Mahdy Etemad

24 posts

@MahdyEtemad

Scaling SaaS

Joined June 2026
6 Following, 3 Followers
Mahdy Etemad retweeted
Ayaan @thekhanayaan
@whop just tried to drain our account AGAIN. They went after our bank accounts that aren't even connected to them anymore. They've now attempted to pull over $100K from accounts Whop no longer has access to. We disconnected those bank accounts from Whop. Whop should not be able to touch them. Yet they somehow still have the ability to attempt ACH pulls from accounts.
Ayaan @thekhanayaan

@whop STOLE $1,000,000 FROM MY BUSINESS

@whop let a hacker drain our entire client base FOR $374,526 and launder it into crypto in under 2 minutes.

A hijacked browser session was all it took. No login. No password. No 2FA prompt. Nothing.

In 120 seconds the attacker spun up 2 API keys, ATTEMPTED TO CHARGE $1.2M
attackers Successfully charged $384,155 across every client card on file, transferred it to other Whop accounts, and cashed out to crypto.

Hundreds of charges in 2 minutes.

- Zero velocity checks
- Zero withdrawal holds
- Zero alerts

Because Whop has none of them.

ANYONE USING Whop switch to @FanBasisInc a payment platform with actual cyber security.

Mahdy Etemad retweeted
Can 24 @0xCan24
if you handle real money as a creator, this should stop you cold

no transaction monitoring, no fraud protection, funds drained before anyone notices

this isn't a one-off, it's what happens when security is treated as an afterthought

the boring stuff is the stuff that protects you
Ayaan @thekhanayaan

@whop STOLE $1,000,000 FROM MY BUSINESS

@whop let a hacker drain our entire client base FOR $374,526 and launder it into crypto in under 2 minutes.

A hijacked browser session was all it took. No login. No password. No 2FA prompt. Nothing.

In 120 seconds the attacker spun up 2 API keys, ATTEMPTED TO CHARGE $1.2M
attackers Successfully charged $384,155 across every client card on file, transferred it to other Whop accounts, and cashed out to crypto.

Hundreds of charges in 2 minutes.

- Zero velocity checks
- Zero withdrawal holds
- Zero alerts

Because Whop has none of them.

ANYONE USING Whop switch to @FanBasisInc a payment platform with actual cyber security.
Ayaan tweet media
Ayaan @thekhanayaan
Thanks for the condescending reply. The balance yesterday, when this screenshot was taken, was -$385K. Along with that, we have about another $150K that hasn’t been disputed by clients yet, but once it is disputed, that will add up to roughly $240K without the fees. On top of that, I appreciate you addressing the “hijacked” claim, but not the fact that Whop allowed the hackers to continue attempting payments after a 92% failure rate. You also did not address the fact that Whop attempted to ACH pull roughly $15K from our Mercury account out of nowhere while we were actively in discussions about the negative balance, and another 20k from my slash apparently in an attempt to cover part of it. You also have not addressed how all of this was allowed to happen, how this much money was able to leave Whop’s platform, and why no immediate flags, freezes, or manual reviews were triggered.
Ayaan tweet mediaAyaan tweet media
Whop Support @whop_support
@thekhanayaan @whop The claims in this thread are untrue and Whop did not steal your funds. Your browser was hijacked after clicking a phishing link in an email. Also, the amount you depict in the photo is completely wrong. Here is a screenshot of your dashboard:
Whop Support tweet media
Mahdy Etemad retweeted
Vass @Va77ss
Everyone treats login as the security model and this is what it costs. The attacker never logged in. Hijacked session, new api keys, 300 charges in 2 minutes, zero flags. 2FA guards the door while the whole house runs unsupervised
Mahdy Etemad retweeted
Aegon @0xaegon_nft
This isn’t the first time Whop has had issues like this

zero velocity checks. Zero alerts zero holds

$384K gone in 120 seconds not because of a sophisticated attack, but because the safeguards simply don’t exist.

When a platform processes this kind of volume with no protection layer, it’s not a bug, it’s a choice.
Mahdy Etemad retweeted
ManGana @manganacrypto
Stories like this are exactly why creators need to think beyond features and payout percentages

If a platform is handling your customers, subscriptions, and revenue, security has to be part of the conversation too

The idea that something of this scale could reportedly unfold so quickly without stronger safeguards in place is genuinely concerning

Creators today aren’t just posting content online anymore. Many are running full-fledged businesses with teams, recurring revenue, and communities that depend on these platforms operating responsibly

Incidents like this are a reminder that trust and security matter just as much as growth and convenience
Mahdy Etemad @MahdyEtemad
@n1ssue Bro take in, they almost let 4m dollars get wiped out client accounts all at 2am, and with a 92% failure rate. If it wasn’t for our clients banks, the hackers would’ve been able to take our 4 million dollars lolll
NISSUE @n1ssue
Bruhhh this reminds me of the early crypto days… Everyone's so concerned about if crypto is a scam, while there are scams still on the traditional web side. Whop used to be the most reliable source for anyone building a subscription model to use as a payment processor, but seeing $1M get swooped like that can get anyone shook. Glad you found an alternative Ayaan, I’m going to be doing the same! Companies should look out for their users, especially when dealing with funds and processing.
Luan @britesluan
Do not use @whop. I purchased a service there, and the merchant did not deliver what I paid for. I tried the refund and @whop denied it, saying that the merchant account was banned because he committed fraud and they can't get the funds. @whop is terrible. Now I lost 1,500 USD.
Mahdy Etemad @MahdyEtemad
@thekhanayaan @whop S/O the boys at Whop for almost letting a 4 MILLION dollar heist take place at 2am, with a 92% failure rate. But somehow our clients' banks had to decline all the payments since Whop has no fraud detection.
Mahdy Etemad @MahdyEtemad
@JaceEngland1 They tried to ACH pull 15k to our Mercury account while we were speaking with them... Whop needs to lock in.
Mahdy Etemad tweet media
Jace England @JaceEngland1
Is this an ad for Fanbasis lol
Justin @0friction_
@thekhanayaan @whop yo bro i had the exact problem there was a payment I DID NOT INITIATE and the money i had in my balance is gone The trace code appears to be a crypto transaction hash
Mahdy Etemad retweeted
Ayaan @thekhanayaan
I'm liable for $700K+ Whop? Every creator, founder, or agency on Whop right now is 1 hijacked session away from the same nightmare. Not 1 bad password. 1 bad click. That's all it takes. Most platforms have velocity checks, withdrawal holds, API key verification, rate limiting. @FanBasisInc has all of them.
Mahdy Etemad retweeted
Ayaan @thekhanayaan
2FA protects login. Our attacker never logged in.

They took an active browser session and spun up API keys inside our account without ANY verification.

That's not a 2FA problem. That's a Whop problem.

A real platform would have:

- Velocity checks (flag 300+ charges in 120 seconds)
- Withdrawal holds (require manual approval for transfers)
- Rate limiting on API key generation
- Email alerts on new API keys
- Withdrawal limits per day

Whop has zero of these. And they know it.
Ayaan tweet media