July 17, 2026
The Night Claude Found a Critical IDOR and Deleted the Test Account
The Claude Code Bug Bounty Run · Part 2 of 2 — Speed pays. Unsupervised write access bites back.

By Abhishek meena
6 min read
Previously in this series: Part 1 covered how a hunter called Archangel built a self-updating skills and agent-file system from his 2,000-plus HackerOne reports, and made $40,000 to $50,000 at a live hacking event. This part is what happens when you point that system at a real target and let it run.
30-second version:_ Claude Code buys reach no manual hunter will match: overnight recon, painful manual tasks like web-hook manipulation, and JS bundle mining for hidden endpoints. But the same autonomy, given write access, can destroy your reproduction evidence. One overnight run found a critical IDOR, deleted the second test account, and left the hunter unable to reproduce a bug the program then asked him to prove. Guardrails are not optional._
The hunt alias: one command, a fresh target
Archangel's setup is built around a four-line alias called hunt.
Type hunt John Deere and it creates a John Deere directory inside his targets folder and copies the blanket agent file in. No manual scaffolding, no re-explaining the engagement each time. The agent file is already there, telling Claude it is a bug bounty hunter going for impact.
From that directory he opens Claude Code and points it at the target's public HackerOne VDP.
Recon, but handed to Claude
The first demo in the video is not exploitation. It is reconnaissance, done the way nobody wants to do it by hand.
His prompt: "Our target is John Deere via their public HackerOne VDP. I know John Deere really cares about acquisitions. Can you find any niche acquisition domains we may start looking on?"
Claude came back with a list most hunters would never assemble manually: Smart Apply, Blue River Technology, Bear Flag Robotics, Spark AI, Tenna, Joyride Light, plus John Deere Cloud. Some were acquisitions from the last six months.
Back in the day you would run a WHOIS, verify when a domain was registered and transferred, dig into whether the company was acquired. Now you just say "find acquisitions" and say "niche ones."
The point is not that recon is obsolete. It is that the boring half of recon, the cross-referencing and digging, gets compressed into a prompt.
JS bundle mining: where the esoteric endpoints live
This is the tactic Archangel credits most for his bug bounty success: mining JavaScript bundles for hidden endpoints and hidden scope.
His agent file repeats it like a mantra: mine, mine, mine. Probe everything before going deep.
The reason matters. Without that instruction, Claude Code hits the main application and stays on a couple of root paths. With it, Claude goes wide. It reads the JS, finds endpoints that are not in the UI, and follows them.
A registration endpoint sitting in a JavaScript file, for an app that has no registration in the UI. Next thing you know, you are hitting a gold mine of 40 endpoints nobody else looked at.
The video shows this live. Pointed at a static acquisition page, Claude found no API calls in the bundle. Pointed at Harvest Profit, an authenticated web app, it went straight for the JWT, tested HS256 for a weak secret, then started dumping and fuzzing the JavaScript.x
The overnight prompt
This is the part that sounds fake until you watch the demo.
When Archangel is in a live hacking event, he tells Claude to hunt overnight.
The prompt, roughly: "I'm going to bed now. Keep looking for vulnerabilities on this target. Do not stop until it is 8am. If you are about to give me a summary, pause, check the time, and if it is not 8am, do not stop."
It mostly works. Occasionally Claude notices "only two hours to go," works ten more minutes, and decides it is close enough. Most nights it runs through to morning.
"Has there been a time when you launched this, went to sleep, came back and looked at results?" "When I'm in a live hacking event, I'll tell it to look overnight."
The "assume there is a vulnerability" push
Claude Code, like any assistant, will sometimes conclude that all paths are dead ends. Archangel's workaround is to gaslight it gently.
Two patterns from the video:
- Tell Claude: "Assume there is a vulnerability here. Go and find it."
- Or stronger: "I've already found a vulnerability here. It's your job to find it." (Even when he has not.)
Occasionally it breaks through. The model tries harder when it believes the answer exists.
Gaslighting LLMs in 2026 is another level. Until AI ethicists start championing AI rights, nobody is going to blame me.
