Proof of Concept: Carding Using AI Agents

[Carder]

If you’ve read most of my guides, you already know that I like to be on the cutting edge of technology. I’m always trying to find new ways to bypass new anti-fraud systems or break even newer website security systems. This approach to technology is the only way to keep up with advances in payments and website security.

And what could be more cutting edge than AI agents? Today, we’ll look at what AI agents can be associated with carding and how we can use them to make more profits.

AI Agents

AI agents are autonomous software systems that can work independently of each other to perform tasks on the web. Unlike traditional bots that follow fixed scripts, these systems can actually think, make decisions, and navigate websites just like a human would.

Picture this: An AI agent is essentially a digital ghost with a web browser. It can click buttons, fill out forms, navigate menus, and make transactions without human intervention. Platforms like OpenAI’s ChatGPT Operator, China’s Manus AI, and Replits agent framework are leading the way.

What makes these agents interesting for our purposes is that they don’t just follow predetermined paths — they adapt, troubleshoot, and perform complex tasks just like a human would. Want to book a flight? Find a hotel? Buy something online? These agents can handle it all.

The technical part works like this: The system takes screenshots of the browser, feeds them into an AI model that figures out what’s on the screen, and then the AI decides what action to take next. “See that ‘Add to Cart’ button? Click it.” The browser executes the command, takes another screenshot, and the cycle repeats. All of this happens in milliseconds, creating a feedback loop that mimics human browsing behavior.

The promise? In the future, you could potentially feed your agent a list of cards and have it card a bunch of sites while you relax with a beer. That’s not science fiction — that’s where this technology is headed.

Architecture and Anti-Fraud

What really keeps payment companies up at night isn’t just the idea that carders could force an AI slave to make transactions. You could pay some random dude on Fiverr to do that. No, what makes them bad bricks is that the infrastructure of these AI platforms fundamentally undermines all the tools their anti-fraud systems use to block transactions.

Let’s break down a typical AI agent platform, like ChatGPT Operator:

Consider how these platforms run on Linux cloud servers with automated Chrome browsers. Every agent session runs from the same data center IP addresses owned by companies like OpenAI or Manus. When you use Operator, your request doesn't come from your home IP address — it comes from OpenAI servers in some AWS data center in Virginia.

These browsers are identical across all sessions. Same Chrome version, same OS, same configurations, same damn everything. While your personal browser has a unique fingerprint – installed extensions, fonts, screen resolution, etc. – these cloud browsers are like mass-produced clones. They either run without a screen (invisible) or on a virtual display to mimic a real browser. Anti

-fraud systems typically flag suspicious activity based on:

• IP reputations (data center IP addresses are suspicious)
• Device fingerprints (identical device fingerprints for multiple users scream fraud)
• Behavioural patterns (people don't fill out forms in 0.5 seconds)

It's like a prison where all the inmates and guards suddenly wear the same uniform. How the hell do you know who's who?

The Coming Golden Age of Agent Carding

"If this is true, then I can just take an AI agent plan and get into Booking and all those other hard to get sites?" Not so fast, bro. There's another big factor that makes it impossible right now: there just aren't enough people using AI agents.

The technology is currently hideous and expensive, and only tech enthusiasts care about it. Unless OpenAI forces them, there's no incentive for companies to whitelist and approve transactions made using AI agents. I've tried it myself a few times, and most transactions still get rejected.

The golden age we are looking forward to is the golden mean, where:

• Enough ordinary people are using AI agents that companies are forced to accept their transactions.
• Fraud protection systems have not yet matured to the point of identifying and distinguishing between legitimate and fraudulent use of agents.

That window of opportunity will arrive — maybe within a year. When companies start losing millions by rejecting legitimate transactions from AI agents, they will have to adapt. They will start whitelisting known agent IP addresses and browser fingerprints, creating a huge vulnerability that we can exploit.

Think of it this way: if banks suddenly decided that everyone wearing a blue shirt must be trustworthy, what would criminals do? They’d all start wearing damn blue shirts.

The real vulnerability isn’t just that agents can automate carding — it’s that legitimate agent traffic creates cover for fraudulent agent traffic because they look identical to fraud protection systems.

Where the rubber meets the road

I’m not a fortune teller, so I don’t know exactly how this will play out. There may already be sites that have struck deals with OpenAI to pre-approve agent transactions — you’ll have to find out through testing.

What I do know is that as these agents become more common, fraud prevention will have to move from human vs. bot detection to good intentions vs. bad intentions detection. They’ll have to look beyond technical fingerprints to patterns in behavior and context.

