Kirill Firsov

249 posts

@k_firsov

Co-founder and CTO of @FearsOff | Protecting the World’s Top Crypto Exchanges & Financial Institutions | Cybersecurity Enthusiast

Dubai, United Arab Emirates. Joined April 2011
372 Following, 4.2K Followers
Pinned Tweet
Kirill Firsov @k_firsov
Our latest research is out! If you missed a good write-up for nice vulnerabilities, I brought you one! Enjoy the reading! @FearsOff @Cloudflare
Het Mehta @hetmehtaa
Crazy how everyone on X became a Security Guru since critical CVEs are dropping every day on popular packages, and everyone wants to get some attention.
Kirill Firsov @k_firsov
@rez0__ As many people, as many opinions. Both of them are doing what they have to, in a certain way
Joseph Thacker @rez0__
okay I'm calling it officially. codex is cracked. if you're a bb hunter and you don't have a hackbot set up yet, I recommend codex with gpt5.5 over claude code.
uglybyte @uglybyte
@h4x0r_dz you gotta tell us the story behind this at some point
Cointelegraph @Cointelegraph
🚨 NEW: AI security startup Depthfirst claims its security AI beats Anthropic’s Mythos in code vulnerability detection.
Kirill Firsov @k_firsov
@zachxbt Nice one. How was it recognized in the beginning that the device was linked to a DPRK worker, though? I understand the connection in the end, but before doing that via luckyguys there has to be some sign of that.
ZachXBT @zachxbt
1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions. I spent long hours going through all of it, none of which has ever been publicly released. It revealed an intricate ~$1M/month scheme of fraudulent identities, forged legal documents, and crypto-to-fiat conversion. Enjoy the findings!
Het Mehta @hetmehtaa
wtf is this on Github?
Kirill Firsov reposted
Marwan Hachem @mar1hachem
Kudos to the teams of @Bitrefill and @FearsOff for handling this incident with the utmost professionalism and transparency. ‘What doesn’t kill you makes you stronger’, especially in cybersecurity.
Bitrefill @bitrefill

March 1st incident report

On March 1, 2026, Bitrefill was the target of a cyberattack. Based on indicators observed during the investigation - including the modus operandi, the malware used, on-chain tracing and reused IP + email addresses (!) - we find many similarities between this attack and past cyberattacks by the DPRK Lazarus / Bluenoroff group against other companies in the crypto industries.

The initial access originated through a compromised employee laptop, from which a legacy credential was exfiltrated. That credential provided access to a snapshot containing production secrets. From there, the attackers were able to escalate their access to our broader infrastructure, including parts of our database and certain cryptocurrency wallets.

We first detected the incident after noticing suspicious purchasing patterns with certain suppliers. We realized that our gift card stock and supply lines were being exploited. At the same time we found some of our hot wallets being drained and funds transferred to attacker-controlled wallets. The moment we identified the breach, we took all of our systems offline as part of our containment response. Bitrefill operates a global e-commerce business with dozens of suppliers, thousands of products, and multiple payment methods across many countries. Safely switching all these things off and bringing them back online is not trivial.

Since the incident, our team has been working closely with top industry security researchers, incident response specialists, on-chain analysts and law enforcement to understand what happened and how we can prevent it from happening again. A sincere thank you to @zeroshadow_io, @SEAL_Org, @RecoverisTeam and @fearsoff for their rapid response and support throughout this ordeal.

What about your data

Based on our investigation and our logs we don’t have reason to think that customer data was the target of this breach. There is no evidence that they extracted our entire database, only that the attackers ran a limited number of queries consistent with probing to understand what there was to steal, including cryptocurrency and Bitrefill gift card inventory.

Bitrefill was designed to store very little personal data. We are a store, not a crypto service provider. We don’t require mandatory KYC. When a customer chooses to verify their account - e.g. to access higher purchasing tiers or certain products - that data is kept exclusively with our external KYC provider, with no backups in our system.

Still, based on database logs, we know that a subset of purchase records was accessed and we want to be transparent about that. Around 18,500 purchase records were accessed by the attackers. Those records contained limited customer information, such as email addresses, crypto payment address, and metadata including IP address. For approximately 1,000 purchases, specific products required customers to provide a name. That information is encrypted in our database. However, since the attackers may have gotten access to the encryption keys, we are treating this data as potentially accessed. Customers in this category have already been notified directly by email.

At this time, based on the information currently available, we do not believe customers need to take specific action. As a precaution, we recommend remaining cautious of any unexpected communications related to Bitrefill or crypto. If this assessment changes, we will of course immediately inform those affected.

What we are doing

We have already significantly improved our cybersecurity practices, but vow to continue to draw learnings from this experience to make sure user and company balances and data remain maximally safe. Specifically we’re:
- Continuing thorough cybersecurity reviews and pentests with multiple external experts and implementing recommendations;
- Further tightening internal access controls;
- Further improving logging and monitoring for faster detection and more effective response; and
- Continuing to refine and test our incident response procedures and automated shutdown procedures.

