Breaches | Mar 31, 2026

Threat Actor Auctioning WordPress Admin Access to Spanish E-Commerce Site With REDSYS Payment Gateway and ~1,200 Monthly Card Orders

Threat actor bobby_killa auctions WordPress admin access to Spanish e-commerce site processing ~1,200 monthly REDSYS

Summary

A threat actor identified as bobby_killa is auctioning full WordPress administrator access to an unnamed Spanish e-commerce website integrated with REDSYS, Spain's dominant payment gateway, starting at $1,000 with a blitz price of $3,000. The site processes approximately 1,150–1,200 card transactions monthly, making it a high-value target for payment fraud, skimming, and cardholder data theft. The access includes full CMS control, payment system visibility, and customer order records, enabling attackers to inject payment skimmers, redirect transactions, or modify checkout pages.

Full text

Dark Web Informer - Cyber Threat Intelligence
March 31, 2026 - 5:27:39 PM UTC
Spain | E-Commerce

Quick Facts

  • Date & Time: 2026-03-31 17:27:39 UTC
  • Threat Actor: bobby_killa
  • Victim: Spanish E-Commerce Site
  • Industry: E-Commerce
  • Category: Initial Access (Auction)
  • Access Type: WordPress Full Admin
  • Payment Gateway: REDSYS
  • Monthly Orders: ~1,150 - 1,200
  • Starting Bid: $1,000
  • Bid Step: $100
  • Blitz Price: $3,000
  • Auction Duration: 12 Hours PPP

Incident Overview

A threat actor going by bobby_killa is auctioning full WordPress admin access to an unnamed Spanish e-commerce website that processes payments through REDSYS, Spain's dominant card payment processing system used by the vast majority of Spanish banks and online retailers. The listing is posted in the auctions section of a Russian-language forum and includes specific monthly order volumes, making this a financially motivated access sale rather than a data breach.

The listing details the following:

  • Access Level: Full WordPress administrator with complete CMS control over the site.
  • Log Access: Available but described as "not public," suggesting the logs are accessible through the admin panel but not exposed externally.
  • Payment System: REDSYS redirect, meaning the site processes card payments through Spain's national payment infrastructure. This is the key value of the listing for financially motivated buyers.
  • Transaction Volume: January saw approximately 1,200 card orders, February approximately 1,150, and March approximately 1,200, showing consistent monthly payment volume.

The primary risk here is payment fraud. A buyer with WordPress admin access to a site processing ~1,200 monthly REDSYS card transactions could inject payment skimmers, redirect payment flows, modify checkout pages, access stored customer and order data, or use the site's legitimate merchant account for fraudulent transactions. REDSYS processes the majority of card payments in Spain, so a compromised REDSYS-integrated store is a high-value target for carders and financial fraud operators.

Access & Risk Categories

  • WordPress Full Admin
  • REDSYS Payment Gateway
  • Card Transaction Data
  • Customer Order Records
  • Payment Skimmer Injection Risk
  • Site Log Access
  • Checkout Page Modification

MITRE ATT&CK Mapping

  • T1078 Valid Accounts: Full WordPress administrator credentials providing complete control over the e-commerce site, its content, plugins, themes, and user management.
  • T1659 Content Injection: WordPress admin access enables injection of payment skimmers, malicious JavaScript, or modified checkout pages to intercept card data from ~1,200 monthly transactions.
  • T1565.002 Data Manipulation: Transmitted Data: REDSYS payment redirect can be modified to intercept or duplicate card transaction data as it flows between the customer, the store, and the payment processor.
  • T1657 Financial Theft: The primary motivation for this access sale is financial fraud, using the compromised merchant's legitimate REDSYS integration to skim card data or redirect payment flows.

Dark Web Informer © 2026 | Cyber Threat Intelligence | DarkWebInformer.com

Indicators of Compromise

  • malware — payment skimmer injection
  • mitre_attack — T1078
  • mitre_attack — T1659
  • mitre_attack — T1565.002
  • mitre_attack — T1657