So far, I’ve covered the basics of AI-based fraud protection systems – their weaknesses and how to bypass their detection methods. But let’s face it – sometimes you’re just rolling the dice. Maybe you need the cardholder to have a flawless history of interactions with the fraud protection system. Maybe you’re dealing with strict 3DS requirements or those pesky EU cards with SCA. Or maybe the fraud protection system is all too familiar with your device fingerprint after a few days and a few transactions.
In these cases, the resources required to maintain a working method multiply faster than your profits. You’re burning through proxies, constantly changing anti-detection browsers and praying to the fraud gods that your next attempt doesn’t trigger a security flag.
What if I told you there was a better way? This is a two-part guide that will change the way you approach carding forever. In Part 1, we’ll get behind the scenes — accessing these anti-fraud systems to understand exactly why your cards are being declined and how to evaluate your transactions. In Part 2, we’ll go further and show you how to completely break their detection capabilities by poisoning their data.
Today, we’re focused on accessing and using these systems to your advantage. It’s not just about understanding how they work — it’s about using their own tools to check your cards before you burn them when you get hit.
Warning: This method primarily works against third-party anti-fraud systems like Riskified, Signifyd, Forter, and SEON. If you’re going against built-in fraud protection processors like Stripe Radar or Adyen Risk Engine, the effectiveness drops significantly, since they have direct access to payment data and transaction patterns that third-party systems can’t see.
AI-powered antifraud and data
Let’s be clear: these AI-powered anti-fraud systems aren’t just fancy algorithms that check whether your IP address matches your billing address. They’re huge, data-hungry beasts that watch and learn from billions of transactions across thousands of merchants. Every time someone enters their card at any merchant that uses their service, that transaction becomes another data point in their massive neural network.
Think about it: When you try to card something on a site using a fraud protection system, the AI doesn’t just look at your current transaction. It checks to see if that card has ever been used by ANY of their merchant partners. Every legitimate transaction builds trust, every chargeback leaves an indelible mark on their database.
That’s why sometimes your perfect setup still fails — that flawless card with a high balance you’re trying to use? Maybe it caused a chargeback at some random dropshipping store three months ago. Or maybe the real cardholder only makes small purchases under $100, and suddenly you’re trying to buy a $2,000 laptop. AI sees these patterns and remembers. Forever.
The data they collect is insane — device fingerprints, behavioral patterns, transaction amounts, time between purchases, typical merchant categories… But at the core of their decision making is one simple question: “Does this transaction match the historical pattern we’ve seen with this card across our entire network?”
This is why reusing the same card is suicide. Even if you change everything else, you’ll create a profile in their database that screams “I’m a fraud.” Every failed attempt is another red flag associated with that card number and your device fingerprint.
These fraud systems intentionally keep you in the dark by never telling you the real reason your transaction failed. They won’t say, “Declined: This card has had 17 failed attempts on our network in the last week” — they’ll just hit you with this generic nonsense. That’s what makes them black box systems — you can’t see inside their decision-making process.
But that’s why gaining access to these systems is so damn important. No more guessing why your Booking.com transaction was declined — you’ll have the same tools they use to make those decisions. You’ll see exactly what set them off, whether it’s suspicious device patterns, unusual spending behavior, or a three-month-old chargeback that’s still haunting the card. And in Part 2, we’ll take that knowledge and use it to poison their data — injecting our own patterns and behaviors until these systems have no choice but to approve our transactions. Think of it as reprogramming their AI from the inside out.
Getting Behind Enemy
Lines Getting behind these fraud prevention systems is the biggest headache you’ll ever face. Once you do, you’ll be pretty confident in your safety.
First, you need to understand that these "enterprise-grade" systems are used by companies that are so desperate for growth that their sales teams would probably sign a potato if it had a store. Each vendor has its own level of security, and knowing which ones to target can save you weeks of wasted effort.
Control Panel URLs:
SEON is your entry-level bitch. These providers are so hungry for business that they will let anyone with a half-decent website and a credit card sign up. No video calls, no intensive verification – just basic business verification that any semi-competent scammer can bypass. Perfect for dipping your toes in the water. The only problem is that no big enough site uses SEON.
