Ask HN: Startup getting spammed with PayPal disputes, what should we do?

Nature of the attacks and likely motive

  • Most commenters think this is card/credential testing using stolen PayPal accounts or cards: attackers run many low-value transactions to see which accounts still work, then use or sell the “validated” ones.
  • Some suggest it might be automated chargeback abuse to harm the marketplace or its PayPal standing.
  • A minority proposes money-laundering or competitor sabotage, but others (including people with payments experience) argue the pattern fits testing/fraud, not laundering.

Perceived weaknesses of PayPal

  • PayPal is seen as offloading fraud risk to merchants and being slow or unhelpful on non-standard issues; multiple stories of arbitrary freezes, bans, and locked funds.
  • In a marketplace setup, platform-wide controls (e.g., rejecting unverified buyers) often must be configured per seller, limiting defense options.
  • However, several note PayPal remains popular with buyers for trust, convenience, and micropayment pricing; removing it can hurt conversion.

Mitigation strategies proposed

  • Account / buyer controls:
    • Reject or temporarily block unverified PayPal buyers; treat small/micro transactions with extra suspicion.
    • Add email/phone/SMS verification, or hold “risky” orders for manual review.
  • Traffic and identity controls:
    • Use browser/device fingerprinting, header/TLS fingerprints, IP reputation/proxy/VPN checks, and ASN/geo blocking (especially Tor, datacenters, cheap VPS ranges).
    • Rate limiting and velocity rules per IP/fingerprint/email; threat levels that automatically tighten rules on spikes or low approval rates.
    • CAPTCHAs/Turnstile/hCaptcha and JS challenges; some note solvers and AI make these weaker, so they should be adaptive, not the only line of defense.
    • Shadowbanning or returning “success” while not charging, to waste attacker time.
  • Operational responses:
    • “Under attack” modes that disable or heavily gate checkout, even at the cost of lost sales.
    • Extensive logging and monitoring to detect new attacks early.
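The velocity rules and adaptive "threat level" described under Traffic and identity controls can be sketched in a few dozen lines. The following is an added example written for this summary, not code from any commenter, from PayPal or from the startup in question; the sliding window, per-key limits, micro-amount cut-off and the sample checkout events are all constructed assumptions. It counts attempts per IP, device fingerprint and e-mail address, raises the threat level when the recent window shows a spike or a low approval rate (the signature of card testing), and tightens the per-key limit and the handling of micro-transactions accordingly.

```python
"""Velocity rules with an adaptive threat level, run over constructed checkout events."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window for every counter (assumed value)
MICRO_AMOUNT = 2.00              # orders at or below this get extra suspicion (assumed value)
SPIKE_ATTEMPTS = 8               # attempts in WINDOW that count as a spike (assumed value)
LIMITS = {0: 10, 1: 5, 2: 2}     # max attempts per IP/fingerprint/email at each threat level

# Constructed sample events: one IP and device hammering $1.00 orders with rotating
# e-mails (mostly declined), then two unrelated buyers during the burst.
SAMPLE_EVENTS = [
    # timestamp, ip, device fingerprint, email, amount, processor outcome
    ("2024-05-01T12:00:00", "203.0.113.7", "fp-a1", "u1@example.net", 1.00, "declined"),
    ("2024-05-01T12:00:05", "203.0.113.7", "fp-a1", "u2@example.net", 1.00, "declined"),
    ("2024-05-01T12:00:10", "203.0.113.7", "fp-a1", "u3@example.net", 1.00, "declined"),
    ("2024-05-01T12:00:15", "203.0.113.7", "fp-a1", "u4@example.net", 1.00, "approved"),
    ("2024-05-01T12:00:20", "203.0.113.7", "fp-a1", "u5@example.net", 1.00, "declined"),
    ("2024-05-01T12:00:25", "203.0.113.7", "fp-a1", "u6@example.net", 1.00, "declined"),
    ("2024-05-01T12:00:30", "203.0.113.7", "fp-a1", "u7@example.net", 1.00, "declined"),
    ("2024-05-01T12:00:35", "203.0.113.7", "fp-a1", "u8@example.net", 1.00, "declined"),
    ("2024-05-01T12:01:00", "198.51.100.4", "fp-b9", "bob@example.org", 45.00, "approved"),
    ("2024-05-01T12:01:30", "192.0.2.88", "fp-c3", "carol@example.org", 1.50, "approved"),
]


@dataclass
class Event:
    ts: datetime
    ip: str
    fingerprint: str
    email: str
    amount: float
    processor_outcome: str  # what the processor would return: "approved" or "declined"


class VelocityGuard:
    """Tracks attempts per key and raises a threat level when the window looks like card testing."""

    def __init__(self):
        self.by_key = {k: defaultdict(deque) for k in ("ip", "fingerprint", "email")}
        self.recent = deque()  # (ts, final outcome) for every attempt seen, any key

    @staticmethod
    def _prune(dq, now, ts_of=lambda item: item):
        # Drop entries older than WINDOW from the left of a time-ordered deque.
        while dq and now - ts_of(dq[0]) > WINDOW:
            dq.popleft()

    def threat_level(self, now):
        self._prune(self.recent, now, ts_of=lambda item: item[0])
        n = len(self.recent)
        if n == 0:
            return 0
        rate = sum(1 for _, outcome in self.recent if outcome == "approved") / n
        if n >= SPIKE_ATTEMPTS and rate < 0.25:
            return 2  # spike plus very low approval rate: almost certainly testing
        if n >= SPIKE_ATTEMPTS or (n >= 5 and rate < 0.5):
            return 1  # a spike, or a modest volume with a poor approval rate
        return 0

    def decide(self, ev):
        """Return (decision, threat_level) for one checkout attempt and record it."""
        level = self.threat_level(ev.ts)
        limit = LIMITS[level]
        over_limit = False
        for key, value in (("ip", ev.ip), ("fingerprint", ev.fingerprint), ("email", ev.email)):
            dq = self.by_key[key][value]
            self._prune(dq, ev.ts)
            dq.append(ev.ts)  # the current attempt counts toward the limit
            if len(dq) > limit:
                over_limit = True
        if over_limit:
            decision = "block"
        elif level >= 1 and ev.amount <= MICRO_AMOUNT:
            decision = "review"  # hold micro-orders for manual review while under pressure
        else:
            decision = "allow"
        # Only allowed attempts reach the processor; blocked/held ones count as non-approvals.
        outcome = ev.processor_outcome if decision == "allow" else decision
        self.recent.append((ev.ts, outcome))
        return decision, level


def run_sample():
    """Feed the constructed events through a fresh guard and return (decision, level) per event."""
    guard = VelocityGuard()
    results = []
    for ts, ip, fp, email, amount, outcome in SAMPLE_EVENTS:
        results.append(guard.decide(Event(datetime.fromisoformat(ts), ip, fp, email, amount, outcome)))
    return results


if __name__ == "__main__":
    for (ts, ip, *_), (decision, level) in zip(SAMPLE_EVENTS, run_sample()):
        print(f"{ts} {ip:<13} threat={level} -> {decision}")
```

On the sample data the first five attempts pass at threat level 0; once five attempts sit in the window with only one approval the level rises to 1, the per-key limit drops to 5 and the sixth, seventh and eighth attempts from the same IP and fingerprint are blocked; by the time the legitimate $45 order arrives the level is 2, yet it is allowed because its keys are fresh, while the legitimate $1.50 micro-order is held for review rather than refused outright. In a real deployment the counters would live in a shared store (Redis or similar) rather than process memory, and the thresholds would be tuned against the shop's own baseline approval rate.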

Alternatives and ecosystem discussion

  • Many advise planning to migrate away from PayPal (Stripe, Adyen, local gateways, 3DS flows, open banking), but others note similar risk-averse behavior from card processors and the difficulty of replacing PayPal’s reach and user trust.
  • A long subthread debates crypto and stablecoins as an alternative; some report good results and lower fraud, while others argue volatility, regulatory risk, and unsafe adoption by unsophisticated users make them unsuitable as a general solution.