Chief Security Officer at @krakenfx, hacker, @THOTCON OPER, @IamTheCavalry, @DEFCON NOC, @SpiderLabs founder - Opinions are my own, not my employer’s

If you are exploring #nostr, you can find me there: npub1xmp08ww7fku05qwhy3ldgshevq368qjzas628ukpqs4wunuec0gqwgqfpf
Kraken Security Update: On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.
We know the identity of the user.
Apparently these guys aren’t worried about hackers at @defcon
Me: That’s a great painting you are working on. 10 yo: Thanks, I learned how to do this from a *YouTuber* I watch. Me: Oh, really? 10 yo: He has this poofy hair and paints stuff like clouds, mountains and trees. Me: Bob Ross? 10 yo: Yeah! Do you know him? Me: 🤣
Replying to @AOC
Serious question: Are corporate diversity programs tokenism? If so, what is the recommended approach that doesn’t cause more harm than good?
Data for 400 million Twitter users are for sale. Contains emails and phone numbers allegedly obtained via an API vulnerability. The sample posted shows high profile accounts including @VitalikButerin @mcuban and @briankrebs. Stay safe, friends. Watch for targeted attacks!
Replying to @verge
That’s called an arsonist, not a protestor.
Instead, they demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!
Replying to @mert
I’ve been off caffeine for 24 years. I drank the equivalent of about 10 cups of coffee per day prior. The benefits I’ve had:
- Not a slave to “needing my coffee” before I can function in the world
- Not getting a headache and having a “bad day” if I don’t have caffeine when I needed it
- Being able to sleep / take a nap on command if I want or need to
- Not having jet lag when traveling globally due to being able to easily pre & post travel sleep when I should
- Not being addicted to a drug
Update: We can now confirm the funds have been returned (minus a small amount lost to fees).
After what we learned about the lack of basic security hygiene at Twitter and the telegraphing that today was coming, I’m genuinely curious how @elonmusk is balancing the risk that multiple reverse shells have been planted by 1 of the 1000s of outgoing Engineering team members.
Crypto users are some of the most privacy and security minded users on the planet. There are also places on the planet where it is physically dangerous to access a crypto exchange without a VPN masking their destination from the local ISP. You are making some of your users choose between financial freedom and physical safety.
PSA: Don't use a VPN to access Coinbase. Attackers always use VPN's, so our risk models take that as a negative sign even if you're legitimately using your own account.
We’ll not disclose this research company because they don’t deserve recognition for their actions. We are treating this as a criminal case and are coordinating with law enforcement agencies accordingly. We’re thankful this issue was reported, but that’s where that thought ends.
Top password in this dump: “password” #2 password: “correct horse battery staple”
New breach: XKCD had 562k accounts breached last month. The phpBB forum exposed email and IP addresses, usernames and passwords stored in MD5 phpBB3 format. 58% of addresses were already in @haveibeenpwned haveibeenpwned.com/
As a security researcher, your license to “hack” a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your “license to hack”. It makes you, and your company, criminals.
Instead, the ‘security researcher’ disclosed this bug to two other individuals who they work with who fraudulently generated much larger sums. They ultimately withdrew nearly $3 million from their Kraken accounts. This was from Kraken’s treasuries, not other client assets.
Our Bug Bounty program continues to be a vital shield in Kraken’s mission and a key part of our efforts to enhance the overall security of the crypto ecosystem. We look forward to working with good faith actors in the future and consider this as an isolated experience.
The @defcon 32 badge is not only a GameBoy Color, it can also be a PalmOS device. It has a touch screen! My Graffiti skills are non-existent but character input does work. #defcon #defcon32
In the essence of transparency, we are disclosing this bug to the industry today. We are being accused of being unreasonable and unprofessional for requesting that “white-hat hackers” return what they stole from us. Unbelievable.
It took a lot of work, but I finally cracked the @defcon 30 badge. Volume up! #DEFCON30 #DEFCON
Replying to @MarkHamill
Who’s this?
We have had a Bug Bounty program in place at Kraken for nearly ten years. This program is run internally and is fully staffed by some of the brightest minds in the community. Our program, like many others, has clear rules of the road…
1. Do not exploit more than you need to in order to prove the vulnerability.
2. Show your work (i.e. provide a proof of concept).
3. What you extract you return immediately.
Replying to @George_Kurtz
My thoughts are with you and your team in this nightmare situation. If you take a few seconds to step back and look at this from outside your situation room: This is certainly both a security and cyber incident, with the threat actor being @CrowdStrike. 10s of 1000s of companies are scrambling to mitigate your company’s impact to their operations; they are not safe or protected from loss. This is an important perspective to have as you navigate this recovery effort.
Replying to @CDCgov
As a dad, please advise on the proper recovery technique of seeing your child shit down the water slide.
We triaged this vulnerability as Critical and within an hour, 47 minutes to be exact, our team of experts had mitigated the issue. Within a few hours, the issue was completely fixed and could not reoccur again.
This individual discovered the bug in our funding system, and leveraged it to credit their account with $4 in crypto. This would have been sufficient to prove the flaw, file a bug bounty report with our team, and collect a very sizable reward under the terms of our program.
Within minutes we discovered an isolated bug. This allowed a malicious attacker, under the right circumstances, to initiate a deposit onto our platform and receive funds in their account without fully completing the deposit.
To be clear, no client’s assets were ever at risk. However, a malicious attacker could effectively print assets in their Kraken account for a period of time.
After patching the risk, we thoroughly investigated the situation and quickly discovered that 3 accounts had leveraged this flaw within a few days of each other. As we dug deeper, we noticed that one account was KYC’d to an individual who claimed to be a security researcher.
In turn, we requested a full account of their activities, a proof of concept used to create the on-chain activity, and to arrange the return of the funds that they had withdrawn. This is common practice for any Bug Bounty program. These security researchers refused.
Every day we receive fake bug bounty reports from people claiming to be “security researchers”. This is not new to anyone who runs a bug bounty program. However, we treated this seriously and quickly assembled a cross functional team to dig into this issue. Here is what we found.
Our team found a flaw deriving from a recent UX change that would promptly credit client accounts before their assets cleared - allowing clients to effectively trade crypto markets in real time. This UX change was not thoroughly tested against this specific attack vector.
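The tweet above describes the flaw in one sentence: the funding system credited the account before the deposit had cleared, so a deposit that was initiated but never completed still produced a spendable balance. The following is an added illustration written for this page; it is not Kraken’s code and nothing about Kraken’s actual funding system beyond that sentence is known here. The two ledger classes, the confirmation threshold, the transaction IDs and the amounts are all constructed. It contrasts a ledger that credits the spendable balance at deposit initiation with one that holds a separate, non-withdrawable pending balance until the deposit has settled and drops that pending credit if the deposit is reverted.

```python
"""Deposit-crediting state machine: credit-before-clearing vs. credit-on-settlement.

Constructed example for this page, not an exchange's real code. The confirmation
threshold, transaction IDs and amounts below are made up for illustration.
"""
from dataclasses import dataclass, field

REQUIRED_CONFIRMATIONS = 6  # assumed finality threshold; it varies per asset


@dataclass
class Deposit:
    txid: str
    amount: int              # smallest unit of the asset
    confirmations: int = 0
    settled: bool = False    # promoted to the spendable balance
    reverted: bool = False   # tx dropped or reorged out; it will never settle


@dataclass
class Account:
    available: int = 0  # spendable: tradeable and withdrawable
    pending: int = 0    # provisionally credited, never withdrawable
    deposits: dict[str, Deposit] = field(default_factory=dict)


class VulnerableLedger:
    """Credits the spendable balance as soon as a deposit is *initiated*.
    Nothing later checks whether the deposit actually completed."""

    def __init__(self) -> None:
        self.acct = Account()

    def on_initiated(self, d: Deposit) -> None:
        self.acct.deposits[d.txid] = d
        self.acct.available += d.amount   # the bug: credit before clearing

    def on_confirmations(self, txid: str, n: int) -> None:
        self.acct.deposits[txid].confirmations = n

    def on_reverted(self, txid: str) -> None:
        self.acct.deposits[txid].reverted = True  # the credit may be long gone

    def withdraw(self, amount: int) -> int:
        if amount > self.acct.available:
            raise ValueError("insufficient available balance")
        self.acct.available -= amount
        return amount


class HardenedLedger:
    """Credits a separate pending balance at initiation and promotes it to the
    spendable balance only once the deposit has cleared. A reverted deposit
    drops its pending credit; nothing spendable ever existed."""

    def __init__(self) -> None:
        self.acct = Account()

    def on_initiated(self, d: Deposit) -> None:
        self.acct.deposits[d.txid] = d
        self.acct.pending += d.amount

    def on_confirmations(self, txid: str, n: int) -> None:
        d = self.acct.deposits[txid]
        d.confirmations = n
        # Promote exactly once, and never for a deposit already known to be reverted.
        if n >= REQUIRED_CONFIRMATIONS and not d.settled and not d.reverted:
            self.acct.pending -= d.amount
            self.acct.available += d.amount
            d.settled = True

    def on_reverted(self, txid: str) -> None:
        d = self.acct.deposits[txid]
        if not d.settled and not d.reverted:
            self.acct.pending -= d.amount   # provisional credit simply disappears
        d.reverted = True

    def withdraw(self, amount: int) -> int:
        if amount > self.acct.available:    # pending is not spendable
            raise ValueError("insufficient available balance")
        self.acct.available -= amount
        return amount


def run_abandoned_deposit(ledger) -> dict:
    """Constructed scenario: a deposit is initiated, seen with zero confirmations,
    the user immediately tries to withdraw the full amount, and the deposit is
    then reverted and never settles."""
    ledger.on_initiated(Deposit(txid="tx-abandoned", amount=100_000))
    ledger.on_confirmations("tx-abandoned", 0)
    try:
        withdrawn = ledger.withdraw(100_000)
    except ValueError:
        withdrawn = 0
    ledger.on_reverted("tx-abandoned")
    a = ledger.acct
    return {"withdrawn": withdrawn, "available": a.available, "pending": a.pending}


def run_honest_deposit(ledger) -> dict:
    """Constructed scenario: the deposit clears, then the user withdraws it."""
    ledger.on_initiated(Deposit(txid="tx-ok", amount=50_000))
    ledger.on_confirmations("tx-ok", REQUIRED_CONFIRMATIONS)
    withdrawn = ledger.withdraw(50_000)
    a = ledger.acct
    return {"withdrawn": withdrawn, "available": a.available, "pending": a.pending}


if __name__ == "__main__":
    print("vulnerable, abandoned:", run_abandoned_deposit(VulnerableLedger()))
    print("hardened,   abandoned:", run_abandoned_deposit(HardenedLedger()))
    print("hardened,   honest:   ", run_honest_deposit(HardenedLedger()))
```

In the abandoned-deposit scenario the vulnerable ledger pays out 100,000 units that never arrived, which is the treasury loss the thread describes; the hardened ledger refuses the withdrawal and ends with both balances at zero. If the product goal is to let clients trade against an unconfirmed deposit, the usual compromise is to let the pending balance be traded but never withdrawn, and that variant needs its own test against a reverted deposit whose proceeds have already been converted; the thread does not say which variant Kraken shipped, so this example keeps pending balance entirely non-spendable.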
We have never had issues with legitimate researchers in this way and are always responsive.
The initial Bug Bounty report did not fully disclose this transaction information, so we contacted the security researchers to confirm some details to progress with rewarding them for successfully identifying a security flaw on our platform.
Replying to @StackerSatoshi
We know the identity of this account.
If you are headed to @defcon, it’s vital that you bring a burner phone. Why? Because hackers. Show me your burner (wrong answers only) - I’ll start: #defcon32
In the last 24 hours, I’ve gained 8,000 new followers. Most of you found yourself here because of a single sentence tweet I wrote yesterday morning. You probably never knew who I was, but decided to follow to see what I’ll say next. Here’s an introduction to who I am:
Replying to @KimDotcom
You are assuming deleting messages actually deletes the data. Not likely.
Confused by the @dotMudge whistleblow. When you are hired to lead security at a company, you are undoubtedly going to inherit problems like described in the article. It’s your job to lead through constant improvement to a better, more secure place & reduce risk. It’s hard work.
Decided to get into #bitcoin solo mining with a @braiins BMM 101. It’s of course not profitable unless it finds a block, but still a fun device to have on my desk with a built in “lottery ticket” every 10 minutes.
Update: I’ve been told that @FTX_Official or @SBF_FTX will be making a public statement regarding the sweeping of the Tron wallet in question and them utilizing funds from their verified @krakenfx account to complete this transaction.
Until @elonmusk purchased Twitter and seemingly started to dismantle the unfairness on the platform, people who claimed they had been shadow-banned, removed from searches, or had followers removed were often told those features didn’t exist at Twitter. 🧵#TWITTERGATE
👀😂🐶
Spotted in D.C.
Powered by @krakenfx
JUST IN: Bankrupt crypto exchange FTX to begin repaying customers on February 18.
Replying to @ginacarano
And a lot of grandmas fled from communist or socialist countries to be able to give us that soup.
Replying to @VP46Archive @VP
You left out the part of your message where you write: “I am asking that the individuals who damaged monuments and property be identified, arrested and prosecuted to the fullest extent of the law.” Otherwise your statement means nothing and you are supporting their actions.
Working to massively scale a team at @krakenfx to do some amazing things in crypto for our clients. I’m hiring *30* front end engineers with React skills. Fully remote. Global. Get paid in #Bitcoin Apply: jobs.lever.co/kraken/a5e33e5…
Next debate needs dog shock collars.
Replying to @elonmusk
Is it OK for humans to impersonate bots?
Replying to @wikileaks @BriarApp
Never used this app so I can’t comment on the security effectiveness of it, but I’m pretty certain Julian can’t either.
I’ve been in InfoSec for 20+ yrs professionally. Before it was 10+ yrs of BBS & IRC. Women were there the entire time. The problem has never been with the minority of women in the “community” but with the acceptance of the minority of men who act like fucking morons.
Replying to @elonmusk
So instead of just visible to the OP, impressions will be visible to all? Good way to identify a shadow banned account.
BRB I’m all out of popcorn. 🍿
2024 Proof of Reserves has been completed by @krakenfx Our latest Proof of Reserves covered the most widely held cryptocurrencies on the platform. It included the spot positions, open margin positions, futures balances and on-chain staked amounts of eligible assets. In total, this most recent attestation – which became available on Kraken on November 1, 2024 – covered a value of over $21.5 billion of client assets. We pioneered the Proof of Reserves process in 2014 and we have committed to undertaking it regularly since January 2022. blog.kraken.com/news/2024-pr…
iOS 7: "Siri, are you going to sell my fingerprints to the NSA?"
Replying to @tmuxvim @mert
It didn’t start there. It ended there.
Yesterday’s Twitter takeover is one of the best examples as why world leaders should not be making official statements or announcements on social media. Do it live, in front of cameras from multiple media agencies and allow people to confirm the legitimacy of the statements.
Kinder Surprise Eggs are banned in America. Trying to bring one into the country can result in a $2,500 fine per egg. This Congress-passed law exists because Kinder Eggs and similar might cause children to choke. It’s more difficult to get candy than a gun in America.
It’s @dualcoremusic at @defcon 30. Performing the quintessential hacker anthem. #DEFCON30 #defcon
So a guy is banned from @defcon for abusing. He is friends w/ CEO of a company that’s presenting sponsor of @BSidesCleveland. The con puts bad guy on as a “special guest”. The CEO is a keynote & people hope he denounces the situation, but he tucks & runs from the event instead.
This is the last message in this thread. If you want to read it from the beginning, start here:
Kraken Security Update: On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.
One lesson learned by the @dotMudge testimony: If you are offered a cybersecurity executive leadership position at a company and you won’t have actual authority over basic security policies, security hygiene, policy enforcement and access control, don’t take the fucking job.
2024 was an amazing year for @krakenfx! Key highlights include:
* $1.5B revenue (+128% YoY growth)
* $380M in adjusted EBITDA
* $665B in total trading volume
* $42.8B in client assets on-platform
* 2.5M funded accounts
* 2.5B trades executed since inception
* 99.9% uptime, sub-2ms latency
Headed to #Bitcoin2024 in Nashville? Remember criminals are looking to capitalize on the concentration of Bitcoiners there. You represent something they value, and it is no secret you will be in town. Tweeting your hotel location, bars you are at (while you are there), etc. could lead to unexpected dangers - aka don’t doxx yourself & become a target. Be considerate of others’ privacy as well if posting photos. Watch out for extra friendly attractives you don’t know who are eager to hand you a drink you didn’t see get opened or poured by a bartender. 💤 Stay safe! #Bitcoin @TheBitcoinConf
This is (by far) the best hacker culture swag item at @defcon this year. Likely lost on most. Thanks to @wbm312 for pulling it off.
Today, we’ve announced a new initiative to accelerate the token listing process at @krakenfx - the goal here is to provide the crypto community and project teams with transparency & simplicity when navigating the process needed to become listed on our exchange. blog.kraken.com/product/acce…
ATTN: There is an organized crime group actively targeting members of the #cryptocurrency industry. You MUST remove mobile phone numbers from your personal email, work email & exchange/bank account recovery processes NOW! 1/ #crypto #bitcoin
Replying to @elonmusk
Try again on 4/20.
Over the last decade, I ran services at @rapid7, was the CSO at @Uptake and now run Security, IT & Engineering at a top 3 crypto exchange. It’s been a fun ride & the recent events have certainly been stressful and exciting. I’m optimistic about the future. Thanks for reading.
Wait until you learn about what people do with Excel
I was on a @united flight on Sept 11th, 2001 that departed Chicago around the same time as the hijacked flights that left Boston. I was headed to Detroit for a client engagement. I still have the ticket today. (a thread) #September11th
I’m attending my 25th @defcon this year. I’ve been a speaker 10 times and ran a contest for 6 years. This year is my 8th year as a @DEFCON_NOC Goon. I can’t wait to catch up with friends from the hacker community in a few days!

Replying to @RachelTobac @defcon
This happened to a family member’s computer back then - I think it was an eMachine as well. It wasn’t a virus. It was a feature of your BIOS. When your computer’s fans start to fail or get clogged by dust, it would play that music through your speakers.
Pro Tip: If a celebrity is launching a token, it’s a scam.
Thanks for coming! #fuckacceptance
. . : : The Hacker's Manifesto : : . . Another one got caught today, it's all over the papers. "Teenager arrested in computer crime scandal", "Hacker arrested after bank tampering"... Damn Kids. They're all alike. But did you, in your three-piece psychology and 1950's technobrain ever take a look behind the eyes of a hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him? I am a hacker, enter my world... Mine is a world that begins with school. I've listened to the teacher explain for the fifteenth time how to reduce a fraction. I understand it. "No, Mrs. Smith, I didn't show my work. I did it in my head..." Damn kid. Probably copied it. They're all alike. I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to do. If it makes a mistake, it's because I screwed up. Not because it doesn't like me... or feels threatened by me... or thinks I'm a smart ass... or doesn't like teaching and shouldn't be here... Damn kid. All he does is play games. They're all alike. And then it happened... A door opened to a world... Rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day to day incompetencies is sought... A board is found. "This is it... This is where I belong..." I know everyone here... Even if I've never met them, never talked to them, may never hear from them again... I know you all... Damn kid. Tying up the phone line again. They're all alike... You bet your ass we're all alike... We've been spoon fed baby food at school when we hungered for steak... The bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert. This is our world now... The world of the electron and the switch, the beauty of the baud. 
We make use of a service already existing without paying for what could be dirt cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... And you call us criminals. We exist without skin color, without nationality, without religious bias... And you call us criminals. You build atomic bombs, you wage wars, you murder, you cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals. Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for. I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... After all, We're all alike. +++The Mentor+++
Replying to @robertgraham
I use my neighbors’ open wifi for doing things that aren’t trustworthy.
Gotta close out the week strong
🚨 ALERT: High probability insiders at FTX are currently trying to run off with funds. Both FTX and FTX US wallets have now been affected and commingled. The current amount being laundered is ~$380M. Please share information below. Let's crowdsource this.
Cool Job Alert: I’m hiring a Cloud Security Engineer for my team at @krakenfx. Fully remote. Option to get paid in #Bitcoin and/or #Ethereum. jobs.lever.co/kraken/19204f2…
In 30 years, the German government will look back at 2024 and say “WTF were we thinking?” (but in German) #Bitcoin #HODL
Replying to @sweatystartup
Since you own the property, you can:
- put speakers in the units on either side and play random annoying music and sounds 24/7 at high levels
- Drill small holes in the walls and pump fart spray in bursts at random times from multiple locations
- drop in multiple strobe lights through the ceiling and let those randomly flash 24/7
- Go buy 100 mice at a pet store and let them loose in the unit.
Replying to @elonmusk
End to End encrypted DMs.
Replying to @SwiftOnSecurity
Got this exact same text on one of my lines today. I was laughing because that’s a clever way to confuse almost everyone. I bet it has a higher success rate. This scammer is probably over 40. 😂
About a decade ago, a @thotcon attendee handed me these custom lock picks after the closing ceremony. They have the original conference logo and my handle on them. If you made these, please reach out.
I love it when a small change makes a big impact. Last week, we announced new Two Factor Authentication (2FA) requirements for @krakenfx clients. In just 7 days, over 10,000 clients have upgraded their account security to enable 2FA for login. #kraken #crypto #security
If you are a tech company providing a free service to the entire planet, you need to weed out individuals in your org who think erasing a U.S. President from their platform is some moral crusade they are leading. It completely erodes trust in the platform itself and calls into question all of your products’ output.
Having done consulting gigs for Las Vegas casinos, this comes as no surprise for Fremont Street. A decade ago, even the strip casinos had flat networks. Plug into the 4 port switch behind the quick service register selling pizza & the casino network was yours to “explore”.
The computer networks at two Fremont Street casinos — Four Queens and Binion's — were hacked last night, according to multiple sources. Slot machines, player loyalty programs, credit card processing, hotel reservations, and ATMs were all affected.
Replying to @Jaku
I’m disappointed that the seat occupancy sensors are not used to trigger farts. @elonmusk Next update?
Honored to accept this @CSOonline #CSO50 award on behalf of the @krakenfx security program. It was fun and rewarding to lead such a talented and passionate team that resulted in our project entry.
* stay “safe” 😂