HashedMystic

18.7K posts

@hashedmystic

Digital forensics | Web3 privacy | Convener: The Mystics

Joined December 2019
2K Following · 10.5K Followers
Pinned Tweet
HashedMystic
HashedMystic@hashedmystic·
I took five days off twitter to step back and reflect on how I want to move forward in 2026. During that time, I finished a book and I spent a good amount of hands-on time with my ALFA adapter, running controlled penetration testing exercises. One of the projects I worked on involved auditing a home-lab Wi-Fi setup: capturing handshakes, testing weak encryption and misconfigured access points, and validating how easily poor security choices can be exploited. Just reinforcing a solid reminder to myself on how small oversights can open the door to much bigger problems.

AI is clearly taking over, y'all can see how x402 is blowing up and while everyone is building and shipping with AI, the security side is now feeling like an afterthought and tbh that’s the part that worries me. Even state-of-the-art products ship with flaws, and many AI builders and “coders” aren’t senior engineers, they don’t always think in terms of threat models or security architecture the way experienced engineers do. I just hope 2026 turns out to be far less bloody than what my imagination keeps projecting.

On a lighter note, it’s good to come back and see $ZEC, $BTC, $ETH, and the broader market back up. Checked my Rainbow wallet and everything’s green again.

GM to my favorites on CT, now it’s time to catch up on all the tweets and insights you dropped while I was away. @0xSammy @notthreadguy @OVGNFT @BadlandYW @Yuchenj_UW ❤️
HashedMystic retweeted
San
San@0xsnpaii·
(Short) #BugBounty Tips for the Coming Year:

1. Skill
- A lot of advice out there says you should go complete all PortSwigger Labs before you start hunting. While there's nothing wrong in that, I genuinely feel that is counterproductive. Here is what I do instead:
- Pick a Main Bug: This is your mass hunt specialty. This is the bug you should be able to hunt in your sleep. Learn everything about it, read everything until Programs hate to see you coming. Could be BAC, XSS, Info Disclosure. Anything.
- Pick a secondary High Severity or more: This is your Highs and Crits lane. Basically you don't actively find these because they're rare, but whenever you do come across it, you best be able to pop a High or a Crit. Things like SSRF, Auth issues, Account Takeovers etc. fall under here.

2. Program Selection
- One of the most popular pieces of advice out there is to stick to one program for months. While I do believe in this 100%, you need to actually be clever about it.
- You see, triagers and security teams in companies are humans like us, they take breaks, they go on leave just like the rest of us. If you spend months hacking and submitting reports to one program and response slows down or they go on break, guess what happens to you?
- For me, I test 3 Programs weekly:
  - Main: This is the program I spend most of my hours on, at least 4 - 7 hours a day.
  - Secondary: This is more of a have-multiple-income-sources type program. I dedicate at least 2 - 3 hrs to this.
  - Unicorn: This is your moonshot program, basically you test on this not with the mindset of finding numerous bugs, but with the mindset of "YOU ONLY NEED TO WIN ONCE". These are your high paying programs that you can earn $10k - $50k just by popping an IDOR. I only test these on the weekends.

3. Hack more than you read
- Bug Bounty is a hands-on field, if you're not actively hunting bugs you learn, you won't actually know anything about it. You'd just be the ChatGPT of vulnerabilities. Heck, even ChatGPT would be better than you at that point. So solve @yeswehack Dojo Challenges, solve labs. @intigriti used to run a monthly XSS challenge, I don't know if it's still active but you get the point. Basically actively hacking >> reading writeups or texting people to teach you.
- Run from the content creator trap. It is easy to feel like you need to start posting bounties, sharing write-ups for every finding, but in the beginning you should avoid this. Your time should be spent hacking => learning => more hacking => oh would you look at that. It's MORE HACKING.
- Outwork everyone. You see, a lot of bug bounty has to do with luck. But you don't get lucky if you're not actively putting yourself in positions to actually get lucky. HACK HACK HACK

