IMPORTANT: Cash App and Venmo payment methods have been blocked due to chargeback activity

In response to recent reports of fraudulent chargeback activity, Bisq co-founders have broadcast network-wide alert messages blocking both Cash App and Venmo payment methods from further use.

What happened?

We have investigated the chargeback reports described in the link above, and confirmed that they are valid.

One or more chargeback scammers have been operating on the Bisq Network using the following onion addresses:

  • trvbnoqv7vikaghm.onion:9999
  • jinspb4cs57j3o7g.onion:9999
  • 4id77pz3wqbc5yrn.onion:9999

And using the following aliases:

  • Venmo username Sylvester-Harrington (using onion address trvbnoqv7vikaghm, dispute case on May, 2.)
  • Venmo username Rhoanne-De-Guzman (using onion address jinspb4cs57j3o7g)
  • Venmo username Carl-Aliff (using onion address trvbnoqv7vikaghm, dispute case on April, 29.)
  • Venmo username Amy-Abbott-4 (using onion address trvbnoqv7vikaghm)
  • Cash App cashtag $ssl0319 (using onion address 4id77pz3wqbc5yrn)
  • Cash App cashtag $gjohnson527 (using onion address trvbnoqv7vikaghm)
  • Cash App cashtag $Edbr18 (using onion address 4id77pz3wqbc5yrn, dispute case on May, 8.)

Update (I add here newly reported usernames related to the known scammers):

  • Venmo username Patrick-Hinojosa-2 (using onion address 4id77pz3wqbc5yrn, trade on May, 1.)

Thus far, there have been 5 successful chargebacks, 3 via Venmo for $1200 USD and 2 via Cash App for $650.
The scammer(s) got blocked by their onion addresses and user names so they cannot continue with their current accounts anymore.

In all cases, the scammers have been the BTC buyer, and have completed payment via Cash App or Venmo to the BTC seller (the victim), and have then initiated a chargeback after the Bisq trade is completed, resulting in the scammer walking away with both the BTC that was traded and the cash that was used to purchase it.

In order to minimize further risk of these chargebacks, we have blocked all Cash App and Venmo activity indefinitely and possibly permanently.

What you need to do

Check to see if you’re at risk

If you have ever sold BTC via Bisq and received payment via Cash App or Venmo, you should check to see whether any of your buyers have had one of the onion addresses or usernames listed above. If you have completed trades with these users, you may still be at risk of a chargeback.

To check your history, do the following:

  • Go to Portfolio->History
  • Click on the trade ID link for each trade in your history
  • Examine the trade details window that pops up for the following:
    1. Is this a Cash App or Venmo trade? If not, move on to the next trade.
    2. Does the Trading peer's onion address field match one of the onion addresses above?
    3. Does the BTC buyer payment details field contain one of the usernames listed above?
    4. If the answer to questions (2) or (3) was yes, then you may be at risk. Please send a screenshot of the trade details screen and the full text of the JSON contract for the trade to manfred@bitsquare.io. (You can get the text of the JSON contract by clicking the View contract in JSON format button at the bottom of the trade details window).

If you are at risk

You should do everything in your power to minimize the chances of a chargeback taking place against your Cash App or Venmo account. This may include reaching out to Cash App or Venmo support to let them know that you are a potential victim of a chargeback scammer, and it may also include clearing out your Cash App and Venmo account balances to your backing bank accounts as soon as possible.

If there are Cash App and Venmo users out there who know effective strategies for making chargebacks more difficult or impossible, please add a comment here sharing that information with other users. Thank you.

If you have open Cash App or Venmo trades

You will not be able to complete them due to the payment methods being blocked. You will need to take your trade to arbitration, either by waiting for the trading window to expire or (better) by pressing CMD+O with the trade in question selected. This will immediately send your trade to arbitration, where your arbitrator will work with both parties to determine how to proceed.

Where we go from here

At this point, it is unlikely that we will re-enable Cash App or Venmo payment methods unless we can discover some way to provide better protection against these chargeback scams.
One idea we’ve had is to extend the trading window for these payment methods, and enhance the Bisq UI with a “two-phase” trade settlement process in which the first phase is the buyer’s payment showing up in the seller’s Cash App or Venmo account, and the second phase is the seller transferring those funds to their Cash App or Venmo account’s backing bank account. This idea is predicated on the assumption that it is more difficult or even impossible for Cash App / Venmo to initiate a chargeback if all funds have been moved to the backing bank account. The problem is that we do not actually know if this is the case. If you have expertise in how and when chargebacks can happen from payment processors like Cash App and Venmo to backing bank accounts, please share your knowledge with us. You can comment here directly on this thread (preferred), or you can email manfred@bitsquare.io or PM @ManfredKarrer.

Once the Bisq DAO is in place we will have new possibilities to secure the trade and that might give us the opportunity to support such high-risk payment-processors again. More about that once the DAO is getting completed.

4 Likes

This idea is predicated on the assumption that it is more difficult or even impossible for Cash App / Venmo to initiate a chargeback if all funds have been moved to the backing bank account. The problem is that we do not actually know if this is the case. If you have expertise in how and when chargebacks can happen from payment processors like Cash App and Venmo to backing bank accounts, please share your knowledge with us.

