
Exclusive: Scammers Are Flooding Depop and Hacking Users

A VICE UK investigation reveals that fraudsters are taking over accounts to flog Nintendo Switches, Animal Crossing consoles and AirPods to unsuspecting buyers – only to disappear once payment is made.
illustrated by Josh Crumpler
May 18, 2020, 7:30am

Jessica Hamilton has been on a one-woman mission to stop Depop scammers for months now, but no-one’s been listening. It’s been like screaming into the wind.

It all started in February 2020. Jessica, who is 23 and lives in Illinois, saw someone selling a Nintendo Switch on the platform for $235. It was a good price for the sold-out games console, which usually retails at $299 in the US, and £279 in the UK, but not so outrageously low that it was obviously a scam. Hamilton messaged the seller, asking to purchase the Switch through Depop’s PayPal-linked buying platform, which offers users protection against scams. They declined: they’d only accept a direct bank transfer or through the “family and friends” option on PayPal. As the latter doesn’t charge fees, it also doesn’t offer buyer protection – once money is sent through the platform, there’s no way of recovering it.

Hamilton is a reseller herself, buying and selling video games to make money while she hunts for a marketing job. So she immediately knew that a scam was afoot. “It was a huge red flag,” she says. Whereas most people would have reported the account to Depop for fraud and moved on, Hamilton didn’t stop. She started scratching around on Depop – and found that the platform seemed to be crawling with scammers. “If you search ‘Nintendo Switch’ on the page, all you’ll find is people selling fake Nintendo Switches,” Hamilton says.

Since that day, Hamilton has been on a mission to stop scammers on Depop, and to get someone – anyone – to listen to her pleas that the teen-focussed platform has become overrun with fraudsters. She estimates that she's reported around 100 potential scams via the app itself since 8th February, including 25 cases of suspected fraud to Depop via email.

In one typical email from 28th February, Hamilton wrote: “There are new hackers on Depop… I have warned about this multiple times. I believe there has been a data breach or there is some way hackers are able to get into Depop accounts.” She received an auto-response.

When all her attempts to sound the alarm went nowhere, Hamilton turned to other routes. She began warning others on Depop Community, the biggest private Facebook group for users of the app. On 24th February, Hamilton wrote: “There’s definitely a new scam going around Depop… I’ve warned Depop but don’t think they really care.” On 24th April, she posted on Reddit: “I’ve been screaming and begging at Depop for the last 3-4 months… Depop needs to do something and they aren’t – it’s like they don’t care.”

But despite Hamilton’s best efforts, no-one has been listening to her – least of all Depop. Depop has not released a press statement, or emailed users warning of scammers operating on the app. It’s simply been business as usual.

“I don’t understand why Depop aren’t doing anything about it,” Hamilton sighs. “I know I’m not the only person reporting it.”

Depop users complaining about their accounts getting hacked on Twitter. Screengrabs: Twitter

Founded in 2011 by entrepreneur Simon Beckerman, Depop has grown to become one of the most popular reselling platforms in the world. Beloved of teens, around 90 percent of Depop’s 15 million active users are aged under 26. Users can be very young: you only need to be 13 to join. Unlike competitors, its user requirements are comparatively relaxed: users do not have to use their real name, and there is no two-factor authentication, which competitors such as eBay offer.

In a statement to VICE UK, Depop denied that there has been a broader security breach. It said that it “received all of [Jessica’s] reports of fraud and/or hacker activity and can confirm that every single report was resolved within 24 hours of receiving them” by suspending or banning the fraudulent accounts.

“It’s great that Depop is helping users get their accounts back relatively quickly,” Hamilton says, “but they are losing the trust of the people who fell for the scams, plus the victims of the scammers are not getting their money back. They’re just putting a Band-Aid over the issue – because the scammers turn around and hack another account on the very same day.”

Hamilton isn’t the only user who’s noticed hacking on the platform. VICE UK spoke to nine users who were hacked or fell victim to hackers on Depop. Based on their testimony and early reports of hacking on the Depop Community Facebook group, it appears that scammers first emerged on the app at the end of 2019, although their efforts seem to have intensified in recent months – perhaps because the coronavirus lockdown keeps teenagers at home, browsing for items online.

Most scammers seem to follow the same MO: they hack a legitimate Depop user’s account without the original user realising; usually, the person being hacked is a young woman with positive seller reviews who hasn’t used her account for a while. The hackers then list high-value, in-demand items using photos they’ve stolen from other listings. According to the users I interviewed, Nintendo Switches, Apple AirPods and Animal Crossing games are the most commonly scammed items.

Depop confirmed to VICE UK that it has seen “an increase in scams related to consumer tech products, such as AirPods, Nintendo Switches, iPhones”, but stressed that the majority were conducted via “out-of-app” payment methods that are “explicitly prohibited on Depop and against our rules”.

To avoid suspicion, the hacker updates the seller’s other listings, so that the bogus listing is buried down their page. To prevent users simply purchasing the fake item through Depop’s PayPal-linked technology, which offers buyer protection against fraudsters, scammers will leave a note in the listing asking for potential buyers to contact them before purchasing. When buyers message the hacked account, the scammer will offer to sell the item through PayPal family and friends, or direct bank transfer. In messages viewed by VICE, the hacker will approximate the lexicon of a teen girl – putting “x”s after messages, or using words such as “babe” and “hun” – seemingly in order to avoid suspicion.

Usually, the fact that the hacked account has multiple genuine reviews will be enough to reassure nervous buyers. But if they are still cautious about sending money outside the app, hackers will sometimes say that their PayPal has been blocked due to their own account being hacked by Depop scammers – a useful meta-lie – and offer to accept half bank transfer in advance and half on delivery of the item to put buyers at ease. The buyer sends them the money – only for the scammer to block them, delete the listing and disappear with their money. Hamilton believes the scammers are European: they tend to use the word “mum” rather than “mom” in messages, and adopt other European affectations such as ending messages with the letter “x”.

The earliest reference VICE UK found on Depop Community to this particular scam is from December 2019. By February, the scam appeared widespread, and it’s still ongoing to this day: searching the platform for Nintendo Switch and AirPods, I could see scammers hacking accounts in real time: burying scam listings in long-dormant accounts, and updating item descriptions to read “message before buying”.

In the course of writing this article, I messaged 13 Depop users offering Nintendo Switches and AirPods for low prices. Of the eight who responded, three asked for me to pay for the item using bank transfer or PayPal family and friends, refusing any other form of payment. In another instance, I messaged a scammer as the account’s owner realised she was being hacked. “Hi sorry my account has been hacked and I’m not actually selling these,” the account owner responded to my inquiry about some AirPods.

The effect of watching these scammers in action was like watching a snake digest a small animal it has recently swallowed. Externally, everything appears in order, but if you look closely, you can see the shuddering traces of a struggle beneath the skin.

Hackers on Depop taunting users they've scammed and hacked. Photos: courtesy of users

Being a victim of Depop scammers can be a frightening and unnerving experience, particularly as so many Depop users are barely in their teens. Dumfries student Luna Patterson’s 13-year-old brother Bryce was scammed out of £150 after someone hacked a legitimate account and tricked him into sending money through PayPal family and friends for a non-existent Nintendo Switch.

“They blocked him and sent him taunting messages,” Patterson sighs. “He spent ages saving up [for a Switch].” Patterson forwards me the messages: in them, the hacker taunts both Bryce and the account’s owner. “Fuck you bitches and ezi £100 pussios [sic],” the hacker writes, followed by the sunglasses emoji. The account’s real user sends a panicked, apologetic follow up to Bryce: “hi i did not send that I don’t know what’s happening I changed my password and everything… I’m emailing depop about this right now.”

Josh Lee, a 20-year-old student from Oxfordshire, was duped into sending a Depop scammer £150 for a Nintendo Switch in late April. “I’m kind of kicking myself,” he admits. “I don’t know why I trusted her, but it felt genuine.” The seller claimed to be a mother selling a Switch her children didn’t want. She was friendly and chatty, and the account had good reviews. After Lee queried when his Switch would be arriving, the account disappeared.

It’s not just those being tricked out of their money who suffer. Original account users have disrupted scams as they’re happening, warning buyers not to purchase items and telling them their account has been hacked. Inevitably, hackers respond angrily to these disruptions.

Sophia*, a 30-year-old marketing manager from Sheffield whose name we have withheld at her request, was in bed one Saturday morning in late April when she received an unusual message on Instagram. It was someone asking if Sophia was legitimately selling an iPhone 11 on Depop for £200. Sophia rarely uses Depop – her account had been hacked. “I saw the listing and thought, ‘Oh crap,’” she says.

Reading through her messages, Sophia realised that the scammer had tricked people into sending money directly to their bank account for the phone. “They were talking like a stereotypical girl on the internet,” Sophia says. “Using ‘hun’ a lot, and sending heart emojis.” She reported the scam to Depop and to Starling, the scammer’s bank. She posted a listing on her Depop profile telling people that she had been hacked, and warning them to look out for scammers. Then Sophia closed Depop, changed her password, and went back to enjoying her weekend in lockdown, thinking it was all over. She was wrong.

“Saturday evening comes around,” Sophia says, “and my friend messages me and says, ‘Have you seen your Depop?’” Her stomach flipped. The hacker had gone into Sophia's private user information and copied and pasted her full name and her home address into a public listing. In the caption, the hacker had written: “House for sale! Watch what I get delivered to it.” Sophia was terrified. “I panicked,” she says. “It was 10 PM. I thought, am I going to get a brick through my window?”

She emailed Depop asking them to delete her account permanently – users can’t delete it themselves – and then spent a sleepless night tossing and turning, frightened the hacker would come good on his threat. It was five days before Depop responded and deleted her account.

Because Depop does not automatically log out of every device when a password has been changed, users can become locked in tussles for control over their account with scammers: the legitimate user changes the password, only for the scammer to reset it, and a back-and-forth ensues. VICE UK viewed one conversation in which a Depop user pleaded with a scammer to give him access back to his account. “Can you change the email address back to mine?” the user pleaded. “Absolutely not, I’m a cunt,” the scammer responded.
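The tussle described above happens when a password change leaves existing sessions alive. The following is an added illustration, not Depop’s code, of the usual fix: each user carries a session “generation” counter, every token records the generation it was issued under, and a password change bumps the counter so that every earlier token, including one held by an intruder, stops validating. The user names, key, token format and password hashing parameters are all constructed for the example.

```python
# Added example, not Depop's code: a session store in which changing the
# password bumps a per-user "generation" counter, so every token issued
# before the change (including one held by an intruder) stops validating.
# All names, keys and data below are constructed for illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SERVER_KEY = secrets.token_bytes(32)  # constructed; a real service keeps this in a secrets manager


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2; a production system would tune iterations or use argon2."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    session_generation: int = 0  # incremented on every password (or email) change


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(user: User) -> str:
    """Mint a signed token that records the user's current generation."""
    payload = f"{user.username}:{user.session_generation}:{secrets.token_hex(8)}"
    return f"{payload}.{_sign(payload)}"


def validate_session(users: Dict[str, User], token: str) -> Optional[User]:
    """Accept a token only if the signature is intact and its generation still
    matches the user's; a stale generation means the session was revoked."""
    try:
        payload, sig = token.rsplit(".", 1)
        username, generation, _nonce = payload.split(":")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    user = users.get(username)
    if user is None or int(generation) != user.session_generation:
        return None
    return user


def change_password(user: User, new_password: str) -> None:
    """Rotate the password and, in the same step, log out every device."""
    user.salt = secrets.token_bytes(16)
    user.password_hash = hash_password(new_password, user.salt)
    user.session_generation += 1


def demo() -> Tuple[bool, bool, bool]:
    """Returns (intruder token valid before the change, valid after, fresh token valid)."""
    salt = secrets.token_bytes(16)
    users = {"alice": User("alice", salt, hash_password("old-password", salt))}
    alice = users["alice"]
    intruder_token = issue_session(alice)  # constructed: a login obtained with a reused password
    before = validate_session(users, intruder_token) is not None
    change_password(alice, "a new, unique passphrase")
    after = validate_session(users, intruder_token) is not None
    fresh = validate_session(users, issue_session(alice)) is not None
    return before, after, fresh


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The same counter can be bumped when the account email is changed, which closes the “change the email back” loop quoted above: whoever holds the old session cannot keep acting on the account once the legitimate user has reset either credential.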

Screengrabs of the threats and abuse that Hamilton receives on Depop. Photos: Jessica Hamilton

Hamilton has also been abused and threatened by scammers on the app. When Hamilton warned one user that their account had been hacked, the scammer responded “fuck off you donkey” to her. A second scammer told her to back off after seeing her warning other users about hacking on the app: “always sticking your big nose in where it’s not wanted cunt… I see you on every post fuck off”. A third scammer sent a menacing message, promising to hack Hamilton’s personal Depop account. “I’ll use your account soon when I’m ready I’ll wait till your sleeping and rape your PayPal account too with so many g&s [money] you will get fully limited when I’m done with you I promise, I’ve had enough of you for real,” they wrote.

Hamilton immediately changed her Depop password – at which point the scammer wrote, “Jesus Christ you change your Depop password a lot… didn’t know we had you on edge this much.” She is unsure whether or not her account was hacked. “How else would they know I was changing my password?” Hamilton tells me. “They messaged me the minute I changed my password.”

I ask Hamilton whether she’s frightened for her wellbeing: the scammers know who she is, and they’re pissed off at her. “I was at the beginning,” she says. “I’m not so much now.”

What exactly is going on here? VICE UK asked leading threat intelligence analyst Liv Rowley of cyber-security experts Blueliv to investigate. She found evidence that hacked Depop accounts had been sold on Empire Market, one of the biggest darknet marketplaces. How were these accounts obtained? “They likely gained access to these accounts via credential stuffing,” Rowley explains. “Credential stuffing is when cybercriminals obtain lists that have information about compromised usernames or emails, and their corresponding passwords. They then use tools to automatically check whether those username and password combinations can log into other locations.”

Say you use the same email and password to log into both Depop and MyFitnessPal. If MyFitnessPal suffers a data breach – as it did in 2018 – cybercriminals can take your leaked credentials, run them through credential stuffing software such as SentryMBA, which tests email and password combinations against other platforms to see whether they also grant access, and find that the same details unlock your Depop account. “Credential stuffing is effective because of password reuse,” Rowley explains. “That means one compromised account has the potential to become many compromised accounts.”

Rowley found a Depop “config” for SentryMBA being shared on the deep web (a part of the internet that requires specialised access), meaning that SentryMBA had been specifically modified to make it possible to run Depop accounts through the software. “What that means,” Rowley explains, “is that conducting credential stuffing attacks against Depop would be fairly easy to do. This shared config makes targeting Depop very accessible.” The SentryMBA config was first shared on the darkweb a year ago, meaning that cybercriminals could have targeted Depop since then.

Depop told VICE UK that it was aware of Depop credentials surfacing on the darkweb in the past and was working to understand “if and how Depop accounts have been compromised and how we can take appropriate action”.

One thing is clear: Depop has been aware of scammers operating on the platform since December 2019. On December 20th, a user posted on the popular Depop Community Facebook group. “Hi guys, I really need some help someone has hacked my depop trying to sell items through friends and family.” Since that post, at least 25 Depop Community users have warned of account hacking and scamming. Two of the admins on the group are listed as Depop employees on LinkedIn, though the company told VICE UK that it does not moderate the group.

On the Facebook group, users repeatedly complain that the platform isn’t taking hacking seriously. “I have raised this concern with Depop a few times but no solid answers,” writes one user on 3rd February. “My account is being hacked right now… I have emailed Depop all the screenshots but no reply,” writes another on 2nd March. “Does anyone have any advice on what to do if your account gets hacked?” writes a third user on 9th March. “I’ve reached out to Depop help on Instagram and Twitter and sent an email to them but I have got no response?”

In addition to the posts and Hamilton’s fraud reports, dozens of users have been complaining of having their Depop accounts hacked on Twitter. On 26th March, user @hometownjess tweeted: “@depop hey a lot of accounts are getting hacked by scammers right now is there anything you guys can do to help? One of them threatened to hack my account :/.” Depop did not respond to her tweet.

Almost all of Depop’s responses have been generic. “Thank you for reporting this to us,” reads one typical response that was shared with VICE UK by a user who had been hacked. “By doing this, you are helping us make Depop a safer marketplace. We have investigated the user’s account and taken the action of removing them from the platform to protect our amazing community.”

But occasionally, Depop has publicly admitted they are aware of fraudulent behaviour on the platform. On March 13th, the @askdepop Twitter account replied to one user: “Depop has in no way had a data breach. If this had happened, we have a responsibility to communicate this to all affected users. Account takeovers happen due to weak passwords; we strongly suggest users set complex passwords and update regularly.”

Another Depop employee made a similar statement via email to Hamilton. “I highly recommend you have different passwords for online accounts,” wrote Depop employee James, “and make sure they’re super complex to avoid a security breach.” With the exception of James’ email, every other response Hamilton has received has been an auto-response.

Jessica Hamilton: "When I first joined Depop, I was one of those young kids who could have fallen for a scam like that."

“No one has been listening to me,” says Hamilton. “The thing that I don’t understand is that this isn’t benefiting anyone. Depop is losing everyone’s trust, and because the hackers are getting people to pay off the app, they’re [Depop] not even profiting from it.” I ask Hamilton why she’s been fighting so hard to get the platform to do something about scammers, when they’re clearly not listening. “I guess I just feel bad,” she says. “There’s so many young people on Depop. They’re falling for it. When I first joined Depop, I was one of those young kids who could have fallen for a scam like that.”

Sophia also feels that Depop isn’t taking hacking seriously. “It’s really frustrating,” she says. “They clearly aren’t addressing it. It’s rife. If you search ‘Depop hacked’ on Twitter, there are multiple reports every day.” She still feels unsafe in her home – which is doubly distressing, given she’s stuck there due to the lockdown restrictions. “I live in a ground floor flat, and I’m double-checking all the doors all the time,” she says. “Them [the hackers] using my personal information has really got under my skin. Especially in the current climate, where you can’t go anywhere or leave the house.”

She doesn’t understand why Depop isn’t warning people. “Even just putting out a statement telling everyone to change their passwords would help,” Sophia says. “I know they want to make out everything’s okay, but it’s not.”

Has Depop done enough to keep its platform safe? “There are things that can be done to mitigate credential stuffing,” says Rowley. “For example, Depop could notify users about suspicious login activity, or offer and encourage two-factor authentication, if they’re not doing so already.” Depop does not offer two-factor authentication, although it does notify users about email changes. It also told VICE UK that it is “actively working” on offering “enhanced authentication efforts”.
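Rowley’s description of credential stuffing earlier in this piece and the mitigation she suggests here fit together: the attack has a recognisable shape in a platform’s login logs, and the successful logins that fall inside that shape are exactly the ones a user should be told about. The following added example, not Depop’s code, runs over a constructed set of login records, flags a source that cycles through many different usernames with mostly failed attempts, and lists the successful logins that merit a notification (flagged source, or a device the account has never used before). The log format, addresses, usernames, device ids and thresholds are all assumptions made for the example.

```python
# Added example, not Depop's code: a detector run over constructed login
# records that (1) flags sources whose pattern matches credential stuffing,
# i.e. one client cycling through many different usernames with mostly
# failures, and (2) lists the successful logins a user should be told about.
# The log format, addresses, usernames, device ids and thresholds are all
# assumptions made for this example.
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample log: "timestamp source_ip username outcome device_id"
SAMPLE_LOG = """\
2020-04-25T09:00:01 203.0.113.7 amy_shop FAIL dev-zz1
2020-04-25T09:00:02 203.0.113.7 bella.vintage FAIL dev-zz1
2020-04-25T09:00:02 203.0.113.7 chloe_x FAIL dev-zz1
2020-04-25T09:00:03 203.0.113.7 dani.closet OK dev-zz1
2020-04-25T09:00:04 203.0.113.7 emma_sells FAIL dev-zz1
2020-04-25T09:00:05 203.0.113.7 fay.thrift FAIL dev-zz1
2020-04-25T09:00:06 203.0.113.7 gigi_finds FAIL dev-zz1
2020-04-25T09:00:07 203.0.113.7 hana.shop OK dev-zz1
2020-04-25T09:15:00 198.51.100.20 dani.closet OK dev-a1b2
2020-04-25T09:20:00 198.51.100.21 kate_vintage FAIL dev-c3d4
2020-04-25T09:20:09 198.51.100.21 kate_vintage OK dev-c3d4
"""

# Constructed: devices each account has logged in from before.
KNOWN_DEVICES: Dict[str, Set[str]] = {
    "dani.closet": {"dev-a1b2"},
    "hana.shop": {"dev-h9"},
    "kate_vintage": {"dev-c3d4"},
}

MIN_DISTINCT_USERS = 5   # assumed: one genuine client rarely tries 5+ identities
MIN_FAILURE_RATE = 0.5   # assumed: stuffing lists mostly miss


def parse_log(text: str) -> List[dict]:
    """Split the constructed space-separated records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome, device = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "outcome": outcome, "device": device})
    return events


def stuffing_sources(events: List[dict]) -> Set[str]:
    """Source addresses whose attempts look like credential stuffing."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        s["failures"] += e["outcome"] != "OK"
    return {
        ip for ip, s in per_ip.items()
        if len(s["users"]) >= MIN_DISTINCT_USERS
        and s["failures"] / s["attempts"] >= MIN_FAILURE_RATE
    }


def suspicious_logins(events: List[dict], known_devices: Dict[str, Set[str]]) -> List[str]:
    """Successful logins worth a user notification: from a flagged source, or
    from a device the account has never used before."""
    flagged = stuffing_sources(events)
    alerts = []
    for e in events:
        if e["outcome"] != "OK":
            continue
        reasons = []
        if e["ip"] in flagged:
            reasons.append("credential-stuffing source")
        if e["device"] not in known_devices.get(e["user"], set()):
            reasons.append("new device")
        if reasons:
            alerts.append(f"{e['user']}: login at {e['ts']} from {e['ip']} ({', '.join(reasons)})")
    return alerts


if __name__ == "__main__":
    for alert in suspicious_logins(parse_log(SAMPLE_LOG), KNOWN_DEVICES):
        print("notify", alert)
```

In the constructed sample, the two accounts whose reused passwords happened to match are the ones that get a notification; the routine logins from known devices do not. The thresholds are deliberately simple; a real deployment would add rate limits per source and per target account, and would treat the email-change notification Depop already sends as one more signal in the same pipeline.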

In fact, Depop did warn users about credential stuffing in July 2019, and required them to change their passwords. But it hasn't issued any subsequent alert since then, or warned users about account hacking or scamming, despite the fact that scammers have been operating on the app since at least December 2019 – six months after Depop’s last, and only, alert.

The company told VICE: “In line with industry practice, there is no reason for us to prompt our users to change their passwords or login information unless their accounts have been compromised. If a user’s account has been compromised, we will notify users to update their Depop passwords immediately. We will also inform them when their PayPal account has been disconnected as that can lead to their account being compromised.

“There are a number of reasons why we don’t actively broadcast hacking or fraudulent behaviour taking place on our platform, but where possible we avoid communicating this information more broadly to reduce the risk of bad actors finding ways to exploit our platform.”

Lawyer Mark Woloshak, head of the dispute resolution team at Slater and Gordon, believes that Depop may have been negligent, particularly given their young teenage userbase. “You owe your users a duty of care,” he explains, “and you have a legal obligation to protect them – particularly if those people are more vulnerable, due to their age.”

Because Depop was aware that scammers were operating on the platform, but did not warn users, victims might be able to bring a claim of negligence against Depop in civil court to recover the money they lost. “It would be easy for Depop to put out an email saying, ‘Change your password, there is hacking going on,’” says Woloshak. “There’s no reason they couldn’t do that. The fact they haven’t done that could possibly lead to a class action group litigation, because Depop has failed to warn users that scammers are on the app, and breached their general duty to ensure that things aren’t being stolen.” (Depop told VICE UK that it “firmly rejects any allegation of negligence”.)

In addition, Sophia's case could constitute a breach of data protection laws. “By the very fact that these hackers published her address online, that means that Depop has failed in their GDPR obligations to keep that confidential information safe,” Woloshak says. Sophia could have grounds to complain to the Information Commissioner's Office, and possibly seek damages.

“At Depop, the safety of our community is our foremost priority,” Depop COO Dominic Rose told VICE UK. “We take any forms of misuse and fraudulent behaviour extremely seriously and we have a zero-tolerance approach for individuals who seek to take advantage of our community. Practices such as scamming and account hacking are issues that affect all digital commerce platforms, including Depop, but we understand that this does not excuse the responsibility, duty and commitment we have to protect our users from harm.

“Not only do we consistently enforce our terms of service to proactively remove bad actors from our community; we also have a dedicated Trust & Safety department, led by our Director of Trust & Safety, which is responsible for continuously building new and improved methods of detection and protection. We have placed significant investment behind this department to upgrade the way we tackle misuse of the platform, as well as launching efforts to improve education and fraud awareness amongst our community.”

Until Depop steps up and roots out the scammers threatening and stealing from users on its platform, it looks likely that the teen-focussed app will remain a hotbed for fraud, theft and abuse. In the meantime, Hamilton is determined to continue her crusade against Depop scammers. But she’s decided to stop speaking with the scammers directly. “I’ll keep reporting scammers and warning people online,” she says. “But I probably won’t keep talking to the scammers. It’s too scary.”

@thedalstonyears