Here is my best guess what is going on.
Scammer sets up a fake store. When they get an order, they use a stolen credit card to ship the item to you from a legitimate retailer (Best Buy in this case, that is why you have the Best Buy receipt in the package). Scammer then pockets the original money, and word of mouth helps them get additional orders. At some point the system collapses, they take the money and run and use any credit card/PayPal info they have for their new fraud store, scam rinse and repeats.
Something like this happened to a pilot I was paired with who used a discount bulk disposable diaper internet service. The diapers he ordered and received were actually purchased with someone else’s stolen credit card. As far as he knew, he ordered diapers and they arrived as normal. A couple of months later the police showed up on his doorstep. It turned out the real account holder noticed a fraud charge on his statement, and get the police involved. It was easy to track as the statement had the legit retailer on the statement, and the retailer had this pilot's address as the receiver of the diapers bought with the stolen credit card.
The police said later his card info would probably be used to send diapers or unrelated merchandise to others. (This was a few years ago, I am fuzzy on the exact details of the story.)
First thing I would do is change any thing that you might have inadvertently given to the scammers. (PayPal password may have been intercepted by the web site, or any credit card info given to them for example.) I would also keep any info from the “discount” web site (emailed receipts, contact numbers, web addresses) in case the police knock on the door and think you committed fraud vs being a victim yourself.