Checkout.com reports ransomware attack, refuses to pay, donates to cyber research

In the first week of November 2025, global payment service provider Checkout.com was targeted by the notorious cybercriminal group ShinyHunters in a digital extortion attempt. 

The breach was caused by breaching a a legacy third-party cloud storage system that the company had failed to properly decommission. This outdated system contained historical data, and the attackers exploited this oversight to access sensitive company information.

The company claims that the incident did not compromise live payment processing systems, and that merchant funds and card numbers remain secure. The breach did expose a significant volume of internal data related to the company's past operations. 

According to the company's disclosure, the types of exposed data include internal operation documents and merchant onboarding materials dating from 2020 and earlier. The company estimated that data pertaining to less than 25% of its current merchant base was affected. 

The number of individuals impacted has not been disclosed.

ShinyHunters demanded a ransom, bit Checkout.com’s Chief Technology Officer, Mariano Albera, publicly refused to pay the ransom. He apologized for the security lapse and took full responsibility but stated unequivocally, “We will not be extorted by criminals.” This stance was framed as a matter of principle, aligning with the company's core values of security and trust.

Instead of funding the attackers, Checkout.com announced it would donate the equivalent of the ransom amount to support academic research in cybersecurity. The funds were directed to Carnegie Mellon University and the University of Oxford's Cyber Security Center to aid in the fight against cybercrime. 

Checkout.com has contacted the impacted merchants and coordinating with relevant law enforcement and regulatory bodies.