As you move up the difficulty ladder, you get Signifyd and Riskified. These bastards actually pretend to care who they sign up. They will want to see a legitimate looking business, they will check your email, and their sales team will actually try to talk to you. Nothing is impossible, but you better have some balls and a solid business front.
Here comes Forter, the latest boss in antifraud access. These paranoid bastards want video calls, business records checks, and enough evidence to make the FBI jealous. Unless you're planning a large-scale attack, don't waste your time. The investment just isn't worth it when you can buy logs for a fraction of the effort.
If you’re still determined to get your own access (you stubborn carder), here’s what you need to do:
Get a clean domain from Namecheap ($10-15 with privacy enabled) with a basic .com/.co TLD, then set up a Shopify test store in the electronics or fashion space — niches that pair perfectly with expensive carding. Use AI to generate your business name, product descriptions, and documents, scan images from legitimate stores, set up a professional firstname@domain email, and create a boring LinkedIn profile. The more mundane and corporate your setup looks, the better your chances of getting through verification.
But here’s the real shit most guides won’t tell you — unless you’re planning something big, just buy the logs. For a few bucks, you can get access to the dashboard of any reputable merchant. No paper trail, no monthly fees, no risk of screwing up during verification, and instant access to multiple vendors. Just make sure you buy from sellers who don’t promote burned accounts.
The whole point of this method is to be smarter than the average skid. Why build an entire fake business when you can get in through your existing access? Save that energy for what’s next – breaking into their dashboards, assessing your transactions, and basically poisoning those systems.
Assessing your OWN transactions
Now that we’ve covered gaining access to these systems, let’s talk about what’s really important – using them to validate your cards before you burn them. But first, you need to understand how these bastards actually work under the hood.
When a merchant uses the fraud protection system, they receive three possible responses for each transaction:
Along with these decisions, merchants receive a risk score from 0 to 100, and sometimes specific recommendations like “force 3DS” or “verify phone number.”
The key thing to understand is that merchants control how strictly they follow these recommendations. Some automatically reject anything with a risk score above 50, while others may manually review orders up to 80. A few desperate merchants may even approve high-risk orders just to make sales.
This flexibility in merchant settings explains why the same card may work on one site but not on another, even if they use the same fraud prevention provider. A small electronics store might approve a $500 order that Best Buy would instantly reject.
But don’t be overconfident—these systems share data. A rejected transaction at some random merchant still registers with the anti-fraud network and can ruin future attempts at all merchants using that vendor. This is why we get access to these systems first — so we can use their own AI to evaluate our transactions before we run them. Think of it as turning their own guns against them — using their risk assessment to test our setup before we burn cards on real attempts.
Using SEON (and other anti-fraud systems)
Each anti-fraud provider implements their shit differently. Signifyds API is completely different from Forters, and Riskified does its own weird stuff. But the basic concept is the same - you feed them transaction data, and they give you a risk score. Let's use SEON as an example, because they're the easiest to work with and the easiest to sign up for. Make sure you have an account on SEON.io and a working API key. Fire up your terminal and make a CURL API call to their endpoint with the details of the transaction you want to score.
API Calls
Their API will return the response:
Reading the answer
SEON's answer tells you three important things:
1. Fraud Score (0–100)
The score ranges from 0 to 100, where:
2. Rules and data points applied
The response shows which default rules were activated:
3. Offer
One of three possible actions:
The response also includes details about why each rule was triggered, allowing you to see exactly what raised the red flags. This allows you to adjust your approach to maximize success when attacking sites. In our next guide, we’ll cover how to poison these systems so they’re more likely to approve your transactions.
Remember: each fraud protection system has its own special sauce. Signifyd may place more importance on email age, while Forter may care more about device fingerprinting. The key is to learn how to read their responses and adjust your approach based on what they flag.
