
#37: Billions exposed, cards bypassed, and social giants under pressure
This week, we’re looking at the long tail of infostealer breaches, a major move toward crypto-enabled eCommerce, and renewed scrutiny on social platforms still failing to meaningfully stop fraud.
Let’s get into it.
NATE'S TAKE - JUNE 24, 2025
Top Three This Week
- 16 Billion Credentials Exposed in Record-Breaking Leak
- Coinbase Launches Stablecoin Payments for E-commerce
- Regulators press social giants on scam enforcement
1. 16 Billion Credentials Exposed in Record-Breaking Leak

Photo: Cybernews
Cybernews researchers discovered 16 billion login credentials exposed across 30 datasets, likely compiled from infostealer malware logs. This includes URLs, usernames, passwords, cookies, and tokens tied to services like Facebook, Google, Apple, GitHub, and government sites.
Key points:
- Data is fresh - not recycled - and formatted for easy abuse.
- Many records include session tokens that can bypass 2FA.
- Attackers can now launch phishing, account takeovers (ATOs), and business email compromise (BEC) with precision.
- Datasets were briefly exposed via unsecured cloud infrastructure.
This leak is a blueprint for industrial-scale exploitation. Infostealers are fueling a shift from dark forums to centralized leak drops, highlighting the need for fraud teams to track login behavior across devices, enforce MFA, and monitor for session abuse.
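As an added illustration of the session-abuse monitoring mentioned above (example code written for this page, not from the newsletter or Spec): a check that binds each session token to the client context seen at its first use and flags later requests presenting the same token from a different network or user agent, which is how a token lifted by an infostealer and replayed elsewhere typically surfaces. The event records are constructed sample data.

```python
from ipaddress import ip_network

# Constructed sample of session-usage events (not real data):
# (timestamp_s, session_token, user, client_ip, user_agent).
# tok-A1 is first used from a Windows browser, then replayed minutes later
# from another network by a scripted client, the pattern left by a stolen cookie.
EVENTS = [
    (0,   "tok-A1", "alice", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/125"),
    (60,  "tok-A1", "alice", "203.0.113.12", "Mozilla/5.0 (Windows NT 10.0) Chrome/125"),
    (300, "tok-A1", "alice", "198.51.100.7", "python-requests/2.31"),
    (400, "tok-B7", "bob",   "192.0.2.44",   "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari"),
    (420, "tok-B7", "bob",   "192.0.2.44",   "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari"),
]


def network_of(ip: str) -> str:
    """Coarse /24 key so an ordinary DHCP or NAT change inside one network does not alarm."""
    return str(ip_network(f"{ip}/24", strict=False))


def detect_session_replay(events):
    """Return alerts for tokens reused from a context (network, user agent) that
    differs from the context recorded when the token was first seen."""
    bindings = {}  # token -> (network, user_agent) at first sighting
    alerts = []
    for ts, token, user, ip, ua in sorted(events):
        net = network_of(ip)
        if token not in bindings:
            bindings[token] = (net, ua)
            continue
        bound_net, bound_ua = bindings[token]
        reasons = []
        if net != bound_net:
            reasons.append("network_changed")
        if ua != bound_ua:
            reasons.append("user_agent_changed")
        if reasons:
            # A real deployment would revoke the token here and force re-authentication.
            alerts.append({"ts": ts, "token": token, "user": user, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(EVENTS):
        print(alert)
```

Binding on a /24 and exact user agent is deliberately simple; production checks usually add device fingerprints and per-session token rotation so a replayed token expires quickly.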
2. Coinbase Launches Stablecoin Payments for E-commerce

Coinbase just rolled out a new product that allows merchants to accept payments in USDC stablecoin using Coinbase Commerce, and Shopify is already on board. The move follows the recent passage of a bill that removes regulatory roadblocks for stablecoin payments, enabling merchants to bypass traditional card networks entirely.
By using stablecoins, merchants avoid card network fees, restrictions, and even protections, shifting both the economics and the risk profile of online transactions. Shopify users can now offer customers the ability to pay with stablecoins through a QR-code checkout experience.
This is a major shift in how online commerce could operate. Cutting out card networks doesn’t just reduce cost, it also removes a layer of consumer protection. Fraud teams may need to rethink how they assess trust and verify transactions in an ecosystem that no longer has chargebacks or issuer-side fraud review.
3. Regulators press social giants on scam enforcement

The UK’s Financial Conduct Authority (FCA) called out social media platforms again for failing to do enough to prevent scams. While firms like Meta, X, and TikTok have recently signed up to new voluntary agreements, regulators remain skeptical.
Fraudulent investment ads and impersonation scams are still widespread. The platforms say they're improving detection, but the FCA notes a glaring lack of transparency and accountability: “We still don’t have a clear view of how effective they are.”
This highlights a long-running frustration for fraud teams: many scams start off-platform but gain legitimacy on social. Fraudsters use paid ads, spoofed handles, and comment hijacking to build trust, and platforms still struggle to catch or report these tactics in time.
Until there's real enforcement or transparency, social platforms will continue to be one of the most efficient acquisition channels for organized fraud.
===
That’s all for this week! For more insights, follow us on LinkedIn or X, and if you want to learn more about what we do, visit www.specprotected.com.
Nate Kharrl, CEO and co-founder at Spec, has built leading solutions for application security and fraud challenges since the early days of the cloud era. Drawing from his cyber experience at Akamai, ThreatMetrix, and eBay, Nate helped found Spec to focus on the needs of businesses operating in a landscape of increasing AI risks. Under Nate’s leadership, Spec grew from its mid-pandemic founding to raise $30M in venture-backed funding to build solutions used by Fortune 500 companies transacting billions in online commerce. Spec’s service offerings today include protective measures for websites and APIs that specialize in defending against attacks designed to bypass bot defenses and risk assessment platforms.