// case comparison
gig payout fraud vs ATO
both can show unauthorized account changes on a platform — but gig payout fraud is payout redirect and tip skimming; ATO is credential compromise that may include payout change as one downstream abuse.
primary tools · side by side
ordered entry points from the case-type taxonomy. highlighted rows appear in both case types' editorial tool lists.
gig worker payout fraud
platform payout redirect · tip skimming · ghost driver accounts — interim playbook until DoorDash/Uber parsers ship.
- 01 payment processor subpoena response normalizer (stripe): drop stripe subpoena response · parse merchant + transaction artifacts · runs locally
- 02 payment processor subpoena response normalizer (paypal): drop paypal subpoena response · parse account + transaction artifacts · runs locally
- 03 venmo transaction export forensic analyzer: drop venmo download · parse payment timeline + notes · runs locally
- 04 ios venmo artifact forensic extractor: drop iOS Venmo database files from the app container · parse payment records and transaction notes · surface audience settings (public/friends/private) · surface social feed likes and comments on transactions · reconstruct Venmo financial and social activity timeline · runs locally
- 05 case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
account takeover (ATO)
credential stuffing → SIM swap → password reset chain → exfil. evidence lives in identity-provider logs, mailbox rules, and session artifacts.
- 01 okta log analyzer: okta system log json · timeline · suspicious · mfa fatigue · tor/proxy · users · ips · policy · csv export · runs locally
- 02 o365 audit log parser: unified audit log json · timeline · suspicious · users · ips · mailbox · inbox rules · csv export · runs locally
- 03 office365 audit log analyzer: drop m365 unified audit log json or csv · flag inbox forward rules · mailbox forwarding · bulk downloads · global admin role adds · high-scope consent · audit log disabled · runs locally
- 04 microsoft 365 unified audit log analyzer: drop m365 unified audit log csv or json export · parse all audit events across exchange, sharepoint, teams, onedrive and azure ad · surface suspicious operations, privilege changes and data access events · reconstruct user activity timeline · runs locally
- 05 mail rule parser: drop Outlook rules.dat or Thunderbird msgFilterRules.dat · rule names, conditions, actions · flag suspicious forward/redirect · CSV export · runs locally
- 06 password spray & brute force detector: drop security evtx csv · analyze authentication failure patterns · detect low-and-slow password spray · high-speed brute force · credential stuffing patterns · flag attacker ips · runs locally
- 07 credential artifact scanner: drop a memory dump · scan for plaintext credentials · NTLM hashes · OAuth tokens · API keys · session cookies · Base64 secrets · export CSV · runs locally
- 08 sim swap artifact forensic detector: detect evidence of SIM swapping across devices, carriers, or subscriber records · runs locally
editorial overlap
2 tools mapped to both case types in the editorial taxonomy — useful when the investigation spans both surfaces.
lean toward…
disambiguation signals derived from case-type descriptions and common practitioner confusion points.
lean toward gig payout fraud if you see…
- payout destination change or tip reroute in Stripe/PayPal/Venmo artifacts without prior credential-stuffing or SIM swap in IdP logs
- ghost driver account or earnings skim pattern — fraud is payout abuse only, not full session hijack across identity provider
- payment-processor subpoena timeline focused on payout redirect — no mailbox rules, MFA bypass, or password spray
lean toward ATO if you see…
- credential stuffing, password spray, or SIM swap in Okta/identity-provider logs before gig platform activity
- MFA bypass or session takeover from new geo/device spanning mailbox rules and multiple app grants — not isolated payout redirect
- gig platform login anomaly plus broader account compromise artifacts (email rule planting, OAuth grant) — payout change is one symptom of takeover