Other Providers
Different fraud protection providers have their own unique API setups, each with their own quirks and requirements. Here’s an example of how to submit transactions to some of the major players:
Signifyd
Riskified
Forter
Here's an example of how I evaluate my card information for Signifyd before I use it on a Signifyd site. See how they approved it for $4,000? That means I can easily get an amount below $4,000 for any Signifyd site with the same information and get away with it.
If you already have access to any of these systems through self-registration or logs and need help implementing them, please comment on this thread.
What's next?
While our previous guide showed you how to bypass these AI systems from the outside, this time we've gone deeper - right into their guts. Now you understand how merchants communicate with their anti-fraud providers, how risk decisions are made, and most importantly, how to access their dashboards to check your own cards before you burn them.
But knowing how to read these systems is just the beginning. In Part 2, we’re going to completely break them. You’ll learn how to poison their training data, create robust profiles, and make their AI work for you, not against you.
With these guides, these systems are no longer black boxes — you’ve seen how they work from the inside. It’s time to make them dance to your tune.
Stay tuned for Part 2.
(c) Telegram: d0ctrine
In these cases, the resources required to maintain a working method multiply faster than your profits. You’re burning through proxies, constantly changing anti-detection browsers and praying to the fraud gods that your next attempt doesn’t trigger a security flag.
What if I told you there was a better way? This is a two-part guide that will change the way you approach carding forever. In Part 1, we’ll get behind the scenes — accessing these anti-fraud systems to understand exactly why your cards are being declined and how to evaluate your transactions. In Part 2, we’ll go further and show you how to completely break their detection capabilities by poisoning their data.
Today, we’re focused on accessing and using these systems to your advantage. It’s not just about understanding how they work — it’s about using their own tools to check your cards before you burn them when you get hit.
Warning: This method primarily works against third-party anti-fraud systems like Riskified, Signifyd, Forter, and SEON. If you’re going against built-in fraud protection processors like Stripe Radar or Adyen Risk Engine, the effectiveness drops significantly, since they have direct access to payment data and transaction patterns that third-party systems can’t see.
AI-powered antifraud and data
Let’s be clear: these AI-powered anti-fraud systems aren’t just fancy algorithms that check whether your IP address matches your billing address. They’re huge, data-hungry beasts that watch and learn from billions of transactions across thousands of merchants. Every time someone enters their card at any merchant that uses their service, that transaction becomes another data point in their massive neural network.
Think about it: When you try to card something on a site using a fraud protection system, the AI doesn’t just look at your current transaction. It checks to see if that card has ever been used by ANY of their merchant partners. Every legitimate transaction builds trust, every chargeback leaves an indelible mark on their database.
That’s why sometimes your perfect setup still fails — that flawless card with a high balance you’re trying to use? Maybe it caused a chargeback at some random dropshipping store three months ago. Or maybe the real cardholder only makes small purchases under $100, and suddenly you’re trying to buy a $2,000 laptop. AI sees these patterns and remembers. Forever.
The data they collect is insane — device fingerprints, behavioral patterns, transaction amounts, time between purchases, typical merchant categories… But at the core of their decision making is one simple question: “Does this transaction match the historical pattern we’ve seen with this card across our entire network?”
This is why reusing the same card is suicide. Even if you change everything else, you’ll create a profile in their database that screams “I’m a fraud.” Every failed attempt is another red flag associated with that card number and your device fingerprint.
These fraud systems intentionally keep you in the dark by never telling you the real reason your transaction failed. They won’t say, “Declined: This card has had 17 failed attempts on our network in the last week” — they’ll just hit you with this generic nonsense. That’s what makes them black box systems — you can’t see inside their decision-making process.
But that’s why gaining access to these systems is so damn important. No more guessing why your Booking.com transaction was declined — you’ll have the same tools they use to make those decisions. You’ll see exactly what set them off, whether it’s suspicious device patterns, unusual spending behavior, or a three-month-old chargeback that’s still haunting the card. And in Part 2, we’ll take that knowledge and use it to poison their data — injecting our own patterns and behaviors until these systems have no choice but to approve our transactions. Think of it as reprogramming their AI from the inside out.
