A technical breakdown of Amex account takeovers. Learn how to hijack session tokens, extract Membership Rewards, and dodge the Financial Review.
You buy an Amex login log from a Russian marketplace. You route your browser through a cheap datacenter proxy. You try to log into the account. The screen throws a 2FA prompt and instantly locks the profile. You just burned 60 dollars.
Amex runs the most aggressive telemetry in the financial sector. They own the entire payment stack. They issue the cards and process the transactions. Their security algorithm sees absolutely everything you do.
I clear out aged Amex accounts for a living. I pull roughly 2 million Membership Rewards points a month. Copy my exact workflow.
Hijacking the active session token
Brute forcing a raw username fails instantly. You extract the active session cookie.
I use Evilginx2 to set up a reverse proxy. I register a domain that looks exactly like the Amex login portal. I send targeted phishing emails to wealthy individuals. I scrape business directories to find CEOs and high-level executives.
The victim clicks the link. They type their credentials into my fake page. Amex sends them a real 6-digit SMS code to their phone. They type that code into my fake page.
The proxy intercepts the authentication token. I inject that exact token directly into my Dolphin Anty browser using an extension. I am now completely logged into the account. I bypass the 2FA prompt entirely because the system assumes I am the victim on a trusted device.
The network environment
Session tokens tie directly to geographic locations. If a token generates in Seattle and you inject it using a proxy in Miami, Amex kills the session immediately.
I use premium residential proxies. I buy access to compromised home routers through a private pool. I match the IP address to the victim's exact zip code. Check the IP on IPQS before you ever inject the cookie. Throw the IP away if the fraud score sits above 10 percent.
You configure your browser profile to match the victim's user-agent. The stolen log file tells you what device the victim used. Build a Windows Chrome profile for a Windows Chrome victim.
Navigating the dashboard
Rookies log in and immediately try to change the email address. That triggers an automated account lock.
You touch absolutely nothing in the profile settings. Leave the phone number alone. Leave the billing address alone.
Spend 10 minutes clicking around the dashboard. Check the recent statements. Look at the spending habits. Scroll through the available Amex Offers. You act like a bored consumer reviewing their monthly expenses.
Extracting Membership Rewards points
Membership Rewards points are untraceable liquid cash.
Redeeming points for Apple products or Home Depot gift cards triggers a manual review. Physical goods require a shipping address. Fraud analysts scrutinize physical gift card redemptions heavily.
You transfer the points directly to travel partners.
I link the Amex account to an Air France Flying Blue account or a British Airways Executive Club account. Create the airline account using the victim's exact name. Amex verifies the name match before approving the transfer.
Amex processes airline transfers instantly. You move 500,000 points in a single click.
Selling the miles to brokers
You now control an airline account loaded with half a million miles.
I sell the login credentials to mileage brokers on this forum. A reliable broker pays me roughly 1.2 cents per mile in Bitcoin. You message them on Jabber. You hand over the account details. They verify the balance. The cryptocurrency hits your wallet 10 minutes later.
They use the miles to book first-class international flights for their own clients. You take the crypto and walk away. You avoid the physical risk of holding stolen goods.
The Authorized User exploit
Sometimes you hit an account with a massive credit limit and zero reward points. You extract the raw credit.
Navigate to the account management tab. Request an Additional Card. Amex allows primary cardholders to add Authorized Users. They ask for a name, date of birth, and a Social Security Number.
Provide the name of your physical drop receiver. Provide a synthetic SSN. Amex legally requires the SSN, but they give you 60 days to provide the physical documentation before they cancel the AU card.
That 60-day window gives you plenty of time to drain the limit.
You ship the new physical card to a vacant house. You track the FedEx package. You grab the envelope off the porch. You walk into a luxury boutique and swipe it for a Rolex.
Dodging the Financial Review
Amex constantly monitors accounts for bust-out behavior. A sudden 15,000 dollar charge at a jewelry store on an account that normally buys groceries triggers a Financial Review.
During an FR, Amex freezes all cards. They demand the cardholder submit an IRS Form 4506-C. That form allows Amex to pull two years of tax returns directly from the federal government. You cannot fake a 4506-C. The review kills the account completely.
Match the victim's velocity to avoid the freeze.
Read the last three months of statements. I copy their exact spending patterns. If the victim regularly buys high-end electronics, I hit Best Buy. If they regularly spend thousands at luxury hotels, I book non-refundable suites.
Keep your single transaction amounts under 4000 dollars. Multiple smaller transactions blend into the background noise smoothly. One massive swipe flags the fraud engine instantly.
Handling the SafeKey prompt
Online purchases trigger SafeKey. This is the Amex version of 3D Secure.
SafeKey relies heavily on browser cookies and historical device trust. Your injected session cookie carries massive trust weight. The system usually processes the transaction silently in the background.
Sometimes SafeKey demands an email or SMS verification.
I buy full access logs. A good log includes the victim's email password. I log into their Gmail account using a separate residential proxy. I intercept the SafeKey verification code. I delete the Amex email from their inbox and empty the trash folder.
If it demands an SMS code, you drop the order entirely. Close the browser. Move to the next log. SIM swapping a target just to clear a 2000 dollar laptop carries massive federal prison time. Keep your risk profile clean.
The cooldown and the burn
You get exactly one major extraction per account.
Dump the points. Order the AU card. Log out.
Delete the browser profile completely. Burn the residential proxy IP. Never log back into the account to check the status of your points transfer.
The victim eventually checks their mobile app. They notice the missing points or the unauthorized card. They call the fraud department.
Amex closes the account and issues new account numbers. By the time the corporate fraud investigator pulls the web traffic logs, you have already fenced the airline miles and washed the cryptocurrency through a mixer.
Set up your reverse proxies correctly. Pay for the premium IP addresses. Check the geographic data twice.
Drop your specific Evilginx configuration errors below. I check the board on Thursday nights.
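Added example from the defender's side, not code from the post above or from any issuer: a session-binding check that records the context in which an authentication token was issued (IP geolocation, IP type, User-Agent) and compares it with every later request presenting that token, so a cookie replayed through a datacenter proxy, from a different region, or from a different browser is stepped up or revoked instead of trusted. Field names, thresholds and the sample events are constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SessionContext:
    region: str       # coarse geolocation of the client IP, e.g. a US state
    asn_type: str     # "residential", "mobile" or "datacenter"
    user_agent: str   # User-Agent header observed for this request

@dataclass(frozen=True)
class Verdict:
    action: str       # "allow", "step_up" (re-run MFA) or "revoke"
    reasons: tuple

def evaluate_request(issued: SessionContext, current: SessionContext,
                     sensitive_change: bool = False) -> Verdict:
    """Compare the context presenting a session token with the context
    recorded when the token was issued, and decide what to do."""
    reasons = []
    if current.asn_type == "datacenter" and issued.asn_type != "datacenter":
        reasons.append("datacenter_ip")        # hosting ranges are not where cardholders live
    if current.region != issued.region:
        reasons.append("region_mismatch")      # token minted in one region, presented from another
    if current.user_agent != issued.user_agent:
        reasons.append("user_agent_mismatch")  # same cookie, different browser build
    if sensitive_change:
        reasons.append("sensitive_profile_change")  # email/phone/address edits need fresh MFA
    if "datacenter_ip" in reasons or len(reasons) >= 2:
        return Verdict("revoke", tuple(reasons))   # end the session and notify the cardholder
    if reasons:
        return Verdict("step_up", tuple(reasons))  # re-prompt MFA before continuing
    return Verdict("allow", ())

# Constructed sample data (assumption): the context at login, then later requests
# that present the same cookie.
SAMPLE_ISSUED = SessionContext("WA", "residential", "Mozilla/5.0 (Windows NT 10.0) Chrome/120")
SAMPLE_EVENTS = [
    ("same_device", SessionContext("WA", "residential", SAMPLE_ISSUED.user_agent), False),
    ("travelling", SessionContext("FL", "residential", SAMPLE_ISSUED.user_agent), False),
    ("replay_via_dc_proxy", SessionContext("WA", "datacenter", SAMPLE_ISSUED.user_agent), False),
    ("replay_new_browser", SessionContext("FL", "residential", "Mozilla/5.0 (X11; Linux) Firefox/121"), False),
    ("email_change", SessionContext("WA", "residential", SAMPLE_ISSUED.user_agent), True),
]

def triage(issued=SAMPLE_ISSUED, events=SAMPLE_EVENTS):
    """Return {event_label: action} for a batch of requests sharing one token."""
    return {label: evaluate_request(issued, ctx, change).action
            for label, ctx, change in events}

if __name__ == "__main__":
    for label, action in triage().items():
        print(f"{label:22} -> {action}")
```

Binding the token to its issuing context is what turns a phished cookie into a step-up or a dead session; the same comparison can feed an alert when revocations cluster on one account.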