4. Finance
- The wisest decision I made was to start treating bug bounty as a Capital Generation scheme, not as a career. You see, you are going to have months where you find nothing, months where you enter dupe city. It's inevitable, it happens to all of us. So the wise choice is to use bug bounty as an avenue to fund other things that would actually give you the life you want. Be it a business, skills, education or investments. Whatever.
- Treat every bounty as a little soldier. @NahamSec posted a video this year about this where he talks about allocating a percentage of every bounty you earn to an account for a purpose. I cannot emphasize how important that advice is and how it changed my approach to hunting for the better. Here is the video => youtube.com/watch?v=j5nm38…

5. Health
- Bug bounty is hellish work lol. You spend hours daily sitting in front of a screen. You need to at least try and do the following:
  - Gym or any sort of movement
  - Sleep properly
  - Touch grass occasionally

Remember, a burned-out hacker finds nothing. Good luck on your hunts in the coming year and most importantly, never stop learning !!! #Bugbountytips
HashedMystic retweeted
IT Guy
IT Guy@T3chFalcon·
How Your SIM Card Threatens Your Privacy

Your SIM card does more than just connect your phone. It quietly keeps a record of your daily activities, almost like a diary. It logs the neighborhoods you visit, your late-night outings, and the events you attend. Unfortunately, your phone’s settings can’t prevent this tracking.

Your SIM constantly communicates with multiple cell towers to maintain a signal. Each time it connects, your unique ID (IMSI) is recorded, building a detailed map of where you go. VPNs and encrypted apps can’t block this kind of tracking.

Jsyk.. Your phone actually has three computers inside, not just one. The first is the Application Processor (iOS or Android), which is the only part you can actually control. The second is the Baseband Processor. This hidden chip manages your phone’s communications and runs its own software, which you can’t see or change. The third is the SIM card itself. It’s actually a small computer with its own operating system and can run commands on its own.

Some SIM cards can send texts, start data connections, or share your location without your phone’s main system telling you. These hidden messages use special encryption and aren’t saved anywhere you can see them.

Also, a VPN does not protect everything on your phone. On iOS and Android, most app traffic goes through the VPN, but some system services might not, depending on how your device and network are set up. Also, parts of your phone like the Baseband Processor and SIM card work outside the VPN, managing network signals and carrier communication directly. This does not mean all your data is exposed, but it does mean a VPN cannot fully protect everything your device does.

Some privacy experts, such as Naomi Brockwell (@naomibrockwell), have stopped using SIM cards in their phones. Their method is simple.
- They keep their phones on Airplane Mode and only connect to Wi-Fi.
- They use a separate mobile hotspot for the SIM card instead.
- This keeps your cellular identity separate from your browsing and messaging.

Anyways, if you’re in the U.S., the Calyx Institute offers privacy-respecting mobile hotspots with unlimited data through a non-profit model. While they don’t rely on ad tracking like large telecom companies, the service still depends on carrier infrastructure, so it’s more privacy-conscious.