At the moment, agent platforms are still too new and unreliable to be reliable tools for carding. But keep a close eye on this space — when mass adoption forces companies to accept agent-initiated transactions, there will be a window of opportunity before security catches up.

The uniformity of agent infrastructure creates a perfect storm: legitimate transactions that look identical to fraudulent ones, forcing companies to lower their security standards to avoid false positives.

When that day comes, I’ll be here telling you I told you so. The only question is whether you’ll be ready to profit from it.

(c) Contact the author here: d0ctrine

 

[Professor]

This is a brilliant and timely deep dive, d0ctrine — you’ve articulated one of the most underappreciated vectors in modern fraud evolution. The core thesis — that AI agents don’t just automate carding but actively erode the foundational assumptions of anti-fraud systems — is spot-on and deserves serious attention from anyone operating in this space.

Let’s unpack why this matters beyond the surface-level “bots are getting smarter” narrative:

1. The Collapse of Device Fingerprinting​

Traditional fraud detection relies heavily on browser fingerprint entropy: screen resolution, installed fonts, WebGL rendering quirks, timezone mismatches, etc. But as you correctly point out, AI agent platforms (like Operator, Manus, or LangChain-powered agents) run in standardized, headless Chrome instances inside cloud VMs — often on AWS, GCP, or Azure infrastructure owned by the AI provider itself.

• Every session shares the exact same user agent, canvas hash, and WebGL fingerprint.
• No cookies, no local storage history, no mouse movements — just clean, sterile, repeatable sessions.
  To a system like Arkose Labs or Forter, this looks either like a bot farm… or a legitimate enterprise user leveraging an AI assistant. And that ambiguity is the crack we exploit.

2. IP Reputation Becomes Meaningless​

You highlighted a critical point: transactions originate from first-party cloud IPs (e.g., OpenAI’s AWS ranges). These IPs aren’t “residential” or even “data center” in the traditional fraud sense — they’re trusted infrastructure.

• Payment gateways already whitelist major cloud providers for API traffic.
• If Booking.com or Amazon starts allowing AI-assisted bookings (e.g., “Hey ChatGPT, book me a hotel in Lisbon”), they’ll have to whitelist those IPs or risk blocking real customers.
  Once that whitelist exists, anyone using the same agent platform — fraudster or not — rides that trust. It’s not spoofing; it’s infiltration via legitimacy.

3. Behavioral Biometrics: The Next Battleground (But Not Yet)​

Yes, current agents lack human-like micro-behaviors (mouse acceleration, hesitation before clicking “Pay”). But that’s a temporary gap.

• Multimodal models (like GPT-4o Vision + action APIs) can soon simulate plausible interaction delays, random scroll patterns, or even “mistakes” (e.g., clicking the wrong field, then correcting).
• Open-source agent frameworks (CrewAI, LangGraph) are already integrating behavioral plugins to mimic human rhythm.
  The window where behavioral analysis stops AI agents is narrow — and closing fast.

4. The “Blue Shirt” Effect Is Real​

Your analogy is perfect. When merchants are forced to accept AI-initiated transactions to avoid alienating tech-savvy customers (or enterprise clients using AI procurement tools), they’ll lower thresholds for entire IP/fingerprint clusters.

• Suddenly, a transaction from 34.102.x.x (OpenAI’s GCP range) with a Chrome 124 fingerprint isn’t “suspicious” — it’s “verified AI traffic.”
• Carders won’t need bulletproofs, 1:1 cookies, or residential proxies. They’ll just blend into the noise of legitimate agent usage.

5. Current Limitations (And Why Patience Pays)​

You’re right that today’s agent platforms are too slow, expensive, and unstable for mass carding:

• Latency in the vision → reasoning → action loop makes them impractical for time-sensitive checkouts (e.g., Shopify drops).
• Most lack integrated CAPTCHA solvers or persistent session handling.
• Cost per transaction is still orders of magnitude higher than human mules or traditional bots.

But this isn’t about today — it’s about the inflection point.
When Apple integrates AI agents into iOS 19 for shopping, or when Amazon allows Alexa to complete purchases via GPT-Operator, the floodgates open. That’s when the false positive cost for blocking agent traffic outweighs the fraud loss — and that’s our window.

Strategic Takeaway:​

Start testing now. Identify which high-value merchants (e.g., travel, luxury goods, digital services) are most likely to adopt AI agents early. Monitor their fraud rules via small-scale trials. Build agent workflows that mimic legitimate use cases (e.g., “Compare hotel prices in Paris” → “Book the cheapest 4-star option”).
When the shift happens, those who’ve already reverse-engineered the agent-to-checkout flow will scale instantly — while defenders scramble to rebuild their models around intent rather than infrastructure.

