I alluded to some of the weekend train-wreckage that was happening in private groups on Monday, but now that the situation is public and many in the community are affected, I think we should go over a few points:

  • A semi-well known /r/churning Redditor, JonLuca, allegedly examined Chase’s source code last summer and manufactured or found links that bypassed Chase’s backend business intelligence rules (it’s unclear to me what is meant by “source code”, perhaps just looking at the HTML/JavaScript at chase.com, or perhaps something else).
  • This weekend in private groups there was a discussion about leaking the JonLuca hacked no-lifetime-language, pre-approved Chase business credit card links to the greater community as an attempt to shield a few heavy hitters from potential shutdown by overwhelming Chase’s fraud team with sheer numbers, allowing them to blend into the noise.
  • After a long discussion, the links were shared in several private groups, then at a semi-public event, and finally on Reddit. To be clear, I think the motivations were different for each case, and disclaimers ranged from none at all to very cautionary/”this might get you shutdown”. Certainly not all actors were malicious but some probably were and the cat jumped way out of the bag.
  • Yesterday, a wave of Chase shutdowns came and according to several other private groups, they keep coming. There are mixed data points, but it seems like if you used at least three of those links, or perhaps just two, you’ve been shutdown or you shouldn’t be surprised if you get shutdown over the next couple of days.

In the end, I think a fair number of shutdowns happened to people who probably weren’t going into the links with their eyes wide open or with full information, and that sucks. This game can be very caveat emptor and you should always be slightly weary.

Where do I stand in all of this? I didn’t use the links or share the links because I didn’t think they were safe, so I’m fine and I hope you’re right there with me. What’s the difference between these links and the American Express links I shared yesterday? The main difference is that the American Express links are low risk to me because they are semi-public, they don’t bypass any American Express backend eligibility checks, and they’re widely targeted.

My advice for you: Don’t use backdoor applications that bypass eligibility checks unless they’re public links you can find at the bank’s website, or if the links are widely targeted. Definitely never, ever use links that were hacked out of an examination of a bank’s source code, whether or not that source code was public. If you don’t know where a link came from, research it, ask around (feel free to ask me if you don’t know who else to ask), and do some diligence. Stay safe out there!

A stuffed cat emerging from a bag.
A freeze frame capture of the actual moment the cat jumped out of the bag.