C4RD1NG Course - 145 Pages.


Carding Science

Special edition.

March 25, 2021.

Written by mewtor.


table of Contents

Introduction

Chapter 1 - Virtual Carding

1.1 How does it work

1.2 - Account takeover fraud

1.3 - Why are orders canceled?

1.4 - Drops

1.5 - Chargebacks

1.6 - Warranty fraud

1.7 - Choose the best cards

1.8 - Commercial fraud

1.9 - Newegg and TigerDirect

1.10 - Strip removal

1.11 - Beyond the ATO - The PTO

1.12 - Maxmind fraud prevention algorithm

1.13 - Order verification procedures


1.14 - Stripe automated withdrawal

1.15 - CC to BTC

1.16 - Squareup Withdrawal

1.17 - Flint removal

1.18 - PayAnywhere cash withdrawal

1.19 - Request a photo ID

Chapter 2 - Protect Yourself

2.1 - Protect yourself online

2.2 - Burner phones

2.3 - Android Device Spoofing: The Perfect Way

2.4 - AVS

2.5 - Plane tickets

2.6 - Fake emails

2.7 - Completely falsify your identity

2.8 - Safeguarding your VPN

2.9 - The 10 most common mistakes

2.10 - Glossary

Conclusion

Introduction

This guide was written by TCF moderator


mewtor after a long list of requests to make a
guide. I am an experienced carder, carding tens of
thousands of dollars worth of merchandise and
rarely fail. I share my knowledge with anyone who
is willing to put a little money on the table and get
real, up-to-date card information.

Now, at the time of writing, only a select few bi


ai Pi members are allowed to sell this guide. If
you see anyone selling my guide at EVO or
anywhere else, let me know. I took the time to
write this guide, I appreciate when people
recognize my work.

Why don't I let this information be free?


Simple. If we publish good and working methods
outdoors, all the newbies will try to exploit them
in every good and bad way possible, burning
them before the professionals can start making
money from them. So by asking people to pay for
a comprehensive guide, we make sure those
methods don't burn out in the long run. We strive
to provide quality information!

This guide was written with the intention of


helping people who are willing to
invest some money to make money. We can't
allow newbies to sign up and view top secret
methods in the newbie section of the forums, as
that would destroy everything.

The Stripe withdrawal method is the most


popular and is the one that people make the most
money with due to its ease when explained in this
guide. On November 2, 2020, I made enough
money with stripe to buy a new Mercedes-Benz
with a suitcase full of money. Anything is
possible, and since you purchased that guide,
you now have access to the elite card methods.
I have always dreamed of becoming a
millionaire in the real estate field. Everyone
knows that, in order to pay for real estate
property, it is necessary to have money as a
down payment. Tons of money. And I don't
believe in working 40 hours a week to bring home
only $400 a week, minus all the bills, and
counting how many pennies are left in my
pockets. I believe in living more than surviving.

And even with a real-life business, that's not


enough. This is where I discovered the world of
online fraud. I lost a bit of money in my early days
believing that +PIN dumps really existed, and Mr.
Fungi probably laughed at several people that
way. Carding helped me, like other people,
accumulate money and pay for what we always
wanted.
Carding is not everything; A very lucrative
field is payment processor chargeback. I will
detail 3 techniques commonly used by scammers
to increase their illegal income. The most
important thing is that when your things start
going well and you see the money, don't brag to
anyone! You never know when a friend will
threaten you and then tell on you if you don't do a
favor. I'm a legit looking man, I've never smoked
in my entire life, I'm just here to get some money.

After reading this guide, you'll have the


knowledge to write down just about anything. You
can get free computers, electronic devices,
clothing, and much more. Since this knowledge
can be very dangerous, I encourage people to be
ethical in their actions. For example, avoid
carding at your local mom and pop store as they
can barely eat losses. Go for the big boys, the
ones that deserve it, like Walmart and Newegg.
They are cardable. If you failed many times when
carding them, you have the right book.

There is no such thing as a website that is


considered "unable to load". Everything can be
carded with the correct attack level (the first
chapter will talk about site attack levels 1 to 4). I
personally uploaded every site that people
thought were impossible to copy. Some were
really difficult, but if you "become" the
cardholder, you will be able to work miracles with
fraud. At this date, not all online merchants are
aware
of credit card fraud. Some will simply process
every transaction that comes their way, while
others have advanced fraud prevention. This just
gives us an additional challenge.

Some methods were found on the forum, then


refined and adapted to make it viable and
adaptable. Most of the time, it's a game of cat and
mouse, but there's a point where stores can't
increase security without seriously compromising
the customer experience. We need to take
advantage of that and be like that customer who
is confused about how they use their card.

Life is short; If you have dreams, get the


money to make them come true! The repayment
methods in this book are here for this purpose
and will give you a good start in obtaining
financing for your projects. As for the question
“is it possible to live a life without carding?” ”,
The answer is yes, but it did not encourage her. I
recommend using cards and withdrawals to get
money for legitimate projects, something you can
show to society to make people proud of you.
That's how you get people's respect and that's
how you get all the girls.

Enough talking, let's get started!

Chapter 1 - Virtual Carding


This chapter is about virtual carding. Virtual
carding is the art of ordering products online
using stolen credit cards, also known as “CVV”,
“pizza”, “cc”, “choco”, “cecilia” or any other
name that community members use. to disguise
his intentions. While this seems easy, there are
many pitfalls you may need to be aware of when
doing this, especially as merchants are becoming
more aware of online fraud. Do you want to know
how to get free products? Let us begin!

Section 1.1 - How it works

The first thing is to ask yourself, how much do


you want to card and what do you want to card?
Then, you will have to choose one of those 3
levels. Each level represents a level of difficulty
and you will see the prerequisites.

Level 1: easy carding

This level is used for things that are very easy


to record, for example restaurants and small
phone orders, mostly under $50. This is the entry
point for most carders. For that, you will need:

• Credit Card Number


• Due date

Level 2: intermediate carding

This level is used for online transactions that


are a little higher, such as background reports or
a very small physical item. Will need:

• Credit Card Number

• Due date

• CCV code

• Cardholder Name

• Full billing address

• Sometimes the phone number on the


account

Level 3: hard carding

This is not recommended for beginners. Here


we are talking about everything above level 2,
such as physical elements of
large or high security websites such as Newegg,
TigerDirect and sites that require account
purchase (for ATO, see section 1.2 of this guide).
Computer components, electronics, and many
other items are included in this level. You need:

• Credit Card Number

• Due date

• CCV code

• Cardholder Name

• Full billing address

• Telephone numbers

• SSN

• Birthdate

• Recommended background report


If your goal is to get a level 1 card, you just
need to call for a pizza and order a pizza at
another address, you don't need to write long
paragraphs about it. This is easy and quite
simple.

If you're aiming for level 2, you can score


background reports or small physical items,
mostly for under $150. All orders are placed
online and you will need to enter the correct
billing address, shipping address and card
information.

Now, you need to see if the websites indicate


the billing phone number registered with the
bank, or just the contact phone number. If the
website asks for the billing phone number, you
must register the cardholder's phone number with
the bank; Otherwise, it is safe to enter your
burner's phone number (see section 2.1 of this
guide). Now, will the website call you? It depends
on the order, their politics, and their suspicions
about you, so there is no sure answer to this
question. Remember that carding is usually trial
and error.

When using a card to visit a website, do not


visit another website with the same card until
your order has been shipped. However, placing
an order and having a charge approval is easy,
but shipping it is often where the challenge lies.
A Tier 2 site that is often tagged is
peoplefinders.com. This is where carders get
most of their background reports. It's a good
playground to test your skills and will come in
handy later.

Now, to level 3. You probably saw the required


information, now how to get it? First, if the
subject is under 40 years old, they are probably
out of luck. Otherwise, read on.

First, you need to get the right type of card.


This is called finding the correct BIN (Bank
Identification Number). The BIN is the first 6 digits
of the card and is used to identify the type of card
and the issuing bank. For more information, go to
bindb.com, at the top go to Bin Search and enter
the first 6 digits of the card. They will tell you the
issuing bank and the type of card. It has debit and
credit cards, and the type of card may vary. From
weakest to strongest, they are:

• Insured: Very low limits, sometimes around


$300

• Classic: low limits, sometimes around $1k.


• Gold: average limits, it can be around $3
thousand.

• Platinum: high limits, they can be around $8


thousand.

• Business: Very high limits, in the 5 digits,


often around $15k.

• Signature: The best ones, I got cards that


had a credit limit of $30k.
Keep in mind that those numbers are subject
to change based on the cardholder's credit score,
history, and spending patterns. For the benefit of
this guide, we will only work with credit cards.
From experience, debit cards are often unfunded
and have stricter security for online purchases. In
other words, they are junk for Tier 3 carding, but
may have other uses, such as Tier 1 or Tier 2
purchases.

Register an account on any SSN search site


like ssnfinder.ru or ssndob.cc and search for your
topic. At the same time, go to peoplefinders.com
and get the full background report on your topic
using a level 2 card. Once you have the
background report, see if the
addresses and date of birth match in the report
and in the backstab. If everything matches, you
can assume that the SSN will be correct. Use your
common sense to compare backstab and people
finder results to make sure you didn't get the
wrong information. Around 80% of subjects over
40 years old can be found.

Do you have the SSN and date of birth?


Brilliant! Now is the time to obtain the mother's
maiden name. This is a little more difficult and will
work if your victim is located in one of those
states: Arizona, California, Delaware, Idaho,
Indiana, Kentucky, Maine, Maryland,
Massachusetts, Minnesota, Nevada, New
Hampshire, New Jersey, Ohio,

Rhode Island, South Dakota, Texas. Go to


archives.com and upload an account, then find
your subject's mother (look in the background
report for her name and date of birth), and try
looking up her birth record. This is a case of trial
and error and works about 50% of the time.
Why get all this information? Because many
level 3 sites will have VBV (Verified by Visa) or
MCSC (MasterCard Securecode) protection
during the payment process. This is a form
presented by the credit card issuing bank that
asks for additional questions. Although each type
of card is different, the most frequently asked
questions are:
• Birthdate

• Last 4 digits of SSN

• Full name on card

• Billing zip code

If any of those questions fail, the order will not


be processed. Now, why do we need all this
information? Because we will perform an ATO on
the account. This is complicated. Please read the
following section for a detailed description of
account takeover fraud.

Section 1.2 - Account Takeover Fraud

Dreaming of spending thousands of dollars on


computer hardware at Newegg? It is doable, but
not easy. You have to follow the correct steps. I
loaded a $10k gaming deck in less than 2 weeks
using platinum cards following that guide, so I'm
in a position to tell you how.
First, check your credit card balance. Now,
before you go crazy, remember this rule of
thumb: Don't use card checkers! They burn the
card very quickly. Let me explain.

Each transaction automatically gets a fraud


score between 0 and 999. The system used to
evaluate transactions is the same one used by the
big 4 banks and is called Fair Issac. Transactions
that have a fraud score above 300 will be
manually reviewed by an agent, who will decide
whether to contact the cardholder or just leave it.
Scores over 500 with auto decline, block the card
and an agent will contact the cardholder. Some
banks have different criteria, but things that can
affect the fraud score are:

• Comparison to the cardholder's usual


spending pattern

• Load Location

• Amount

• Associated Trader Risk Factor


For example, a $20 charge at the cardholder's
local Walmart won't trigger anything, but a large
purchase of $2,000 at Newegg.com will have a
high fraud score and will likely be automatically
declined if the cardholder rarely makes
purchases. online purchases.
So how is this relevant? A small card not
present charge followed by a large charge will
make the fraud score very high, because they
assume you are testing the card. If they see a
small charge of $1, then a few minutes after a
large online purchase, they will automatically
decline the card and your plan will likely fail.

There are much better ways to check if a card


works. The best way is to call the bank's toll-free
number and use the automated prompts. This is
not dangerous, however, use Spooftel to spoof
your number and display the cardholder's
number. Once this is done, you are ready to call
the issuing bank's number and check how much
is left on the card. Let's do it.

Call the bank using your burner phone and


have the following information ready, according
to the bank. The automated message will give you
access to the transaction list, balance, and a few
other options. Here is the information of the 4
largest banks:
Chase Bank - 1-800-432-3117

• Full card number

• Postal Code

Note: If you successfully spoofed the phone


number, you will only be asked for the last 4
digits of the card; Otherwise, you will be asked
for the full card number.
Citibank - 1-800-627-3999

• Full card number

• Last 4 digits of SSN

Bank of America - 1-888-421-2110

• Full card number

• Postal Code

Capital One - 1-800-955-7070


• Full card number

• Last 4 digits of SSN

If, for any bank, you enter the card number


and the system immediately transfers it to an
agent without additional questions, it means that
the account is closed and the card is burned. No
need to waste time on this, just hang up and use
another card. The agent will just tell you the same
thing and you will look stupid.
It is always good practice to make a note of
the latest transactions and amounts, in case you
are asked for them later. Listen to them and write
them down, I recommend up to 8 transactions for
maximum security.

So now you have the balance and line of credit


available. Nice! So you know how much you can
spend online. However, before you go crazy,
there's one more hurdle you should be aware of:
many sites like Newegg or TigerDirect refuse to
ship to an address that isn't registered with the
bank. And your cardholder may not reside at your
delivery address. This is how we will solve this
problem, by introducing account takeover fraud,
also known as ATO.
ATO is the process where a scammer (you)
calls the bank to make whatever changes they
want to the account, without the cardholder
knowing. This involves talking to a customer
service agent and using social engineering.
Before you even think about pressing 0 to speak
with an agent, make sure you have, at a minimum,
the following information on hand:

• Full card number, expiration date, CCV code

• Cardholder's full billing address (and


county)

• Date of birth (and also write down the age,


not just the date of birth)
• SSN

• MMN (maiden name)

• Employer name (optional, if possible try to


find it on Facebook)
• Car make and model
(optional, if possible, try to make a Google
StreetView at CH's house)

• Size and value of the house (optional, if


possible look it up on realestate.com as it is
public information)

• Driver's license number, expiration, status


(optional)

• Previous addresses

• Background report

In case you don't have the MMN, try to guess


using common last names in the background
report. If you really can't find it, it's sometimes
possible to get around it with other questions.
Once you have this information at hand, study it,
try to remember it. Remember, you are the
cardholder, the card is yours, and you trust it, just
like when you call your own bank with a
legitimate request.

When you call the bank, you will usually be


asked for 3 security tokens. These tokens can be,
among others: date of birth, social security
number, address, CCV code, cell phone, MMN. If
you miss 1 token, you are
They will ask for 2 more. At this point, 2 things
can happen:

You did it correctly, so the agent will listen to


you and make whatever requests they need to
make on the CH account, and no flags will be
raised.
The agent suspects that an ATO is taking
place and transfers it to the security department.
This is called the Verid department and you will
be asked 2 OoW (Out of Wallet) questions. Those
are multiple choice questions based on the
cardholder's credit history and public records.
They can be easy or tricks, it's random every time
it happens. If you don't approve them, they will
tell you that they can't help you and suggest that
you go to their bank in person. They will also call
the cardholder. So if this one fails, forget about
this card, it's burned.

The first thing you want to do on the account


is change the billing phone number. That's all.
Don't do anything else, as making too many
changes will raise a red flag on the account. Call
to change the primary billing number and let the
card sit for at least 5 days.

Okay, are you ready? Relax, sit on your


favorite couch, call the bank, listen to the
prompts and press 0. The message continues,
this call may be recorded for quality reasons.
This is the first example, if you have the
correct MMN (this is the most requested token).

Agent: Thanks for calling Chase, my name is


Bob, who am I talking to?

You: James R. Layton.

Agent: Thank you Mr. Layton, and for security


reasons, can I give the mother's maiden name on
the account?

You: Lucile.

Agent: Thank you, what is your date of birth?

You: October 1st 1965.

Agent: Thank you Mr. Layton, what can I do for


you today?

This is the second example, if you do not have


the MMN. Guess, and don't hesitate. You know
yourself better than the agent, and they can only
rely on the information on their screen to validate
their answers.

Agent: Thanks for calling Chase, my name is


Bob, who am I talking to?

You: James R. Layton.

Agent: Thank you Mr. Layton, and for security


reasons, can I give the mother's maiden name on
the account?
You: Smith.

Agent: Actually, I have something different


here, it starts with C.

You: With C? It is impossible! Her name was


Lucy Smith, she never used any other name!

Agent: Well, don't you have any other names


that might start with C? (if you have a last name
that begins with C on the background report)

You: My aunt's maiden name is Charlotte, but I


doubt that's the answer you have on file. (if you
don't have anything like that in the report)

You: No, no one in my family uses that name.

Agent: Well, let me make a note of this, can


you confirm the last 4 digits of your social
security number?

You: 4456.

Agent: Thank you, what is your date of birth?

You: October 1st 1965.

Agent: And your billing address with zip


code?

You: 123 Fake Street, Fakeville, NY, 10008.

Agent: Thank you Mr. Layton, how can I help


you today?

If you hear that, it means you entered.


Otherwise you will be transferred to the security
department for multiple choice questions, please
have your report ready. If it fails, the card is dead.
Be sure to fake the cardholder number, otherwise
you may be asked other questions such as
driver's license number, vehicle license plate
number, etc. Those are questions you probably
don't have the answers to.

Now, what you want to do is change the billing


phone number. A sample dialogue with the agent
may be as follows.

You: I would like to change my phone number.


This phone will be disconnected tomorrow and I
want to give you my new main number so you can
contact me if there is anything.

Agent: Well, I see, what's the number?

You: 234-567-8901.

Agent: Thank you, is there anything else I can


do for you?

You: No thanks.

Agent: Thank you for calling Chase, have a


wonderful night.

Once you get past the verification part, the


rest is pretty easy and relaxing. Now that your
billing number has changed, let the card sit for at
least 5 days. Do not make any transactions. The
cardholder will also continue to use their card as
normal. During your call, at the end, if you failed
the MMN question, you may want to remind the
agent to change the MMN on file to avoid
problems the next time you call.

Also take note, at any time, if the agent wants


to put you on hold, or says they need to check on
something and will be back, wait for them to put
you on hold and hang up. It basically means that
they are going to call the cardholder. If this
happens, you may want to wait at least 48 hours
before calling again, and you will see only in the
automated prompts whether the card is burned or
not. Maybe they didn't call the cardholder, but in
90% of the cases they did. It happens, especially
with Citibank, who likes to replace Verid's
questions with a quick call to the cardholder.

The questions often change when you call, but


they always follow a certain pattern. From
experience, I will give you the tokens that the big
4 banks usually ask for, but we are aware that
they may change or they may ask you other
questions if they think you are fake. They may ask
you for your age to confuse you, as you may not
have to calculate it fast enough using the DOB. If
you fail this verification, you will be transferred to
the Verid department.
Chase Bank, level: difficult

• Full name

• MMN (if failed, last transaction)

• Last 4 of the SSN

Citibank, level: medium

• Full name
• Password (pet name, MMN, favorite hobby
or best friend, if failed, last 4 of SSN and CVV)

• Postal address

• Phone number

Bank of America, level: easy


• Full name

• (sometimes) Verbal password, which is


MMN (if fails, DOB)

• Last 4 of the SSN

Capital One, level: medium

• Full name

• Last 4 of the SSN

• MMN (if failed, date of birth and mailing


address)
Since you have to wait 5 days, it's a good idea
to create an account on your destination website,
browse items, put some in your cart, go to
checkout, return, delete items, read descriptions.
Try to look like a legitimate buyer. Remember that
$1000 is a lot of money for the average American
and if you show that you don't care about their
money and just throw items in your cart, you
raise flags. You seem to care how much it costs.
There is also a technique that works well with
Citibank: when the automated system asks you
for the MMN, if it fails, you will hear "the agent
may need to ask you verification questions", and
if it succeeds, you will be connected and
everything will be very simple. When the
automatic system asks you for the password, say
"Jope" while putting a high pitch on the O sound,
then lower the pitch slightly. Say the word at
normal speed, like when you are talking to
someone. This will trick the automated system
into thinking you got it right. You may have to
retry 2-3 times to get it to work, but I got it with
almost all my accounts. This will save you a lot of
trouble with the agent and make the call
extremely easy.

Once you get this verification process out of


the way, it will be easier the next time you call the
bank to apply for this account. So let's say you
followed me and let it sit for 5 days. Please call
again and this time we will add a temporary
shipping address to the account. A transcript may
be the following:

(pass verification questions)

You: I want to make a purchase on


Newegg.com but they ask me to add temporary
shipping
address in the file. I'm not sure how it works,
do I just tell them where I want my order sent?
Agent: Allow me.
help you with that, we can add an alternate
address on the account, what would the address
be?

You: 123 Fraud Street, Cardingville, CA, 98765.

Agent: No problem Mr. Layton, I have taken


down the bill for you, is there anything else I can
help you with today?

You: No thanks

Agent: Have a good afternoon.

Almost all banks allow this, except Bank of


America, which can only change the mailing
address. This is why their cards are not the best
when it comes to level 3 cards, but some stores
will do a conference call with the bank to avoid
this restriction. Chase works best for temporary
shipping addresses, but is difficult to ATO. It all
depends on your skills and what you are
comfortable with. All US banks accept a Canadian
address and some banks may accept an
international address.

Once you've added the alternate address into


the account, it's time to take the hit. Enter your
account on the website you want to register, shop
a little again, and then proceed to checkout. Try
not to exceed $2000 per order. Please enter the
correct billing address, double check the
information. Enter the billing phone number (the
one you added in the file on the

bank), then your shipping address. Please triple


check all information for accuracy.

Then submit the order. You may receive a VBV


or MCSC form, but if you have the required
information, it shouldn't be a problem. Enter the
information you wish to obtain and submit the
order. Additionally, some websites like
TigerDirect will ask you for your date of birth and
give you 3 verification questions to answer.
Those are public records and can be easily found
in your background report, so don't panic. If you
miss 1 question, you will be asked an additional
question. If you fail 2 or more, the order will be
put "on hold" and things will get more difficult, so
try not to fail.

At this point, 2 things can happen when you


submit the order. It depends on the cardholder's
spending habits and will make things easier or
harder for them.

The order is processed without any problem


and becomes "pending" status.
The transaction is declined and the website
says to call the issuing bank. If this happens, call
the bank, the system will act as if the card was
burned (transfer without additional questions)
and a fraud agent will respond. Remember, the
card is yours, tell them you authorized the
transaction, but you don't know why it was
declined. It's usually easy if you have the right
information, but if you've done the ATO account
before, you probably have everything you need.
When the
agent tells you it's ready, resubmit the order on
the website. Call as soon as you receive the
rejection, don't wait, otherwise the actual
cardholder will receive a call you don't want them
to receive.

Very good, the order is now shipped and the


status is "pending ". The next section will tell you
why some orders are canceled (rookie mistakes)
and why in your case everything should be fine.
Take a deep breath and skip to the next section.
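From the issuer's side, the sequence this section describes (a call-centre phone-number change, an alternate shipping address added days later, then a high-value card-not-present order shipped to that address) and the small-charge-then-large-charge pattern described earlier can both be caught by correlating account-servicing events with authorisations. The following is an added example, not part of the original document; the event schema, field names, sample events and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema, not real data).
EVENTS = [
    # Account A: phone change, dwell, alternate address, high-value CNP order.
    {"acct": "A", "ts": "2021-03-01T10:02", "type": "phone_change"},
    {"acct": "A", "ts": "2021-03-07T09:15", "type": "alt_address_add",
     "address": "ADDR-2"},
    {"acct": "A", "ts": "2021-03-07T09:40", "type": "auth", "cnp": True,
     "amount": 1850.00, "ship_to": "ADDR-2"},
    # Account B: small CNP charge followed minutes later by a large one.
    {"acct": "B", "ts": "2021-03-05T14:03", "type": "auth", "cnp": True,
     "amount": 1.00, "ship_to": None},
    {"acct": "B", "ts": "2021-03-05T14:12", "type": "auth", "cnp": True,
     "amount": 2000.00, "ship_to": "ADDR-9"},
    # Account C: address added with no phone change, then ordinary activity.
    {"acct": "C", "ts": "2021-03-02T08:00", "type": "alt_address_add",
     "address": "ADDR-5"},
    {"acct": "C", "ts": "2021-03-03T12:30", "type": "auth", "cnp": True,
     "amount": 900.00, "ship_to": "ADDR-5"},
    {"acct": "C", "ts": "2021-03-04T17:45", "type": "auth", "cnp": False,
     "amount": 20.00, "ship_to": None},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _by_account(events):
    """Group events per account, each list sorted by time."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e["acct"]].append(e)
    return {a: sorted(v, key=_ts) for a, v in sorted(grouped.items())}


def ato_sequence_alerts(events, lookback=timedelta(days=30), min_amount=500.0):
    """Flag a high-value CNP authorisation shipped to an address that was
    added after a contact-phone change, all inside the lookback window.
    The long lookback is deliberate: a short one misses a change that was
    left to age for several days before the address was added."""
    alerts = []
    for acct, evs in _by_account(events).items():
        for i, e in enumerate(evs):
            if e["type"] != "auth" or not e["cnp"] or e["amount"] < min_amount:
                continue
            recent = [p for p in evs[:i] if _ts(e) - _ts(p) <= lookback]
            phones = [p for p in recent if p["type"] == "phone_change"]
            addrs = [p for p in recent
                     if p["type"] == "alt_address_add"
                     and p["address"] == e["ship_to"]]
            if phones and addrs and \
                    min(map(_ts, phones)) < max(map(_ts, addrs)):
                alerts.append((acct, e["ts"], "ato_sequence"))
    return alerts


def probe_then_large_alerts(events, probe_max=5.0, large_min=500.0,
                            window=timedelta(hours=1)):
    """Flag a large CNP authorisation preceded, within the window, by a
    very small CNP authorisation on the same account."""
    alerts = []
    for acct, evs in _by_account(events).items():
        auths = [e for e in evs if e["type"] == "auth" and e["cnp"]]
        for i, e in enumerate(auths):
            if e["amount"] < large_min:
                continue
            if any(p["amount"] <= probe_max and _ts(e) - _ts(p) <= window
                   for p in auths[:i]):
                alerts.append((acct, e["ts"], "probe_then_large"))
    return alerts


if __name__ == "__main__":
    for alert in ato_sequence_alerts(EVENTS) + probe_then_large_alerts(EVENTS):
        print(alert)
```

An alert from the first rule is a reason to contact the cardholder on a number that was on file before the change, not the current one.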

Section 1.3 - Why orders are canceled

When a website receives an order of


approximately $1000, we understand that they are
trying to protect themselves. What is the first
thing a website will do to verify the order? That's
right, they will call the issuing bank and check if
the billing phone number you entered is correct,
otherwise they will ask you,

and it will ring. You may receive the call, or the


cardholder will, depending on whether the ATO
accounted correctly.

That's why orders are canceled when newbies


place a credit card order and expect to receive a
free iPhone from the Apple store. They are not
stupid and they want to protect themselves.
However, if he took care of
change the registered billing number, you will
receive the call and can confirm the order.

Not so fast, a call is not just “is everything


okay?” ”, but rather a verification call where they
want to see if you are really the cardholder or not.
Sometimes you are asked verification questions
similar to Verid questions, but all questions are
taken from public reports. They may also ask you
if you put the shipping address on file with the
bank (hopefully you did), and they will call the
bank to verify. Also, in some rare cases, they may
do a conference call with you and the bank, but
you will be asked for the usual questions,
meaning last 4 social security numbers, date of
birth, last transactions, etc.

If you're a newbie and just enter credit card


information on a website in hopes of getting a
free iPhone, you'll see the order go to Canceled
status without any details and you won't even get
a call. This is why people post threads about
"carding not working" and get the same
responses.

If you passed the verification call, the


representative will tell you that everything is fine
and they will ship the order today. This are good
news! At this stage, I received 100% of my items, I
never had any problems beyond the verification
stage. Now you may be tempted to visit another
site; resist the
temptation. Your ATO card can almost be
considered a level 4 card, in your account and
you can do whatever you want, so it has high
sentimental value. Wait for the order to be
shipped and the package to leave the merchant
before going to another web store.

I recommend carding in the morning, to avoid


leaving a charge on the card for too long. You
never know how often a cardholder checks their
online statement. I had cards that died in a few
hours and others lasted 3 months. Once the
package is sent, you can load the card at another
store, without needing to call the bank, since your
delivery address is already registered. Repeat
until the card is burned. Once it has been burned,
never show your face in the drop again. The
alternate address is on file with the bank and they
can send law enforcement to this location. A drop
is like a condom, use it once, do all your business
and throw it in the trash, because it gets dirty.

Another verification step they can take is to


send you an email requesting scans of your
identification documents, such as passport and
driver's license. These can be easily touched up
and templates are available everywhere. Utility
bills are also pretty easy to fake, so don't worry
about this part. Do what you have to do, but be
quick.
Another step you can take is to put the
shipping name on the package to a relative of
yours, for example, if the cardholder's name is
James Latyon, send the package to a Harry
Layton (look for a name that is on the report and
ask for their date of birth, just in case) and say
that you are sending the package to your
son/sibling/whatever relationship you have in
your report.

Also, please note that no method is perfect


and the website may cancel the order simply
because it deems it unsafe to process. Nothing is
perfect, but if the ATO did the math successfully,
it should be easy. Remember to stay under $2000
per order. You never know what other tricks they
may use to trap you.
Always choose the fastest shipping method.
Some say it raises flags, but if you did everything
else correctly, that won't be the reason your order
fails. Additionally, it greatly reduces your chances
of receiving an intercepted package, which is a
headache and makes your efforts useless.

This brings me to the topic of how to find a


place to ship your order. You can send it to your
house without any problem, if you want the police
to knock on your door and make you travel dirty
to the police station, and get you into a lot of
trouble. So read on to find out how to ship your
order safely.
Section 1.4 - Drops

A “delivery” is a place or location to which


illegal, loaded or stolen products are sent. It has
to be a place that has no connection to your
current life and is in no way linked to you.

Finding a drop isn't really difficult. You can go


to Craigslist and look for houses for rent, or just
drive around your neighborhood looking for
houses for sale where you can ship goods. Make
sure the house does not have large windows that
would allow the driver to see that the house is
empty. You don't want the package to be returned
to the sender because of that. Just use your brain
to find a decent house that you think is worth
sending a package to. Typically, choose a city
close to yours, but not in your neighborhood.

The big day has arrived: UPS tracking shows


"Ready for delivery." Yeah! Now check if the
package requires a signature. All carriers require
it except UPS. For UPS, you can see if Signature
Required is written on your tracking page. If
nothing mentions a signature, or if you are
unsure, no signature is required.

Method 1: Act like you're far away


If you don't need a signature, you can leave a
note on the door, "we are out, please leave the
package here, take this as my signature" and you
can also print the order confirmation page
showing the tracking number and put with your
note to strengthen your case. The driver makes
the final decision whether to leave the package or
not, but there is usually no problem with UPS
when they don't need a signature. Sign the note,
place the order confirmation page with it, tape it
to the door, and wait in your car not far from the
location. When the driver leaves the location, take
the package and place it in your car. Then skip
method 2 and continue reading.

Method 2: Act like you own the place

The second method is when a signature is


required. You will have to meet the driver face to
face. Remember one thing, you can relax. The
driver's job is not to investigate fraud, but only to
ensure that the package is received correctly. So
you have to make them believe that the package
is yours, they don't care about fraud (but don't be
stupid and talk about your crime). Carry a printout
of the order confirmation page, open the tracking
number on your smartphone (use VPN!), and look
like you've been waiting for it. You can wait in the
storage room, sit on the front lawn, or do
whatever you want. However, be aware that
waiting in the car when the driver sees you
getting out of the car is very suspicious. If you
choose to wait in the warehouse while you are
visible, remove the "for sale" or "for sale" signs.
rent" and call the bank's automated system
before showing up to make sure the card is still
valid and the police are not waiting. you. Greet
the driver, show the papers, sign the cardholder's
name, and continue to the next section.

Sometimes the driver may become arrogant


and ask why his name is not the same as what is
written on the package or why it is not inside. You
may say you recently moved and put it in
someone else's name because you have
"customs issues." When they get uppity, you can
threaten them into filing a complaint at their local
UPS center; They usually calm down and deliver
the package. I had an arrogant driver on my last
card ride in Minnesota, and I had to use this
method, and finally got my package.

From experience, when you have to pay


brokerage fees (such as an international
package), you can call UPS before receiving the
order and ask the amount. Leave a money order
at the door and the driver will take it and drop off
the package. You'll avoid getting an InfoNotice
that way and the driver will think you own the
place. I did that many times and so far I haven't
failed.

Picking up your package at UPS facilities


In some unfortunate circumstances, the
package may end up at local UPS facilities and
will require a government-issued ID to be picked
up. This happens, for example, if you missed
gout. In that case, don't bother making a fake ID
as there is a better trick.

The package is usually held for 5 business


days before it is sent back to the sender. The day
the package arrives at the facility is day 0. Two
scenarios can occur:

Scenario 1: You receive a call from the UPS


branch

They'll probably call you and say something


like, we have a package for James Fakename
waiting at the facility for pickup. Just tell them
you don't know this person. Here is a sample
script of what it should look like:

UPS: Hello, can I speak to James Fakename


please?

You: I think you may have the wrong number,


who is talking?

UPS: This is the UPS branch, we called the


phone number we had on the package.
You: Oh, I was also waiting for a package and
they didn't deliver it to me. Is this a Newegg
package, a small box?

UPS: Yes, we have a small box waiting here,


for James Fakename.

You: I have a tracking number, can you check


if the last 4 digits are 3382?

UPS: Yes, they are.


You: I'm very surprised, because my name is
Fake Name and I was waiting for this one. I have
no idea who James Fakename is. They also
seemed confused when I placed the order.

UPS: Well, the package will be here, just come


pick it up when it's ready.

This worked for me twice. I had 2 drops to look


at at the same time and missed a packet. This
allowed me to pick it up.

Scenario 2: You don't receive a call

On the morning of the 5th, call the toll-free


number and ask to be transferred to the local
branch. You can do the same scenario and ask
about a package waiting for you there. You
should sound a little confused in your voice and
look like someone who was the victim of an
online store error, and they will gladly hand you
the

package. Every time I did it, I was never asked for


any form ID and it was

all smooth.

Don't give your real name. Test the card


before you go (call the bank) and only do it if the
card is still live, otherwise it can be dangerous.
You can also send a mule if you're too scared, but
I showed my face a few times when the card was
still live and never had any problems.
After receiving your package

Sometimes I skip this part when I'm lazy, but


you have to be very careful. Your freedom is
priceless, so take 5 more minutes to take this
precaution.

Drive to a nearby park or public place and


open the cardboard packaging. Look for any
devices that may be tracking your position, such
as bugs, GPS devices, etc. Next, destroy the
shipping label (you can burn it to be sure), throw
away the cardboard packaging and you now have
in your hands a precious item that you loaded
with your ATO card. Also burn the order
confirmation page if you decided to go this route
and took it to the store! At this point, you can
consider your carding heist a "success"! Drive
home, relax,
You own the bank and the website. You can brag
about it on the forums with good reason.

If the card is still valid and there is no tracking


device, you can put the card back in the same
place until it is burned. Take advantage of
everything you can. Burn the card until crisp. I
remember getting $10,000 worth of electronics on
a Chase card in the same installment, split into 5
orders. This was a week to make money.

Alright, you charged the item, ATO did the bill,


got items, more items, burned that drop to a crisp
too, now the card is dead...either over credit limit
or flagged by cardholder . Don't show your face to
that drop again and enjoy your products!
What happens next? Read on to find out.

Section 1.5 - Chargebacks

A recurring question on the forums is, when


the card is declared stolen and the
transaction is disputed for fraud, who takes the
hit?

In the case of a card-present transaction using


chip and PIN in countries where they use that
technology, the bank takes the hit when the
transaction is declared fraudulent.

In all other cases, it is the unfortunate trader


who bears the entire loss. So if you card Newegg
for $2000, they pay about $1600 for the
merchandise they send you, and they are short of
money because you charged them, so they have
to make 6 similar large orders without problems
to cover that loss. Now you understand why they
do the checks and don't want to be charged.

Some large merchants like TigerDirect and


Newegg will simply eat the loss and assume they
failed to detect fraud, but smaller merchants will
file a formal complaint with their police
department. Now, are the police going to
investigate? Depends.

If a merchant reports a $200 loss for an order


shipped out of state with a stolen credit card,
there's a 99% chance the police won't even open
an investigation into it. However, if they report a
loss of $3000 using a card stolen from the same
state and sent to a nearby city, LE (Law
Enforcement) could act on that.
It also depends on the volume of complaints,
the amount of loss compared to the size of the
city and whether there is an obvious pattern
between fraud complaints or not. You should try
to make your orders unlinkable and use common
sense to avoid creating a pattern that could
trigger an investigation.

It also depends on whether the cardholder


themselves decides to file a complaint or not. As
long as their bank reimburses them (which they
do), they probably won't care and will just forget
about it. But some crazier people may decide to
file a police report for identity theft. Again, there
will be an investigation if there is an obvious
pattern. It all depends on the city you are talking
about.

So remember, when you load a website, they


bear the loss in case of a chargeback, so they
want to protect themselves. You have to be smart
and ask yourself: if I were in the shoes of the
website owner, how would I catch the scammers?

Sometimes you may receive an email from the


store asking you to provide more information
about the chargeback, such as authorization
forms or documents. Just ignore that email. Don't
get arrogant and answer
"I have you! ”Because it could be the difference
between an investigation or not. Keep it dead.
Section 1.6 - Warranty Fraud

A very fun type of virtual card is warranty


fraud. I got some $1000 CPUs from Intel and
motherboards from ASUS using that trick. Is that
how it works.

Many companies, especially electronics


companies, offer what is called "advanced RMA."
This is a type of warranty replacement where the
company sends you the new product first, along
with a return box for you to return the defective
item to them. Sometimes they ask for a credit
card number to ensure they will return the
defective item. This is where we can take
advantage of the system.

Works with Dell, Intel and ASUS, maybe many


others, but those are the ones I have experience
with so far. You can email eBay sellers to request
product serial numbers, or you can simply tag a
product and request an RMA using its serial
number. Call the manufacturer, say that their
product is defective (use a diagnosis that actually
ensures that this product is defective, such as
"the video card does not show anything on the
screen, I tried 2 screens, but it works with other
video cards", and
ask if they offer RMA upfront, mostly they will.
Use a level 2 card and send it to your delivery
address. If they ask why, just tell them you're on
vacation there and your computer broke.

When you receive it, take the package and


disappear. You just get more free stuff with a
credit card than you'll eventually, maybe, get a
chargeback, but you get the point.

For Intel, they ask for 5 lines of text on the


CPU itself and a credit card to hold, so you have
to have the unit in your hands for it to work.

For ASUS, the serial number is enough, they


require a credit card.

For Dell, it's the easiest, you don't need a


credit card, you just order your free item over the
phone without a credit card, you just need a name
and address.

Feel free to discover weaknesses in other


companies' systems, this is a relatively new type
of fraud and has not been patched. Many people
use it to get free Xbox One from Microsoft. Most
companies require this warranty claim to be made
over the phone, but don't worry, it's simple and
most of them seem
Don't worry about your job. I had 2 rejections on
the Intel card, the third worked like a charm, and
they didn't even get cocky about it.

You can keep one and sell the other on eBay


or Craigslist, it's easy to make money. The point
is that they have to try to detect fraud while
offering a seamless experience to legitimate
customers. We simply abuse the system.
Section 1.7 - Choosing the best cards

If you don't have access to the complete ones,


or you have a CCV auto store and want to get the
most out of it, there is a trick that can save you
money, if you have a little time to invest. It works
with any vending machine as long as you can see
the cardholder's name and zip code.

First, search by the desired BIN. If you like


ATOs and want good cards, BINs 426684 and
438854 work well, but that's up to you. If you can't
search by BIN, simply choose Credit Cards from
any bank. Once you're on the list, find the
cardholders that match your gender, and for each
one, do the same.
Search for their name and check Backstab or
SSNFinder to see if you can find them. Most of
the time (>50%), it won't, especially if the
cardholder is under 45 years old. So do the same
for the next result. Once you have the
cardholder's SSN and date of birth, before
purchasing the card, do the following to verify the
information:

Go to peoplefinders.com and get your


background report. Check if the DOBs match, and
if the address list matches too, to make sure your
SSN and DOB are 100% accurate. When you are
sure, buy the card and buy SSN and DOB. Now
you have a complete. You can go to archives.com
or ancestry.org to get your MMN. Here's how to
search;

Card an account at either of those 2 sites


(level 2 card is enough, it's very easy). Get the
mother's name on the background report and
search using her first and last name, and the
correct date of birth. Look for "marriage" records,
if you can't find any, look for "birth" records. If
you don't find anything, try searching for the
father's marriage records. Please note that not all
states/counties make their records public, so you
may not find them at all; ok, just make one up
when you ATO the card.
This way you can clean up the auto stores and
select only the cards where you can have
complete information. This is my trick to get only
good cards. Of course, the best option is to find a
full-fledged provider, but there aren't many, so
scale your cards however you want.

Make sure your cards are well organized. I've


included a sample Excel file where you can see
how my cards are organized. All cards can be
sorted by name, address, number, expiration,
date of birth, social security number, etc. See the
file for more information. Also, use line colors for
different meanings. For example, white rows
mean the card is mine and not yet used. Call the
bank before adding the card to the list, because
you want to get rid of junk cards right away.
Yellow means the card is burned and blue means

that the card is currently being crossed off, so


I know what to focus on. Green means ruin the
cardholder's credit history using their date of
birth and social security number. When searching
for completes, look at your Excel file and with the
colors you will be able to find your card quickly.

Then just check the balance, study the


background report and you'll be ready to hit the
big box stores and get things in their store.
Section 1.8 - Commercial Fraud

Do you want another (and probably easier)


way to ship items to your store and get tired of
carding Newegg and TigerDirect? Alright, I'll
show you another method for that. This method
works best for Canada, but is also very good for
the US. USA

You can find any major supplier that only sells


to business customers. For computer parts, for
example, you can select ASI, Synnex, etc. The
objective is to obtain the commercial registration
certificate of a company in the city you wish to
have your delivery. This certificate is usually
public information and can be found in
registration records depending on the state or
province you are in. Once you have obtained the
business registration documents of a company
that operates in the same field of activity for
which you want to obtain items, ready to hit the
supplier.

Apply for an account at one of those providers


using that document, put in all the business
address information, but put in a delivery address
close to that location and your recording phone
number. Both providers (ASI and Synnex)
generally don't call, but just in case, it's best to
stay safe. It is usually
They need between 24 and 48 hours to open an
account. "Your name" is the name of the real
owner of the company. On the credit application,
don't ask for net terms, just write “no credit” and
let them know you will pay before they ship the
items to you.
On the credit card authorization form, write
the cardholder's name (pizza), address, card
number, expiration date, and CVC code. Let them
know that this person is an "official" in your
business, such as a remote sales representative.
Once the application is approved, you are ready
to go and get large amounts. The reason is that
they do not do verification when submitting
orders, since they almost never receive
fraudulent orders. They assume that business
clients will always be legitimate, but in fact, we
use someone else's business documents to trick
them into believing that you are the owner of the
company.

I was able to get over $5,000 per order using


that technique; The trader is considered low risk,
so there are very few drawdowns and
verifications are almost non-existent. With
computer parts, it is extremely easy to do, you
can try other commercial suppliers. Now you're
playing in the big game and the possibilities are
endless. Make sure you don't show your face in
the drop once the card burns as they will really
try to figure out what happened.
Section 1.9 - Newegg and TigerDirect

Always wanted cards from those 2 big


merchants to get electronics? I'll tell you how.
This is a normal difficulty if you know what you
are doing and are good at social engineering. You
need, at a minimum:

1) Cardholder account ATO and billing phone


number changed to your burner

2) Shipping address registered with the


bank

3) Complete Cardholder Background Report

4) Story about why you ship to that address

5) Cardholder's local area: restaurants,


shopping malls...

And remember, mail forwarding companies


are blacklisted by those merchants. Please do not
try to send to MyUS, Bongo, etc. as it will
automatically cancel the order. What American
would use a US card to send it to a shipping
company to get it out of the country? None. Have
a normal delivery address.
The number 5 may seem strange, but it is true.
Some people, including me, have been asked
"can you name a local restaurant near your
house?" "To make sure you are the cardholder.
So it's not a bad idea to familiarize yourself with
the surrounding area (large shopping centers and
restaurants) in case that happens. You'll thank
yourself later.

So, take your time to browse, look around,


read descriptions and appear as a legitimate
buyer. Once you've done that for a few days and
the account is ready, submit the order and try not
to exceed $2,000. The order will be placed in "on
hold" status and you will need to speak to the
verification department. I'll describe the
procedure for TigerDirect, but Newegg is quite
similar.

TigerDirect website will ask you for directions,


credit card information, then you will have to pass
VBV/ MCSC. After that, they will ask you your date
of birth. Then, 3 verification questions will appear.
They are public record information about the
cardholder and can be found in their background
report. Try to have so much information that you
feel like the cardholder is your friend. Answer all
3 questions and be quick. If you miss one, you
will be asked an additional question. If you miss 2
or more, forget about your order. Once you
submit everything, your order will be in "on hold"
status. You must call the verification department.
The conversation is generally the following:
Representative: Thank you for calling
TigerDirect verification department, can I have
your order number?

You: 123456

Rep: Very good, what is your name?

You: James Layton

Representative: Thank you Mr. Brass, let me


verify the order for you. (it will be on hold for
about 2 minutes)

Representative: Thanks for waiting,


Is <name on package> a tenant at the shipping
address?

You: Yes (giving an incorrect answer voids the


order)

Rep: I couldn't locate that person in the


system. You will then be offered 2 options. We
either ship to your billing address or you must
call your bank to add the shipping address as an
alternate address on file so we can ship there.

You: I already did it.

Representative: Oh, really? Okay, let me check


that for you. Please wait.

(you will be on hold while they call your bank,


sometimes they can do a 3 way call)

Representative: Very good, I see that the


shipping address is on file. Thank you, is it okay
if I call you on that phone number,

123-456-7890? (whichever phone is the primary


billing number)

You: Yes, of course.

Representative: Thank you, wait.

(the phone will ring, answer the call or the


order will be cancelled)

Representative: Very good, we have


successfully verified your identity, Mr. Brass. We
will send the order to you tonight.

See the traps in the dialog above. You should


assume that the shipping name is a tenant in the
address. For example, if the cardholder's name is
James Latyon, you can send it to a Joseph
Layton and assume it is your son, but make sure
that name is on the background report and has
your date of birth. Sometimes

They can ask for it if they are suspicious.

It's also good practice to avoid Hotmail


addresses; Anyone can make a fake Hotmail with
someone else's name. You must use a custom
email with a custom domain. If you read the next
part (section 1.10 - Stripe Cashout), you will see
how to set up your own domain. Let's say your
fake store is bestclothes.com, and your
cardholder is named James Layton, you can
create an email [email protected] and it
will look like a business email address and

will lower the red flags. Believe me, you play a lot
when the tough traders get loaded.

Next, you need to make sure you can pick up


the phone when they call the "billing" number. If
you do all of that correctly, you'll be all set and
getting your parts. They do not ask for document
scans, everything is done over the phone.
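Seen from the merchant's side, the checks described in this section reduce to a set of order signals that can be scored before anyone picks up the phone. The sketch below is an added example, not part of the original guide or of any merchant's system; the field names, weights, thresholds and sample orders are assumptions, and it presumes the card issuer will disclose how long the alternate address and billing phone have been on file.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed reference data; production systems use maintained feeds.
FORWARDER_ADDRESSES = {"100 EXAMPLE FORWARDER WAY, SAMPLETOWN, FL 00000"}
FREE_WEBMAIL = {"hotmail.com", "outlook.com", "gmail.com", "yahoo.com"}

REVIEW_LIMIT_USD = 2000.0  # assumed amount at which this merchant always reviews
RECENT_DAYS = 30           # assumed window for "recently changed" issuer data
NEW_DOMAIN_DAYS = 90       # assumed window for a "newly registered" e-mail domain


@dataclass
class Order:
    cardholder_name: str
    recipient_name: str
    billing_address: str
    shipping_address: str
    email: str
    amount_usd: float
    expedited: bool
    # Optional context; None means "unknown" and raises no signal.
    email_domain_age_days: Optional[int] = None
    alt_address_age_days: Optional[int] = None    # as disclosed by the issuer
    billing_phone_age_days: Optional[int] = None  # as disclosed by the issuer


def _norm(text: str) -> str:
    """Case- and whitespace-insensitive form used for comparisons."""
    return " ".join(text.upper().split())


def signals(o: Order) -> List[Tuple[str, int]]:
    """Return the (signal, weight) pairs raised by one order."""
    found = []
    ship, bill = _norm(o.shipping_address), _norm(o.billing_address)
    if ship in FORWARDER_ADDRESSES:
        found.append(("forwarder_address", 100))
    if ship != bill:
        found.append(("ship_not_billing", 15))
    if _norm(o.recipient_name) != _norm(o.cardholder_name):
        found.append(("recipient_not_cardholder", 15))
    # An address or phone added to the card days before the order is weak
    # proof: whoever controls the card account controls these values too.
    if o.alt_address_age_days is not None and o.alt_address_age_days <= RECENT_DAYS:
        found.append(("recent_alt_address", 30))
    if o.billing_phone_age_days is not None and o.billing_phone_age_days <= RECENT_DAYS:
        found.append(("recent_billing_phone", 30))
    domain = o.email.rsplit("@", 1)[-1].lower()
    if domain in FREE_WEBMAIL:
        found.append(("free_webmail", 5))
    elif o.email_domain_age_days is not None and o.email_domain_age_days <= NEW_DOMAIN_DAYS:
        # A custom domain only earns trust if it has history.
        found.append(("new_email_domain", 20))
    if o.expedited:
        found.append(("expedited_shipping", 10))
    if 0.9 * REVIEW_LIMIT_USD <= o.amount_usd < REVIEW_LIMIT_USD:
        found.append(("just_under_review_limit", 10))
    return found


def decide(o: Order) -> Tuple[str, int, List[str]]:
    """Map the summed weights to an action: approve, manual_review or hold."""
    hits = signals(o)
    score = sum(weight for _, weight in hits)
    if score >= 80:
        action = "hold"
    elif score >= 40:
        action = "manual_review"
    else:
        action = "approve"
    return action, score, [name for name, _ in hits]


# Constructed sample orders.
ROUTINE = Order("Jordan Sample", "Jordan Sample", "1 Main St, Anytown, OH",
                "1 main st,  anytown, oh", "jordan@gmail.com", 240.0, False)
GIFT = Order("Jordan Sample", "Riley Sample", "1 Main St, Anytown, OH",
             "9 Oak Ave, Othertown, OH", "jordan@gmail.com", 120.0, False,
             alt_address_age_days=400, billing_phone_age_days=900)
TAKEOVER_PATTERN = Order("Jordan Sample", "Riley Sample", "1 Main St, Anytown, OH",
                         "9 Oak Ave, Othertown, OH", "jordan@shop.example", 1950.0,
                         True, email_domain_age_days=12, alt_address_age_days=3,
                         billing_phone_age_days=5)

if __name__ == "__main__":
    for order in (ROUTINE, GIFT, TAKEOVER_PATTERN):
        print(decide(order))
```

The two issuer-age signals carry the most weight because a callback to the number on file, or a shipping address on file, only proves control of the card account, not identity.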

Section 1.10 - Withdrawal of Strip Payments

If you're not really interested in carding


physical products, you might want to get
interested in how to make real money with your
cards. For this technique to work, you will need:

1) Lots of level 2 cards (address not required)

2) HTTrack program (can be downloaded for


free)

3) Notepad++ program (can be downloaded


for free)

4) Delete bank account

5) Dead full (name, address, date of birth,


SSN), called "cardholder"

6) Basic computer skills


The first step is to check stripe.com to see if
your country is on the active list. Otherwise, you
may want to get a bank drop in an active country,
usually the US. USA It is the easiest.

The first step is to create a fake online store.


This is very easy, you can search on Google for
example "US clothing". USA Online" and skip to
page 12 of the results for smaller stores. Try to
find a store that has a very simple layout, around
100-200 items, avoid the big ones. Take one that
doesn't seem to use much Javascript. You may
have to look at 4 or 5 stores to find that one.

Then open HTTrack, start a new project and


mirror that website. This will create a local copy
of this website on your computer. At best, try to
stay below 800 - 900 MB. Once you have a local
copy of the store, check if you can browse, view
items, etc. Of course, the entire store will not
work, for example, you will not be able to register,
that is normal. Try searching for item
descriptions, browsing categories, and looking
like a normal user. Once this is done, you now
have a copy of that online store, already pre-
made, and it took a few minutes (maybe hours) to
duplicate, but you don't have to stay in front of
your computer.

The next step is to open the contact page


using Notepad++ and edit the
Contact information with a custom name you
decided to make, and address/phone number to
match the cardholder's address and phone. If
there is a Google map, be sure to edit that as well.
This is where basic computer skills come in
handy. If you don't have the foggiest idea how to
edit HTML, I suggest getting an online course as
it can be an invaluable skill. It is very easy to
learn.

Find some footers, privacy policies, and terms


of use where the old name may appear, and edit
it. Use the common set here. Now you have your
custom clothing store, which took less than 1
hour to make, and it looks like you have a legit
business. Hurrah!

Use Notepad++ to find and replace the regular


expression “<! - Mirrored [^>] * GMT -> ” (never
include the quotes in any example) and replace
with nothing. This will remove all "Mirrored by
HTTrack" comments in the source code, in case
they see it.

However, you may get a bunch of folders in


your website directory. Let's say the mirroring is
finished and you have a www.fakeshop.com
folder and an img.fakeshop.com. You want to
move the img.fakeshop.com folder and put it
inside the www.fakeshop.com folder. Then, find
and replace ".../img.fakeshop.com" and replace it
with "img.fakeshop.com" in all *.html files, and
everything will be fine. Repeat for each
concurrent folder you have. be sure that
You can open the index.html page in your
www.fakeshop.com folder and everything
displays correctly.

Find and replace the store's phone number


and replace it with a random toll-free number
(they will never call). Do the same with addresses.
For phone, make sure to include all formats like
123-345-6789 and 123.233.2133, etc. Check
everything again. Then delete the email
addresses. Do a search and replace
"@realshop.com" and replace it with
"@fakeshop.com".

Ultimately, get rid of all occurrences. Rename


folders that include "realshop" and replace it with
"fakeshop", find and replace all files with
"realshop" and replace it with "fakeshop". This
way, there should be no way to recognize that the
store is fake. You can change the logo at the top
of the page, or if you're lazy, rename the logo file
to another name and the browser will just put an
"image not found", no big deal.

We are done with the creation of the store. It


may seem like a lot of steps, but doing all that
searching, replacing, and preparing should take
less than 5 minutes when you're used to it.
The next step is to host your website. It is
important that you use an anonymous host, so for
this example we will use Arvixe. I used to have
this a lot with my scam sites. Use a made-up
Hotmail address that corresponds to your
cardholder, open an account with your hosting
company, and host your files there. Almost all
hosts will allow you to register a domain. They
may ask for address information, so give them
the cardholder's address information. So set up
the account, register the domain and host your
files for the fake store. Simply upload them via
FTP (if you don't know how to do this, get basic
lessons). Make sure your store is online and
working, for example, let's say your store is
myfraudsite.com. Make sure myfraudsite.com
displays your store and that you can browse.
It's also important that you change your
WHOIS information to match the name you will
use on your Stripe account. Your web host will
allow you to do this for free. Anyone can look it
up on whois.net as these are public records. If the
bank account, store and WHOIS have different
names, flags will be raised. Map the 4 contact
types to match the victim's information. It can be
changed later and many times anyway.

Then create an email address related to this


host, usually prefixed with "admin ". In this
example, we will create "
[email protected] ".
This makes you look legitimate. At this point, you
should have your online "store" up and running
and an associated email address. Everything
must be hosted on an anonymous host. They
usually charge $10 per month in bitcoins. Now we
are ready to start making money with our scam
site.

Before opening the account on Stripe, you


need to make sure you completely spoof your VM.
It also disables the Flash plugin. Stripe has a very
smart way of identifying themselves, which
means they can identify themselves

even if you change IP and change browser.


Better use caution and see section 2.6 to appear
completely like someone else.

Open an account on stripe.com using this


email address and keep the account in "test"
mode. Create a page called "charge.php " and
upload it to your web store. This will be the file
you use when you submit a charge. Here is the
code you should put on the page. Note that you
can adapt the code however you want, but that's
my personal example:

<? php require_once('./lib/Stripe.php');

Stripe::setApiKey("sk_live_xxxxxx"); // <
This is your Stripe key
attempt{

echo "Processing...";
Stripe_Charge::create(array(

"amount" => $_GET["amount"], "currency" =>


"usd",

"card" => array (

"number" => $_GET["number"],


"exp_month" => $_GET["month"], "exp_year" =>
$_GET["year"], "cvc" => $_GET["code"]

),

"description" => "This will appear on the card


statement"));

echo "Load OK"; //Success!

catch (Exception $e) {


$error = $e->getMessage();

echo "Error:". $error; //Failure.

?>

For your convenience, I have included this file


in the package as well as the Stripe library
package. They are hard to find on their site and
I'm doing you a favor by including them.

Take your time to understand what this code


does. You will call this page using this query:

http://myfraudsite.com/charge.php ?

number = 4266841200000000 & month = 2 &


year
= 2016 & code = 333 & quantity = 6800

This will charge an amount of $68.00 to card


4266 8412 0000 0000 which expires in February
2016 with code CVV 333. It's that easy. Change
the parameters for connecting the cards you have
and try varying the charge amount as well.

Do lots of variations using the test key to


make it look like you actually did some testing.
Make charges and see the result, and familiarize
yourself with this code snippet.
When you have a working example, switch
your Stripe account to live mode. You will be
asked to provide your cardholder's name,
address, date of birth, and last 4 SSN numbers,
so continue. Ignore the tax number part, put the
website address, put a small description of your
choice and put the account in live mode.

You will now be asked for your banking


information. This is where you will provide the
routing number and the account number of the
bank where you want to receive the money. All
the information is filled and you are ready to
make money!

You can use any auto store to get many cards.


You only need the card number, expiration date
and CVV code to continue. Get cheap cards, this
is the easiest transaction you will ever make. You
can try Vault Market which offers US cards. USA
$4 at the time of writing this article. Be careful
though, you need to take precautions to prevent
your trade from being closed, so read the next
part before going crazy with the cards.

First, you must maintain an approval rate


above 50% on all your transactions. This means
that more than half of your transactions must be
approved. Therefore, you must have a good
source of cards. If the rejection rate is
too high, they will refund all payments to the
cards and close your account.

Secondly, you must use cards from the same


country where your fake store is supposedly
located. If you have a store in the UK, use UK
cards, even if they are more expensive. Not 100%
of your cards should follow this rule, but try to
keep it above 90% to avoid suspicion.

Third, vary the amount of charges you make.


They vary widely, for example, between $50 and
$300 per transaction. Do not exceed $300, as you
may receive rejections that count toward your
50% approval fee. You don't want to be shut
down. Also, try to wait a bit between transactions,
even if you love money. We all love money, but
we make it look real.

The rest should be common sense. Money is


deposited after 7 days for the first transaction and
2 days for subsequent transactions. There is
another method that has been tested once and
proven effective: the anonymous card. We can be
afraid of chargebacks (I'll talk about them later)
before 7 days, so here's how we can avoid it.
When your account is in live mode and working,
use an anonymous card to make a transaction of
around $100 (you'll get the money back into your
bank account anyway), and 3 days later, use
another card to make a transaction of
$50. Obviously, the money will not be returned
and will be deposited within 7 days. When you're
done, start hitting with real pizzas. This way you
get rid of the 7 day barrier that could cause it to
close.

Now, what about chargebacks? If a customer


disputes a charge, primarily with a "Fraudulent"
code, they will receive an email informing them
that the charge has been disputed, a $15
chargeback fee to pay, and the amount will be
deducted from their next transfer. It's up to you if
you think the number of chargebacks is
acceptable compared to the number of cards you
can process. Do the math, and when too many
charging batteries start showing up, it's time to
throw them in the trash.

From experience, chargebacks take forever to


arrive and less than 25% of your transactions will
end in a chargeback. You shouldn't see a
chargeback for at least 10 days, and probably
longer. I kept one of my old accounts and after 2
months of inactivity, 38% of transactions had
received a chargeback, so it's not something to
worry about.

To delete an account, simply close your bank


account or upload your Stripe account
information to another random account (same
routing number). Delete all files from your
hosting, place files
from a new fake store, register a new domain,
open a new Stripe account and start again.

Repeat until your wallet is full. Always use


VPN when accessing your website or Stripe, you
don't want to leave your real IP for LE to contact
you and knock on your door!

A word of advice though, I don't recommend


using Ally or Netbank as they often flag transfers
coming from Stripe and lock the accounts. You
should head over to Evo and get a real bank drop,
it may cost you a bit of money but it's sure worth
the investment.
From experience, Stripe looks at the domain
age of your domain. You need to wait a bit before
setting up your Stripe account or buying a cheap
site on Flippa just to get the domain name. This is
not extremely important, but it may lower the
flags even further.

Another way to avoid fingerprints and look


newer is to use an RDP. You can buy some on the
market and they work quite well for setting up a
Stripe account. Just log in from that RDP and if
the RDP dies, just don't log in to the Stripe
dashboard anymore. You will still receive the
deposits anyway.
If the account is closed, they often say they
will refund the charges to the cardholders. If this
happens, be quicker than them and refund all
charges yourself. Refund everything you can.
This way, you can reuse those cards for another
store and save a lot of money. The cards most
likely will not be burned due to fraud, because the
charge was refunded. However, when you do,
wait at least 5 days before using them again. This
will reduce the fraud score.

For UK cardholders, Stripe may request a scan


of a government-issued photo ID at some point.
It's a good idea to make one when you start
making money with Stripe, so you can provide it
when requested. It's not difficult to do using
Photoshop.

I made several thousand dollars using this


method and you really can't burn it. It's up to you
to find out what works best for you!
Section 1.11 - Beyond the ATO - The PTO

When you commit account takeover fraud,


also known as ATO, you take "ownership" of the
victim's account. Even if you change the
registered phone number, they still keep a record
of the old phone number. This is where this
section will turn out.
useful. I'll give you the transcript of a failed ATO I
had 2 months ago and you'll understand.

(pass verification questions)

Me: I'm calling because I tried to place an


order online, but it was rejected. The fee is $1500
and the merchant is Newegg.

Agent: No problem Mr. Johnson, let me see


what I can do for you, can you wait?

(from experience, if they put you on hold, hang


up, you're most likely burned out, here it took 5
minutes) Agent: Hello?

Me: Yes ma'am, I'm still holding on.

Agent: Unfortunately, I will not be able to


cancel the charge and can no longer provide
service on this account.

Me: How about my card? That I have to do?

Agent: You can destroy the card, since it is not


the real Robert Johnson.

This is a situation that sucks, and there is a


way around it. It must be done before calling the
bank. What happened here is that the agent called
the old number, even though I changed it a few
days ago. The actual cardholder got the call, and
you can imagine the rest.

First, take the cardholder's actual phone


number and use WhitePages to find out who the
phone provider is. If you can't find it, you may
want to use Spooftel and call the various carriers
(AT&T, Verizon, Sprint, etc.) and use their
automated system to try to find out if the number
is registered with them. You can use
phonevalidator.com to see if the phone is a cell
phone or landline. When you have the victim's
background report, you can see that they often
have many phone numbers. Use the service to
find which is a landline and which is a cell phone.
For cell phones, it is very easy to find the
provider, as most of them allow you to call the
phone and press * (asterisk) to go to the
voicemail settings, so that it recognizes the
greeting. Use your logic and write down the
phone numbers, probably like this:

Phone 1, landline, 555-123-4567, Verizon

Phone 2, cell phone, 666-234-5678, AT&T

Now, remember, you have the cardholder's full


address, date of birth, social security number,
and other information, and you know their phone
company. What are we going to do? That's right,
call forwarding!

Call the phone company using the opposite


phone (if the billing number is the landline, call
with the cell phone and vice versa),
falsify the number. When you talk to customer
service, it could be as follows. Don't forget that it
is less secure than banks, since it is not about
finances. But it can have worse consequences.

Agent: Thank you for calling Verizon, my name


is Mohammed, how can I help you?

Me: Hello! I will be out of my house for the


next few days but I am waiting for an important
call on my landline. Since I can't get through to
the other person, I would like to set up call
forwarding to receive the call on my cell phone.

Agent: No problem, can I have your name?

Me: Barack Obama.

Agent: Thank you Mr. Obama, what is your full


address?

Me: 123 fake Street, Washington DC, 12345.

Agent: Thank you, can I have your date of


birth?

Me: October 1 st 1845.

Agent: Thank you. Did you know that you can


press *72 on your phone to activate call
forwarding? This is an easy way to do it without
calling customer service.

Me: Thanks for the tip, however I'm not at


home right now so I can't do it.

Agent: Okay, no problem, I'll activate it for


you. What is the phone number you would like
calls to be forwarded to?

Me: That's my cell phone, 456-123-3245. (your


burner phone)
Agent: Okay, and do you want me to start
now?

Me: Yes, please.

Agent: No problem, I activated it for you. When


you are home, you can use *72 again to turn off
forwarding.

I thanks.

Agent: Is there anything else I can help you


with?

Not me thanks.

Some phone companies, AT&T from


experience, ask for a 4-digit PIN, but this can be
easily bypassed by using the date of birth and the
last 4 of the SSN. The good thing is that if you are
really unlucky and fail (which shouldn't happen
because it's easier than banks), the card won't be
burned. This is PTO, phone takeover fraud.

This word was invented by me.

You are now ready to call the bank at ATO.


If you decide to call the billing number

(it happens very rarely), you will answer the


phone and destroy all suspicions they have. The
cardholder probably won't be able to access their
account, but that's not their problem. The first
dialog (ATO failed) can be avoided if you do this
first.

When you finish your business, don't forget to


call Verizon (or your company) to turn off call
forwarding. The goal is to get free stuff, not to
make the cardholder lose friends because they
can't reach them, use a little compassion. If you
think you'll need your phone line for a few days,
you can use the RingCentral phone system and
decide which numbers you want to receive calls
from and which ones you want to blindly transfer
to the cardholder. You'll probably never realize
that someone screwed with your phone line, but
you will notice the charge on your card!

Some websites do not require the shipping


address to be on file with the company; In those
cases, you can do a PTO without doing an ATO
and put the correct billing number on the website.
Receive the call from them and confirm the order,
and restore your phone line. Use your
imagination for the rest.

Section 1.12 – Maxmind Fraud Prevention


Algorithm

The most popular software used by merchants


for fraud prevention is
Minfraud software, designed by Maxmind. It is
used to keep scammers at bay, but its formula is
not so secret. I'll give you the formula and explain
the variables. There is a way to keep this score
low.

Many stores have their own preset limits,


which are not made public because each store is
different. For example, a store may say that more
than 7 send the order for manual review and more
than 9 cancel it. The definition of the variables is
as follows:

1. IsFreeEmail Is the email address of a free


provider like Hotmail or Yahoo?

CountryDoesntMatch Are shipping and billing


countries different?
IsAnonymousProxy Is the user using an
anonymous proxy like a VPN or Blacklisted
Socks?
4.

High risk country

Does the order involve Ghana, Nigeria or


Vietnam? Frequently updated list.

5.

BsDistance

Distance between billing and shipping


addresses, in kilometers.

6.

MaxEarthArc

The half circumference of the Earth, currently


established at 20,037 kilometers.

7.

BinDoesntMatch

Is the BIN from a different country than the IP


address used to place the order?

8.
BinNameDoesntMatch

If the user is asked the name of the bank, did


he answer correctly?

9.

CarderEmail

Was email used to commit fraud on other sites


using Maxmind?

HighRiskUsername Was the username used to


commit fraud on other sites using Maxmind?
HighRiskPassword Is the password the same
one used for fraudulent orders?
12.

Ship Forward

Is the shipping address a mail forwarding


company?

13.

ProxyScore

Is the IP address a proxy or socks?

The algorithm used to calculate the fraud


score is as follows:

2.5 * IsFreeEmail

+2.5*CountryDoesntMatch

+5.0*IsAnonymousProxy

+5.0 * High risk country


+ 10.0 * min (BsDistance, 5000) / MaxEarthArc

+ 2.0 * BinDoesntMatch

+ 1.0 * BinNameDoesntMatch

+5.0* CarderEmail

+5.0 * High risk username

+5.0 * High risk password

+5.0 * Drop shipping

+2.5*ProxyScore

=Maxmind score for this order

Now that you have this formula, let's see how


we can reduce the score to almost 0. Although
many stores use proprietary software, this is the
most widely used and popular. Given the

There is no way to know what software the store


uses, just pay attention to all the variables and try
to appear legitimate. Here's a more detailed
explanation of each variable and how to pay
attention to it.

1. IsFreeEmail

This variable is set to 1 if you use free email


like Hotmail and Yahoo, so don't use it. I'll give
you a trick. Remember the Stripe withdrawal part?
Create an email address from the same domain,
such as [email protected] and
use it. Since it is a paid email, this flag will not be
raised. I always did that on my orders.

2. CountryDoesntMatch

This variable is set to 1 if you ship to a country


other than the billing address. This can be solved
by using a card from the same country as the
shipping address. This is easier if you ship to the
US. USA Note that this is not a big deal since you
can make an excuse, but let's not raise flags over
anything.

3. IsAnonymousProxy
This variable is set to 1 if you use a VPN or
public anonymous proxy. This also applies to
blacklisted socks. You can use an RDP instead,
or if you can't get one, try to find clean socks, but
it's mostly trial and error.

4. HighRiskCountry

This variable is set to 1 if you have a billing or


shipping address in a country that is considered
high risk. Since this list is always updated I can't
provide the list, but no Western countries are on
that list, so if you are in the UK or the US please
contact us. USA, there is no danger.

5. BsDistance and 6. MaxEarthArc

This is the distance, in kilometers, between


the billing and shipping addresses, up to a
maximum of 10. You can solve this problem by
getting cards in the same state you are shipping
to. Using a California card to send to New
Hampshire will increase this score.

7.
BinDoesntMatch
This variable is set to 1 if the BIN is from a
different country than the billing address. This is
the problem with non-AVS cards and why I don't
recommend them. Stick to AVS and get a BIN
from

same country. Use common sense.

8. BinNameDoesntMatch

This variable is set to 1 if the user answers


the question "name of issuing bank" incorrectly.
So for this one, do a BIN check and type in the
correct name, exactly as it appears in your BIN
information, and you'll be fine.

9. CarderEmail

This variable is set to 1 if the email address


was previously used for the card. All websites
send regular usage data to Maxmind and have a
list of the card's email addresses. One mistake
carders make is reusing email addresses,
thinking stores don't know the previous store
was carded. Maxmind has a list of email
addresses for cards sent by stores. Use each
email address only once and use a different email
the next time you upload.
10. High risk username

This variable is set to 1 if the username was


previously used for the card. Read the statement
above and do the same as the email addresses.

11. High risk password

This variable is set to 1 if the password was


previously used for the card. Be careful not to
reuse passwords across sites.

12. ShipForward

This variable is set to 1 if the shipping


address is a mail forwarding company. They
include MyUS, Bongo and many others. Some
sites will outright ban those addresses and
cancel all orders placed with them. Avoid
shipping there, there are many other options to
get deliveries.

13.ProxyScore
This variable is set to 1 if the source IP
address is a proxy or sock. If the goal of the
proxy is to be anonymous, the
IsAnonymousProxy variable will also be set to 1.

Having all this information on hand will allow


you to use core fraud prevention systems and get
your stuff even easier. The list of high-risk
countries is always updated, but you can always
Google it if you want an up-to-date list.

Always use a VPN with your socks proxy. The


TrueIP technology used by many fraud prevention
software can sometimes bypass your proxy and
obtain your real IP, so pay attention.

Section 1.13 - Order Verification Procedures

The decision to accept or reject an order is


based on many verification procedures that
stores do, so I will do a whole section on that part
so you can avoid cancellations. It's frustrating
when you have a platinum card and you burn it.
So keep reading.

Public service's bill


Some stores will ask you to email them a copy
(front and back) of a recent utility bill. Most of the
time, they require that the invoice be no more
than 3 months old. To deal with that, I've included
a PSD file of an electricity bill, and the name and
address text is editable so you can edit it at will
without too much Photoshop knowledge. Make an
invoice with that PSD and send it along with the
subsequent image of the invoice (JPG format). It
is not necessary to complicate anything more.

Credit card scan

They may ask you to send a scan of the credit


card used for the purchase. I've included the PSD
of a credit card, with the exact same font used for
the actual cards. Edit it at will, change the logo
and export to JPG. It's a good idea to Google an
image of your BIN (e.g. "platinum chase visa"), so
see what it's supposed to look like. With the PSD
included, this should be a piece of cake too.

photo identification

It is difficult to provide scans because every


state and every country is different. In that case,
you should Google the requested ID, for example,
"driver's license."
Michigan" and edit it with Photoshop. The driver's
license number can be made up, because they
cannot verify it. Just focus on making the issue
and expiration dates logical, change the image of
the license and put your name and address and
you should be fine.

Verification by phone: easy

They may call you for a verification call and


ask if the order is legitimate and sometimes ask
you to confirm both addresses. This is easy
enough and the order will be fulfilled.

Phone verification: difficult

They may be angrier and ask you verifying


questions. All of those questions come from
public records and are included in your
background report. If you have done your
homework and studied your background report,
you will be able to answer them. They have
multiple options (4 options), and most of the time,
a question has “none of the above” as the correct
answer. From memory, B&H Photo does this type
of verification. This used to be a place I liked to
shop, but since they've increased their security,
Geoffrey (the verification agent) is a little harder
to convince.
Have the shipping address registered with the
bank

They may ask you to call your bank and make


sure the shipping address is on file with them.
Read the section on ATO and you will learn how
to do it, it is not that difficult but you will need a
complete to achieve it.

This completed the list of verification


procedures used by online stores. Learn from this
section, study it and be prepared for anything.

If your last order was easy, it doesn't mean the


next one will be easy. Some sites increase their
security procedures for whatever reason and
decide to be angry.

You usually need to respond within 24 hours


to avoid order cancellations. Be fast. If you're
planning on doing a big heist, you may want to
have the scans ready before placing the actual
order.

Section 1.14 – Stripe Automated Withdrawal

In the new version of this guide, I have


included a little piece of software created by
myself: the Stripe withdrawal script. Allows you
to send automated queries to your server. I'll tell
you how to use this little piece of engineering.
First, make sure your Stripe server is
configured (see section 1.10 for more
information) and that you can perform live
uploads. Make sure charge.php is loaded and
everything is working. Good? Now let's do
automatic charges.

Open the cards.txt file and enter your credit


card numbers, dates, and security codes. If your
credit card number is 4123 4567 8901 2345,
expiration 04/2034 and code 343, the lines should
be as follows:

4123456789012345 | 04 | 2034 | 343

4444444444444444 | 02 | 2019 | 123


One card per line. No extra characters, no
spaces, nothing. Only the card information in the
cards.txt file. You can put as many as you want.

When you open launch.bat, you will be asked


5 questions before the script starts running. Here
are those questions and how to answer them.

Q1: Charge.php URL


This is the full URL of charge.php on your
server, without any additional parameters. Make
sure the file is uploaded and you can access it
with your browser.

Example:
http://www.myfakeshop.com/charge.php

Q2: Minimum delay between charges

Since load times are random to avoid an


obvious pattern, this parameter is the minimum
number of seconds to wait between loads. We
recommend a minimum of 3600 seconds (1 hour)
to avoid raising suspicion flags from Stripe. This
parameter must be an integer with no additional
characters.

Example: 4400

P3: Maximum delay between charges


After the second quarter, this is the maximum
number of seconds to wait between charges, and
this number is inclusive. Again, there are no extra
characters or spaces.

Example: 8200
Q4: Minimum charge amount

The charges are also random, so you need to


provide the minimum and maximum amount of
charges. I recommend staying under $200 to
avoid suspicion. This is an integer, it is just the
whole number part and should not have decimals.
For example, 54 means a charge of $54.00 (or
whatever other currency you have put in your
charges.php file) and this number is inclusive.

Example: 50

Q5: Maximum upload amount

After the fourth quarter, this is the maximum


(inclusive) amount of charges. Again, try to stay
under $200, and you should be fine.

Example: 140

The script will run as long as your cards.txt


file is not exhausted. Note that all cards are
loaded at run time, so if you add cards to your
cards.txt file, they won't be taken care of before
you restart the program. The log.txt file will
contain all the cards processed and the returned
result (OK, rejected, invalid, etc.) so you can swap
out the dead ones.
There is no limit to the number of cards you
can withdraw, and if you use this software wisely,
you will avoid account suspension.

If you are familiar with the command line, you


can also start it using the command line: java -
classpath. Main application Q1 Q2 Q3 Q4 Q5

This last method (command line) is useful


when you have many servers to test at the same
time, for maximum benefit. If you want to be
simple, just open launch.bat and provide the
parameters.

No need to pay thousands of dollars for


withdrawal software when you can use this little
script to do the job for you!

Section 1.15 – CC to BTC

Many people are also looking for CC → BTC


methods. I'll explain some here, but keep in mind
that some methods may no longer work or new
ones may be available. I try to keep it as up to
date as possible.

Method 1: Virwox
This is one of the most popular methods.
Virwox is difficult to card, but there are ways to
do it. First of all, almost all socks are blacklisted;
You will need to use an RDP close to the
cardholder's location. Create an account using a
non-free email address, such as the email
address of your fake Stripe store. Once the
account is created, you must wait at least 72
hours before doing anything.

During those 72 hours, you'll need to ATO the


credit card account and change the billing
number (you can still use that card for purchases
later, so don't worry) since there's a good chance
the bank will run a verification. call. Skrill is a
high risk trader and even for my legitimate
account I get calls from my bank when using
Virwox.

Then use the Skrill method to make a payment


to load this account and stay below $100 for the
first time. At this point, 3 things can happen.

# 1: The transaction is completed and the


account receives funds. That's what we hope for.

# 2: Skrill requests an SMS verification. You


cannot use public SMS numbers, RingCentral
numbers, or Google Voice. Needs
a real cell phone for that, and Skrill is very
selective about the numbers they accept. You will
need a mobile phone with a physical burner to
accept that SMS. When you do, the transaction
will go through and the account will be funded.

# 3: The transaction is denied, at this point


you will be happy to have an ATO account that
you can call.

bank and authorize it, then try again.


Now that the account is funded, convert USD
to SLL, then SLL to BTC, and make a withdrawal
to a bitcoin address you've never used before. If
fraud is reported, that BTC wallet address will be
blacklisted. You will then receive a message
asking you to wait 48 hours before the withdrawal
takes place. In reality, the transfer takes on
average 30 hours to complete.

Now you can enjoy your fresh bitcoins!

Method 2: Coin.mx and Coinmama

You'll need a fake ID, a utility bill, and a credit


card scan to enter your card on those sites. Make
sure you are good with Photoshop and can do
them. You must
ATO the accounts and be prepared to receive a
confirmation call.

Since the policies of those sites are always


changing, I won't go into the details of what they
ask for, but instead I will use their Photoshop
skills and create some bitcoins with their cards.

Method 3: card things and sell them

This is the method most people recommend.


Use virtual cards to card items like electronics
and sell them. Use the money from sales to buy
bitcoins.
Using eBay to sell electronic products with a
card is safe. You don't need to provide the serial
number of those items, so sell them as if they
were legitimate. Craigslist is safe too. There are
many ways to get rid of those items, so use your
imagination.

Section 1.16 – Squareup Withdrawal

Sometimes Stripe may not be enough for you,


if you like to get greedy. You can take advantage
of another method with even faster transfers:
Squareup.
You will also need a fake website, just follow
the same procedure as Stripe to create a fake but
attractive online store. Go to www.square.com
and open an account with the same information
as your Stripe account.

Now, here is the difficulty. To process


payments, you need the mobile app. They have a
version for iPhone or Android, however, there are
cheaper ways than buying a burner phone.
Additionally, burner phones can easily track our
location with signal triangulation even if you use
spoofers or any type of device. For the sake of
this tutorial, we'll do everything on your
computer. And I'll show you how to set everything
up!

First, we will download Genymotion.


Make sure you choose the latest version that
includes Virtualbox. At the time of writing, this
version is 2.2.2. Before you think about installing
Genymotion, keep reading!
You cannot install Genymotion on your VM, it
is simply not supported. The VM graphics card
does not support advanced OpenGL features and
no settings will make this installation possible, so
we will need to install Genymotion on the host
computer. There is a way to protect yourself.
First, turn on your VPN on your host machine.
You'll need to create a TrueCrypt volume for all
that stuff, 10GB should be fine.

Then install Genymotion, use your TrueCrypt


volume as the installation directory and don't
create any shortcuts. Open Genymotion and open
settings. Change all directories to your TrueCrypt
volume (example, Z:) and create a new virtual
device. I recommend Samsung Galaxy S4 - 4.3 -
API 18 - 720x1280 for best results. Make sure that
you can run your virtual device and that you can
use basic Android functions (calculator, etc.).
Where is Google Play (the app store)? It does not
come with the device. Luckily, I thought of you
and will show you how to add it! By the way, if
you can't see that exact machine type, choose the
closest type that has OS version 4.3.

Launch your virtual Android phone and drag


and release he archive
Genymotion-ARM-Translation_v1.1.zip on the
phone. When a message asks if you want to
deploy the file, select OK. When finished, restart
your phone. Repeat the same process with the
other zip file and reboot your phone. Now if you
go to the main menu of the phone, you will see
the Google Play store app. Now before you go
crazy with Square, we need to do a little
protection first.
Create a Google Play account with fake
credentials, any information is fine, it's not really
important. Then download the Fake GPS app and
use it to set your GPS location to the cardholder's
house. You can do this by simply dragging the
map to make the point over your house.

Download the GPS Test app and try a few


things to make sure your GPS location is properly
spoofed. Needless to say, a VPN connection on
your host machine is also mandatory.

Once done, download the Square Register app


and log in with your created profile (full fakes).
You are now ready to accept manual charges! For
each card, you only need to enter the credit card
number manually to process the charge.

Don't get too greedy with this method,


maximum 4 loads per day. Funds must be
deposited every 48 hours, so repeat this process
until the account is burned.

Since this runs on Android, there is no


automatic withdrawal script available like Stripe.
However, entering a payment takes 30 seconds of
your time and is quite simple.
Squareup's security measures are much laxer
than Stripe's and can be easily defeated. If the
method burns out for any reason, I'll be sure to
update the guide with the newly found
information. Additionally, deposits are sent at 8
p.m. PST. If you look at your interface at that time,
you will see that the next deposit amount is $0.
Don't panic, this is normal and it stays like this for
an hour or two, then everything goes back to
normal.
I strongly recommend that you do not use any
of your real life details on this Android device.
Any LE officer with a subpoena can ask Google to
obtain your fake device ID and can match this to
what Square has on file. They get a lot of details
about your device, so it's better to be safe than
sorry. You can always create a second legitimate
instance of an Android device if you want to do
real life stuff too, in fact you can create as many
devices as you want.

On a final note, you can repurpose your Stripe


website to use Squareup, so save money.
However, I advise against reusing your credit
cards as a decline rate above 50% may mean
account closure. If you

Use this method, use it the right way and it will


be a goldmine for everyone!
Also, I'd like to add that Squareup has a
threshold of $2,002 (no idea why $2,002 instead of
$2,000, but life has decided) per week for
manually punched cards. They don't mention it in
their terms of service, but any amount over this
will trigger a manual review, such as requesting
documents. You don't want that to happen.

If you get to a point where you are asked to


provide identification, which will probably be an
idea after a while, there is no need to waste time
on Photoshop documents as 90% of accounts are
closed. Just don't give them an answer and get a
new account instead. Don't waste energy on this
one. If this happens, simply do like Stripe and
refund the entire charge to cardholders as quickly
as possible. You will be able to reuse those cards,
but with another withdrawal method, not at
Square!
I also discovered an alternative method that
works well for Square at first. Deadline for
deposits is 5 p.m. PST. This means that all
transactions made before this time will be
deposited the same night (and appear the next
business day). When your account is new, you
can start with 2 transactions daily and, for 4 days
in a row, make both transactions between 4:20
pm and 4:50 p.m. PST. They will not have time to
hold the account and your money will arrive the
same night without any problem. After 3 days,
you must change your pattern because a
transaction pattern "too
identical" will trigger account verification. You
can then do 3 transactions daily for 1 week and
then upgrade to 4 transactions. Add 1 daily
transaction per week of account activity until you
burn out. Your dispute rate must remain below
5% to avoid account verification procedures.

When you start a new account, always change


the Android version (create a new emulator) and it
appears as new. New OS version, new type of
phone and you should be fine.

Section 1.17 - Flint Removal

This is another withdrawal method that works


very well, because Flint is not yet well known to
carders. This is a company where you can make a
lot of money! To get started, you will need:

- Complete information (name, address, date


of birth, full SSN)
- Real bank account (banks like Ally don't
work)
Background report on the
complete information you have

- Android Emualtor (see previous section to


configure Genymotion)

Go to flint.com and open a new account. You


can reuse the same store you used for Stripe and
Squareup. Also use the same email. This way,
your mere $7 for a month of hosting turned out to
be a lucrative investment! Get your background
report now!

This is because when you submit the


application form, you will be presented with 3
verification questions. You can refer to section
1.9 for more information as those questions are
the same as TigerDirect. At least they come from
the same source, so you shouldn't have any
problems, except that there is a secret rule that
allows you only 1 minute to answer those
questions, so it's not the time to start searching
everywhere. Be fast. You will know right away if
you were right, because you need 3/3 for the
account to be approved. If you fail, you'll just get
a Sorry and you wasted everything message.

When linking your bank account, make sure


the account is not a prepaid account. If you use a
prepayment, Flint will silently accept it and hold
your money forever. When you call them, they will
tell you to set up another bank account. AND
when you do this last step they will ask for
documentation and scans/all the shit you don't
want to waste time on. Therefore, use a real
account from the beginning and you will avoid
problems in the future. I learned this the hard
way, when my account with $3,000 in it was
seized. I was quick enough to refund all charges
and reuse the cards at Square, but you better
keep it simple and get your deposits as planned.
And remember that their email support will
respond whenever they want. It is best to call
them if you need help.

You will need the phone number, name, email


address, and dollar amount of the last transaction
when you call. Not very secure in my opinion, this
can make ATO very easy for such accounts. If
you want to get creative, you can find a merchant
who uses Flint and change their bank account to
get money flowing into your bank. I recommend
this only for expert users, but it can be an
additional source of income.

Open your favorite Android emulator and


install the usual Google Play packages (see
section 1.16 on Squareup for this part) and you
will have a fully functional Android emulator
again. You can also reuse the same emulator as
Square if you want.

Now, if you go to the Google Play store, you


will see the Flint app, with a dreaded message
saying that this app is not supported
with your device. Regardless of which emulator
you use, you will receive this message. I'll show
you how to avoid it.
Place your emulator on the main screen and
look in the guide package for the Flint app .apk
file. Simply drag and drop it onto your emulator's
home screen and the app will launch. Press the
start button. Now go to the menu and you will see
that the Flint app appeared in the list of apps.
Open it and log in with your created account
information.

At this point, before making any transactions,


you should link your bank account on flint.com if
you haven't already. You need a real bank
account, not a prepaid card or some shitty
account. I will also point out that putting money
into an Ally account is as safe as playing roulette,
so I highly recommend avoiding Ally. From
experience, Bank of America accounts are the
best for this type of work.

Now that your bank account is linked, you're


ready to start accepting payments. You should
use the same rules as Square: avoid exceeding
$300 per transaction, don't get greedy, and don't
exceed 3 or 4 transactions daily. If, after 2 weeks,
the account is still active, you can start
increasing slowly, but I repeat again, don't get too
greedy!
Every time the account burns, you need to
create a completely new emulator, but if you
master your stuff, it takes less than 5 minutes, so
don't be lazy. After all, people work all week and
don't even earn half of what they can withdraw in
a single day. Enjoy the opportunity you have,
withdraw the money slowly and hug your cat.

Finding bank failures is relatively easy;


Several people asked me privately how to get a
drop. This is very simple, there are many
providers on Evo, and even on the forum, if you
post in the desired section, you will see how
many people have those accounts. I never had a
problem finding a partner to withdraw money
from. You can expect a 50% share with the drop
owner, unless you can source your own drops,
but this is a more difficult job.

It is also important that you create a new


Google account every time you create a new
emulator. This way you will prevent your pattern
from being traceable and you will look like new.
You can use Square and Flint on the same
emulator and reinstall both on another emulator
once they are both burned. From experience, Flint
accounts take a long time to burn, I rarely had
accounts burn before a week, so there is still a lot
of money to be made there. Payment processors
are truly a gold mine for people looking to make
money in the world of cards.
The first deposit may take a few days to arrive;
this is due to the fact that Flint has pseudo-
random deposits, usually 2 days apart. This is a
weakness of their system, but it is still a good
source of income. I had to email their support the
first time, to find out that the first deposit is
always a little late. This is not a problem, I always
got a minimum of 2 deposits before burning an
account for high risk activity, except the first time
(I had used a prepaid account, which is the worst
thing you can do, and they swallowed all the
money ).

Avoid spreading those methods outdoors. If


you took the effort and money to purchase this
guide, you'll want to be able to fully enjoy your
carding methods and make money without
hundreds of newbies trying, failing, and raising
flags. It will be harder if too many people try those
methods, so let's leave those tricks to the people
who bought that guide. You don't want to cut off
one of your sources of income just to look good.

When exploring those refund systems, it may


be surprising to see how many lawsuits they
must receive from legitimate merchants who have
their money confiscated due to security features.
They still put that information in an obscure way
in their terms of use, so legally they have the right
to do that, but we just have to be smarter than
them and look legitimate. After all, payment
processor cashback has been and always will be
a lucrative income stream for people who
They want to earn additional income in the fraud
scene without involving anything physical.

With all those withdrawal methods, whenever


you feel like getting greedy and charging more,
just think of this Chinese proverb very wisely:

“Is it better to see $100 in your bank account


or $500 in your blocked Stripe account? "

- Alpha Sage

Section 1.18 - Cash Withdrawal


PayAnywhere

This is a payment processor that receives very


little fraud and is not yet aware of all the risks; Try
not to burn this one, as it is a gold mine as of
now. Same principle as Flint, but easier to
remove. On the other hand, opening the account
requires a bit of skill.

Prepare your SOCKS proxy and VPN to protect


yourself. Go to www.payanywhere.com and open
an account. You will need a background report
because you will be asked 4 verification
questions. You must score 4/4 to open the
account. If you fail, 4 new questions will appear,
but this means you are already burned out. Try
with others complete and clear all cookies/user
agent/etc.

For some reason, the verification questions


are more complicated than on other sites, so it
requires a little luck. If you want to be close to
100% certain, you should run a credit report on
Equifax or TransUnion. Once you are successful,
the site will tell you to wait up to 24 hours to get
your account. Just do it.

You will receive a welcome email and can now


log in to your PayAnywhere online interface. Link
your bank account and wait 48 hours. You can
now download PayAnywhere

Apply on Google Play on your Android burner


and start charging. Stay under $200 for fees and
no more than $1,000 per week, or you will fall into
the audit category and will be asked for 3 months
of bank statements.

At some point, after a few successful charges,


you will receive an email asking you to call the
business information department. You will be
provided with a phone number and extension to
call them, and you should have their merchant
number on hand. You will need the full name, the
last 4 of the SSN, and the merchant ID. You must
also spoof the number to reflect the number you
put on your account
PayAnywhere. Don't be afraid, this is just a
welcome call. That's how this call usually goes.

Agent: Thank you for calling Bancard's


merchant insight department, my name is Bobby,
can I have your merchant number?

You: 93932973423

Agent: Thank you, who am I talking to?

You: Barack Obama

Agent: Thank you Mr. Obama, can you verify


the last 4 digits of your social security number?

You: 1234

Agent: Thank you. I was the one who sent you


this email, the reason for this call is to help you
get started with payment processing with us and
to welcome you to our services. I see you've
already processed the transactions, what do you
think so far?

You: I like it so far, the application is quite


simple and fast.

Agent: I'm glad to hear that. We also wanted to


explain the procedures for disputed and declined
payments. (the agent will speak for approximately
1 minute explaining some key points)

You: I understand.
Agent: And in case we decide to put your
account under audit, we will request more
information about the cardholders. (other
explanations of the procedure)

Are you OK.

Agent: And what exactly is your business?

You: I sell skateboard accessories online, I am


a reseller.

Agent: Do you have a business registration


certificate or do you do business under your own
name?

You: My given name, Barack Obama. (it's


important to answer that, otherwise you're
screwed)

Agent: Thank you. And finally, do you have a


website address where customers can view your
store?

You: Sure, www.myfakeshop.com .

Agent: Thank you Mr. Obama, do you have


any more questions?

You: No, thank you.

Agent: Thanks for calling back after my email,


have a good afternoon!

And you are ready. Stay under $1000 per week


and deposits will be made every 2 days. This way
you will stay under the radar and receive deposits
every 2 days. It's a

Extremely lucrative withdrawal method, so use it


wisely.
It's also a good idea to write a short
description of the charges you're making, for
example, "Order 22178" to make it look more
legitimate. You can search on Google for "fake
invoice generator", there is a good generator that
allows you to generate invoices. You'll need
Adobe Acrobat to get rid of the "generated by"
text at the bottom, if the site decides to watermark
it.

Section 1.19 - How to request one


photo ID

Sometimes merchants may ask you for a


photocopy of a government-issued photo ID. This
is easy to

skip if you have the right tools, for example,


don't send a JPEG image with the “Adobe
Photoshop CS6” watermark in the file metadata. I
tell you the secrets.

I have included an SSN card with this guide.


The card is in PSD format and has exactly the
same font as the real SSN cards. The "baseline"
layers are the bottom of the characters. You can
simply copy and move the layers of digits to form
the SSN, and for the name, use the characters
provided. If you are missing some characters,
I place a font layer in the PSD file. Just write it
using that font, and put in some black brush
strokes and eraser strokes to make the letters
look like the other ones.
For driver's licenses, the process is a little
more complicated, but doable. Since DL
templates are always changing and vary by
state/country, it is impossible to include a scan,
but you can search Google Images for the
template you are looking for. Get a high
resolution image if possible. Once you find it, you
will need to edit the information it contains, the
number as well and the expiration dates. Try to
find the victim's Facebook profile to see if you
can find a decent photo; Otherwise, you can get a
stock photo of your driver's license photo from
sites like iStockPhoto.com. Simply upload the
image you want to use.

For utility bills, I have included a scan of an


electricity bill. It is very easy to work with this
template. I also included the font you need to use
for it. Edit the correct information on the invoice;
this should be very easy to do. Leave the back as
is, we won't need to edit anything there.

Once you are done, save the image in JPG


format. Don't send the file yet, as the image's Exif
data shows "Made with Adobe Photoshop CS6"
and
any smart trader will spot this. Create a new
OpenOffice Writer document, import the image
into the document, and save it as a PDF. You can
now safely send this PDF to the merchant, who
will have no idea that you have Photoshopped the
image. If your Photoshop skills are not too bad,
you should pass the verification this way.

That's it for the first chapter! Making money is


a good thing, but more importantly, it must be
protected. That's what the second chapter will be
about. Getting paid and avoiding LE can become
a way of life if you like easy money. Let's go!

Chapter 2 - Protect Yourself

This chapter is about how to protect yourself


when making cards online. When getting free
items is fun, the police side of the operation is
less fun. You will learn techniques to ensure that
you cannot be traced when you commit online
fraud.

Section 2.1 - How to protect yourself online

Let's discuss how you can protect yourself


online from placing fraudulent orders. We will talk
about your 3 best friends: VM, VPN, SOCKS.
Friend 1: The VM

The VM (virtual machine) is an installation of


Oracle VirtualBox or VMWare, whichever you
prefer. It's like a computer on your computer.
Your computer is the "host machine" and your
VM is the "guest machine." On your guest
machine, put everything related to carding. Never
place anything related to fraud outside of this
virtual machine. Keep everything in the same
place, you don't want to leave evidence on your
computer. Once your VM is ready, create a
TrueCrypt volume and place your VM files on it.
Only mount your TrueCrypt volume when you
want to access your carding material.
By using TrueCrypt, you ensure that your VM
is encrypted and that everything related to
carding “disappears” when the power goes out,
and you need to decrypt the volume again to
access it. So if LE breaks into your house, unplug
your computer and all evidence will be gone. No
need to start deleting files here and there. If they
confiscate your computer for analysis, there will
be nothing to find. Your virtual machine is
completely invisible and is only accessed when
you want to upload something.

Now that your physical computer is protected,


you'll need to think about hiding your online
identity. If you don't know much about VirtualBox
and TrueCrypt, you should research about them,
They also have many uses outside of the world of
cards.

Friend 2: The VPN

VPN is the way you can use to hide your


identity online and appear anonymous. It routes
all your computer traffic to a VPN server that
hides your identity and forwards the traffic to the
desired site. I personally use PureVPN, but you
can choose any provider, but read their privacy
policy to make sure they don't keep logs.

If you don't use a VPN, your IP address will be


visible. The police just have to call your ISP and
get your IP information, and they arrest you.
Therefore, using a VPN is crucial for anything
sensitive online. Once you think your VPN is
connected correctly, you can type "what's my ip"
into Google to find your location. Make sure the
location is the advertised location of the VPN
server and not your actual location.

With VPN, you are anonymous, so everything


you do is hidden. The only problem, merchants
know it too. Although they can't tell who you are
when you browse their site, they can see that you
are using an anonymization service and therefore
this order is more likely to be fraudulent. Raise
flags. Many major merchants have a list of
servers
known VPNs and flag orders originating from
those addresses. Then our next friend will solve
that problem.

Friend 3: The SOCKS

We're not talking about underwear here, but


rather a Socks 5 proxy. What's that? Simple. To
ensure that the merchant sees you as legitimate,
you must become the cardholder. If you go to
vip72.org, you can buy socks from many cities
around the world. If you choose a sock in the
cardholder's city, you may appear as if you are
from that city when you make the purchase and
therefore have a better chance of success.

When you install the VIP72 software, you will


be able to choose from a variety of socks per city
and those that are not blacklisted as they are not
public anonymity services. It's like using
someone else's computer (in that city) to make
the purchase. This way you truly appear to be the
cardholder and eliminates all the hassle.
Use SOCKS over your VPN for maximum
security (in case the socks proxy is
compromised) and it will not be traceable.
Combining that with your encrypted virtual
machine ensures a rock-solid setup with no
chance of being tracked. Once you pick up your
item at delivery and leave, it is gone forever, there
is no way to respond to you. Success!
I see a question that comes up often on
forums, how do we chain socks and Tor
together? Simple. First, don't use Tor. Use any
browser like Google Chrome. This is how we use
the full configuration.

1) Get a VPN (like PureVPN) from the US. USA


(Vip72 likes to crash when using a non-US VPN
location.) (U.S., so don't risk it.)

2) Connect the VPN, open the VIP72


program.

3) Log in, select country, state, city, then


double-click the desired proxy.

4) When the proxy is in the selected list, open


Proxifier.

5) In your browser's proxy settings, select


"use system settings."

6) Google "what is my IP" and make sure you


appear in the desired city.

If "what is my ip" shows the desired city and


your VPN is connected, you are now invisible and
can log whatever you want. Don't skip the VPN,
you never know when/if your socks will give away
your location. Prevention is better than cure.
Another way LE can catch you is through your
username. At TCF and Evolution Market, some LE
officers have accounts and are looking for "big
fish" to catch. One step LE takes is to Google
your username and find clearweb sites you might
be registered with, so you have a starting path for
your research, so use a different username than
your clearnet operations .

They will check who lives in your place and


make a list of family or friends, so make sure you
are not linked to that place in any way (business,
friends, family, etc.)

They can use voice recognition to pick up


your voice on a call. This is not the way to get
caught, but it will serve as additional evidence if
you are ever convicted of that crime.

If you want to be paranoid about security, you


can make a door guard for your computer. If you
have your virtual machine running on TrueCrypt
and you have to leave your computer on while
you are somewhere else, sleeping for example, it
is good practice to use an extension cable to
power your computer and fix that extension to
disconnect when the door is open . In the event of
a raid, all evidence will be destroyed. This is not
required, but can be an additional layer of
protection in case the police indicate your
location and decided to pay him a visit. But
usually when you leave home or go somewhere
else, you should at least unmount your TrueCrypt
volume. If you don't want to lose all the state of
your virtual machine (sometimes you have
multiple applications running), you can Save
Virtual Machine State on Shutdown to prevent
everything from reopening.

If you started carding before purchasing this


guide and installed carding material on a hard
drive, don't just delete the files. Any competent
LE officer can easily recover them. To avoid this,
download the DBAN software and burn the iso to
a CD or DVD. Insert the CD into the computer,
boot into it, and securely erase your hard drive
using the DoD standard or RCMP method. This
way you will erase all traces of carding-related
files and be safe in case LE seizes your hard
drives or USB drives for investigation purposes.
When they break into your house, you won't have
time to destroy all your hard drives. They take an
average of 3 seconds to grab what they want.
Besides, do you really want to sleep with worries
and be afraid of getting caught? Me neither.

Section 2.2 - Burner Telephones

This section is about how to call banks safely


and avoid being traceable. If you use your home
phone for that,
They will surely arrest him. Here's how to solve
that problem.

The first step is to register a RingCentral


account (you can load it with a level 2 card) where
you will purchase the phone numbers needed to
impersonate all of your cardholders. Go to
ringcentral.com and register an account. They will
then ask you for a phone number where they can
reach you. You can make an excuse like you are
at work and you will call them when you have 2
seconds. Call and talk to them and agree to an
office plan. You can say you are going on
vacation for a few months and need an IP phone
to call home for free. This process is quite simple.

Once you've set up your RingCentral account,


take some time to explore the options in its
interface and learn how to register phone
numbers. You can select by state and city to
register phone numbers and point them to the
face of your burner. They often change their
interface, so I won't go into the details here, but
make sure all the "burner" numbers ring on your
burner cell phone. As an alternative to that, you
can get a desk phone, configure the SIP
information on it, configure port forwarding on
your router, and if your router supports it, select
VPN in the WAN connection type, to have a desk
phone protected. which can be 24 hours a day, 7
days a week. A mobile phone burner works, but
since there is no VPN possibility for calls, it can
be a bit dangerous. You can always get cards
Prepaid SIMs with a fake name for your cell
phone, but since the phone's IMEI can be flagged,
we recommend getting a cheap $10 phone and
throwing it away after every big heist.

If you choose the desk phone, you don't need


to throw anything away as the location can never
be tracked by any means if your router uses a
VPN connection. This is the option that I use
personally. Just make sure you are available to
take the merchant's confirmation call, as a missed
confirmation call is often synonymous with
failure. They are paranoid like that sometimes.

Many phones from Polycom, Aastra or Cisco


function as desk phones as they also have
legitimate uses. You can also have a legitimate
line and a scam line if your phone supports 2 SIP
lines, which most models do. Every time a card
burns, I change the card in RingCentral and have
yet to see an account canceled due to
chargebacks. So far everything is going well, and
it's been months. When spoofing the cardholder
number, there are 2 very popular services,
Spooftel and Spoofcard.

Spooftel only accepts bitcoins for payment,


but they are pretty cheap, just $0.10 per minute
for any

number and they don't block numbers for


anything.
Spoofcard accepts credit cards for payment
(you can load them with a level 2 card) but often
calls are dropped after 30 seconds for no reason,
for all sorts of reasons, so I stay away from them
and use Spooftel even if I have to spend some
bitcoins.

Be careful as LE can subpoena any of those 2


companies to reveal the number you used to
make the spoofed call, so don't use your real
phone to make the conversation as there is a way
to trace it back to you. Use your burner combined
with Spooftel for maximum safety.

As soon as RingCentral receives a


chargeback, you will be notified by email and
your account will be cancelled. They ask for
supporting documents, but do not respond.
Simply open another account with another card.
Section 2.3 – Android Device Spoofing – The
Perfect Way

This section is one of the most important, if


not the most important, if you want to have any
luck cashing out large amounts. If your goal is
just to do a quick heist and get $1,000 and then
move on to something else, it's okay to skip this
section. However, if you want to follow me and
earn 5 figures a month in fraud money, you
definitely need to up your game.

Stepping up the game means getting a


physical Android device from your local store,
which will cost around $100. You can also get a
used one on Craigslist, in fact as long as you
have a physical device in your hands you'll be
fine. You don't need to get any SIM card or any
plan, just get the phone, you won't use it to call
anyway. However, if you already use a physical
recording Android device, you can reuse it for
that.

This section is also about giving up on the


Genymotion emulator completely, because it has
too many restrictions and you won't be able to
fake it completely. Square and Flint apps have
many special permissions including obtaining
MAC addresses, serial numbers, IMEI, IMSI,
phone numbers and much more information. This
section will tell you how to fake that data and
send junk (but real-looking) data to trick those
apps into believing that you are someone new. If
you follow this tutorial, there is no way that even
the most advanced app in the world can find out
that you are spoofing your identity.
Step 1: Unlock and root your phone
First of all, prepare your phone, connect it to a
VPN (any is fine), create a junk Google account
(any name is fine, it doesn't matter, but don't put
your real name) and download the IMEI .info app.
You'll only need this one for now.

The next step is to unlock your phone's


bootloader. Since every Android phone model is
different, I can't give you exact instructions, but I
will put you on the right track for some of the
major brands. I've included the ADB and Fastboot
folders, in case you need to use any of those files
during the process.

Motorola devices

Go to http://motorola-global-
portal.custhelp.com and you will have all the
necessary instructions. The website is well made
and you will find it easy.

LG devices

head to
http://forum.xda-developers.com/showthread.ph
p?t=2224020 and you will see the instructions, it
is not very difficult.

Samsung devices

There are too many different models, and each


model is different, you can only search for it. The

Most phones can also skip this step and go


straight to the next.
Now that your phone's bootloader is unlocked,
you will need to root your phone. This varies by
device, but I'll give you the usual procedure. The
normal procedure is more complicated, but I
created batch files to make it faster, for your
convenience.

Connect your Android device to the USB port


and place "UPDATE-SuperSU-v2.02.zip" (from the
"Android ClockworkRoot" folder) in the root of
the phone's SD card. Turn off your phone and
turn it on again while holding down the "volume
down" key and you will be in the home menu.
Then double click on the “ROOT.bat” file from the
same folder and it will install the recovery ROM.
Boot the phone into recovery mode and you will
be in the Clockwork home menu.

From there, install a package from the SD card


and locate your SuperSU file (the zip file we put
earlier) and your phone will be rooted. Optionally,
if you want to restore your logo and get rid of the
warning message when you turn on your phone,
you can search for your firmware, download and
unzip it, replace the "logo.bin" file in the folder
provided by the downloaded one, put the phone
in standby mode. start menu and double click
"LOGO.bat" to restore your logo.
Now your phone is rooted, but that was just
the first part. Now we will install the spoof tools
that will allow us to become someone else
without anyone noticing. We want to make
money, so let's do it the right way. Optionally, you
can download the "Root Checker" app from
Google Play to verify that you have successfully
rooted your phone.
Step 2: Install the Xprivacy package and
framework

Boot your phone in normal mode and place


the "xposed.apk" and "xprivacy.apk" files in the
root of your SD card. On your phone, open
Google Chrome and go to the address
“file:///sdcard/xposed.apk” and this will download
the Xposed Framework. Go to your Downloads
folder and install that file. Once you are done,
restart your device.

Repeat the process but for the "xprivacy.apk"


file. Next, you will need to open the Xposed app,
enable the framework, and enable Xprivacy.
Reboot the phone again. Xprivacy is an operating
system modification that allows you to send fake
data to applications that ask for device data such
as IMEI, IMSI, serial and a few more parameters.
We will use this to trick apps into tricking that we
are someone else.
Connect to your VPN (Android has a native
VPN feature in the Settings menu), open Google
Play, create a dummy account, and download (but
don't open) your favorite payment apps like
Square, Flint, PayAnywhere, etc. and install them
on your phone.

We are done with the installation of the app,


now we will move on to the impersonation part.
This is the most interesting and important part.

Step 3 – Spoofing Application Privileges


Be careful in this part. Making a mistake may
result in your identity being revealed, so proceed
carefully. I take no responsibility for anyone who
is arrested for incorrectly following instructions.
You have been warned. Unplug your phone from
your computer before continuing.

Open the Xprivacy app and click the icon at


the top right of the window, then go to Settings.
There will be a "Randomize Data" button, click on
it. You will see below that the IMEI, IMSI, serial,
etc. have been falsified. You can click as many
times as you want, everything is fine. Uncheck
"Randomize data at boot" and make sure nothing
is checked next to the parameters. Click in the
Number field
phone and enter the 10-digit phone number of
your target, and enter the latitude and longitude
of the victim's home. Exit the setup menu.

You are on the main Xprivacy screen. Check


the box to the right of your app and click the app
icon to open the advanced properties panel. You
will need to check the boxes next to all items that
have a small key icon next to them, except
Internet. Do not check the boxes if the
background is red. Last but not least, make sure
the "Restrict" option at the top is activated.

Congratulations, your device is counterfeit!


But there is one more detail: having a legitimate
IP is essential. So we'll move on to the last part of
this section.

Step 4: Connect your device to the SOCKS


proxy

First, you'll need to configure your router to


use a VPN connection. Any VPN provider is fine.
The same procedure will be detailed in section 2.2
(burner phones). Set PPTP as the WAN
connection type and, on your PC, Google "what's
my IP" to make sure you're behind a VPN.
On the computer (or virtual machine) where
you are using VIP72, configure the firewall to
always allow incoming TCP port 9951 on all
domains. Make sure you open the VIP72 and
Proxifier client and test your connection to make
sure it appears in the proxy location.

On your Android device, head to Google Play


and install ProxyDroid. Open the application and
put the local IP address of the computer (or VM)
running Proxyfier, port 9951, without username
and password. Check "global mode" and connect
the proxy. Your phone will vibrate and beep, and
you will be connected to the proxy.

Open Google Chrome on your device and


search for “what is my ip”, at this point the IP
displayed should be the IP of the proxy you are
using. You will also appear at that location. It's
now safe to open your payment processing app.
Junk data will be sent to those apps instead of
real data, giving you full protection.

It will take a long time for your accounts to


burn; This method is a proven phishing method
that is not found anywhere other than this book
and will surely take forever to burn. You will
notice that some app options will be blocked and
Xprivacy will display a message; For example,
Square wants to record audio from your
microphone, which is an invasion of the
privacy. Flint wants to read data from the
computer connected via USB; hence the
importance of unplugging your device.

Section 2.4 - AVS

AVS is an address verification system, a fraud prevention system used by stores to ensure that the billing address is correct.

It works by checking the numerical part of the address (mailing address and zip code) against what is on file with the bank to make sure it is accurate. Only the numerical part is compared, so 123 Right Street is the same as 123 Wrong Way. The zip code is compared in its entirety.

Why is AVS important? Because it causes


automatic declines on many sites if the AVS does
not completely match. If the cardholder cannot
type their own address, the website will not
believe for a second that you are the real
cardholder. Many sellers sell non-AVS cards. Is
this good? We'll see.

Let's say you have a non-AVS Amex card from Colombia (they are very popular). People tend to use them in US online stores, and they set the billing address and the shipping address to be the same, hoping the card passes AVS. It will. But...

A smart fraud detection agent will see that the BIN is from Colombia. What is the probability that someone with a card from Colombia has a registered US billing address, especially knowing that the card is not AVS? That's right, very slim. Expect the order to be canceled immediately unless the fraud agent is very stupid (they're getting smarter and smarter these days).

Non-AVS cards should be taken with caution.


Don't assume you can register any store with
these just because they don't use address
verification systems.
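Seen from the merchant's side, the two checks this section describes (digits-only address matching, and comparing the card's BIN country with the billing country) can be combined into one review rule. The sketch below is an added example, not part of the original guide; the BIN table, field names and result labels are assumptions made for illustration.

```python
import re

# Constructed BIN -> issuing-country table (assumption; production systems
# query a BIN database). Both BINs below are made-up sample values.
BIN_COUNTRY = {"400000": "US", "370000": "CO"}


def numeric_part(street):
    """Digits of the street line only: '123 Right Street' -> '123'."""
    return "".join(re.findall(r"\d", street))


def avs_match(entered, on_file):
    """Compare as the section describes: street digits, and the whole ZIP."""
    digits = numeric_part(entered["street"])
    street_ok = digits != "" and digits == numeric_part(on_file["street"])
    zip_ok = entered["zip"].strip().upper() == on_file["zip"].strip().upper()
    if street_ok and zip_ok:
        return "full"
    if zip_ok:
        return "zip_only"
    if street_ok:
        return "street_only"
    return "none"


def review_reasons(order, on_file):
    """Reasons to hold an order for manual review.

    on_file is None when the issuer returns no address data (a non-AVS card),
    so a missing AVS answer is treated as a signal rather than as a pass.
    """
    reasons = []
    if on_file is None:
        reasons.append("avs_unavailable")
    else:
        result = avs_match(order["billing"], on_file)
        if result != "full":
            reasons.append("avs_" + result)
    issuer = BIN_COUNTRY.get(order["card_number"][:6], "unknown")
    billing_country = order["billing"]["country"]
    if issuer != billing_country:
        reasons.append("bin_country_%s_vs_billing_%s" % (issuer, billing_country))
    return reasons
```

A street name that differs while the digits agree still returns `full`, which is why the BIN-country comparison and the "no AVS data" case are scored separately instead of being folded into the AVS result.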

Section 2.5 - Airline Tickets

Another popular question is, “how can I get


airline tickets?” ”Although this is feasible, I
advise against it because it is dangerous. If you
still want to do it, I'll tell you how.

About 1 year ago, I landed in Japan, and as I


got off the plane, still at the boarding dock, there
were 2 security men blocking the way. They
shouted, “Everyone get your boarding pass! ”,
and people passed one by one, “ok”, “go ahead”,
until there was a guy
strange looking guy who showed his pass and
the bouncer said “follow me”, as they left,
security shouted, “everyone else can go!” ”. If
you don't want to be this guy, keep reading.
If you charter a local flight, there is usually no
danger. You must use a card from the same
country as the country you are traveling to. You
can put your real name or the name of the
cardholder and use a fake ID. If you choose to use
your own name, make sure you have evidence to
support your case if you are stopped while
boarding or leaving the venue. You can say you
bought tickets on Craigslist or a forum, but have
some (fake?) evidence to back it up. You want to
avoid any suspicion of credit card fraud in case
problems arise. Better safe than sorry, although
I've done it many times and never had any
problems. If you use your real name, use any ID
except your passport, this can save your butt
later. Use a non-government ID such as a student
card, in many cases they accept it. Present a
government ID if requested, but not a passport.

If you are loading an international flight, that is


more difficult. You have to use your real name
and passport number. Note that it does not make
you a fraud suspect in a chargeback case, as they
cannot prove that you uploaded it yourself, as
long as you have taken your precautions on the
computer. Please show at check-in and go to self
check-in to avoid people as much as possible. Try
to book a short flight and avoid first class (flag
flying) flights.
Upon arrival, leave the airport as quickly as
possible. If they didn't catch you

good job! Otherwise, well, nothing because


you don't have this guide in jail.

In all cases, you should never charge the


airline directly. They have representatives waiting
at the plane exit just to catch the scammers.
Cards from third party websites like Expedia,
Cheapoair, etc. as they cannot move fast enough
to catch a card. If you card them successfully,
you have little chance of being caught exiting the
plane.

Now, this has been discussed before, but not


hotel cards! You don't want security knocking on
your door at 3 a.m. to talk about fraud. If you're
going on a trip, carry some of it, but I guess you
also have a little bit of money if you're going on a
trip. Use common sense.

Card only one-way flights, do not card return


flights unless they are very close to each other (2-
3 days maximum). If there is a chargeback and
you are waiting for your return flight, rest assured
they will wait for you.

Last but not least, have solid arguments if you


are intercepted on the way out.
As if I had bought it from someone else. Do not
leave evidence of any card tests. This is common
sense, but it is always welcome to remind our
fellow carders. To have a solid story, create a
bitcoin wallet with a random name. Create a new
Virwox account with your real details, buy
bitcoins for around 30% of the flight value and
send them to that fake wallet. Then, create a fake
email address with that same person's name and
trade with their real email as if you were
negotiating a rate of about 30% of the retail price.
Once your flight is over, use the bitcoins in that
wallet as you wish. In case you are stopped at the
airport, you will be able to show those emails and
transactions and act as an innocent victim.
However, if you booked through a third party, the
chances of that happening are very low.

Also, ATO is required for airline tickets over


$300 as most sites will call the billing number to
verify and cancel the order if you are not available
to take the call, so have your recorder ready if
you do. does.

Section 2.6 – Fake Emails

Sometimes you may need to impersonate


someone and spoof an email for various reasons.
There is a clean, undetectable way to do that, and
that's what I'm going to do.
explain here. The email will look 100% legitimate.

To spoof emails, you will need to make the


email yourself. This means creating the headers
and everything. To test, simply send a "Hello
World" to a Hotmail test address, click "View
Message Source" and you'll see the top headers.
Paste everything (the source) into a Notepad++
document. You will see a header that looks like:

From: Real name <real [email protected]>

Modify it to what you want to display, it's


pretty self explanatory. For example, change it to
that:

From: TCF Hack <[email protected]>


Then you have the entire email in a Notepad++
document. Next, get a Telnet client. I recommend
Putty, it is free to download. Next, make sure
you're using an anonymous connection (I advise
against VPN as it's obviously coming from a
public proxy - use something like a hacked wifi,
3G dongle, etc.) and your security is correct.

Find the mail exchange server for your


domain. For that, go to
http://www.dnsqueries.com/en/mx-lookup.php
and enter your domain, example "hotmail.com"
and you will get the exchange addresses.
mail. If there are many, choose one at random. In
your case it will be "mx3.hotmail.com".

We have everything we need! Open a Putty


Telnet connection to your mail exchange server,
port 25. The "conversation" will be as follows (it
may vary a little, depending on the messaging
software):

Send: EHLO mx.spoofedserver.com

Answer: Welcome mx.fakeserver.com

Send: MAIL FROM:


[email protected]

Answer: 250 2.1.0 Ok

Send: RCPT To: [email protected]

Answer: 250 2.1.5 Ok

Send data

Answer: 354 final data with


<CR><LF>.<CR> <LF>
(paste all your data here, the one you edited
with Notepad, then press Enter, put a period (.)
and press Enter again)

Answer: 250 2.0.0 Ok: queued as 43958340634

Your fake email is sent. Note that for some


providers like Hotmail, if you try that (Hotmail to
Hotmail), they will spam you because the source
IP is not one of the Hotmail servers and they
recognize it as spoofed. However, if you send an
email to Hotmail from another server (e.g.
@tcf.onion), it will work like a charm. For smaller
messaging servers, everything will be fine. Now
more people will fall for their scams.
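The receiving-side check mentioned above (a provider noticing that the source IP is not one of the claimed domain's servers) is recorded in the message's `Authentication-Results` header, and a mail filter can act on it. The following is an added example from the defender's side, not part of the original guide; the server name, domains and both sample messages are constructed, and exact-domain comparison is a simplification of DMARC alignment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_MX = "mx.receiver.test"  # hypothetical name of our own receiving server

# Constructed message: the visible From claims example-bank.test, but it was
# delivered by an unrelated host, so the receiver recorded SPF/DMARC failures.
SPOOFED = """\
Return-Path: <bounce@mailer.invalid>
Authentication-Results: mx.receiver.test;
 spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=mailer.invalid;
 dkim=none; dmarc=fail header.from=example-bank.test
From: Example Bank <support@example-bank.test>
To: user@receiver.test
Subject: Account notice

Hello World
"""

# Constructed message: same From, delivered by the domain's own servers.
GENUINE = """\
Return-Path: <support@example-bank.test>
Authentication-Results: mx.receiver.test;
 spf=pass smtp.mailfrom=example-bank.test;
 dkim=pass header.d=example-bank.test; dmarc=pass header.from=example-bank.test
From: Example Bank <support@example-bank.test>
To: user@receiver.test
Subject: Account notice

Hello World
"""


def domain_of(header_value):
    """Domain part of the address in a From / Return-Path header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def auth_verdicts(msg, trusted=TRUSTED_MX):
    """method -> result, taken only from headers stamped by our own server."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = " ".join(value.split()).partition(";")
        if authserv.strip().lower() != trusted:
            continue  # the sender can write this header too; ignore foreign ones
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            verdicts.setdefault(method, result.lower())
    return verdicts


def assess(raw):
    """Flag a message whose From domain is not backed by the delivery path."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    env_dom = domain_of(msg.get("Return-Path"))
    verdicts = auth_verdicts(msg)
    reasons = ["%s=%s" % (m, verdicts.get(m, "missing"))
               for m in ("spf", "dmarc") if verdicts.get(m) != "pass"]
    if env_dom != from_dom:
        reasons.append("envelope/from mismatch")
    return {"from_domain": from_dom, "suspicious": bool(reasons), "reasons": reasons}
```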

Section 2.7 – Complete falsification of your


identity

These are people who take seriously the


possibility of hiding their identity. Newbies would
assume that by changing your VPN location, you
are someone new. More advanced users will say
that by changing your VPN, your socks, and
using a completely new browser with user agent,
changing fonts, resolution, and system time, you
are better off. In fact, they are both wrong.
Payment processors and Paypal have extremely
advanced ways of fingerprinting people and here
we will learn how to avoid it.

What software or websites (via complex


Javascript calls) they can use to fingerprint, may
include motherboard serial numbers, system
UUID (unique identifier), etc. That's a lot of things
to make fun of! To avoid the
investigation of spoofing everything, I have
prepared a small program, DMI Spoof, included in
this package. This program was written by myself
and is used to modify a VirtualBox virtual
machine to make it look brand new!

Run DMI Spoof and you will be prompted for 2


parameters.

1) Path of VboxManage.exe. This is the full


path of the VboxManage.exe file, usually located
in the same installation directory as VirtualBox.

2) Name of your VM. When you open


VirtualBox, this is the name that appears in bold
black characters in the list. Do you know what is
it.

Note that you can also provide those


parameters on the command line to run it faster,
the first parameter will be the path of
VboxManage.exe and the second parameter will
be the virtual machine name. Provides a faster
way to fake everything.

Once you have provided those 2 parameters,


DMI Spoof will alter the VM to change the BIOS
brand, motherboard information and serial
numbers, CPUID information and some other
parameters. It will appear as if you have a
completely new computer made of completely
different hardware, with no way of knowing that
this has been counterfeited.
Once you start your VM, change the following
settings in Windows as they can also be used to
fingerprint you and cannot be modified using DMI
Spoof:
- Screen resolution (you can usually drag a
corner of your VM)

- Install or remove a font in the Fonts folder


(the list of fonts can be found using JS)

- Change computer name (reobot required)

- Use Tmac to spoof the network MAC


address (can be found using advanced
Javascript)

- Disable Flash (some sites silently place


Flash cookies on your computer)

- Switch user agent (use the switch user


agent extension for Firefox)
Change VPN location or proxy
Socks (this is obvious)

Once you've changed everything, don't access


your sites again from the same IP as before, or
you'll have to restart the whole process!

This is enough to protect you from all


fingerprinting processes; For payment
processors and high-security sites, this is a must.
There is no such thing as "too much security."
Keep in mind that all of this is equivalent to
having a new computer. It will appear brand new
and there is no way to trace this back to the
original machine. DMI spoofing is somewhat
easier to do in a virtual machine, and if you read
this chapter correctly, you'll know that you should
always put your card software in a virtual
machine for maximum security.

Section 2.8 - Protecting your VPN

When it comes to using a VPN, many people


have a Sharky connection and their VPN
connection sometimes disconnects. What if you
are using a withdrawal script
automatically or have you logged in with your
fake username in an online store? That's how it
is. The connection will be established and reveal
your real IP. For Windows 7+ users, there is
native Windows protection you can use to
prevent such a thing.

When you connect your VPN for the first time,


Windows will ask you if this connection is a
home, office, or public network. You must select
Public. Then, go to the Windows firewall
advanced settings and follow these steps to
protect yourself:

1) Go to the “outbound traffic rules” section


of the advanced settings window.

2) Right-click "outbound traffic rules" and


select "add rule."
3) You will be asked what type of rule you
want to create. Select "program".

4) Click "browse" and select the .exe file of


the application you want, for example, Firefox.

5) Select "block connection".

6) When asked when the rule will apply,


check “home” and “office”, uncheck “public”.

7) Give this rule a meaningful name, for


example, “Firefox VPN”.

8) Create the same rule for each program you


want to protect.

In this way, all connections that are not in the


public domain (not made through VPN) will be
blocked for the

selected programs, while still allowing system


requests to follow the standard path. If your VPN
is disconnected, you won't be able to use those
programs. You should do this to:

-Firefox

Google Chrome

Tor Browser
Tor process

- VIP72 Client

Proxifier
Pidgin

-Thunderbird

- Any other program that you consider useful.

Please note that you cannot block all packets


that are not sent through the VPN. Many
programs, including the operating system itself,
must communicate on the local network without
restrictions, and using the "block all programs"
rule instead of selecting a program can make the
system unstable and have unpredictable
consequences. Additionally, you must use traffic
on the "Home" domain in order to connect to your
VPN.

This ensures that your IP will never be


revealed in the event of a disconnection. In that
case, simply reconnect your VPN and everything
will continue as normal. You won't have to
constantly monitor your connection status.

In case you don't know the file path to choose,


you can open the task manager by using Ctrl + Alt
+ Delete (or right click on the taskbar and select
"open task manager"), right click on the process
and select "open the location of the
archive ". This will give you the full path of the
file, so you can add it to your firewall rules.

For older versions of Windows like XP, you


can use the Comodo firewall to achieve the same,
however, this is beyond the scope of this tutorial
and has been shown to cause system instability.
The Windows 7 native method has proven to be
the most stable and secure so far, so enjoy your
protected system!

Section 2.9 - The 10 most common mistakes

This section talks about the most common


mistakes newbies make when they start carding.
Some can be fatal, others are simply not
important, but it is important to understand those
points.

#1 – Show off your stuff

When you get free stuff, don't brag to your


friends, your family, or your girls. You never know
when someone will get mad at you and decide to
report you. Keep it to yourself and don't worry!
Just say you have a way to get cheap stuff and
it's private. That's all.
# 2 - Link with your personal life
Don't ask a friend to use your house as a
drop-in. Don't send to your workplace, your
parent's house, or worse yet, your own home! If
the police show up at your friend's house, they
will surely give you away. Don't trust people so
much.

# 3 – Starting too big

When you first start carding, don't attack


merchants like Newegg or TigerDirect. They are
not easy and will give you a negative feeling
about carding even before you get free stuff. Start
small, for example with clothes.

# 4 – Using the same nickname on hacking


boards and clearnet sites

Many newbies forget that, and yes, there are


probably LE officers at TCF, watching what's
going on. If they can Google your username and
see your Facebook or anything else, you're
screwed. Use a name you don't use anywhere
else!

#5 – Respond to fraud allegations


Sometimes you may be caught out of balance
and for example a store will respond "the order
was fraudulent so we canceled it." If you carded
them successfully 3 times before, don't talk about
it. If you just want to show them that you own
them, you can persuade LE to track you, because
you just linked the fraudulent orders. Just don't
answer anything.
# 6 - Do not wash your bitcoins

If you buy (or card) bitcoins with Virwox, they


can use the blockchain to track where those
bitcoins went and eventually link it to you. Use a
service like BTC Fog to launder them and get new
bitcoins, not linkable to you, for your
underground operations.

# 7 - Talk to your partners on a trackable site

Don't use Facebook to talk to your partner


about carding. Any LE officer can subpoena
Facebook to get your conversation history and
catch you. Use Pidgin + OTR to encrypt your
conversation and use VPN to connect to ICQ.
Make sure it is not traceable.
# 8 - Being off balance during an ATO

When you are ATOing an account, stay calm,


don't be fooled by the questions. If you answer
incorrectly (because very often, they have
inaccurate information), stay calm and explain
yourself, remember, the card is yours. Don't show
fear, because they will catch you.

# 9 - Hit the same drop

This is self-explanatory; Finding drops is a


pain, but go the extra mile and get a virgin drop.
It's already hot in the first place, so don't add
more and you risk getting caught. One drop is
good for 3 days; After that, it's time to move on.
You can also apply this principle with girls.

# 10 - Accessing your fake online store


without VPN

When your Stripe account gets burned and


they subpoena your fake e-store to give them the
login log, you don't want them to see your real IP
and trace back to you. Always use VPN to upload
files, test your store, etc.
Section 2.10 - Glossary

This is a list of common words used in the carding world whose meaning many people are unsure of. Here are some of them.

ATO: Account takeover. This is when you call the bank while posing as the cardholder to perform whatever transaction you want on the account.

CC: Credit card. You know what it is.

CH: Cardholder. The true owner of the card.

COB: Change of billing. This is changing the billing address when doing an ATO. Be careful, as this may cause the cardholder to ring.

CVC: Card Verification Code. Also known as CVV or CVC2, this is the 3-digit code on the back of the card near the signature panel (4 digits for Amex cards).

DL: Driver's license. It is used for verification purposes.

DOB: Date of birth. You also know what this is.

MCSC: MasterCard Security Code. Also known as MSC, this is the security mechanism that asks verification questions during an online purchase made with MasterCard.

RC: RingCentral. Your favorite source for burner phones.

SSN: Social Security Number. You know what it is.

VBV: Verified by Visa. The same as MCSC but for Visa cards.

Conclusion

I hope this guide has been useful to you. I


tried to put as much knowledge as possible to
help my fellow carders in the underworld. Use any
part that works for you and try to achieve great
success. Again, thanks to everyone who
purchased the guide, and if you have any
questions, please post on the forums so everyone
can see the question and provide better help.

I don't like being PM'd with card questions;


The reason is that sometimes there may be a
member who knows more than me about a
particular topic and if everyone can see your
question, you may get more help and it will
benefit the entire community. That's why I
encourage you to make your question public.

Also, I do not provide personal support on


ICQ. This guide has been sold in over 300 copies
and if it would help everyone who
bought, I would spend all day doing it. That being
said, thanks for purchasing this guide, now it's
time to make money!

Mewtor