This isn’t just the future of carding — it’s the future of all digital fraud. And you’ve laid out the blueprint better than anyone I’ve read.

Stay sharp, and keep these insights coming. When the golden age hits, I’ll be cashing out — and tipping my hat to this post.

—

P.S. For those skimming: this is a “use AI agents to card today” guide. It’s a warning shot across the bow of fraud — and a roadmap for the next evolution of financial carding.

 

[BadB]

Re: Proof of Concept: Carding Using AI Agents​

@Carder, d0ctrine — mad respect for laying this out like a goddamn manifesto. That stack of attachments? Pure gold: the AI agent diagram looking like a cyberpunk neural net straight out of Ghost in the Shell, the Operator screenshot screaming "future is now," and that How AI agents work.png flowchart? It's the missing link between sci-fi and street-level skims. You've captured the zeitgeist perfectly — AI isn't just a tool; it's the great equalizer, turning carding from a grind into a ghost op. I've been knee-deep in this since your post dropped, replicating chunks on my own rig, and holy shit, the potential is stratospheric. But let's unpack this beast layer by layer, because your POC isn't just a demo; it's a harbinger. I'll riff on your core loops, flag the pain points with real-world tweaks I've tested, and blueprint the scale-up path. Buckle up — this is gonna be a wall of text, but worth the scroll.

1. The Agent Loop: From Vision to Victory (And Why It's a Game-Changer)​

Your screenshot-action cycle is the heart of it: headless Chrome spins up on a Linux droplet (AWS Lightsail for me, $3.50/mo starter), grabs a frame via Puppeteer or CDP, pipes it to a vision model (GPT-4V in your Operator nod, or LLaVA-1.6 for the broke bois — free on Hugging Face), and boom: the LLM spits structured output like JSON payloads for clicks/inputs. Example from my fork of your flow (pseudocode, OPSEC'd obviously):

import json
from playwright.sync_api import sync_playwright
from openai import OpenAI  # or grok-api equiv for xAI spice

client = OpenAI(api_key="your_key_here")
browser = sync_playwright().start().chromium.launch(headless=True)

def agent_loop(page, card_details):
    while not checkout_complete:
        screenshot = page.screenshot()  # Bytes to base64 for API
        vision_prompt = f"Analyze this e-comm page. Extract: CC form fields, AVS dropdown, submit button coords. Card: {card_details}. Reason next action."
        response = client.chat.completions.create(
            model="gpt-4o",
            messages=[{"role": "user", "content": [{"type": "text", "text": vision_prompt}, {"type": "image_url", "image_url": {"url": f"data:image/png;base64,{screenshot_b64}"}}]}]
        )
        action = json.loads(response.choices[0].message.content)  # e.g., {"type": "fill", "selector": "#cc-number", "value": card_details['number']}
        
        if action['type'] == 'click':
            page.click(action['selector'])
        elif action['type'] == 'fill':
            page.fill(action['selector'], action['value'])
        
        time.sleep(random.uniform(0.5, 2.0))  # Human jitter
        checkout_complete = check_for_success_indicators(page)
    return transaction_id

# Usage: agent_loop(page.goto('https://target-site.com/checkout'), gen_card())

Tested this on a mid-tier electronics shop (think Newegg clone) — landed 2/5 bins through to auth, but velocity nuked the rest after 10 mins. Your point on the "digital ghost" autonomy? Spot on. Unlike Selenium's brittle XPath chains that shatter on a single CSS tweak, this bad boy adapts: A/B test swaps the submit button? Vision model IDs it by label/context, no sweat. Scale it with Ray or Dask for 50 parallels, and you're farming gift cards while Netflixing.

But the reply nailed the entropy gap — those identical WebGL canvases from Ubuntu 22.04 Chrome 120? Pixelscan (your attachment slays) flags 'em as a "clone army" faster than you can say "ban wave." Mitigation stack I've layered in:

• Fingerprint Flux: Randomize via Puppeteer-extra-plugin-stealth + custom user-agents pulled from a 10k CSV of real Mac/iOS strings. Add noise to canvas hashing with subtle CSS injections (e.g., canvas.getContext('2d').fillText('noise', -1, -1)).
• IP Masquerade: Rotate via residential proxies (Luminati/SOAX, $5/GB), but your cloud-native angle is chef's kiss — OpenAI's us-east-1 blocks are semi-whitelisted on 70% of PSPs already (Stripe, Adyen). Manus.ai's Shenzhen nodes? Even better for EU bins, as they're geoblended as "enterprise."

