How to Get Started: Investigating Payment Gateways Online

When investigating a website, app, or online shop, one of the key questions you may need to answer is ‘How are they making money?’ 

Investigating the financial transactions of an organisation can reveal details about its connections and funding. Furthermore, if the website or app is engaged in illicit transactions, tracing the payment gateway can help achieve accountability by identifying what sites they are using to earn money.   Bellingcat has looked into the payment processors in previous investigations on far-right merchandise, Britain’s far-right influencers, and non-consensual deepfake pornography.

Payment gateways are a technology that takes a customer’s payment information, checks it with their financial institution, verifies that the transaction is legitimate, and then completes the transaction. As explained by Forbes, online stores need a payment gateway to be able to facilitate payments. Companies including PayPal, Stripe, and Square are commonly used as a payment gateway for online purchases.

Most mainstream payment gateways (like Stripe and PayPal) prohibit their services from being used in illegal transactions including the sale of illegal drugs, the promotion of hate or racial intolerance, and non-consensual adult content. Finding evidence that someone is violating the Terms of Services of these companies – and how they are doing so- can lead to the closure of loopholes and accounts. It can also provide additional information about an organisation’s revenue streams. 

It is nearly impossible to conduct online transactions without a payment gateway. So it should be possible to find the payment gateway of an organisation earning money, even if it is not obvious at first. One resource that is extremely useful is Chrome’s built- in developer tools (other browsers also have similar tools). Below we’ll provide an overview of the tools to use and questions to ask when scrutinising payment systems. 

How are they Taking Payment?

For online transactions, you’ll typically see websites accept traditional forms of payment including credit cards, debit cards and, more recently, cryptocurrency. Since cryptocurrency is not subject to the same regulations as traditional financial systems, cryptocurrency is often used to process payments for illegal services. Since this does not need to be ‘hidden’, websites will usually disclose which currency they accept and how to transfer funds into a crypto wallet. There are other ways you can track funding through cryptocurrency, as discussed in this guide.

If none of the above apply?  Other sites that use a payment gateway will accept money directly via credit card payment,  bank transfer, or through peer-to-peer payment apps (i.e., PayPal, Cash App, Zelle). If this is the case, you should be able to identify the payment gateway being used. In the case of the peer-to-peer apps, these services may be used by businesses and not just individuals’ transactions. They also require a bank account or credit card to use them. It is helpful to view transaction options on both the mobile app and web browser, in case the options differ.  It is also worth checking the currency that payments are being taken in – if it is a US website taking payment in a foreign currency, that can also provide clues. Further, if a website is using different payment gateways depending on the currency, this can lead to additional leads in your investigation. Payment options may also change depending on what IP address you are using. In other words, setting your IP address in the UK and then changing it to the US may result in different payment gateway options.

Where are they Soliciting for Payment?

Organisations may solicit for payment via a website or a messaging app like Telegram. It is important to investigate all avenues where  payment is being requested as each method may provide different clues for your investigation. For example, for some of the AI deep fake services we investigated here we found that companies would accept different payment methods depending on how you tried to pay – via their website, via a web browser or via Telegram. Sellers may want to direct their users away from their website to more private forums such as Telegram to facilitate transactions and avoid detection.

Is the Organisation Trying to Hide How Payment is Taken?

For some sellers, using a mainstream payment gateway may  violate the terms of service of that company. To be able to use their services, these sellers may  try to hide the nature of their goods from the payment gateway company. 

A Walk Through Example

Some sites may not show their payment options without signing up first. 

This was the case with the Nudify.VIP site which offers non-consensual AI Deep Fake pornography.  

Initially, the website states that their services are free. 

“With our service you can undress any person in a photo absolutely FREE!” 

However, this is misdirection, as you are then prompted to log in or sign up. Only once you create an account do you discover that you need to pay to access the service and how much it costs.

You are then presented with an option to pay via crypto or via credit card, but it does not yet say what cards they accept or what payment gateway they use. 

Clicking through to ‘Go To Payment’ gives us a new screen that lets the user pay via credit card (ie MasterCard, Visa), a US Bank account (ie Wells Fargo, USAA), or through Cash App. 

There is no indication of the payment gateway they are using, but if we look at the URL on the checkout page, we can see that it no longer says that we are on a Nudify.VIP domain. This is a clue that users are being directed to the checkout page through another website. This method is used to hide the true source of purchases from payment gateway providers. There’s another clue  that the domain has changed- in the fine print at the bottom of the checkout page. Via the Checkout Page using either Cash App or credit card options, it discloses:

“By providing your card information, you allow aiphotos.art to charge your card for future payments in accordance with their terms.”

This is another clue that the payment gateway does not know this belongs to an AI Deep fake service Nudify.VIP.

Use Browser Developer Tools to Investigate Further

All modern browsers have some form of built-in developer tools. You can search online for your specific browser (e.g. Firefox, Chrome, Safari). If you are in Chrome, you can right-click anywhere on the screen to get a menu and an option to ‘Inspect.’ You can also use keyboard shortcuts which can vary between MacOS or Windows. For Windows, you can click CTRL + SHIFT + I and on MacOS you can click Option + Command + I on your keyboard. Any of these actions will open the developer tools which allows you to  view the code of a webpage (such as HTML, CSS, and Javascript). This should appear on the right-hand side of your screen. While developer tools are designed to check for bugs or errors in a website, you can use them in your investigation.

There should be a list of tabbed options for you to view on the top menu bar. Clicking on ‘Sources’ shows you all the resources that the website is using. 

This is a good place to start to look for any clues about what piece of code is being used in the checkout process.  In the example below, one of the listed sources on the page is titled ‘js.stripe.com.’

Googling ‘“js.stripe.com” brings up documentation from the company, Stripe.

The documentation shows that ‘js.stripe.com’ is Stripe’s JavaScript library which is the code needed to facilitate payment processing.   

This confirms that Stripe is the payment gateway being used by Nudify.VIP. In this case, Stripe was the payment gateway that facilitated transactions via credit card, US banks, and Cash App.

Using Browser Developer tools and following these simple steps, we were able to learn that Nudify.VIP created a decoy website to which they were redirecting their credit card payments to make Stripe think they were processing sales for a company called “Aiphotos.art.”

As you investigate payment gateways, you can begin to recognise the Javascript libraries used by companies. 

Rummaging around the ‘Sources’ tab via the Google Chrome Inspect tool is a useful starting point to find out details about what sources a seller or organisation is relying on to run its website and process payment.

For example, we investigated the payment gateway for a candle company, Patriot Candle Co.  At first glance at the Sources tab, it may look like they are only using WordPress related scripts. WordPress is one of the most common website building tools available. However, if you click through to expand the contents of the folders, in this case, if you click ‘wp-content’ and then click ‘plugins,’ we see a few libraries using ‘woocommerce.’ WooCommerce is WordPress’s open source payment gateway.

Some sites may have multiple payment gateways, so it is important to investigate the entire site and all the sources being used on the website. 

A Few Minutes Research, Rich Rewards

We have outlined some very simple steps that take only a few minutes of work and produce clear leads for an investigation.  In the case of Nudify.VIP, we were able to show the company had created a decoy website to which they were redirecting their credit card payments in order to make Stripe think they were processing sales for a company called “Aiphotos.art.” Stripe shut down the account, when we contacted them about it. It may take only minutes to go through this process, but it can provide important starting points for your investigation. 

---

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Instagram here, X here and Mastodon here.