PayPal Data Leak, OnlyFake Guilty Plea & AI Password Flaws

A string of notable cybersecurity incidents marked the past week: an internal PayPal bug exposed sensitive customer data, a Ukrainian national pleaded guilty to running an AI-powered fake document platform, and researchers demonstrated that LLM-generated passwords are dangerously predictable.

Four Fraudulent Call Centers Dismantled in Dnipro

A joint operation by Ukrainian and Baltic law enforcement agencies dismantled a large-scale fraud network in Dnipro. According to Ukraine's SBU press center, the operation resulted in the arrest of the organizer and 10 associates. Over one year, the group defrauded EU citizens of at least $1.2 million. The suspects face up to 12 years in prison with asset confiscation.

The criminals operated four call centers whose operators persuaded foreign citizens to invest in "promising" crypto projects. They used a website mimicking a crypto exchange, displaying fake profit growth charts. To build trust, small real dividends were initially paid to victims, who then transferred significantly larger sums to the fraudsters' crypto wallets. Once deposits reached a certain threshold, the scammers blocked their contacts and vanished.

AI-Generated Passwords Found Vulnerable

Researchers at Irregular conducted an experiment showing that passwords generated by major language models can be cracked within hours. Three tested models — Claude, ChatGPT, and Gemini — produce passwords based on consistent patterns that attackers can exploit.

The team asked each LLM to generate 50 passwords of 16 characters including uppercase and lowercase letters, numbers, and special characters. When checked through popular password strength analyzers, these passwords scored highly because the tools don't detect generation patterns.

The results were striking: of Claude's 50 passwords, only 30 were unique — 2 were repeated and 18 were exact copies. Most shared the same first and last characters. ChatGPT and Gemini showed similar issues. When testing Google's Nano Banana Pro image model by asking it to create an image of a password on a sticky note, researchers identified Gemini's characteristic patterns.

The researchers concluded that these predictable patterns have already spread into open-source repositories, as developers widely use AI-generated passwords in production environments. Irregular recommended replacing all AI-generated passwords and switching to dedicated password managers.

Olympique Marseille Confirms Cyberattack

On February 24, French football club Olympique Marseille confirmed a cyberattack following a hacker's claim of a breach earlier in the month. According to BleepingComputer, the attacker posted a sample of allegedly stolen data on a hacking forum, claiming to have exfiltrated a database containing employee and fan information.

The club did not provide details about the incident. The hacker claimed the stolen database contains information on 400,000 individuals, including:

• Names and addresses;
• Order information;
• Email addresses;
• Mobile phone numbers.

The attacker also claimed the breach includes over 2,050 CMS Drupal accounts, among them 34 club employee accounts and 1,770 author and moderator accounts.

OnlyFake Creator Faces Up to 15 Years in Prison

Ukrainian national Yuriy Nazarenko pleaded guilty to creating and operating OnlyFake, a platform that used AI technology to generate fake identity documents. The U.S. Department of Justice reported that the service produced over 10,000 realistic forgeries — passports, driver's licenses, and Social Security cards — for the U.S. and 56 other countries.

The platform allowed customers to customize documents with specific personal details or generate them randomly. Finished forgeries appeared as digital scans or photographs of documents on a surface. Users primarily sought to bypass KYC verification procedures at banks and crypto exchanges for money laundering purposes.

In 2024, undercover FBI agents purchased fake passports and ID cards from the site. Nazarenko accepted only cryptocurrency payments and offered bulk discounts on packages of up to 1,000 documents, routing transactions through a network of anonymous wallets.

The defendant was extradited from Romania in September 2025. He faces up to 15 years in prison, with sentencing scheduled for June 26, 2026.

PayPal Discloses Data Leak Caused by Internal Bug

A software bug in PayPal Working Capital — the company's small business lending product — exposed confidential customer information. According to PayPal's disclosure, the leak began on July 1, 2025, but was not discovered until December 12. Compromised data included:

• Names and email addresses;
• Phone numbers and business addresses;
• Social Security numbers;
• Dates of birth.

PayPal stated it reverted the code change that caused the issue and blocked access to the data the day after discovery. Unauthorized transactions were detected on some affected accounts, and the company has already issued compensations to those customers.

A PayPal spokesperson said the incident affected approximately 100 customers. The company reminded users that PayPal never requests passwords or one-time codes via phone, SMS, or email.

Why This Matters

This week's incidents highlight a broad threat landscape — from targeted crypto fraud schemes to vulnerabilities in major fintech products. The OnlyFake guilty plea signals growing law enforcement pressure on services enabling KYC bypass. Meanwhile, Irregular's research challenges the increasingly common practice of using AI to generate passwords in software development, revealing systematic weaknesses that could compromise real-world systems at scale.