Getting Behind Enemy
Lines Getting behind these fraud prevention systems is the biggest headache you’ll ever face. Once you do, you’ll be pretty confident in your safety.
First, you need to understand that these "enterprise-grade" systems are used by companies that are so desperate for growth that their sales teams would probably sign a potato if it had a store. Each vendor has its own level of security, and knowing which ones to target can save you weeks of wasted effort.
Control Panel URLs:
- Forter: portal.forter.com
- Signifyd: app.signifyd.com
- Riskified: app.riskified.com
- SEON: admin.seon.io
- Ravelin: dashboard.ravelin.com
SEON is your entry-level bitch. These providers are so hungry for business that they will let anyone with a half-decent website and a credit card sign up. No video calls, no intensive verification – just basic business verification that any semi-competent scammer can bypass. Perfect for dipping your toes in the water. The only problem is that no big enough site uses SEON.
As you move up the difficulty ladder, you get Signifyd and Riskified. These bastards actually pretend to care who they sign up. They will want to see a legitimate looking business, they will check your email, and their sales team will actually try to talk to you. Nothing is impossible, but you better have some balls and a solid business front.
Here comes Forter, the latest boss in antifraud access. These paranoid bastards want video calls, business records checks, and enough evidence to make the FBI jealous. Unless you're planning a large-scale attack, don't waste your time. The investment just isn't worth it when you can buy logs for a fraction of the effort.
If you’re still determined to get your own access (you stubborn carder), here’s what you need to do:
Get a clean domain from Namecheap ($10-15 with privacy enabled) with a basic .com/.co TLD, then set up a Shopify test store in the electronics or fashion space — niches that pair perfectly with expensive carding. Use AI to generate your business name, product descriptions, and documents, scan images from legitimate stores, set up a professional firstname@domain email, and create a boring LinkedIn profile. The more mundane and corporate your setup looks, the better your chances of getting through verification.
But here’s the real shit most guides won’t tell you — unless you’re planning something big, just buy the logs. For a few bucks, you can get access to the dashboard of any reputable merchant. No paper trail, no monthly fees, no risk of screwing up during verification, and instant access to multiple vendors. Just make sure you buy from sellers who don’t promote burned accounts.
The whole point of this method is to be smarter than the average skid. Why build an entire fake business when you can get in through your existing access? Save that energy for what’s next – breaking into their dashboards, assessing your transactions, and basically poisoning those systems.
Assessing your OWN transactions
Now that we’ve covered gaining access to these systems, let’s talk about what’s really important – using them to validate your cards before you burn them. But first, you need to understand how these bastards actually work under the hood.
When a merchant uses the fraud protection system, they receive three possible responses for each transaction:
- APPROVED - The transaction appears clean, process the payment
- VIEW - suspicious but not obviously a scam, requires manual review
- REJECT - a high risk transaction that should be blocked
Along with these decisions, merchants receive a risk score from 0 to 100, and sometimes specific recommendations like “force 3DS” or “verify phone number.”
The key thing to understand is that merchants control how strictly they follow these recommendations. Some automatically reject anything with a risk score above 50, while others may manually review orders up to 80. A few desperate merchants may even approve high-risk orders just to make sales.
This flexibility in merchant settings explains why the same card may work on one site but not on another, even if they use the same fraud prevention provider. A small electronics store might approve a $500 order that Best Buy would instantly reject.
But don’t be overconfident—these systems share data. A rejected transaction at some random merchant still registers with the anti-fraud network and can ruin future attempts at all merchants using that vendor. This is why we get access to these systems first — so we can use their own AI to evaluate our transactions before we run them. Think of it as turning their own guns against them — using their risk assessment to test our setup before we burn cards on real attempts.
Using SEON (and other anti-fraud systems)
Each anti-fraud provider implements their shit differently. Signifyds API is completely different from Forters, and Riskified does its own weird stuff. But the basic concept is the same - you feed them transaction data, and they give you a risk score. Let's use SEON as an example, because they're the easiest to work with and the easiest to sign up for. Make sure you have an account on SEON.io and a working API key. Fire up your terminal and make a CURL API call to their endpoint with the details of the transaction you want to score.
