Next week at @mandconsulting_ , we're dropping a new tool and blog post we've been working on. I hope you like secrets - and mass exploitation & disclosure of Fortune 100-500s on previously less-documented attack surface.

Pertaining to this post, I have a question of efficacy. Assuming the scammers website is vulnerable to XSS, would session hijacking be appropriate as to obtain IP addresses from the scammers? What about changing deposit addresses to allow the return of victims funds?

Jackie is the female, US contractor version of JonathanData. Incompetent, skill-less and doubles down on the wrong people. All over a single username, which anyone with a brain knows same alias or similarity != related to or the person. Still no apology either.

Scammer alert: D3f4ult “VC Slayer” ⚔️. The background story. I met this kid in prison. He seemed fine, kept him as a friend. Chatted here and there. He wanted to remake his life in crypto trading. Cool. I have been working non-stop, with my 10 co-workers, painstakingly building a startup.

People crying that they can’t beg bounty new CVEs on HackerOne anymore is wild

Found an SSRF in Sliver C2 (CVE-2025-27090), allowing an attacker to read and write TCP traffic through affected teamservers. Demo shows leaking the IP of a Sliver teamserver hidden behind redirectors Writeup and PoC in replies