The history of bypassing 2fa on a network of banks with a capitalization of 50B+
by RichAsHell - 01-08-25, 03:25 AM
#1
Hi all! I am new on your forum and am copying my topic from another forum.
Today I want to tell you a story that happened quite recently. I bypassed 2FA in the grid of banks with a total capitalization of about 50B (there were about 20 of them). It was one of the first successes, so probably that's why you can read this now. I want to share my failure so that everyone understands how not to do it with such success. Enjoy reading.
And so, I started by finding valid log passes from the public, studied the source code of the site and began to try to bypass it. I used the most basic tool - Burp Suite. The key task was to get Done from the site and Success from the security system.
I managed to do this very easily, just by going through the challenge type value.
Sending the CheckSyncResult as the current test, voila. I'm shocked, I think I've become rich. (haha)
One word made it possible to log in to any account only by username...
The next stage was the withdrawal of funds. There were a lot of accounts, but in banks, the numbers on the account don't really mean much. I had to register exchanges for the same name and withdraw funds with a hold per week. This is a problem.
I chose the most inactive accounts with the largest balance and put 10 pieces for withdrawal. Every day was like a snowball of money. But unfortunately, the hole was fixed a month later, I could not even output a figure with 6 zeros.

After this situation, almost holding a ticket to a new life, I learned a few lessons for myself:
1) If you have found success, do not rush. This is a very important moment in life, you should think about every step you take. With all participants in the case, once again approve or discuss the terms of cooperation, and then the exact plan of action. 
2) In my case, I should not have immediately looked at the accounts and rather tried to withdraw money from them, I needed to open a market and sell "shovels". 
3) If you could do it, then you definitely shouldn't do a routine. Tell the method to trusted people who can do the monotonous work for you. 
4) If you are not busy with routine, you can allow yourself to reveal the potential of your vulnerability completely, and not run headlong after the "gold". 

Having spoken out, I felt better. I wonder what you think about this, as well as if you want new stories or have any questions, I am open to all :)
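Added example, not part of the original post and not the banks' code: the post attributes the bypass to the client being able to choose the challenge type it answers. This sketch shows the server-side control for that class of flaw, where the challenge type is pinned in session state at issue time and a mismatching submission is rejected and recorded for detection. Every name except `CheckSyncResult` (the classes, methods, `OtpSms`, `OtpApp`) is hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass

# "CheckSyncResult" is the value named in the post; "OtpSms"/"OtpApp" are hypothetical.
PROVING_TYPES = {"OtpSms", "OtpApp"}  # challenge types that actually prove a second factor

@dataclass
class Pending:
    username: str
    challenge_type: str  # chosen by the server at issue time, never by the client
    code: str
    attempts: int = 0
    passed: bool = False

class MfaSessions:
    MAX_ATTEMPTS = 5

    def __init__(self):
        self._pending = {}
        self.alerts = []  # (username, issued_type, claimed_type) records for monitoring

    def issue(self, username, challenge_type="OtpSms"):
        if challenge_type not in PROVING_TYPES:
            raise ValueError("not a second-factor challenge")
        sid = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[sid] = Pending(username, challenge_type, code)
        return sid

    def verify(self, sid, claimed_type, answer):
        p = self._pending.get(sid)
        if p is None:
            return False
        if claimed_type != p.challenge_type:
            # The client answered a different challenge than the one issued.
            self.alerts.append((p.username, p.challenge_type, claimed_type))
            del self._pending[sid]  # force a fresh login
            return False
        p.attempts += 1
        if p.attempts > self.MAX_ATTEMPTS:
            del self._pending[sid]
            return False
        p.passed = hmac.compare_digest(answer.encode(), p.code.encode())
        return p.passed

    def is_authenticated(self, sid):
        p = self._pending.get(sid)
        return p is not None and p.passed
```
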
#2
That's cool as hell
Ban reason: as requested (Permanent)