API Calls
Code:
$ curl https://api.seon.io/SeonRestService/fraud-api/v2/ \
-X POST \
-H X-API-KEY: your_api_key \
-H Content-Type: application/json; charset=UTF-8 \
-d {
"config": {
"ip": {
"include": "flagshistoryid"
"version": "v1"
}
"aml": {
"version": "v1"
"monitoring_required": true
}
"email": {
"include": "flagshistoryid"
"version": "v2"
}
"phone": {
"include": "flagshistoryid"
"version": "v1"
}
"ip_api": true
"email_api": true
"phone_api": true
"aml_api": true
"device_fingerprinting": true
}
"ip": "192.168.1.1"
"action_type": "purchase"
"transaction_id": "txn_123456"
"affiliate_id": "aff_78910"
"order_memo": "Test order"
"email": "[email protected]"
"email_domain": "domain.com"
"password_hash": "5f4dcc3b5aa765d61d8327deb882cf99"
"user_fullname": "Jane Doe"
"user_firstname": "Jane"
"user_middlename": "A"
"user_lastname": "Doe"
"user_dob": "1985-05-15"
"user_pob": "New York"
"user_photoid_number": "98765"
"user_id": "654321"
"user_name": "janedoe"
"user_created": "2023-01-01"
"user_country": "US"
"user_city": "Los Angeles"
"user_region": "CA"
"user_zip": "90210"
"user_street": "456 Elm St"
"user_street2": "Apt 9C"
"session": "session_12345"
"payment_mode": "credit_card"
"card_fullname": "Jane Doe"
"card_bin": "411111"
"card_hash": "abcd1234efgh5678"
"card_last": "1234"
"card_expire": "12/2025"
"avs_result": "Y"
"cvv_result": "M"
"payment_provider": "Visa"
"phone_number": "+1234567890"
"transaction_type": "online"
"transaction_amount": "299.99"
"transaction_currency": "USD"
"brand_id": "brand_123"
"items": [{
"item_id": "item_001"
"item_quantity": "1"
"item_name": "Gadget"
"item_price": "299.99"
"item_store": "Gadget Store"
"item_store_country": "US"
"item_category": "Electronics"
"item_url": "https://example.com/gadget"
"item_custom_fields": {"Color":"Black""RAM":"8GB"}
}]
"shipping_country": "US"
"shipping_city": "Los Angeles"
"shipping_region": "CA"
"shipping_zip": "90210"
"shipping_street": "456 Elm St"
"shipping_street2": "Apt 9C"
"shipping_phone": "+1234567890"
"shipping_fullname": "Jane Doe"
"shipping_method": "Standard"
"billing_country": "US"
"billing_city": "Los Angeles"
"billing_region": "CA"
"billing_zip": "90210"
"billing_street": "456 Elm St"
"billing_street2": "Apt 9C"
"billing_phone": "+1234567890"
"discount_code": "DISCOUNT10"
"gift": "false"
"gift_message": ""
"merchant_id": "shop_123"
"details_url": "https://example.com/orderdetails"
"custom_fields": {}
}
Their API will return the response:
Code:
{
"success": true
"error": {}
"data": {
"id": "67c2810c2de1"
"state": "DECLINE"
"fraud_score": 95.75
"blackbox_score": 93.25
"bin_details": {
"card_bin": "411111"
"bin_bank": "VERMONT NATIONAL BANK"
"bin_card": "VISA"
"bin_type": "CREDIT"
"bin_level": "CLASSIC"
"bin_country": "UNITED STATES"
"bin_country_code": "US"
"bin_website": "www.vermontnationalbank.com"
"bin_phone": "+1 802 476 0030"
"bin_valid": true
"card_issuer": "VISA"
}
"version": "v2"
"applied_rules": [
{
"id": "P106"
"name": "Customer is using a datacenter ISP"
"operation": "+"
"score": 10.0
}
{
"id": "P110"
"name": "IP address was found on 4 spam blacklists"
"operation": "+"
"score": 4.0
}
{
"id": "P112"
"name": "Customer is using public proxy"
"operation": "+"
"score": 10.0
}
{
"id": "E123"
"name": "Email is not similar to user full name"
"operation": "+"
"score": 1.0
}
]
"device_details": {
"os": "MacOS"
"type": "web"
"browser": "FIREFOX10"
"private": true
"platform": "MacIntel"
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0"
"device_type": "desktop"
"screen_resolution": "1600x800"
}
"ip_details": {
"ip": "192.168.1.1"
"score": 24.0
"country": "US"
"state_prov": "California"
"city": "Los Angeles"
"type": "DCH"
"tor": false
