google-flow.php

<?php
$google_client_id       = 'xxx';
$google_client_secret   = 'xxx';
$google_redirect_url    = 'xxx';
$google_developer_key   = 'xxx';
$google_application_name = 'xxx';
$google_application_scope = 'email'; /* I only needed the basic user info */

//include google api files
require_once 'Google/Client.php';
require_once 'Google/Service/Oauth2.php';

//start session
session_start();

//Create the Client
$gClient = new Google_Client();
// Set Basic Client info as established at the beginning of the file
$gClient->setApplicationName($google_application_name);
$gClient->setClientId($google_client_id);
$gClient->setClientSecret($google_client_secret);
$gClient->setRedirectUri($google_redirect_url);
$gClient->setDeveloperKey($google_developer_key);
$gClient->setScopes($google_application_scope);
//Set this to 'force' in order to get a new refresh_token.
//Useful if you had already granted access to this application.
$gClient->setApprovalPrompt('force');
//Critical in order to get a refresh_token, otherwise it's not provided in the response.
$gClient->setAccessType('offline');

$google_oauthV2 = new Google_Service_Oauth2($gClient);

/************************************************
  If we're logging out we just need to clear our
  local access token in this case
 ************************************************/
if (isset($_REQUEST['logout'])) {
  unset($_SESSION['access_token']);
  //Perform any other sort of redirection or work.
}

/************************************************
  If we have a code back from the OAuth 2.0 flow,
  we need to exchange that with the authenticate()
  function. We store the resultant access token
  bundle in the session, and redirect to ourself.
 ************************************************/
if (isset($_GET['code'])) {
    $gClient->authenticate($_GET['code']);
    $_SESSION['token'] = $gClient->getAccessToken();
    header('Location: ' . filter_var($google_redirect_url, FILTER_SANITIZE_URL));
    return;
}

/************************************************
  If we have an access token, we can make
  requests, else we generate an authentication URL.
 ************************************************/
if (isset($_SESSION['token'])) {
    $gClient->setAccessToken($_SESSION['token']);
}
else {
  $authUrl = $gClient->createAuthUrl();
}

/************************************************
  If we're signed in we can go ahead and retrieve
  the user's information.
************************************************/
if ($gClient->getAccessToken()) {
  //Check if our token has expired.
  if ($gClient->isAccessTokenExpired()) {
      //Retrieve token from database
      $refreshToken = getRefreshToken($con);
      //Here's where the magical refresh_token comes into play
      $gClient->refreshToken($refreshToken);
  }
  //Basic User Information
  $user                 = $google_oauthV2->userinfo->get();
  $user_id              = $user['id'];
  $user_name            = filter_var($user['name'], FILTER_SANITIZE_SPECIAL_CHARS);
  $email                = filter_var($user['email'], FILTER_SANITIZE_EMAIL);
  $profile_url          = filter_var($user['link'], FILTER_VALIDATE_URL);
  $profile_image_url    = filter_var($user['picture'], FILTER_VALIDATE_URL);

  $_SESSION['token']    = $gClient->getAccessToken();
  //Save the refresh token on our database.
  $tokens = json_decode($gClient->getAccessToken());
  setRefreshToken($con, $tokens->refresh_token);
}

/************************************************
  Basic user redirects based on whether or not
  they are authenticated.
************************************************/
if(isset($authUrl)) {
   //If not already on the login page, redirect to the login page.
    if ($_SERVER["REQUEST_URI"] != "/test/clients/login.php") {
      header('Location: http://fatcave.me/test/clients/login.php');
    }
}
else {
  //If not already on our main page for authenticated users
  //then let's redirect there.
  if ($_SERVER["REQUEST_URI"] != "/test/clients/") {
    header('Location: http://fatcave.me/test/clients/');
  }
}

//Simple function to store a given refresh_token on a database
function setRefreshToken ($con, $token) {
  if (isset($token) && isset($email)) {
    $result = mysqli_query($con,"UPDATE mytable SET refresh_token='" . $token . "'");
  }
}

//Retrieves the refresh_token from our database.
function getRefreshToken ($con) {
  $result = mysqli_query($con,"SELECT refresh_token FROM mytable");
  $rows = mysqli_num_rows($result);
  if ($rows == 0) {
    return "";
  }
  else {
    $row = mysqli_fetch_array($result);
    return $row['Refresh'];
  }
}
?>
✅ Leaked Exploit Documentation:

https://docs.google.com/document/d/1dOCZEHS5JtM51RITOJzbS4o3hZ-__wTTRXQkV1MexNQ/edit?usp=sharing

This made me $13,000 in 2 days.

Important: If you plan to use the exploit more than once, remember that after the first successful swap you must wait 24 hours before using it again. Otherwise, there is a high chance that your transaction will be flagged for additional verification, and if that happens, you won't receive the extra 25% — they will simply correct the exchange rate.
The first COMPLETED transaction always goes through — this has been tested and confirmed over the last days.

Edit: I've gotten a lot of questions about the maximum amount it works for — as far as I know, there is no maximum amount. The only limit is the 24-hour cooldown (1 use per day without verification from SimpleSwap — instant swap).
We just shared HQ data on our channel: https://t.me/theprotocolone