My startup defends companies from exactly this. (www.specprotected.com)
Happy to give guidance to a fellow startup - I know you're unlikely in a position to be able to pay for a solution.
Digital goods, donations, ticketing, any sort of marketplace -- it doesn't matter your size, just having a merchant account they can transact against is enough motive for them.
Thanks, Nate. What's the best way to reach you?
I can't respond to every comment right now because we're actively dealing with it. There were more attempts this morning. Some quick replies to some of the frequent comments:
* We're on a paid Cloudflare plan. We upgraded to the ~$2500 after this started and added a lot of filtering rules and interactive challenges to some key pages. Because purchases are either browser automation or humans, this has only been somewhat effective at filtering out bad traffic.
* IP checks show a mix of proxy/VPN and not. Blocking at the IP or ASN level won't get us very far.
* PayPal's Marketplace "platform" (it's a few APIs) processes orders through each of our sellers' accounts. As a result, we can't prevent purchases from unverified accounts because that has to be done by each seller.
* Moving off of PayPal isn't possible. For a marketplace platform in the US, the only other real option is Stripe Connect, but our domain has a lot of micro-transactions and Stripe's $2 per month per active user is a nonstarter. We experimented with Stripe and users (esp casual sellers) found their onboarding so intimidating that we lost signups. We would love other options, we have great concerns about PayPal as a longterm partner.
* Blocking the domains the purchases come from is not an option. They are recognizable names used by more legitimate users than illegitimate. We are adding extra scrutiny to these checkouts but we think it's possible they'll change tactics if they know we're onto that.
* Thank you for the fingerprint suggestions. We are going to try Fingerprint Pro.
* We've been gradually increasing friction via automated challenges and blocklists. We will increase this with more invasive Captchas, especially when aspects of the sale match criteria.
* We built an "Under Attack" mode that we can enable to completely disable key areas. We are prepared to temporarily shut down all sales if need be.
* We blocked prepaid credit cards from signing up for our subscriptions. This is a separate vector and we've had a few people try this over the past year. There was at least one person who did both the PayPal fraud and a signup scam + AI content. This should cut that off.
Again, thank you to everyone for the advice. We're monitoring this post closely.