GCash User Records Allegedly Sold on Dark Web Forum, Includes eKYC Data and Linked Accounts

A large cache of data allegedly belonging to G-Xchange, Inc., the operator of GCash, has surfaced for sale on a dark web forum. The listing, posted by a user under the handle “Oversleep8351,” claims to contain sensitive personal information from both merchant and basic GCash users, including verified eKYC (Know Your Customer) records and linked financial accounts.

The post, titled “G-Xchange/GCash (GXCHPHM2XXX) User Infos by виверна,” was made on October 25, 2025, and advertises access to data bundles containing millions of user entries. According to the seller, the dataset includes:

• Merchant and Basic GCash user accounts
• G-Xchange/GCash account numbers
• Linked accounts, including virtual cards and bank connections
• eKYC records such as names, addresses, and employment details

The seller claims that the information spans transactions and account registrations from 2019 to October 2025, covering over 7–8 million users by the seller's own estimate. The eKYC records reportedly contain valid Philippine identification documents submitted by users during account verification.

In the post, Oversleep8351 stated that the files are “not organized,” meaning potential buyers would need to manually sort and query the data by account number or creation date. The seller further warned that records were “mixed together without proper organization.”

The dataset was offered in bundles of 10,000 users each, with the following pricing scheme:

• 20,000-user bundle: USD 700
• 200,000-user bundle (10 bundles): USD 500 each
• Full database (estimated 7–8 million users): USD 25,000

All payments are required in XMR (Monero), a cryptocurrency known for its privacy features. The seller claimed to accept payments only from “existing buyers” with verified code names, suggesting that prior transactions had taken place with trusted clients either on the dark web or through encrypted channels.

Oversleep8351 emphasized that the data would be sold on a “first come, first served” basis and stated that no resale would be permitted to ensure “customer trust.” The post also mentioned that sample data would only be shown to existing clients for verification purposes.

If the listing is authentic, the breach could expose millions of GCash users to identity theft, phishing, and financial fraud. The inclusion of eKYC records implies that personally identifiable information (PII), including names, addresses, and employment details, may have been compromised alongside linked account information. The post’s mention of “valid Philippine IDs” suggests that the stolen data may include scanned or digital copies of identification cards required during the KYC process, such as driver’s licenses, passports, or UMIDs.

The post by Oversleep8351 claims that the database was bundled and ready for distribution, with data allegedly coming from GCash’s systems over the span of six years. The listing also warned buyers that the records were unfiltered and that organizing the data would require technical effort.

As of this report, the listing remains visible on the forum, with no indication of takedown or verification from official channels.