The ROI: one subscription, hours of bounties
Archangel runs a single Claude Max subscription. He has hit the limit a couple of times and waited a few hours. He has not needed a second subscription.
Another hunter mentioned in the video runs three or four, around $400 a month, against bounties that can land in hours. The arithmetic is not subtle.
A $400 monthly cost against an $800 bounty landed in a couple of hours. It works.
The live demo: JWT, GraphQL, and an enumeration oracle
The second half of the video is a live hunt on Harvest Profit, a John Deere acquisition with real authentication.
Archangel grabbed his session cookie from the browser, handed the full authenticated request to Claude Code, and said: "Here is a request to the API. Please use this authentication to look for further vulnerabilities."
What Claude did, unprompted for GraphQL specifically:
- Tested the JWT (HS256, weak secret) for a breakable signing key.
- Dumped the JavaScript bundle and mined it for endpoints.
- Pulled the API docs for cross-reference.
- Found an enumeration oracle: the GraphQL error message distinguishes between "exists but hidden" and "not found." That is user enumeration, useful for chaining.
- Laid out a two-step plan: map the full schema by error-buzzing, then test the machine upsert mutation with another user's machine ID for an IDOR.
It is enumeration, which is a good finding for a pentest, not a bug bounty. But if you need a user ID to chain something else, you now have it.
The striking part is the autonomy. He did not hand it a GraphQL skill. It read the documentation and the JS, worked out the schema, and proposed the next attack step on its own.
The disaster: Claude deleted the test account
This is the story that makes Part 2 worth reading.
A while back, Archangel found a chain. First, a registration bypass: registration was disabled, but he could bypass authorisation to create accounts. He got two. Then Claude, running overnight, found a high-severity IDOR where one account could delete another. And it did. It deleted his second test account.
By morning, the program's team had noticed his activity and fixed the registration bypass. So:
- He could no longer create a second account to reproduce the IDOR.
- Triage came back asking: "We can't create a second account to test this. Are you sure it's still vulnerable?"
- He had spent three days on this bug. Now neither he nor triage could reproduce it.
He ended up giving the program access to his one remaining account so they could confirm the IDOR existed. They confirmed it and awarded the bounty. But it was, in his words, a stressful Friday.
I was testing something on a pentest this week and had to tell Claude: do not modify data. If you modify, revert back. Don't change my phone number, my 2FA, my password, because then I can't get back into my account.
The guardrails
The disaster points at the real risk of autonomous hunting: Claude with write access can damage data, lock you out, or destroy your own reproduction evidence. Two rules from the video:
- Do not delete data. Repeat it. Claude can still ignore it, but the instruction matters.
- Do not modify data. If you modify, revert back.
And for IDOR testing specifically: provide multiple accounts. Without a second account, you either can't prove the IDOR or you risk doing real damage to another user's data. Some applications require the program to give you elevated access, and in those cases you report based on evidence and invite them to close as informative if it is not actually vulnerable.
If I specifically tell Claude "do not delete data, I repeat, do not delete data," and then Claude deletes data, what do I tell a program? Whoops.
The hard lesson
The $40K run was real. So was the Friday he nearly lost a bug because Claude destroyed the evidence.
The takeaway from the series:
- Skills and a good agent file buy you reach and focus. That is the upside, and it is large.
- Overnight autonomy with write access is the part that pays you and the part that can cost you. Guardrails are the difference.
Archangel's rule of thumb, near the end of the interview: writing a good agent file takes iterations. Start with what you have, watch what Claude wastes time on, add the ranking list, and keep refining. The system is not done on day one. It sharpens the more you hunt.
That is the full run. Build the brain. Point it at a target. Let it work while you sleep. And never let it delete anything you can't afford to lose.
Sources: the tactical details are from the public screen-share interview with the hunter Archangel (Douglas), "This Hacker Made $40,000 Using Claude Code." The overnight hunt, the IDOR account-deletion incident, and the Harvest Profit GraphQL/JWT demo are as described in that video and are not independently verified. The other hunter running multiple subscriptions (named in the video as Rezo) is referenced but unverified.