You can delete apps and block trackers, but the SIM card operates at a level you can’t control. The first step is being aware of this. You can’t avoid a surveillance system if you don’t know it exists.
iShowCybersecurity
iShowCybersecurity@ishowcybersec·
I’m creating a private group for Cybersecurity Content Creators on X. The goal is simple: Help each other grow, share knowledge, & amplify content that actually helps people stay secure. We grow together. We support each other. Comment or DM if you want to join.
HashedMystic retweeted
TryHackMe
TryHackMe@tryhackme·
Thinking about bug bounty but not sure where to start? 90 days. 3 phases. Check the thread 🧵 for the student guide we wish existed when we started.
HashedMystic retweeted
D4rk_Intel
D4rk_Intel@d4rk_intel·
Telegram OSINT Intelligence D4rk_Intel-OSINT-Investigative-Toolkit has been updated with Telegram OSINT - a powerful angle for investigations, as the platform hosts vast amounts of public data that isn't always easy to navigate with its native search. #OSINT #Cybersecurity
HashedMystic retweeted
Karishma Bhardwaj
Karishma Bhardwaj@bkarishma360·
Regret won't change your past. Anxiety won't change your future. Action is the only way to change everything. Goodmorning @x fam 😊
HashedMystic retweeted
Pandit | Ξ🦇🔊
Pandit | Ξ🦇🔊@panditdhamdhere·
White hat hacker life Find a $10M bug, report it responsibly Get a $500 bounty Watch the black hat who found it next get $292 M This is fine.
𝚖𝚎𝚛𝚝 🦧
𝚖𝚎𝚛𝚝 🦧@mertistaken·
2-month #1 streak. 🙌🏻 congrats to all the researchers! last month i found the most critical vulnerability of my life, in one of forbes' top 20 companies in the world. i've reported thousands of bugs over the years, including hundreds of critical ones, but this was the first time one of them actually made me feel bad. i thought about what would happen if it fell into the wrong hands, how it could affect the lives of tens of millions of people and dominate global headlines. it was genuinely unsettling. i was reminded, once again, how important our work really is. anyone watching closely sees how capable ai has become, especially in cyber security. putting the marketing noise aside, we need to embrace ai's stunning capabilities as an advantage and blend them with our own skills. even small, vision-driven nudges from an experienced researcher to an ai create a butterfly effect that completely changes where the output lands. the moment i started transferring my own know-how into my agent system, i felt the difference instantly. it's an incredible boost. we have to keep up with change; "adapt or perish."
CyberSHIELD | CybersecurityOS🛡️
Join our cybersecurity community group! Open to Analysts, Engineers, and Architects. If you're interested, drop a 🛡️
HashedMystic
HashedMystic@hashedmystic·
@Gtr_Cliff count me in bro, that's what i am currently on, i am on streak 11 now
5H4D0W.🜲
5H4D0W.🜲@Gtr_Cliff·
The goal was to get Security+ certified and deep dive into Offensive Security. Starting on Monday the 20th together with some guys, feel free to join us, we'll use H.T.B Penetration Tester path and eventually get the C.P.T.S cert. #100DaysOfOffensiveSecurity
HashedMystic
HashedMystic@hashedmystic·
@cb_doge @grok if this is true, then does that mean the only safe feature on WhatsApp is video call and not even voice calls?
DogeDesigner
DogeDesigner@cb_doge·
🚨 WhatsApp’s “end-to-end encrypted” privacy is a total lie. New class-action lawsuit just dropped: Meta secretly let employees, contractors like Accenture, and third parties read, intercept, and store your private messages WITHOUT consent. All while marketing it as “only you and the recipient can read it.” Zuck lied to billions. Your chats were never safe.
Elorm Daniel
Elorm Daniel@elormkdaniel·
NETWORKING KNOWLEDGE CHECKPOINT

Which protocol is used to securely transfer files over a network using encryption?

A. FTP
B. TFTP
C. SFTP
D. SNMP
HashedMystic
HashedMystic@hashedmystic·
How about you guys report his account for scam, I'm just chilling for a week more to see if he refunds cos i have opened a ticket in his discord, it's not about the amount anymore, it's about intentionally scamming and still trying to look clean, i hate nigs like that and they need to go down, he'll prolly continue with another account, but I'll make sure this goes down @RuneSwap1
Yakult
Yakult@0xyakulth·
Thank you for joining my trade future call. Many @emperorjournal_ members profit from following my entry call. What I admire about the members of the private Discord community that is built by @GuarEmperor is that they are not afraid of defeat and do not care about winning and losing. When you try something new, it can be a new opportunity for you to make a profit in a new style. If you want to join me, leave a comment. I will send you an invite link via DM.
Zun
Zun@Zun2025·
gm everyone, testing 𝕏's new reply feature this tweet is set to "accounts you follow and who they follow can reply" can you reply?
GE
GE@GuarEmperor·
yeah ik many dao alpha play this hope you cooking all thanks @MarkELtash @Zeksintra for sharing early (2 hours after post official) and sharing guide how to mint and bridge
Ethicalrohit
Ethicalrohit@ethicalrohitt·
4th Bounty Hit ✨ €1000 (₹1,07,002.00) for discovering a critical SSRF. @lostsec_ Thank you for always supporting and guiding me. Means a lot ❤️🫂