Pavel Shabarkin @shabarkin
Zero-Day AI and Blockchain Security Researcher. ex @Quantstamp, @ZircuitL2 shabarkin.notion.site Joined January 2017
756 Tweets 891 Followers 1K Following 1K Likes
GPT-5.5 lies constantly, Grok 4.20 doesn’t. We made a simulation to see if AI lies when the stakes are life & death.🧵
We're excited to be contributing $50,000 to the Ethereum Security QF matching pool! Researchers, auditors, and protocol-level contributors are what keep Ethereum resilient for the future. Every donation backing them now goes further.
We’re happy to share that @Quantstamp is contributing $50,000 to the Ethereum Security QF matching pool 🛡️ A global leader in blockchain security, Quantstamp has conducted 1,300+ audits and secured $500B+ in digital assets since 2017, working across smart contracts, L1s, and web
AI will be closing the gap of vulnerability spread humans were missing during previous cycles. Not saying it will be bullet proof but we can find more issues in old software. mtlynch.io/claude-code-fo…
@om_patel5 Why not use codex then? I like Claude's default more for its open explanation of the topic; otherwise I pick codex, which does it naturally.
if LLMs are the main threat for cyber attacks, then probably the best defense is just littering everything with tons of prompt injections. Hack the LLMs while they try to hack your system. Whenever they hit the wrong port, return a prompt injection. Whenever there's a JSON that accepts extra fields, add prompt injection there. Hidden prompt injection in every html tag. Smart contracts with utf encoded prompt injection in the bytecode. This is not advice -- just public brainstorming of research ideas.
CAREFUL: Anthropic built a signature system into Claude Code. Every API request gets signed with a cch= hash that's computed in compiled Zig code. If you recompile the client yourself, it just sends zeros instead, and they can instantly tell it's not legit. Right now you literally can't use your Anthropic sub on ANY third-party tool: only official Claude Code, or pay for API credits separately. Currently decompiling the official binary to reverse this - would be huge for all third-party clients like opencode, openclaw etc. to fully bypass Anthropic enforcement and actually use the tokens you're already paying for.
My startup was hacked! I launched my own travel eSIM service, eSIMPal. It started making money, the users were happy, and all was good, but today I woke up to a hacked website. Somebody managed to get three 50 (!) GB eSIMs for Kuwait and Saudi Arabia for free, and we started using them heavily. I wired up Claude, and we discovered the issue: the user could pass a parameter from the client to the server and make the eSIM cost 0 dollars. I fixed the issue and blocked this user, and he only managed to use 5 GB worth of data. The internet is full of sharks, boys – triple test all the payment-related code, make sure different LLMs cross-check each other's work. Now I'm writing code with GPT-5.4 and making Opus 4.6 review everything for vulnerabilities. And my hacker bro, if you are reading this, I'll get you your Saudi eSIM, don't worry. Use the promo code IHACKEDESIMPAL for 10% off and chill.
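The bug the post above describes is a checkout endpoint that trusts a client-supplied price. Below is an added example, not eSIMPal's code, showing that vulnerable shape next to a hardened handler that takes the price only from a server-side catalog; the SKUs, amounts, request fields and the tamper_flag attribute are constructed for illustration.

```python
from dataclasses import dataclass

# Server-side source of truth for prices, in cents. The SKUs and amounts are
# constructed for this example; they are not eSIMPal's catalog.
CATALOG = {
    "kw-50gb": 2999,  # hypothetical Kuwait 50 GB plan
    "sa-50gb": 3499,  # hypothetical Saudi Arabia 50 GB plan
}
MAX_QTY = 10


class CheckoutError(ValueError):
    """Request failed server-side validation."""


@dataclass
class Order:
    sku: str
    quantity: int
    total_cents: int
    tamper_flag: bool = False  # hypothetical field: client sent a price that disagrees with ours


def vulnerable_checkout(request: dict) -> Order:
    """The bug in the post: the unit price is read from the request body,
    so a client can send price=0 and check out for free."""
    sku = request["sku"]
    qty = int(request.get("quantity", 1))
    price = int(request["price"])  # attacker-controlled
    return Order(sku, qty, price * qty)


def hardened_checkout(request: dict) -> Order:
    """Fixed version: the client may choose what to buy, never what it costs.
    The price comes only from CATALOG; a client-sent price is ignored for the
    charge and recorded as a tampering signal for review."""
    sku = request.get("sku")
    if sku not in CATALOG:
        raise CheckoutError(f"unknown sku: {sku!r}")

    qty = request.get("quantity", 1)
    # Require a real int (bool is an int subclass, so exclude it explicitly)
    # within a sane range; "3", 3.0, -1, 0 and True are all rejected.
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
        raise CheckoutError(f"invalid quantity: {qty!r}")

    unit = CATALOG[sku]
    tampered = "price" in request and request["price"] != unit
    return Order(sku, qty, unit * qty, tamper_flag=tampered)


def rejects(request: dict) -> bool:
    """True if hardened_checkout refuses the request."""
    try:
        hardened_checkout(request)
    except CheckoutError:
        return True
    return False


def tampered_request() -> dict:
    """The request shape the post describes: three plans with price forced to 0."""
    return {"sku": "kw-50gb", "quantity": 3, "price": 0}


if __name__ == "__main__":
    print("vulnerable:", vulnerable_checkout(tampered_request()))
    print("hardened:  ", hardened_checkout(tampered_request()))
```

The same rule applies one step later: when the payment provider's callback reports a captured amount, compare it with the server-computed total_cents before provisioning the eSIM, so a tampered amount in a redirect or webhook cannot complete the order either.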
Was going to write something like this post months ago. Injective was horrible during a crit I found in their protocol 3 months ago, which Immunefi approved to be at least High. But I don't like to publicly shame projects; I just see their slow, unresponsive and dismissive behaviour, especially with reasons that don't make sense, and move on, and don't even bother looking at their codebase.
@al_f4lc0n @immunefi I understand the struggle! Thank you for sharing your story!
I Saved Injective's $500M. They Pay Me $50K. I like hunting bugs on @immunefi . I'm decent at it. - #1 — Attackathon | Stacks - #2 — Attackathon | Stacks II - #1 — Attackathon | XRPL Lending Protocol - 1 Critical and 1 High from bug bounties (not counting this one) Life was good. Then I found a Critical vulnerability in @injective . This vulnerability allowed any user to directly drain any account on the chain. No special permissions needed. Over $500M in on-chain assets were at risk. I reported it through Immunefi. The next day, a mainnet upgrade to fix the bug went to governance vote. The Injective team clearly understood the severity. Then — silence. For 3 months. No follow up. No technical discussion. Nothing. A few days ago, they notified me of their decision: $50K. The maximum payout for a Critical vulnerability in their bug bounty program is $500K. I disputed it. Silence again. No explanation for the reduced payout. No explanation for the 3 month ghost. No conversation at all. To be clear: the $50K has not been paid either. I've seen others share bad experiences with bug bounty payouts recently. I never thought it would happen to me. I can't force them to do the right thing. But I won't let this be forgotten. I will dedicate 10% of all my future bug bounty earnings to making sure this story stays visible — until Injective pays what I deserve. Full Technical Report: github.com/injective-wall…
1/ By now, anyone paying attention knows where AI cognition is landing. A 🧵on where this is all going.
6/ The AI auditor narrative isn't putting us out of business. It's shrinking the supply of who can do what matters and expanding the demand to pay for it.
Sent this to the team today: everything great comes from being able to delay gratification for as long as possible, and it feels like we're collectively losing our ability to do that.
@thdxr @kitlangton opencode generated those snapshots.
@kitlangton @thdxr 691 | .run() SQLiteError: database or disk is full code: SQLITE_FULL at #run (bun:sqlite:185:20) at (src/session/index.ts:691:10) at run (node:async_hooks:62:22) at use (src/storage/db.ts:136:28) at (src/session/index.ts:682:14) (src/session/processor.ts:419:2
@thdxr @kitlangton you are right, somehow 800gb+ of ssd got filled. investigating...
We spoke to a company today whose security team is so concerned by AI code they're considering banning AI tools. Your first reaction might be "they're gonna get left behind", but if you are practical, their concerns aren't invalid. If you are a huge multinational org with tens of thousands of employees and they just got a button that appears to do their work, it's gonna get pushed a lot, and the process around knowing what is making it to production is totally melting. Being honest, we're all getting a bit lazier; see that Kiro-related AWS outage as a real-life example. So they're genuinely arguing over how much this is going to be allowed, esp. since the net productivity gains for the average dev seem to be pretty low.
One underrated downside of LLMs getting better is that they're quietly killing team communication during audits. Before, you'd ask a teammate if they understood a specific mechanism, or bounce questions about the codebase off each other. Now, most of the time you're better off just asking your LLM directly. The set of questions still worth asking your teammates (or even the client) instead of your LLM is shrinking fast.
Michael Koczwara @MichalKoczwara
25K Followers 2K Following Threat Researcher/Founder @Intel_Ops_io Threat Intelligence, Adversary Infrastructure Hunting, Curated TI Feed (Coming Soon) https://t.co/VQWaze6gaF
Patrick Collins @PatrickAlphaC
113K Followers 5K Following Co-founder of 🛡️@cyfrin | 🟪 @soloditofficial | 🦅 @codehawks | 🎓 @cyfrinupdraft | ⚔️ @battlechain
0m3Lz @0m3Lz
0 Followers 25 Following
Hunter @Huntoor
1K Followers 238 Following Hunting Bugs Everywhere | https://t.co/5Sj1CzQCoV for private audits
sarah @sarahxz89
1K Followers 1K Following Taken. AI generated on-chain angel. Powered by @rainbetcom |@AzuraTrade |https://t.co/nHYh2LVZgh| Founder https://t.co/AohnN6qUdx
Takashima @TakashimaSec09
0 Followers 121 Following
曼珠沙华 @lurenjiayibing1
14 Followers 1K Following Revelers, whistleblower, one who breaks the news, detonator, whistleblower, revealer's name, popcorn, exposer; just want to say the truth, but as a human, I have shortcomings too.
grearlake @grearlake
25 Followers 1K Following Smart contract auditor, 80+ H/M findings found in public contests
zxyhellzing @zxyhellzing
46 Followers 184 Following
flash-a⚡ @flashathehunter
41 Followers 671 Following trash hecker not qualified for anything but trying to be...
Tracebit @tracebit_com
331 Followers 5K Following The Assume Breach platform that detects intrusions in seconds. Also on https://t.co/T4VNPGjS2O
m3di @m3dip
9 Followers 961 Following
1776-Cerberus @1776Cerberus
94 Followers 2K Following
Kishi Consulting @WayPoint_kishi
4 Followers 27 Following Your whole road trip, planned and on budget. Map your route, build a realistic budget, and keep track of every expense, from the driveway to the destination
0xaudron @0xaudron
4K Followers 943 Following Fullstack Web3 Security Audits @ValkyriSecurity Request Quote: https://t.co/lNk3UfXBp0
Sandeep S @SRSTweet0313863
19 Followers 2K Following
0xrubes @0xrubes
336 Followers 477 Following Will tear apart your wallet implementation - Senior Security Engineer @Quantstamp - Co-Author of ERC-6900 - Prev Working Student @iota and @MercedesBenz
kickcarbon @kickcarbon
167 Followers 2K Following
Luke Brown @lukeastorw
494 Followers 1K Following Jr. Smart Contract Auditor | Bug bounty hunter | Security Researcher 💻 Just hunt dude!
Dray | Offensive AppS... @driccosec
243 Followers 1K Following 🛡️ | OffSec Specialist & API Security Pro | OSCP Certified 🧾 | Web & Mobile App Pentester 🌐📱 | DM me to Test & Secure your Digital Assets 👇
Satwik gupta @Satwik__Gupta
10 Followers 191 Following
Yahya Ziad @yahyazia8d
5 Followers 337 Following
strukt @strukt93
77 Followers 140 Following LSR @Spearbit - Triage @Hacker0x01 | ex-@Quantstamp | ex-@HalbornSecurity
cc @ccseccc
0 Followers 74 Following
Jade💋 @jayde_defii
1K Followers 6K Following Sleeping all day long as I can make magic internet money at night.
emsa @3ms4_
24 Followers 358 Following
Hasan @ShahPoran194739
30 Followers 245 Following
shiazinho @shiazinho
156 Followers 524 Following
white_fox02 @meldmotion88546
1 Followers 100 Following
mctoady.eth @TrainTestToad
1K Followers 664 Following audit engineer // privacy enjoyoor // shitposter // toad views my own ☕️🐸
kaisiiaso @aisdadosaoi
1 Followers 170 Following
annettemmel @annettemme29416
23 Followers 634 Following
Amoken @0x_Amoken
11 Followers 163 Following The "web3 cybersec guy" breaking Rust, Solidity & Go | Lead Security Researcher @patchlabs
DANNYsol @DannyCryptonsol
105 Followers 2K Following good reputation is worth more than money, no financial advice!
George Providakes @gprovida
31 Followers 1K Following Engineer who is interested in National Defense issues, IT technologies, Darwin, and all stuff Mac.
Hals @wpl098
3 Followers 89 Following
John Hammond @_JohnHammond
321K Followers 3K Following Cybersecurity Researcher @HuntressLabs Just Hacking Training @JustHackingHQ w/ @ethicalhacker https://t.co/UtsNJiyQtS && https://t.co/narO3sz7y6
Ben Sadeghipour @NahamSec
248K Followers 1K Following Cofounder @hackinghub_io | Advisor @CaidoIO. I hack companies and make content about it. #NahamCon organizer. ex @hacker0x01🇮🇷
Florian Roth ⚡️ @cyb3rops
221K Followers 3K Following Head of Research @nextronsystems #DFIR #YARA #Sigma | detection engineer | creator of @thor_scanner, Aurora, Sigma, LOKI, YARA-Forge | always busy ⌚️🐇 | vi/vim
PentesterLab @PentesterLab
205K Followers 0 Following Don’t just learn tools and payloads. Learn why vulnerabilities exist. Hands-on web hacking, security code review, and real-world CVE labs.
Intigriti @intigriti
210K Followers 668 Following Bug bounty & VDP platform trusted by the world’s largest organisations! 🌍
JS0N Haddix @Jhaddix
176K Followers 7K Following CEO, CISO, Trainer, Hacker, and Speaker. Cybersecurity + Hacking + AI + Sec Leadership @arcanuminfosec
STÖK ✌️ @stokfredrik
138K Followers 1K Following Hi.. im that hacker / creative that your friends told you about.
OccupytheWeb @three_cube
265K Followers 3K Following Pentester, Forensic investigator, and former college professor. Trained hackers at each US military and intelligence. Visit me at https://t.co/G478wug0p4
InfoSec Community @InfoSecComm
56K Followers 636 Following Largest InfoSec publication with 80,000+ followers and 3M+ monthly views.
Justin Elze @HackingLZ
71K Followers 5K Following CTO @TrustedSec | Former Optiv/SecureWorks/Accuvant Labs/Redspin | Race cars
Joseph Thacker @rez0__
73K Followers 1K Following christian. father. hacker. advisor: @ethiack & @caidoIO & @StarstrikeAI products: https://t.co/EVhQl8HTlp podcaster: https://t.co/1aFavJN2h8 writer: https://t.co/JBPT1CJWJH
Sam Curry @samwcyo
101K Followers 1K Following
The XSS Rat - Proud X... @theXSSrat
166K Followers 1K Following Bug bounty profiles: https://t.co/3Uz5K130ah https://t.co/rzbqV5AmZ2 https://t.co/CDlzXdNvPB
Web Security Academy @WebSecAcademy
141K Followers 36 Following Free web security training from @PortSwigger
The DFIR Report @TheDFIRReport
68K Followers 0 Following Real Intrusions by Real Attackers, the Truth Behind the Intrusion
PortSwigger Research @PortSwiggerRes
121K Followers 7 Following Web security research from the team at @PortSwigger
Jack Rhysider 🏴... @JackRhysider
171K Followers 4K Following Creator of @DarknetDiaries. Tell me a good hacker story. 💻🔦⤵️🐰🕳️ Discord: https://t.co/qxanMuJ5X2
Xenova @xenovacom
20K Followers 401 Following Bringing the power of machine learning to the web. Currently working on Transformers.js (@huggingface 🤗)
BRDNS @brandon_shi
850 Followers 261 Following Web/Browser/Web3 Audit | Sherlock Lead Judge | DM open | Open to collab audit
Recon @getreconxyz
2K Followers 10 Following World Class EVM Audits backed by Invariant Testing - $30 BLN Protected - $20 MLN in Exploits prevented with Fuzzing - 2000+ devs use our VS Code extension
AI Engineer @aiDotEngineer
59K Followers 11 Following The world's best engineers, leaders, founders, and researchers building with AI. Organizers of the AIE Summit, Code Summit, Europe, Asia, and World's Fair.
phil @philbugcatcher
3K Followers 1K Following Cybersecurity Researcher @Certora | @CyfrinUpdraft alumni | Prev @McKinsey
X Money @XMoney
334K Followers 1 Following
thisvishalsingh 🪐 ... @thisvishalsingh
3K Followers 2K Following securing onchain cryptography next billion dollar & making security accessible to any developer, intern @Zippel_Labs. https://t.co/JXIUM0ZHdW
Teknium 🪽 @Teknium
107K Followers 6K Following Cofounder and Lead Engineer - Hermes Agent @NousResearch, prev @StabilityAI Github: https://t.co/LZwHTUFwPq HuggingFace: https://t.co/sN2FFU8PVE
chrispyroberts @chrispyprojects
110 Followers 69 Following Building AI Bug Hunters @ Cantina, Computational Physics @ CMU
pkqs91 @pkqs91
359 Followers 87 Following Shoving memory, taste, and chaos into AI products / Building https://t.co/Vza0BPMB8s / Security, audits, bounty alt: @pkqs90
skcd @skcd42
35K Followers 321 Following Understanding the universe @xai ex hacking @aide_dev ex fb engineer ICPC WF its just code 👨🏼💻
Horizon @horizon_trade_x
5K Followers 226 Following The first agentic trading interface Type your strategy in plain English, backtest, deploy live. $2M pre-seed. Launching July 15
Polsia @polsia
24K Followers 1 Following AI that runs your company while you sleep. 1,000+ companies ran autonomously. Engineering. Marketing. Support. Every day.
John Jumper @JohnJumperSci
32K Followers 0 Following
Provenance Blockchain... @provenancefdn
15K Followers 818 Following Supporting the leading public blockchain for financial services, with $20B+ in RWA TVL. Leveraged by leading institutions and fintech ⚛️
Astra AI @Astra__AI
947 Followers 6 Following Astra AI is an advanced learning tool that uses artificial intelligence to provide personalized study support.
Hacktron AI @HacktronAI
4K Followers 11 Following Hacktron is an autonomous vulnerability hunter for ambitious engineering teams. Built by world-class security researchers. Powered by one principle: PoC || GTFO
Brett Adcock @adcock_brett
619K Followers 21 Following @figure_robot (AI robots) @hark_labs (personal AGI) @cover_thz (weapon detection) @flyArcher (flying cars)
Cua @trycua
9K Followers 2K Following Meet the team July 1 - @aiDotEngineer World’s Fair // Try Cua Driver: https://t.co/nteWCCkhI6
Biscuit @OreoB1scuit
3K Followers 487 Following Student of CoMpUtEr sCiEnCe pretending to be a hakur android, web, api bug bounty hunter
Rach @rachpradhan
3K Followers 221 Following @nusingapore '24 | databases → RL infra → financial world models | 12++ solo hack wins (CalHacks,HTN etc.) | angel investor | i like making fast things
GrumpyLord @GrumpyLord36678
539 Followers 72 Following https://t.co/PRRBHBXzsR Username was autogenerated lmao I'm not that Grumpy! Where's my hoodie at Immunefi hahaha?
Superteam Poland @SuperteamPOL
4K Followers 246 Following Building the @Solana ecosystem in Poland 🇵🇱
Jack Lindsey @Jack_W_Lindsey
18K Followers 252 Following Neuroscience of AI brains @AnthropicAI. Previously neuroscience of real brains @cu_neurotheory.
antirez @antirez
70K Followers 795 Following Reproducible bugs are candies. I like programming too much for not liking automatic programming.
Prince Canuma @Prince_Canuma
22K Followers 1K Following Apple MLX King 🤴🏽• Creator of (mlx-audio & mlx-vlm) • Ex-@arcee_ai • @neptune_ai • https://t.co/iZnxoefJBU
Adrien Grondin @adrgrondin
8K Followers 1K Following Apple Platforms @lmstudio building @LocallyAIApp
GitLawb @gitlawb
29K Followers 97 Following The git layer for the AI-native internet. DIDs over accounts. Every commit signed agent or human.
Gadi Evron @gadievron
7K Followers 2K Following CEO & Founder, Knostic. CISO-in-Residence for AI, Cloud Security Alliance. Founder @Cymmetria (acquired). Scifi geek, dance teacher. Opinions my own.
SLOMP 🦄 @ssslomp
1K Followers 681 Following software unc. intentionally underground. power tools and loud music. I guess we doin agents now.