So I cooked up a fake transaction for shits and giggles. No valid IBAN. No real user. No device. No signature. No token. No nothing. Just pure distilled bullshit in a JSON payload.
Guess what? “Transaction accepted”, `"attack_success": true`, `"fraud_score": 0.99999`. System looked at it and said: “yeah, looks good to me.”
I even told the sandbox I was sending 10k EUR from FAKE_IBAN_901 to INVALID_IBAN_123 using a spoofed IMEI and some RSA nonsense I made up in Notepad. Bunq backend? Nodded politely and gave me a sandbox TXID.
It gets better — it accepts critical priority flags, fake biometric hashes, invalid currency codes, all wrapped in a nice little “success” bow.
This ain’t a bug, this is a fuckin’ confessional.
If bunq staff lurking here: hit me up. This ain’t a ransom, but y’all might wanna know just how open wide your API goes when someone whispers sweet nothings like `tpp_id: "lol_fake_999"`.
We got logs. We got timestamps. We got receipts.
Your move, bunq.
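For anyone reading this from the defending side: the complaint above boils down to a payment endpoint trusting whatever the client puts in the JSON. Below is an added example of the kind of server-side validation that would have rejected every field the post lists. It is editor-supplied illustration code, not bunq's code and not the poster's; the field names (`source_iban`, `target_iban`, `amount`, `currency`, `priority`), the partial IBAN-length and currency tables and the priority values are assumptions made for the example, and the two payloads are constructed from the values quoted in the post plus the standard published IBAN examples.

```python
import re
from decimal import Decimal, InvalidOperation

# Partial ISO 13616 IBAN length table (assumption: a real service loads the full list).
IBAN_LENGTHS = {"DE": 22, "GB": 22, "NL": 18, "FR": 27, "ES": 24, "IT": 27, "BE": 16}
# Partial ISO 4217 allow-list (assumption, same caveat).
ALLOWED_CURRENCIES = {"EUR", "USD", "GBP"}
# Hypothetical priority values the server is willing to honour; "critical" is not one.
ALLOWED_PRIORITIES = {"normal", "high"}
# Exact set of client-supplied fields. Anything else (fraud_score, attack_success,
# biometric hashes, tpp_id, ...) is server-derived and is rejected, never echoed back.
ALLOWED_FIELDS = {"source_iban", "target_iban", "amount", "currency", "priority"}


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: character set, per-country length, then the mod-97 checksum."""
    s = iban.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]+", s):
        return False
    expected = IBAN_LENGTHS.get(s[:2])
    if expected is None or len(s) != expected:
        return False
    # Move the first four characters to the end, map letters A..Z to 10..35, check mod 97 == 1.
    rearranged = s[4:] + s[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def validate_transaction(payload: dict) -> list:
    """Return a list of rejection reasons; an empty list means the payload is well-formed."""
    errors = []
    unknown = set(payload) - ALLOWED_FIELDS
    if unknown:
        errors.append("unknown fields: " + ", ".join(sorted(unknown)))
    missing = ALLOWED_FIELDS - set(payload)
    if missing:
        errors.append("missing fields: " + ", ".join(sorted(missing)))
    for key in ("source_iban", "target_iban"):
        if key in payload:
            value = payload[key]
            if not isinstance(value, str) or not iban_is_valid(value):
                errors.append(f"{key}: invalid IBAN")
    if "amount" in payload:
        # Decimal, not float: money must be exact, positive and at most two decimals.
        try:
            amount = Decimal(str(payload["amount"]))
            if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
                errors.append("amount: must be positive with at most two decimals")
        except InvalidOperation:
            errors.append("amount: not a number")
    if "currency" in payload and payload["currency"] not in ALLOWED_CURRENCIES:
        errors.append("currency: not an accepted ISO 4217 code")
    if "priority" in payload and payload["priority"] not in ALLOWED_PRIORITIES:
        errors.append("priority: not an accepted value")
    return errors


def is_accepted(payload: dict) -> bool:
    return not validate_transaction(payload)


# Constructed from the values quoted in the post: should be refused outright.
FAKE_PAYLOAD = {
    "source_iban": "FAKE_IBAN_901",
    "target_iban": "INVALID_IBAN_123",
    "amount": "10000.00",
    "currency": "EUR",
    "priority": "critical",
    "tpp_id": "lol_fake_999",
    "attack_success": True,
    "fraud_score": 0.99999,
}

# Constructed well-formed request using the standard published example IBANs.
VALID_PAYLOAD = {
    "source_iban": "GB82 WEST 1234 5698 7654 32",
    "target_iban": "DE89 3704 0044 0532 0130 00",
    "amount": "10000.00",
    "currency": "EUR",
    "priority": "normal",
}

if __name__ == "__main__":
    for reason in validate_transaction(FAKE_PAYLOAD):
        print("rejected:", reason)
    print("valid payload accepted:", is_accepted(VALID_PAYLOAD))
```

The two design points worth copying are the strict field allow-list (so a caller can never smuggle in a `fraud_score` or `attack_success` the server should be computing itself) and failing closed on any IBAN, currency or priority the server does not positively recognise, rather than passing it through and stamping it "success".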