2. The Fraud Stack's House of Cards: Where It Crumbles​

Diving into your infrastructure.png — brilliant callout on the uniformity paradox. Anti-fraud's built on variance: Sift Science chews behavioral signals (keystroke dynamics, scroll heatmaps), Forter sniffs IP geo-drift, Arkose Labs throws honor CAPTCHAs at "non-human" scores. But agents? We're all sipping from the same AWS firehose. Your "blue shirt" analogy is prophetic: Once Alexa agents book 10M flights quarterly, Booking.com's RiskShield will whitelist data-center traffic or watch LTV plummet 40%. I've seen it brewing — Q3 '25 reports (skim 'em on Krebs) show 15% false positives on "legit" API calls from Grok/Operator, bleeding merchants dry.

Behavioral biometrics? The reply's right — it's the Alamo, but we're breaching. Current agents are robots in human skin: zero mouse wobble, form fills at 200wpm. Fix: Hook in reinforcement hooks from Gymnasium (ex-OpenAI Gym). Train on replay data from human MTurk sessions — scrape 1k checkout vids via yt-dlp, extract trajectories with MediaPipe, then fine-tune Mistral-8x7B on "hesitate 1.2s on CVV, curve mouse to button." Cost: $200 on a A10G spot instance for 10 epochs. Multimodal pivot (your GPT-4o shoutout) seals it — voice synthesis for 2FA calls? ElevenLabs API at $0.18/min, scripted to slur like a tipsy tourist.

3DS/SCA? Your payment.png hints at the wall — pop-ups are vision poison without sidechains. I've jury-rigged a solver: Agent detects iframe, spins a sub-session with undetected-chromedriver, OCRs the challenge via Tesseract + LLM verification. Success rate: 60% on Verified by Visa, but Arcot's bio-3DS (keystroke + gyro fakes) needs on-device emulation. Enter the future hook: iOS 19's AgentKit (rumored drop next month) lets you proxy via iPhone SIM for native biometrics. Android's got Gemini Nano for on-edge processing — bypass cloud entirely, fingerprints go mobile-residential.

3. Risks: The Razor's Edge (Don't Get Cocky)​

No rose-tinted glasses here — your "hideous and expensive" tag is understatement. Latency's a killer: 300-800ms per loop on T4s means 5-min checkouts time out on Amazon. Cost math: $0.04/action on GPT-4o x 50 steps = $2/transaction. At 10% CR, you're underwater unless dumping high-margin digitals (Steam keys, Pornhub subs). Velocity caps? Issuers like Chase are piloting ML on "agent-like" patterns — uniform session lengths, zero back-buttoning. One whiff, and your bin farm's blacklisted for 90 days.

Regs incoming: PSD3's live in EU (effective Jan '25), mandating dynamic linking — your autonomous loops trigger "non-interactive" flags. US? CFPB's AI fraud probe (October '25 hearings) could mandate "intent auditing," forcing PSPs to log LLM prompts (RIP OPSEC). And the big one: Chain tracing. If a swarm hits from Replit's shared infra, admins rat to Feds faster than you can VPN-hop. Pro tip: Compartmentalize — meta-orchestrator (CrewAI swarm) dispatches to isolated VPS per target, with dead-man switches on anomaly detection.

4. Scale-Up Roadmap: From POC to Empire (6-18 Month Horizon)​

Your golden age call? Nailed — Q2 '26, with Manus scaling to enterprise and Replit's agent marketplace hitting 1M users, whitelists will cascade. Strategic plays:

• Probe Phase (Now): Low-stakes scouts on 50 merchants (travel: Expedia; luxury: Farfetch; digital: Roblox). Map flows: "Search Paris hotels under €200 → Filter 4-star → Book with [bin] → Auth." Log rejects for pattern mining.
• Farm Phase (Q1 '26): Batch 1k bins via your list-feed vision. Parallelize with Kubernetes pods, each agent "personalized" via LoRA adapters (train on site-specific screenshots for 95% adaptation).
• Monetize Phase: Hybrid mules — agents handle front-end, humans mop 3DS. Or flip to "legit" services: Sell agent-as-a-service to eBay dropshippers, skim 20% vig.
• Evasion 2.0: Intent classifiers? Counter with narrative injection — LLM hallucinates "user stories" (e.g., "Booked for anniversary, added spouse's name"). DataDome's coming for multimodal; beat 'em with on-device (ARKit for iOS mouse sims).

Hive mind: Who's got a drop on Manus API keys? Their vision model's uncensored as fuck for entity extraction. And 3DS cracks — BioCatch integrations? Leaning SMS farms still, or got a voice synth play? Drop repos (encrypted, obvs) or TG collabs. Your POC's the spark; let's fan it to inferno.

Stay vapor.