Hi folks - I’m the “lucky” seller from that linked post describing how I got robbed (multiple times) via the Venmo and Cashapp payment methods.

Wanted to share some more insights re: what happens to your money in your payment method accounts & bank accounts on the victim’s side once these chargebacks happen…

TL/DR - if your money is “in flight” (transferring to your bank account) it’ll get brought back. And even if your money makes it to your bank account, it’s still not safe and can be clawed back.

In the Venmo case, I had amassed proceeds from a few settled Bisq sell transactions - $1,200 worth total balance in my Venmo account. I wanted to cash that out back to my checking account, so I initiated a transfer. Said it’d take 2-3 days. No problem, or so I thought. Nope, The next day (before the transfer to my bank had completed), the Bisq buyer (scammer) initiated a chargeback via their bank, who then passed it on to Venmo, who then cancelled the transfer and froze my account. That’s the last I ever saw of that $1200. It never made it out of Venmo.

The CashApp case is more frustrating. I had about $300 balance in my CashApp + debit card account. The scammer initiated chargebacks for $650 worth of transactions against me. You’d think that the most they’d be able to steal back from me was $300, right? Nope. CashApp drained the balance of my account, and then went even further and pulled the remaining amount out of my checking account! Holy crap. See attached, screenshot of my checking account history. (“Sandra Lopez” is listed in my original post as one of the buyers that popped me with chargebacks.)

So right now my CashApp balance has been drained, my account appears to be frozen (I can’t add more funds, delete my bank account, etc.) and there’s apparently no way I can stop future chargebacks from reaching all the way into my checking account to claw back money. I’m waiting to hear from CashApp support team, but I’m also going to contact my bank and ask if they can block all activity from Cash / Square at least for now.

Pain in the ass. Not life-altering financially thank goodness, but certainly annoying. In the meantime, I’m mentally preparing / bracing myself for more chargebacks from the OTHER Bisq transactions I’ve done over the past 6 weeks, for all I know more are coming. Wheee!

I think this is exactly the right move.

Regarding the two-phase confirmation process, it will not significantly protect the seller since there is usually residual funds from subsequent trades that Venmo and Cash App can confiscate as a means of paying back on the charge back. I would focus on other established payment types that have a more rigorous process around chargebacks eg. Amex Serve.

Additionally, I think time is better spent on building features in the platform that would allow users/community to assess/manage/mitigate risk of similar fraud attacks eg. ability to block specific onionaddress/usernames, set thresholds for counterparty trade volumes, publishing successful trade ranges (low, medium, high) on a given account or ratios (eg. successful trades divided by total trades on given account), etc.

2 Likes

I am wondering if going to court againts both Venmo and Cashapp might be an option. They are in fact colluding with the scammer, that is far beyond violation of ToS rules. A proper legal system should protect you and bring you back the money from them. But I doubt that is the way how our reality looks like ;-(.
Maybe you can start a donation pool for legal costs and if there are more victims to make a collective law suite?
Those scammer just continue their business because such companies make it so easy for them to scam and actually supporting them…

You can block users by onion address already. But the problem is that is too cheap to create new Venmo or Cash app accounts as well as a new onion address. So that will not be much of a protection.
Reputation systems only work if creation of an identity is expensive. And then a reputation system is not working well with privacy as it based on a long term identity. Decentralized reputation is much hard if possible at all… So that is not really a solid protection but luckily we will have new tools when the Bisq DAO is out. Then people can lock up BSQ bonds long term and with that buy reputation… See https://bisq.community/t/possible-future-offline-trades

1 Like

Imho, going to court has 9/10 chances ending bad and bringing bad attention on bisq.
Those people will certainly not renounce their actual profitable system without fighting.
All those incidents are very probably also “allowed” precisely in order to hurt.
As you wrote it, bisq has to search on its side the solutions to this kind of incidents. I would expect absolutely nothing from the fiat side (bisq eats in their plate) apart bad things.

1 Like

Unfortunately I have to agree…

Unfortunately , my Venmo account is now frozen because of these scammers pending an investigation. I have done trades with both Carl and Amy before which explains why that happened to my account.

Venmo did not say why my account was frozen but mentioned I am probably violating their user agreement. Should I let Venmo know anything additional or just wait until the account is unlocked after 180 days?

1 Like

Ouch.

Charge backs can happen after weeks or months, so the two-phase settlement may not be good enough. Probably a good idea to just keep them disabled so more people don’t get burned. I hope those affected are able to dispute the charge backs and eventually get their money back.

