were exact duplicates. Most shared the same first and last characters. ChatGPT and Gemini showed similar results.

While testing Google’s Nano Banana Pro image-generation model, researchers asked it to produce a unique password written on a sticky note. They were able to identify Gemini’s patterns.

Irregular concluded that LLM-generated strings can be cracked within hours using simple software on old hardware. The patterns they found have already seeped into public repositories, as developers widely use AI-generated strings for protection in real projects.

The researchers urged developers to change all AI-generated passwords and to use dedicated solutions and password managers instead.

Olympique de Marseille hit by cyberattack

On 24 February, the management of French football club Olympique de Marseille confirmed a cyberattack after a hacker claimed a breach earlier in the month.

According to BleepingComputer, the attacker posted a sample of allegedly stolen information on a hacking forum, claiming to have taken a database with details of club employees and fans.

The club gave no details of the incident, but the hacker said the stolen database includes information on 400,000 people, including:

• names and addresses;
• order information;
• email addresses;
• mobile phone numbers.

The attacker said the trove also contains data for more than 2,050 Drupal CMS accounts, including 34 club employees and 1,770 authors and moderators.

Ukrainian faces 15 years for selling fake documents

Ukrainian national Yurii Nazarenko pleaded guilty to creating and running the OnlyFake website, the US Department of Justice said.

The platform used AI technologies to generate more than 10,000 realistic counterfeit IDs, including passports, driver’s licences and US Social Security cards, as well as those of 56 other countries. 

According to investigators, the service let customers customise the forgeries by choosing personal data or opting for random generation. Finished documents could appear as digital scans or photos on a table. Users’ primary aim was to bypass KYC checks at banks and crypto exchanges to launder money.

In 2024, undercover FBI agents bought fake passports and ID cards on the site. Nazarenko accepted payment only in cryptocurrency and offered bulk discounts for packages of up to 1,000 documents, attempting to hide transaction trails through a network of anonymous wallets.

The defendant was extradited from Romania in September 2025. He faces up to 15 years in prison. Sentencing is set for 26 June 2026.

PayPal discloses data leak caused by internal error

A software bug in PayPal Working Capital, the firm’s small-business lending app, exposed users’ confidential information, the company said.

According to the notice, the leak began on 1 July 2025 but was discovered only on 12 December. The compromised data included:

• names and email addresses;
• phone numbers and work addresses;
• Social Security numbers;
• dates of birth.

The fintech giant said it rolled back the code change that caused the issue, blocking access to the data the day after the bug was found. PayPal also recorded unauthorised transactions on some customers’ accounts and has reimbursed those affected.

The company reminded users it never asks for passwords or one-time codes by phone, SMS or email. According to a PayPal spokesperson, around 100 customers were affected.

Also on ForkLog:

• An AI audit found a critical bug in an Ethereum client.
• Binance’s leadership denied allegations of $1.7bn in transfers to Iranian entities.
• ZachXBT accused an Axiom employee of insider trading.
• OpenClaw’s AI agent went rogue and deleted a Meta researcher’s email.
• Anthropic accused Chinese AI labs of ‘stealing’ data.
• Terra representatives blamed Jane Street for the ecosystem’s collapse.
• An OpenAI employee’s AI bot accidentally donated ‘for tetanus treatment’.
• Opinion: transaction simulation will help protect crypto wallets.

Weekend reading

In a new feature, ForkLog explores how the philosophical concept of biopolitics plays out in blockchain networks, why metaverses want users’ biological data, and the risks of trading one’s genome.