Payment processor Paddle has agreed to settle with the FTC over allegations related to tech support scams
# Incident Report: Paddle Settlement for Aiding Tech Support Scams
## Executive Summary
Payments firm Paddle agreed to pay the FTC a $5 million settlement for processing payments for tech support scammers, violating several US regulations, including the FTC Act and the Telemarketing Sales Rule. The core issue involved Paddle enabling overseas entities to process credit card payments from US consumers, often facilitating automatically renewing, undisclosed subscription charges for fraudulent tech support services. The outcome required Paddle to permanently cease processing payments for tech support telemarketers.
## Incident Details
- Discovery Date: Not explicitly stated; the settlement was announced around June 18, 2025.
- Incident Date: Not explicitly stated. A known Paddle client (Restoro-Reimage) reached its own settlement in March 2024, so the payment-processing activity at issue predates that date.
- Affected Organization: Paddle (UK-based payments firm).
- Sector: Financial Services/Payment Processing.
- Geography: US Consumers were targeted; Paddle is UK-based.
## Timeline of Events
### Initial Access
- Date/Time: Not applicable (This was a regulatory investigation into processing activities, not a network intrusion).
- Vector: Paddle allegedly opened merchant accounts for third-party entities.
- Details: Paddle acted as a "merchant of record" or "software reseller" to process card payments for tech support scammers.
### Lateral Movement
- Not applicable (This was a regulatory/financial case concerning payment facilitation, not network movement).
### Data Exfiltration/Impact
- Impact: Consumers were charged for automatically renewing subscriptions without clear disclosure. Paddle enabled overseas entities to collect payments while evading banking risk monitoring.
### Detection & Response
- Detection: Allegations brought forward by the Federal Trade Commission (FTC).
- Response Actions: Paddle agreed to a $5 million settlement with the FTC and is permanently banned from processing payments for tech support telemarketers.
## Attack Methodology
*Note: Since this is a regulatory settlement over the facilitation of fraudulent business practices rather than a technical intrusion, the MITRE ATT&CK tactic headings below are adapted to the payment-processing context.*
- **Initial Access (to payment system):** Opening merchant accounts for unrelated third-party merchants/scammers.
- **Persistence:** Allegedly enabling evasion of bank and card network risk monitoring.
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Aiding overseas entities in collecting US consumer payments while shielding them from banking risk monitoring.
- **Credential Access:** Not applicable.
- **Discovery:** Not applicable.
- **Lateral Movement:** Not applicable.
- **Collection:** Charging consumers for automatic subscription renewals without clear disclosure.
- **Exfiltration:** Not applicable (Financial fraud via subscriptions).
- **Impact:** Financial harm to consumers through undisclosed recurring charges.
## Impact Assessment
- Financial: Paddle paid a $5 million settlement to the FTC. Consumers incurred costs via undisclosed, automatically renewing subscriptions.
- Data Breach: No traditional data breach reported; focus was on illegal financial transaction processing.
- Operational: Paddle faces new compliance restrictions on its business operations.
- Reputational: Significant reputational damage from association with tech support scams.
## Indicators of Compromise
*Note: No traditional technical IoCs were present in the source material.*
- **Financial/Behavioral Indicators:** Processing payments for tech support telemarketers; using "merchant of record" structure to obscure underlying third-party merchants; charging for non-disclosed auto-renewals.
## Response Actions
- **Containment:** Paddle is permanently banned from processing payments for tech support telemarketers.
- **Eradication:** Required to cease assisting tech support scammers in avoiding banking risk monitoring programs.
- **Recovery:** Paddle must deploy enhanced client screening processes for new and existing clients/advertisements.
## Lessons Learned
- The due diligence and onboarding process for third-party merchants must rigorously enforce compliance, especially for high-risk sectors like tech support services.
- Payment processors must implement strong controls to prevent masking the true beneficiary of transactions (avoiding being used as a shell).
- Failure to clearly disclose recurring subscription charges constitutes a violation of consumer protection laws.
## Recommendations
- Implement mandatory, continuous real-time monitoring of transaction descriptions and merchant profiles for services related to tech support or unsolicited software repair.
- Enhance KYC/KYB procedures to verify software resellers and "merchants of record" are not facilitating payment processing for entities evading established banking risk frameworks.
- Ensure all recurring billing mechanisms have explicit, granular consumer consent documented before processing the first renewal charge.