The bottom line

Getting hit by a sophisticated attack sucks (a lot). We’ve been in business for over 10 years and it’s the first time we’ve been hit this hard. But we survived. Bitrefill was designed to limit the impact if something like this ever happened. Bitrefill remains well funded, has been profitable for several years and will absorb these losses from our operational capital. Almost everything is back to normal: payments, stock, accounts. Sales volumes are also back to normal, and we are eternally thankful to our customers for your continued confidence in us. We will continue to do our best to continue deserving your trust. Thank you!

Kirill Firsov @k_firsov
@IceSolst He got good views count though, I guess that was the plan
solst/ICE of Astarte @IceSolst
When I was a dumb baby I copied the Facebook session cookie into a different browser, and thought “omg I hacked Facebook!” This guy just did the same thing but with an API key. But he’s not a baby. He’s a “Founder” in “SF”.
Yousif Astarabadi @yousifa

x.com/i/article/2032…

Vignesh Rajan @vigneshrajan_10
@k_firsov Very well said. What are the ways to level up, Firsov? Any inputs?
Kirill Firsov @k_firsov
So much drama today, people losing their minds over this "new" feature from Anthropic, calling it the death of pentesting and bug bounties. Even stocks tanked for companies that have nothing to do with it. Why? Because most investors in this space don't know shit about security or what Claude AI actually dropped. We have been running vulnerability scans with various AI models, including Opus 4.6 for months already. This release is basically just a handy button to run what used to be a chain of prompts doing the exact same thing. Investors: Buy back in. Bug hunters and pentesters: relax and level up with it. Anthropic’s social media team: Bravo! This clickbait worked out!
Claude @claudeai

Introducing Claude Code Security, now in limited research preview. It scans codebases for vulnerabilities and suggests targeted software patches for human review, allowing teams to find and fix issues that traditional tools often miss. Learn more: anthropic.com/news/claude-co…

Kirill Firsov @k_firsov
@RoseSilicon No, not right now. Humans still pick better targets, or those that are missed by AI, handle evasion better in tricky envs, and so on...
Sei K. @RoseSilicon
@k_firsov You think actual threat groups will replace their hackers with Opus? They will do anything and everything to get inside! Even if it means writing assembler or doing things no non-profit company would do normally!
Nomad Dev @AiNomadDev
@k_firsov Damn. What a refreshing take. Everyone was losing their minds instead of seeing the power this could expose
Kirill Firsov @k_firsov
Thanks for the article, a good read. Many points make sense. Remember times when SQL injections were left and right? That time has gone; then it was time for path traversal, still there but much less. Now we assume we should see fewer of any other types of vulnerabilities because AI covers them, yet don't forget it's now AI that writes them in the first place. Besides that, I have in mind so many scenarios where I can find a bug but AI won't, at least for now. So let's use a quote from the article: no need to panic, but embrace AI
Het Mehta @hetmehtaa
r/cybersecurity r/netsec r/hacking r/AskNetsec r/Infosec r/ethicalhacking r/Malware r/Pentesting Don't thank me later.
Kirill Firsov @k_firsov
@S1r1u5_ Same. Zero seconds of real suspense, yet it sells the "I’m nervously waiting" vibe though.
s1r1us (mohan) @S1r1u5_
I was using Claude Code and it is so weird to see the LLM anticipate the amount of time it takes to run a command, then make a bash call with a timeout, and continue with that. For the LLM as a subject, there is no underlying anticipation like a human has; it's just text. The command runs with a timeout and returns output. The model reads it. There is no such thing as a gap. For me, I need to run it, then anticipate; I live through the gap and then feel the result.

And also, it really doesn't have a sense of time. For us the core of time is change in one direction and memory modeled around it. If there is no memory, I don't have a sense of time. Emotions like hope and regret are related to time. Everything I do, plan, prepare, anticipate, think, it all depends on time; it's the water I swim my subjective experience in. But for the LLM it's literally not that; it's just text: "i want to run command" + "i will add timeout" + "running it" + "output" + "done". It's just pattern matching, yet it models time perfectly through text. This shit is so weird and beautiful, man. So it has temporal intelligence but without any temporal subjectivity.
H4x0r.DZ 🇰🇵 @h4x0r_dz
Yey, I made $500,000 using Clawdbot in the first week
Kirill Firsov @k_firsov
Stealing a violin doesn't make you a musician. Hacking/buying a cert doesn’t make you "elite" either. It just makes you a criminal... and the one who cheated on the test and still can’t do the job. If your definition of skill requires breaking the law, you don't have any. But go on with the "no cert = skid" detective work
b8 @fbi__open__up
@k_firsov Because if you were actually elite you'd hack or social into the cert companies and issue yourself some certs without sitting the exams. So no certs does indeed mean you're unqualified and a skid.
Kirill Firsov @k_firsov
You don't need them for pentesting companies either. Most hackers don't have any certs, so why would some corporate bureaucracy tell me I'm not qualified to work with them just because I lack some XXX certificate? OK, let's wait until you get hacked and see how well that bureaucracy holds up then.
Intigriti @intigriti

You don't need certs to be successful in bug bounty