"vpn": false
"web_proxy": false
"public_proxy": true
"spam_number": 4
}
"email_details": {
"email": "[email protected]"
"score": 2.11
"deliverable": true
"domain_details": {
"domain": "domain.com"
"registered": true
"disposable": false
"free": false
"custom": true
}
}
"calculation_time": 2327
}
}
Reading the answer
SEON's answer tells you three important things:
1. Fraud Score (0–100)
The score ranges from 0 to 100, where:
- 0-50: Low risk, probably legal
- 51–80: Moderate risk, requires attention
- 81-100: High risk, likely fraud
2. Rules and data points applied
The response shows which default rules were activated:
- email.disposable: using temporary email
- email.quality: how legit an email looks
- ip.proxy: VPN/proxy detection
- ip.datacenter: Use the IP address of the data center
- card.bin_risk: BIN risk level
- velocity.ip: too many hits from one IP address
3. Offer
One of three possible actions:
- approve
- reject
- view
The response also includes details about why each rule was triggered, allowing you to see exactly what raised the red flags. This allows you to adjust your approach to maximize success when attacking sites. In our next guide, we’ll cover how to poison these systems so they’re more likely to approve your transactions.
Remember: each fraud protection system has its own special sauce. Signifyd may place more importance on email age, while Forter may care more about device fingerprinting. The key is to learn how to read their responses and adjust your approach based on what they flag.
Other Providers
Different fraud protection providers have their own unique API setups, each with their own quirks and requirements. Here’s an example of how to submit transactions to some of the major players:
Signifyd
Code:
Production: https://api.signifyd.com/v3/orders
Sandbox: https://api.signifyd-staging.com/v3/orders
Method: POST
Headers:
- X-SIGNIFYD-API-KEY: {your_api_key}
- Content-Type: application/json
Riskified
Code:
Production: https://wh.riskified.com/api/v2/orders
Sandbox: https://sandbox.riskified.com/api/v2/orders
Method: POST
Headers:
- HMAC-SHA256: {calculated_hmac}
- X-RISKIFIED-SHOP-DOMAIN: {your_shop_domain}
- Content-Type: application/json
Forter
Code:
Production: https://api.forter.com/v2/orders/validation
Sandbox: https://api-sandbox.forter.com/v2/orders/validation
Method: POST
Headers:
- api-version: 2.36
- x-forter-siteid: {your_site_id}
- Authorization: Bearer {your_api_key}
- Content-Type: application/json
Here's an example of how I evaluate my card information for Signifyd before I use it on a Signifyd site. See how they approved it for $4,000? That means I can easily get an amount below $4,000 for any Signifyd site with the same information and get away with it.
If you already have access to any of these systems through self-registration or logs and need help implementing them, please comment on this thread.
What's next?
While our previous guide showed you how to bypass these AI systems from the outside, this time we've gone deeper - right into their guts. Now you understand how merchants communicate with their anti-fraud providers, how risk decisions are made, and most importantly, how to access their dashboards to check your own cards before you burn them.
But knowing how to read these systems is just the beginning. In Part 2, we’re going to completely break them. You’ll learn how to poison their training data, create robust profiles, and make their AI work for you, not against you.
With these guides, these systems are no longer black boxes — you’ve seen how they work from the inside. It’s time to make them dance to your tune.
Stay tuned for Part 2.
(c) Telegram: d0ctrine