I generally agree with your sentiment on these points but would like to offer a couple of points for consideration:

  1. If I understand the mechanism for blocking onion addresses, it seems very rudimentary and would be difficult to utilize proactively so it would need to be enhanced to be an effective tool.
  2. Although I agree that it is to the communities benefit to allow for easy onion address renewal, we may be able to strike a balance between ability to renew and the benefit of maintaining ones “safety-rating” in the network. Along with Bisq DAO these can be utilized to manage and mitigate counterparty risks.
  3. BSQ bonds will help but I dont think it will be a bullet proof solution against fraudsters exploiting legacy banking policies with no limits on ability to chargeback (timeline and account access) as we’ve see in this incident ie. it doesn’t seem feasible to lock up funds indefinitely to prevent a chargeback which can come at any time in the future.
  4. I think it will be difficult to scale and provide consistent and responsive arbitration for all of the incidents that will arise particularly ones over longer durations utilizing the BSQ bonds as the usage grows. It seems to me the only way to counter this is more user-level-controls which allow them to proactively manage counterparty risks.

imo, a positive reputation system, but only on a willing basis, could be offered for those willling.
This could probably be done without implying touching the code.
Just on a “good/recommended practices” basis.

Yes, a positive reputation system, by definition, has clearly an impact on anonymity (just because of history),
but if it is only an option, willingly used by some, and not used by those who don’t want,
does is cause problem(s) ?

I would contact Venmo to tell them to not allow the chargeback as those are known scammers. ToS violation don’t gives them the right to help the scammer to steal your money.

Classical chargeback mitigation: never release the goods until you have cash in your hand. That means withdrawing the whole balance of any linked bank account as cash. My experience comes from LBC in Australia and obviously laws vary internationally. If you’ve not accepted any credit facility from the bank in question they will not be at liberty to raise a debt against you. They sent me vaguely threatening letters demanding I sign certain documents, which I declined to do. I responded with proof of the transaction and questions of my own, which they never answered. Eventually they gave up.

Doing a transfer of the balance to another bank might be good enough. The receiving bank has a commercial interest in resisting.

1 Like

Reputation systems can work alright for the price taker, not so well for the price maker. One downside is that most volume ends up going through a handful of dealers with huge rep. They may be trustworthy people but they become an obvious target for someone wanting to compromise or harm the system.

2 Likes

That’s probably true, because reputation would give an advantage to those who have over those who have not.
But, on the other hand, most if not every human activity ends up in the form of a paretian distribution (ie 20% of peoples assuring 80% of the activity or so).
So, given that some concentration will unavoidably happen, one could imagine accompany/adapt to this in the most profitable way for everyboby (makers and takers).
Btw, since imo this requires no coding, a reputation system may well emerge by itself.

I would not go to a full reputation based feature like LBC and others ie. voting on positive or negative experience. I would simply use standard metrics and allow takers and makers to set thresholds on the type of trades they will accept eg. ratio of completed trades versus cancelled trades, ranges for dollar volumes traded, release times, etc.

In any case I would assume we would need to limit the number of these calculated variables because of the bandwidth associated with pushing them out to the network.

1 Like

Is Zelle more/less/the same susceptibility to chargebacks as Venmo/Square? Do we know how long the chargeback window is for Square Cash and Venmo?

Also two solutions to this is to have an extremely long lockout period for the buyer’s deposit until their account reaches a certain threshold.

For example. Accounts that have less than 100 trades have a 60 day lockout. 500 trades with no disputes. 30 day lockout. 1000 trades no disputes = 0 day lockout. The numbers are totally arbitrary, I would base them off of the data you have if any about the number of successful trades going through single account. Is my solution Extreme? Yes. Necessary? Yes. That’s the price we pay for using services that are easy to exploit.

Alternatively I think the solution will be to enable a cash in mail system. Display a warning message telling both sides to follow the steps otherwise the arbitrator must default to the other party in a dispute.

  1. Film yourself placing the cash in a birthday card/congrats card. Placing it in the envelope. And taping the package shut. Then handwriting the address of the recipient and stamping it.
  2. Put tracking on the package.
  3. The receiving party has to tape opening the package in case of any shenanigans.

An interesting problem to solve is to figure out if there is a way to build a decentralized-ish system for cash in mail where the buyer and seller don’t know each other’s address.

Like, what if the Bisq arbitrators were actually attorneys. Both party’s pay an arbitrator fee which effectively makes us clients of the Bisq attorneys. That way the attorney can escrow the coins and the package and forward the mail to the appropriate party. I would pay extra for that service for sure

I believe that there is no limit on chargeback window for zelle but the process for pulling funds back is a bit more involved. The scammers will have a harder time providing proof that they were the victims. Additionally, the because banks have a more extensive onboarding process they screen the account holders and do more monitoring of the account activity to protect against fraud (its not perfect but it helps in these situations).
However, any electronic payment type including zelle is still very risky. Honestly, I think the bisq community is not fully informed based on how most traders price zelle transactions in the network (versus a cash deposit as an example).

1 Like

I did some more digging and it looks like Perfect Money is the best solution of the existing options on Bisq. According to the site all transactions are final. No chargebacks.

https://perfectmoney.is/sciv2.html

https://en.bitcoin.it/wiki/Payment_methods

edit: Ah S#@# according to this article, they don’t serve u.s. customers any more. https://www.dailydot.com/crime/perfect-money-digital-currency-money-laundering/

Man this is a tough problem to solve. Might end up just going with Coinbase to withdraw

1 Like