Artem Irgebaev | Founder @ Hyperfocus

Yo. My name’s Artem and this is a whoami post. I am an OSINT analyst with 7 years of experience. I started my career in corporate security, and then moved to @immunefi, leading web3 bug bounty platform. Stayed there for almost 4 years, but at the end of 2025 I decided to go independent. I have been an OSINT practitioner all my career, focusing on analysis and reporting. Checked every wild country or social media that you can imagine, in both offensive and defensive roles. Ships, license plates, TamTam messenger or Turkmenistan’s segment of Instagram – you name it, I did it. Right now I am working on my analytical and investigative agency hyperfocus.ae. We are focused on background checks and due diligence in the MENA region. I will be sharing the results of my practice and research with people who care about security. So if you are interested in getting tested and proven information, not just posts about random tools, stay. You’ll like my stuff.

@CyberUnknown45 Yo man these are outdated docs and like an unprotected dir of a tier-3 (even tier 4?) company. And you only managed to hack their landing website with 5 pages. It is a fucking metal production company! Go masturbate on your skill (more like lack of it) somewhere else. Pathetic.

k-chermet.ru got freakin' DESTROYED yesterday☠️🔥

@cyber_razz Congratulations from Kyrgyzstan! 🌙

Quote with your Eid photos 🕌

Check any Telegram account that DMs you – spot the scammer before shit happens. 1. Check their account changes via SangMata_beta_bot. It will show you nickname and username changes. 2. Analyze their messages in public chats via TeleSINT and TgScanRobot. 3. Reverse image search their profile pictures via Google and Yandex to identify other social media of the person. Contact them to confirm the authenticity of the Telegram account. No username changes, no public chats or no messages is a red flag. Remember, most of the people WILL NEVER DM YOU FIRST.

Access restrictions, bans, age verification and overall freedom limitations online made us learn cybersecurity and hacking not because it is interesting, but because it is a necessity nowadays. We are entering cyberpunk. Good. I was always prepared. Call me Count Zero.

@Rust_Mafia @0xsadikbaba I am also not protecting Injective. I read their response, even my browser got hysterical from "arguments" it showed me on the screen. But once again -- this deposit idea will NEVER happen.

@ceo_hyperfocus @0xsadikbaba Yes, bit blackhats don't care. Bugs don't care. I think negotiating 10% with blackhats is a much better idea than upfront deposit of 500k for protocols managing millions or billions in tvl. Don't you think?

I am not disgraceful to Immunefi, but this is the truth. Immunefi has far more complaints from whitehats about valid bugs being verified, then projects refusing to pay, lowballing massively, or ghosting completely. HackenProof? Almost zero public complaints on non-payment. Immunefi stays mostly quiet. They don’t respond, don’t escalate, don’t take real action. Reports get closed after 6+ months and you can’t even complain anymore. No appeal box. Whitehats are left hanging with zero leverage. I have seen critical bugs (reentrancy, fund theft) confirmed by triagers then projects offer $1k instead of $250k+ and Immunefi does nothing. Simple fix. Protocols that run bug bounties on Immunefi must deposit the full bounty funds upfront If they refuse to pay a verified researcher, Immunefi can immediately release the money or mediate properly. No more “we changed our mind” games. Meanwhile HackenProof (platform with lower bounties) has clear SLAs triage in 3 days, review in 7-14 days, payment in 3 days after fix. Auditors almost never publicly accuse them of non-payment or ghosting. Cleaner process, less drama. Immunefi pays the biggest bounties that’s why we all hunt there. But the current system is pushing good whitehats toward frustration or worse. Add an appeal box. Enforce deposits. Stop staying quiet. Fix this and the whole Web3 security space wins. #BugBounty #Immunefi #HackenProof #WhiteHat #CryptoSecurity

I am just thinking realistically, not from a moral side. No business will deposit such funds without receiving yield. Of course, when the same business gets their 500 mil stolen, they will reassess their priorities😅 But not before that happens. I agree this situation creates a lot of incentive for blackhat activities, but I would remind everybody that being a blackhat comes with an orange jumpsuit in the end.

@windowhan @immunefi Congrats! Good that you stood your ground in the discussion.

I just found a confirmed bug on @immunefi #immunefitribe immunefi.com/s/ss/?severity… I achieved it after a very long debate/argument And... yet another thing that got buried 🙃

@suraj_sharma14 Go build a brick factory in Dagestan, Russia. High demand for bricks nowadays.

AI is replacing jobs. Web3 is volatile. Startups are dying. Layoffs everywhere. Real talk what should you be building right now?

I also suggest using @bubblemaps, @AMLBotHQ for getting AML characteristics of a particular address, and Maltego Graph or similar software for creating graphs not related to crypto, e.g. OSINT investigation of project's website. Also go read about intelligence cycle on Wiki. Must-have theoretical fundamental for any investigator.

HOW TO BE A CRYPTO SLEUTH Crypto sleuths track stolen funds, expose fraud, and identify bad actors using public blockchain data - tools like Arkham allow investigators to trace flows, cluster wallets, and link addresses to real-world entities. Our research team wrote a guide on how crypto sleuths operate, the tools they use, and the investigations that shaped the space. Check it out below:

Imagine smoking those while casually withdrawing from Bybit hot wallets.

@IntCyberDigest Every time I did exposure audits for EU/US citizens, I checked Strava accounts. So, if you start your run from your place, it is possible to identify your address because the starting point is always the same. Found exact addresses of every person in a 3-generation family once

‼️🇫🇷 MAJOR OPSEC FAILURE: The French aircraft carrier Charles de Gaulle was located by Le Monde journalists through the Strava app of an officer jogging on the ship's deck…

@MitchellAmador Every time I did exposure audits for EU/US citizens, I checked Strava accounts. So, if you start your run from your place, it is possible to identify your address because the starting point is always the same. Found exact addresses of every person in a 3-generation family once

Strava breaches opsec once again; seen it so many times it must be considered a key feature at this point.

@ShriekingNoises Because we are overworked. That's pretty easy. Oh, and most of us were insane long before starting a business. But that's just details

Has anyone actually done a study on why small business owners are uniquely insane?

small accounts tweeting:

@troyhunt It is indeed conscious -- people behind those accounts are farming engagement and subscribers for further monetization. It is an old af method. Happens every time something big occurs, like wars, natural disasters etc. I thought you weren't new to social media 🙂

I’m seeing so much disinformation and hyperbole around age verification, and it’s increasingly feeling like it’s conscious and coordinated. Stuff like this isn’t accidental.

@jaczkal That's some lit shit! Thanks for sharing. I used to do a lot of reversing when I was working in web3 sec. Will go finish reading -- keep up the good work man!

Your uniqueness and creativity is costing you your privacy. Take my personal nickname – gspdnsobaka. Enter it into Google with “” for exact match search. You will get 5 pages total – including direct links to my Steam, Instagram, Telegram and almost all my public talks. The same queries with a more popular nickname, like “john_wick”, or a more generic one, like “johndoe123” return more than 20 pages of results, most of which are irrelevant to the nickname. If you are a public and transparent person, go for uniqueness. If not, stick to generic stuff – it will be harder to find you.

@r0ktech I tried to make drop table users joke but x.com did not allow me to post it 😆

Taking the password game to another level..😆