diff --git a/scoreboard_injector/main.py b/scoreboard_injector/main.py
index 7e63b1d..cf2f188 100644
--- a/scoreboard_injector/main.py
+++ b/scoreboard_injector/main.py
@@ -194,14 +194,14 @@ async def http_polling_listener():
     while True:
         try:
             async with aiohttp.ClientSession() as session:
-                # ForcAD API endpoints that should return JSON
+                # ForcAD API endpoints for actual attack/flag data (not attack_data which is exploit credentials)
                 # Try different possible paths
                 endpoints_to_try = [
-                    ('/api/client/attack_data', 'GET'),
-                    ('/api/client/attacks', 'GET'),
-                    ('/api/flag/info', 'GET'),
-                    ('/api/info', 'GET'),
-                    ('/api/game_state', 'GET'),
+                    ('/api/flag/submit', 'GET'),  # Flag submission history
+                    ('/api/client/stolen_flags', 'GET'),  # Stolen flags
+                    ('/api/client/flag_stats', 'GET'),  # Flag statistics
+                    ('/api/game/status', 'GET'),  # Game status with flags
+                    ('/api/service/status', 'GET'),  # Service status
                 ]
                 
                 data_found = False
@@ -527,11 +527,11 @@ async def debug_scoreboard():
             # Test HTTP endpoints - both HTML and API paths
             base_url = SCOREBOARD_API_URL.rstrip('/api')
             endpoints = [
-                "/api/client/attack_data",
-                "/api/client/attacks",
-                "/api/flag/info",
-                "/api/info",
-                "/api/game_state",
+                "/api/flag/submit",
+                "/api/client/stolen_flags",
+                "/api/client/flag_stats",
+                "/api/game/status",
+                "/api/service/status",
                 "/api/attacks",
                 "/api/scoreboard",
                 "/api/teams",