The conflict over responsibility for digital incidents has escalated in the PVZ market: owners of Yandex Market pick-up points report hacking of partner accounts, after which large amounts of refunds occur in the system without the actual movement of goods through the point. The initiator of the public conversation was AUREK, which records a “significant number of requests” from entrepreneurs and requires a joint investigation with the site before any deductions from payments.
The mechanics of complaints look like this: an attacker gets access to the personal account and changes the order statuses by making refunds. Next, the point owner has a financial claim for the “loss”, although the boxes were not physically accepted or scanned.
As an illustrative episode, the story of entrepreneur Sergey Klopovsky is given: on December 28, 2025, according to him, the office was hacked, and in four minutes 22 refunds for 1.79 million rubles appeared in the system — among the items were car tires, household appliances and a game console.
The key issue here is the control points of the process. The return to the PVZ is usually linked to a physical action: the arrival of the goods at the point and scanning. If returns in the digital circuit “fly by" without these confirmations, the market gets a risk that hits the most vulnerable participants in the chain — partners on earth. For the PVZ, these are direct cash gaps, cabinet lockouts, deductions for offsetting, loss of working capital and an increase in operating costs for security and staff training.
The site's position sounds harsh and pragmatic at the same time: the press service points to social engineering and phishing scenarios. The statement reads: "It is important for PVZ owners, like all Internet users, to maintain security... This is not about mass hacking, these are isolated cases of fraud on the Internet."
This remark is important for the market because it sets the framework: responsibility is partially transferred to partners and their employees, who can click on the link, name the code, or transfer access.
In practice, a sustainable solution requires technical guarantees that reduce the role of the human factor. Mandatory “two-key” confirmations of any refunds and debits, strict binding of operations to devices, IP and geography, instant notifications of entry and status changes, as well as a separate investigation protocol with freezing of claims until the final withdrawal are critical for PVZ. The Association offers exactly this approach: an investigation together with the site and contacting law enforcement agencies, as well as a technical analysis of access logs and the history of actions in orders.
The situation is becoming a marker of the maturity of marketplace logistics: the wider the PVZ network, the more expensive the “holes" in the digital circuit are. This is a signal to the market that the cybersecurity of the partner account is becoming part of the operational standard, along with scanning, inventory and cash discipline.
