Hackers Are Breaking Into and Emptying Cash App Accounts

Hackers are breaking into unsuspecting victims’ Cash App accounts, a massively popular payment app, and stealing hundreds of dollars, according to victims Motherboard spoke to. In one person’s case, they said, Cash App has not reimbursed them for the stolen funds.

“It’s scary!” Liz Shelby, who said their son was a victim of the hacking, told Motherboard in an online chat. “My son saved up some cash for a small vacation with his grandma. We put it in his Cash App before he left. He called me on Aug. 9, and told me that his money was gone.”

Shelby said that after she looked at the account she found that someone else had logged into it and sent themselves the money. Shelby said she’s been emailing Cash App support, without success. 

“I’m not getting anywhere and I’m sure my son will never get his money back,” she added.

Cash App is one of the most popular payment services apps, with over 50 million downloads from the Google Play Store. Cash App also gained some infamy for large scale cash giveaways on social media. The app is owned by payment services company Block, which was formerly known as Square. Jack Dorsey runs the company.

Marvis Herring, another target, told Motherboard that hackers attempted to steal $1,400, in the form of two installments of $700. In those cases, Herring believes his bank blocked the fraudulent transactions. 

Motherboard saw many other people reporting on social media that their Cash App accounts had been compromised in some way.

Sign up for Motherboard’s daily newsletter for a regular dose of our original reporting, plus behind-the-scenes content about our biggest stories.

“The main thing I thought was weird is that I went to change my account password and there really isn't a password for Cash App accounts,” Herring added. When users sign up to Cash App, they can use either an email address or a phone number to open an account. After doing so, they receive a login code sent to either of those.  

On fraud websites, dark web marketplaces, and social media, multiple people appear to be selling login details associated with Cash App accounts. Some of these peoples’ listings specify that the logs contain the email address and password for a linked email account. Some of the listings may be scams, but those on the dark web marketplaces come from fraudsters who have received positive feedback from alleged customers, according to the review system that is common on such sites. One listing for hacked Cash App accounts said the vendor has sold that specific item multiple times.

“Our Cashapp accounts are of the highest quality and we provide them at the most competitive prices on the market today,” one listing reads. “Full Information Presented Recently Compromised.” The listing says that buyers get the hacked login credentials, the victim’s cookie file, and information such as what IP address the victim used. This sort of information can be useful to fraudsters to trick sites or apps into letting them log in as the user.

The listing claimed that the hacked Cash App accounts can include between $1,000 and $5,000 in available balance. It is common for members of the fraud ecosystem to fulfill different roles. Some focus on sourcing hacked accounts and then selling them, while others work on effectively cashing them out. 

On its website, Cash App encourages users to make sure their linked email address has two-factor authentication enabled. The app also has an extra feature called Security Lock which means that each transfer requires the user to enter a PIN.  

“Preventing fraud is critically important to Cash App. We continue to invest in and bolster fraud-fighting resources by both increasing staffing and adopting new technology. We are constantly improving systems and controls to help prevent, detect, and report bad activity on the platform,” a Cash App spokesperson told Motherboard in a statement. “For those who believe they have fallen victim to an identity-theft or account take-over scams, we encourage them to reach out to Cash App Support where we will review the account in question. If deemed fraudulent, we will take the necessary action starting with account closure and disablement of all applicable products.”

Fraudsters also appear to be offering Cash App accounts for another purpose: laundering money. Motherboard found multiple listings on a dark web marketplace offering these newly created and verified accounts. Cash App requires users to verify their identity to use some features, and this can require them providing their Social Security Number with the platform. These already verified accounts will allow fraudsters to buy Bitcoin through the Cash App without having to verify their identity, the listing suggests.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.