Dozens of Argentine users of the Payoneer virtual wallet have reportedly been hacked and their accounts emptied in the last week.
“All my money was gone,” user CundoTest wrote on a Reddit thread on Monday that, as of Saturday, had 289 replies. “I still am in shock; that [account] had my savings from two years of working.”
Other users said that they received SMSs from Payoneer with codes to verify their accounts on the nights they were emptied. Affected users have reported the attacks on platforms like X, Reddit, and Discord.
“Basilio,” a 30-year-old software industry worker who asked that his real name not be revealed, told the Herald that he noticed he was hacked when he received notifications that purchases were made with his Payoneer debit card in supermarkets in the United States while he was in Mar del Plata. He lost close to US$1,000.
He said he spent hours skyping with Payoneer representatives trying to get the money back. Other users on social media reported that Payoneer told them they would answer in “one to seven days.”
In a post on X, computer security expert and journalist Julio López pointed out that, according to a survey, all affected users used Movistar as their cellphone service provider. According to López, the security breach most likely came through Movistar via a third-party SMS gateway the company uses — an interface that allows a computer to send or receive text message transmissions between telecommunications networks.
Payoneer uses a 2-step authentication process in which users receive codes via SMS to verify their identities. The hacker most likely intercepted those codes by illegally accessing Movistar’s SMS gateway. The maneuver, according to López, also involved creating a phishing website through which the hacker obtained the users’ email addresses.
Phishing is a social engineering attack. According to the FBI, it is the most common cybercrime in the world. It consists of deceiving people into revealing sensitive information, usually through a fake website that pretends to belong to an institution. According to López, with the email and the phone, the hacker could access the users’ accounts.
“Basilio” said, however, that he spoke with many affected users, who said that, like him, they did not fall for any phishing websites. “I can believe that, given that we’re all people who more or less know our way around the [software] environment,” he said.
“In fact, when you work in computer systems, [our superiors give us] security courses all the time — I am convinced that more than 90% would not have fallen for something like that.”
On Thursday, Movistar said in a post on its X account that it became aware of the Payoneer hackings through social media and denied any responsibility. “Movistar is not responsible for the messages (nor the content) that third parties send by using their network,” the post said. “Nevertheless, we have taken precautions with the numbers from which some clients reported to have received those communications.”
Payoneer is a New York-based financial services company that provides online money transfer services, among others. In Argentina, it is mostly used by people who work for foreign companies because of the exchange rate gap: it allows them to easily bring in U.S. dollars without having to convert them to pesos at the official rate.
“Basilio,” for example, used Payoneer to slip under the radar of Argentina’s revenue service and get a better rate. He usually converted the money to cryptocurrency in “cuevas” — Spanish for caves, illegal exchange houses. He said that if the government charged him a tax similar to the commission he pays the cuevas, he would consider placing his dollars in a local bank account.
“In cuevas, you always end up paying a fee between 6% and 8%,” he said, noting that the exchange rate gap is close to 60%. “Whether I pay it to the cueva or the government, it’s all the same to me.”
However, he said that he is now considering switching to Wise, a UK-based foreign exchange financial technology company.