Investigated a fraudulent website impersonating a logistics platform and identified backend infrastructure used for credential harvesting. • Analyzed cloned login flows and client-side behavior to uncover hidden API endpoints • Traced request/response patterns to identify credential exfiltration paths • Discovered integrations with external messaging infrastructure used for real-time data collection • Mapped the full flow from user input → backend processing → operator notification • Documented indicators and coordinated escalation for platform and hosting provider response Result: Enabled rapid takedown of a live credential harvesting operation and reduced risk of account compromise for targeted users.