Nearly 38,000 people backed the Flipper Zero pen testing tool when it launched on Kickstarter in 2020. The open-source, multi-tool device can be used to reverse engineer access to radio protocols, hardware, and systems such as TVs and garage doors.
Those tens of thousands of backers donated more than $4.8 million to the project, which has been on sale to the public since this July. And while it’s selling well, Flipper isn’t getting any of that money, thanks to PayPal.
Prior to July 7, the company was only fulfilling Kickstarter pre-orders, with no ability for non-backers to buy the product because of stock shortages. But when it went on sale to the public, people jumped.
“It was a pretty big launch as we were out of stock for a long time to that moment and many people rushed to purchase Flipper immediately after the announcement,” said Alex Kulagin, chief operating officer of Flipper Devices, the company that manufactures the Flipper Zero.
Flipper Zero proved popular, as both an educational device and one that could make mischief. The thumb drive-sized hacking device enables people to unlock cars and turn on and off TVs. Kulagin denied that the Flipper Zero is a nefarious hacking tool and said, “We don’t give any offensive tools that allow users to do bad stuff, and for sure we don’t give anything more than you can with Arduino and a couple of modules.”
Just before the mainstream launch, Flipper Devices decided to give its customers more payment options, including through PayPal. “We had some experience with PayPal to that moment, and it was OK—we charged around $100,000 during two-to-three months using its payment solution and successfully withdrew it,” Kulagin said.
The use of PayPal was a major opportunity for Flipper Devices, which enabled them to sell their product to a broader range of individuals.
It proved to be a smart decision: around two-thirds of customers chose to use PayPal to buy the Flipper Zero. Within 24 hours, $700,000 had landed in Flipper Devices’ PayPal account.
But it also backfired. The same day, PayPal put the funds on hold, citing an “unusually large increase in your sales activity.”
The freeze on Flipper’s funds shows the difficulties startup companies can face if their products or services operate on the fringes of what’s deemed acceptable under a tech giant’s rules. For the hacking community, which is often ostracized, that’s even more of a challenge.
“At the start it was soft,” Kulagin said of PayPal’s freeze. “They gave access to part of the funds (we had $26,400) and [said they would] release the rest once you provide tracking numbers [which happens automatically through Shopify integration]. We didn’t worry much at that point.”
Kulagin’s company provided tracking numbers for shipments to PayPal and the funds were released. But then they were immediately put on hold again by another compliance request.
“This time everything was on hold and we couldn’t do anything but receive the payments from customers,” Kulagin said.
Flipper Devices was then asked to provide a slew of information, including beneficiaries’ information, proof of ID, proof of address, bank statements for the company, proof of goods purchase, and proof of fulfillment for 10 random orders. “We’ve submitted everything they’ve asked,” said Kulagin, “but they kept rejecting it for different reasons. First, they didn’t like the proof of address, then proof of goods purchase, et cetera.”
Kulagin decided to pull the plug on offering a checkout by PayPal option, deciding it was more hassle than it was worth. But by this point, the cash in the account had ballooned to $1.3 million.
After some time, PayPal came back to Flipper Devices, saying that it had rejected the company’s proof of order fulfillment. Instead, it was now after proof of delivery, according to Kulagin.
By that point, eight of the 10 random orders PayPal wanted to audit were delivered successfully, but two had been held up for courier issues. A deadline of Aug. 27 was set to provide evidence of delivery, so Flipper Devices reshipped those two devices through an expensive and priority delivery option.
The deadline was met and passed with no news.
On Aug. 30, Kulagin checked his PayPal dashboard.
“I found out that our account is fully blocked, [and] money will be on hold for 180 days with no clear explanation why, only: ‘Your account’s inconsistent with our User Agreement.’ So we’ve got $1.3 million stuck in the PayPal account, with no clear way on how to get our money back.”
The impact is enormous on Flipper Devices.
“We are a consumer electronics business, so our operations are capital intensive and have long timing. Most of the time we need to place orders on components and actual production months before we have the stock to sell,” Kulagin said. “It’s especially hard since the COVID-19 [pandemic] and chip shortage has started—the lead times are much greater than usual and prices are constantly growing. With essentially two-thirds of the funds blocked, we can’t place new orders as we planned and pay for some of our current liabilities, so the block is causing significant damages to the company.”
Despite PayPal’s concern, Flipper Devices has a Flipper Zero for every order currently made and half already have been delivered. “The other half is on the way, with the tracking code and all the shipping documents to prove it,” said Kulagin.
The company went public with its frustrations last week, in an attempt to force PayPal’s hand after months of inaction. Flipper Devices still doesn’t know what exactly has happened.
“There was an email asking to provide a ‘requested spreadsheet,’ but without specifics what spreadsheet they need,” Kulagin said. “And customer support couldn’t answer that question either—every time they just said it looks weird and they don’t understand, so they will send it to the back office for a review.”
Kulagin’s frustration at PayPal is clear.
“Right now PayPal doesn’t worry about being punished for this because lawsuits are too expensive and time-consuming,” he said. “Startups just can’t afford it—and PayPal knows it. There are hundreds of companies who were in the same situation and just couldn’t do anything. There should be an affordable and fast way to enforce payment providers to follow the law.”
Lab401, an RFID and pentesting hardware company, also struggled with similar issues when it faced what the company describes as a “personalized, manually executed war of attrition against our company and shareholders” by PayPal.
PayPal first suggested to the Daily Dot that putting a block on an account was not unusual for the company and that reporting on Flipper Devices’ travails was not a story. The company, however, would not say that blocking access to $1.3 million was a typical action by the company.
A PayPal spokesperson said: “PayPal is committed to the highest levels of risk management and compliance, and our decision on account holds, limitations or other actions may be based on the management of risk, in order to protect both buyers and sellers. We understand the impact account holds may have and take this process very seriously.
It added that it was “working with the company to support the resolution.”
Flipper Devices clearly disagrees.