Ignacio Carmona ⚡

Become an absolute Web3 Security beast in 2026!! Resources: 1. Owen Thurm - Web3 Security 101 playlist (Youtube) 2. Past audit reports - solodit.xyz 3. DeFi bible - github.com/OffcierCia/ult… 4. Books & Blog - rareskills.io/blog 5. Use AI to your advantage

1/ 🚀 Just published a Blog on a Cloudflare misconfig I found during a migration — live demo & test cases inside! Read: @smitgharat0001/cloudflare-bypass-origin-server-deserves-some-love-too-e8bd2182cfea" target="_blank" rel="nofollow noopener">medium.com/@smitgharat000…. Quick test steps below. 👇

I once spent a week trying to exploit a bug. At the end, I marked it 'unexploitable' and was about to leave. As I closed my browser, one more feature caught my eye; I tested the bug there, and it worked! So never leave without trying it one more time.

I am predicting that the biggest hack of the 21st century will come from an AI worm. Imagine a prompt that injected once is capable of understanding its capabilities (e.g available tools) and use them to self replicate by infecting internal services or the entire Internet. 1/2

I've made $9K+ just from freelancing in last 5 months. Here's the exact cold DM template that got me 80% response rate: Drop a "🔥" and i will dm you the exact steps

I just found a confirmed bug on @immunefi #immunefitribe immunefi.com/s/ss/?severity… It’s raining criticals. I am open to private smart contract audits. DM while i am still free.

What if your code got professionally audited... for FREE? @GuildAcademy_ is launching a Public Goods Audit led by our graduating security researchers 👨🏽‍💻👩🏽‍💻 If your project has ≤ 1000 SLOC, this is your chance to: ✅ Get a full security review ✅ Receive structured feedback ✅ Strengthen your protocol — at zero cost ⚡ Spots are limited. Don’t miss this chance to level up your project security. Apply here: forms.gle/Lkxzk43fB3BN6F… Selected projects will be contacted for next steps.

Just released the Ultimate IDOR Testing Checklist 🧩 I combined techniques from many sources to cover IDOR scenarios. Know a technique I missed? Drop it in the comments. Notion: mrdesoky0.notion.site/Ultimate-IDOR-… GitHub: github.com/mrdesoky0/vuln… #bugbountytips #IDOR #AppSec #InfoSec

You’ve heard about Hunt Points Program, launched by the Immunefi Foundation on October 23. It recognizes and rewards security contributions to the onchain economy via Immunefi. Now, we’re revealing how the points system actually works. And trust us…you’ll want those points. ⏬

On the train back from London. Laptop open: - Discussing findings with client - Evaluating fixes from another audit - Estimating work for possible zk audit - Working on new Solana audit - Helping people organise a FV event in LatAm - Linear Algebra book next to me At one level it's the life I've always dreamed of. On another, I'm working like a possessed madman. Still, I'm grateful. 👊

Bug Bounty Tip: Account Takeover (ATO) credit : @zack0x01 #infosec #hacking #hacker #bugbounty #bugbountytips

🎉 **BIG GIVEAWAY for all subscribers to my cybersecurity tools & books!** 🎉 🚀 Whether you’re already subscribed or planning to join — this is your chance to **win FREE subscriptions!** 💎 **Prizes:** 🥇 1 winner — **1 Year Free Subscription** 🥈 2 winners — **6 Months Free Subscription** 🥉 3 winners — **1 Extra Month Free** --- 📜 **Giveaway Rules:** 1️⃣ Anyone **already subscribed** to any of my tools or books is **automatically entered** in the giveaway. 2️⃣ If you’re **not subscribed yet**, you must **subscribe for at least one month** to any tool or book to qualify. 3️⃣ Every **additional tool or book** you subscribe to = **an extra entry** 🔥 4️⃣ The **extra giveaway entry** for sharing the post is **only available for active subscribers.**  👉 If you’re not subscribed, sharing doesn’t count. 5️⃣ To get your **extra free entry** (for subscribers only):  🟢 Share this post on **X (Twitter)**  🟢 Mention **[@kassem_s94](x.com/kassem_s94)**  🟢 Send a **screenshot + the tweet link** as proof (via Telegram DM). 6️⃣ The draw will be **public** and 100% random. 7️⃣ Any fake or duplicate accounts = automatic disqualification. 8️⃣ **Giveaway ends in 15 days → Draw Date: 15 / 11 / 2025** ⏳ --- 🧾 **How to Join:** 1️⃣ Visit my tools & books page: 👉 [cybersecurity.tabbeqai.com/Cybersecurity](cybersecurity.tabbeqai.com/Cybersecurity) and contact me directly at t.me/apesofficial 2️⃣ Or get my book: 📘 [3 Bugs That Pay - Book v1](onlysecurity.com/courses/3-bugs…) or contact me to take ur copy for 30$ 3️⃣ Save your payment proof (screenshot). 4️⃣ Optional: share on X for one more chance (if you’re subscribed). --- 🧠 **Some of my featured tools:** 🔹 **XOXO – XSS Recon:** Automates recon & gathers subdomains, URLs, and parameters to create ready-to-use XSS lists. 🔹 **Secret Hunter:** A full Recon + Secrets tool that detects hidden keys/tokens and discovers **endpoints & sources** across code and APIs. 🔹 **Aurora:** Advanced Salesforce Aura scanner that finds sensitive endpoints & generates ready-to-submit markdown reports. 🔹 **3 Bugs That Pay (Book):** A practical guide with real examples of bug bounty findings that actually pay. 💥 Every subscription = one chance to win 💥 Every extra product = another chance 💥 Share your tweet for an extra entry (if you’re a subscriber!) --- 📣 **Results will be posted publicly here:** 👉 [@kassems94 on Telegram](t.me/kassems94) 🐦 Don’t forget to tag me on X: [@kassem_s94](x.com/kassem_s94)

I found a self-stored XSS on a public BBP. It appears low impact on its own and i can't report it yet; i attempted to chain it with login CSRF ( doesn't look vulnerable ), but I'm exploring further; if anyone wants to collaborate and brainstorm exploit chains, ping me.

I had a pleasure to judge the @KuruExchange competition. Congratulations to all winners and big thanks to @AifosSi for being a professional co-judge! --- We had 1147 submissions. One thing I learned from this experience is that LLMs got much better. Good enough that you can't reject a finding with confidence after the first read, but bad enough for them to truly be valid. This means that if you're skilled, it's a great tool. If you're not, it can terribly increase the judging time.. Fortunately, I have high hopes it will get better soon, as some solutions are being worked on as we speak 👀 I'm happy to be a part of securing the @monad's CLOB!

really excited to share this. it's based on a mechanic that i've wanted to build something with for years

🚨THE POWER OF SECRET HUNTER TOOL🚨 💰Bounty: 250$💰 🐞Bug: access token leakage on .js file lead to information's leakage🐞 💁‍♂️Tip: always check .js files for endpoints and leaked keys ⚠️Take advantage of the offer on the Secret Hunter tool and contact me now to get your own copy⚠️ 📩t.me/apesofficial 📩join our community for more tips and tool offers: t.me/kassems94 #BugBounty #bugbountytips #hacking #hackers #secret_hunter

We’re thrilled to see @CorkProtocol enter this new chapter and proud to support them in strengthening their security!

When you audit for 14 days, waited for 7 weeks for judging but end up with $23.87 payout