Nick Percoco

@c7five

28,480
Followers
964
Following
1,762
Media
27,849
Statuses

Chief Security Officer at @krakenfx , hacker, @THOTCON OPER, @IamTheCavalry , @DEFCON NOC, @SpiderLabs founder - Opinions are my own, not my employer’s - #bitcoin

The Grid
Joined April 2009
Pinned Tweet
@c7five
Nick Percoco
6 months
In Spring of 1995, I was a Linux user. I had been since late 1993 running Slackware. This was being done on a 386SX processor with 2MB of RAM and 20MB hard disk. There started to be some chatter on USENET about Windows 95 coming out and how it was going to be amazing. I
19
10
89
@c7five
Nick Percoco
2 months
Kraken Security Update: On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.
265
746
5K
@c7five
Nick Percoco
2 years
@MarioNawfal @buda_kyiv We know the identity of the user.
341
678
4K
@c7five
Nick Percoco
24 days
Apparently these guys aren’t worried about hackers at @defcon
162
92
3K
@c7five
Nick Percoco
6 years
Me: That’s a great painting you are working on. 10 yo: Thanks, I learned how to do this from a *YouTuber* I watch. Me: Oh, really? 10 yo: He has this poofy hair and paints stuff like clouds, mountains and trees. Me: Bob Ross? 10 yo: Yeah! Do you know him? Me: 🤣
20
262
2K
@c7five
Nick Percoco
6 years
@AOC Serious question: Are corporate diversity programs tokenism? If so, what is the recommended approach that doesn’t cause more harm than good?
94
56
1K
@c7five
Nick Percoco
2 years
Data for 400 million Twitter users are for sale. Contains emails and phone numbers allegedly obtained via an API vulnerability. The sample posted shows high profile accounts including @VitalikButerin @mcuban and @briankrebs . Stay say, friends. Watch for targeted attacks!
80
520
1K
@c7five
Nick Percoco
4 years
@verge @observacious That’s called an arsonist, not a protestor.
61
31
1K
@c7five
Nick Percoco
2 months
Instead, they demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!
19
33
1K
@c7five
Nick Percoco
2 months
Update: We can now confirm the funds have been returned (minus a small amount lost to fees).
@c7five
Nick Percoco
2 months
Kraken Security Update: On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.
265
746
5K
78
88
1K
@c7five
Nick Percoco
2 years
After what we learned about the lack of basic security hygiene at Twitter and the telegraphing that today was coming, I’m genuinely curious how @elonmusk is balancing the risk that multiple reverse shells haven’t been planted by 1 of the 1000s outgoing Engineering team members.
66
147
1K
@c7five
Nick Percoco
2 months
We’ll not disclose this research company because they don’t deserve recognition for their actions. We are treating this as a criminal case and are coordinating with law enforcement agencies accordingly. We’re thankful this issue was reported, but that’s where that thought ends.
14
17
1K
@c7five
Nick Percoco
5 years
Top password in this dump: “password” #2 password: “correct horse battery staple”
@haveibeenpwned
Have I Been Pwned
5 years
New breach: XKCD had 562k accounts breached last month. The phpBB forum exposed email and IP addresses, usernames and passwords stored in MD5 phpBB3 format. 58% of addresses were already in @haveibeenpwned
23
457
728
15
223
974
@c7five
Nick Percoco
2 months
As a security researcher, your license to “hack” a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your “license to hack”. It makes you, and your company, criminals.
11
33
888
@c7five
Nick Percoco
2 months
Instead, the ‘security researcher’ disclosed this bug to two other individuals who they work with who fraudulently generated much larger sums. They ultimately withdrew nearly $3 million from their Kraken accounts. This was from Kraken’s treasuries, not other client assets.
16
48
843
@c7five
Nick Percoco
2 months
Our Bug Bounty program continues to be a vital shield in Kraken’s mission and a key part of our efforts to enhance the overall security of the crypto ecosystem. We look forward to working with good faith actors in the future and consider this as an isolated experience.
31
9
827
@c7five
Nick Percoco
2 months
In the essence of transparency, we are disclosing this bug to the industry today. We are being accused of being unreasonable and unprofessional for requesting that “white-hat hackers” return what they stole from us. Unbelievable.
11
15
796
@c7five
Nick Percoco
22 days
The @defcon 32 badge is not only a GameBoy Color, it can also be a PalmOS device. It has a touch screen! My Graffiti skills are non-existent but character input does work. #defcon #defcon32
32
119
799
@c7five
Nick Percoco
2 years
It took a lot of work, but I finally cracked the @defcon 30 badge. Volume up! #DEFCON30 #DEFCON
21
111
749
@c7five
Nick Percoco
4 years
@HamillHimself Who’s this?
45
10
733
@c7five
Nick Percoco
2 months
We have had a Bug Bounty program in place at Kraken for nearly ten years. This program is run internally and is fully staffed by some of the brightest minds in the community. Our program, like many others, has clear rules of the road… 1. Do not exploit more than you need to in
15
15
725
@c7five
Nick Percoco
1 month
@George_Kurtz My thoughts are with you and your team in this nightmare situation. If you take a few seconds to step back and look at this from outside your situation room: This is certainly both a security and cyber incident with the threat actor being @CrowdStrike . 10s of 1000s of companies
22
45
714
@c7five
Nick Percoco
2 months
We triaged this vulnerability as Critical and within an hour, 47 minutes to be exact, our team of experts had mitigated the issue. Within a few hours, the issue was completely fixed and could not reoccur again.
3
10
708
@c7five
Nick Percoco
3 years
@CDCgov As a dad, please advise on the proper recovery technique of seeing your child shit down the water slide.
34
11
688
@c7five
Nick Percoco
2 months
This individual discovered the bug in our funding system, and leveraged it to credit their account with $4 in crypto. This would have been sufficient to prove the flaw, file a bug bounty report with our team, and collect a very sizable reward under the terms of our program.
9
8
586
@c7five
Nick Percoco
2 months
To be clear, no client’s assets were ever at risk. However, a malicious attacker could effectively print assets in their Kraken account for a period of time.
12
10
580
@c7five
Nick Percoco
2 months
Within minutes we discovered an isolated bug. This allowed a malicious attacker, under the right circumstances, to initiate a deposit onto our platform and receive funds in their account without fully completing the deposit.
7
9
577
@c7five
Nick Percoco
2 months
After patching the risk, we thoroughly investigated the situation and quickly discovered that 3 accounts had leveraged this flaw within a few days of each other. As we dug deeper, we noticed that one account was KYC’d to an individual who claimed to be a security researcher.
2
7
530
@c7five
Nick Percoco
2 months
In turn, we requested a full account of their activities, a proof of concept used to create the on-chain activity, and to arrange the return of the funds that they had withdrawn. This is common practice for any Bug Bounty program. These security researchers refused.
2
6
528
@c7five
Nick Percoco
2 months
Everyday we receive fake bug bounty reports from people claiming to be “security researchers”. This is not new to anyone who runs a bug bounty program. However, we treated this seriously and quickly assembled a cross functional team to dig into this issue. Here is what we found.
4
5
526
@c7five
Nick Percoco
2 months
Our team found a flaw deriving from a recent UX change that would promptly credit client accounts before their assets cleared - allowing clients to effectively trade crypto markets in real time. This UX change was not thoroughly tested against this specific attack vector.
16
9
522
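The two tweets above (a deposit credited to the account before it fully completes, and the UX change that credited clients before their assets cleared) describe a settlement-ordering flaw: spendable balance is granted at deposit initiation rather than at deposit confirmation. The following is an added illustration and is not Kraken's code, nor a reconstruction of the actual bug. It is a toy in-memory ledger in which a "vulnerable" class credits the withdrawable balance at initiation, shown beside a "hardened" class that keeps provisional credit usable for trading but not for withdrawal, and reverses it if the deposit fails. All class names, user names, deposit ids and amounts are invented for the example.

```python
"""Toy ledger showing a deposit-crediting flaw (account credited before the
deposit has cleared) next to a corrected version.  Added example, not
Kraken's code; every class, user, deposit id and amount here is made up."""
from dataclasses import dataclass, field


@dataclass
class Account:
    settled: float = 0.0   # deposits that have fully cleared; withdrawable
    pending: float = 0.0   # provisional credit for deposits still clearing
    open_deposits: dict = field(default_factory=dict)  # deposit_id -> amount


class VulnerableLedger:
    """Credits the withdrawable balance as soon as a deposit is *initiated*,
    so a deposit that never completes still leaves spendable funds behind."""

    def __init__(self):
        self.accounts = {}
        self.paid_out = 0.0  # real assets that have left the exchange

    def account(self, user):
        return self.accounts.setdefault(user, Account())

    def initiate_deposit(self, user, deposit_id, amount):
        # "Prompt credit" shortcut: straight into the settled balance.
        self.account(user).settled += amount

    def confirm_deposit(self, user, deposit_id):
        pass  # already credited at initiation

    def fail_deposit(self, user, deposit_id):
        pass  # defect: the early credit is never reversed

    def withdrawable(self, user):
        return self.account(user).settled

    def withdraw(self, user, amount):
        if amount > self.withdrawable(user):
            raise ValueError("insufficient withdrawable funds")
        self.account(user).settled -= amount
        self.paid_out += amount
        return amount


class HardenedLedger(VulnerableLedger):
    """Keeps provisional credit separate: usable for trading, but only
    settled funds can leave the platform, and a failed deposit is reversed."""

    def initiate_deposit(self, user, deposit_id, amount):
        acct = self.account(user)
        acct.pending += amount
        acct.open_deposits[deposit_id] = amount

    def confirm_deposit(self, user, deposit_id):
        acct = self.account(user)
        amount = acct.open_deposits.pop(deposit_id)
        acct.pending -= amount
        acct.settled += amount

    def fail_deposit(self, user, deposit_id):
        acct = self.account(user)
        amount = acct.open_deposits.pop(deposit_id)
        acct.pending -= amount  # reversal; goes negative if already traded away

    def tradeable(self, user):
        acct = self.account(user)
        return acct.settled + acct.pending  # real-time trading benefit kept


def attacker_scenario(ledger_cls):
    """Initiate a deposit, try to withdraw before it clears, then let the
    deposit fail.  Returns (amount the attacker got out, total paid out)."""
    ledger = ledger_cls()
    ledger.initiate_deposit("mallory", "dep-1", 1000.0)
    try:
        got = ledger.withdraw("mallory", 1000.0)
    except ValueError:
        got = 0.0
    ledger.fail_deposit("mallory", "dep-1")  # the deposit never completes
    return got, ledger.paid_out


def honest_scenario(ledger_cls):
    """A deposit that does clear must still be fully withdrawable."""
    ledger = ledger_cls()
    ledger.initiate_deposit("alice", "dep-2", 250.0)
    ledger.confirm_deposit("alice", "dep-2")
    return ledger.withdraw("alice", 250.0)


if __name__ == "__main__":
    print("vulnerable:", attacker_scenario(VulnerableLedger))  # (1000.0, 1000.0)
    print("hardened:  ", attacker_scenario(HardenedLedger))    # (0.0, 0.0)
```

The point of the split between `pending` and `settled` is that the product goal (trade immediately on an incoming deposit) does not require the dangerous property (withdraw immediately). Whatever state machine the real funding system uses, the test a practitioner would add is the one `attacker_scenario` encodes: a deposit that is initiated and then never confirms must not increase the amount that can leave the platform.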
@c7five
Nick Percoco
2 months
We have never had issues with legitimate researchers in this way and are always responsive.
1
3
451
@c7five
Nick Percoco
2 months
The initial Bug Bounty report did not fully disclose this transaction information, so we contacted the security researchers to confirm some details to progress with rewarding them for successfully identifying a security flaw on our platform.
3
3
449
@c7five
Nick Percoco
2 years
@StackerSatoshi We know the identity of this account.
42
35
370
@c7five
Nick Percoco
30 days
If you are headed to @defcon , it’s vital that you bring a burner phone. Why? Because hackers. Show me your burner (wrong answers only) - I’ll start: #defcon32
78
29
362
@c7five
Nick Percoco
2 years
In the last 24 hours, I’ve gained 8,000 new followers. Most of you found yourself here because of a single sentence tweet I wrote yesterday morning. You probably never knew who I was, but decided to follow to see what I’ll say next. Here’s an introduction to who I am:
33
11
273
@c7five
Nick Percoco
9 days
@KimDotcom You are assuming deleting messages actually deletes the data. Not likely.
9
4
289
@c7five
Nick Percoco
2 years
Confused by the @dotMudge whistleblow. When you are hired to lead security at a company, you are undoubtedly going to inherit problems like described in the article. It’s your job to lead through constant improvement to a better, more secure place & reduce risk. It’s hard work.
15
20
273
@c7five
Nick Percoco
2 years
@MarioNawfal @buda_kyiv Update: I’ve been told that @FTX_Official or @SBF_FTX will be making a public statement regarding the sweeping of the Tron wallet in question and them utilizing funds from their verified @krakenfx account to complete this transaction.
62
61
254
@c7five
Nick Percoco
2 years
Until @elonmusk purchased Twitter and seemingly started to dismantle the unfairness on the platform, people who claimed they had been shadow-banned, removed from searches, or had followers removed were often told those features didn’t exist at Twitter. 🧵 #TWITTERGATE
16
33
223
@c7five
Nick Percoco
1 month
@VP You left out the part of your message where you write: “I am asking that the individuals who damaged monuments and property be identified, arrested and prosecuted to the fullest extent of the law.” Otherwise your statement means nothing and you are supporting their actions.
7
12
196
@c7five
Nick Percoco
3 years
Working to massively scale a team at @krakenfx to do some amazing things in crypto for our clients. I’m hiring *30* front end engineers with React skills. Fully remote. Global. Get paid in #Bitcoin Apply:
40
86
182
@c7five
Nick Percoco
4 years
Next debate needs dog shock collars.
8
16
179
@c7five
Nick Percoco
1 year
@elonmusk Is it OK for humans to impersonate bots?
16
6
177
@c7five
Nick Percoco
3 years
@wikileaks @BriarApp Never used this app so I can’t comment on the security effectiveness of it, but I’m pretty certain Julian can’t either.
3
3
172
@c7five
Nick Percoco
2 years
@elonmusk So instead of just visible to the OP, impressions will be visible to all? Good way to identify a shadow banned account.
8
9
170
@c7five
Nick Percoco
2 years
BRB I’m all out of popcorn. 🍿
12
8
171
@c7five
Nick Percoco
6 years
I’ve been in InfoSec for 20+ yrs professionally. Before it was 10+ yrs of BBS & IRC. Women were there the entire time. The problem has never been with the minority of women in the “community” but with the acceptance of the minority of men who act like fucking morons.
4
37
172
@c7five
Nick Percoco
11 years
iOS 7: "Siri, are you going to sell my fingerprints to the NSA?" http://t.co/mwDJbtBBMq
30
755
171
@c7five
Nick Percoco
4 years
Yesterday’s Twitter takeover is one of the best examples of why world leaders should not be making official statements or announcements on social media. Do it live, in front of cameras from multiple media agencies and allow people to confirm the legitimacy of the statements.
6
51
174
@c7five
Nick Percoco
2 years
It’s @dualcoremusic at @defcon 30. Performing the quintessential hacker anthem. #DEFCON30 #defcon
8
25
170
@c7five
Nick Percoco
2 years
So a guy is banned from @defcon for abusing. He is friends w/ CEO of a company that’s presenting sponsor of @BSidesCleveland . The con puts bad guy on as a “special guest”. The CEO is a keynote & people hope he denounces the situation, but he tucks & runs from the event instead.
19
15
169
@c7five
Nick Percoco
2 years
Kinder Surprise Eggs are banned in America. Trying to bring one into the country can result in a $2,500 fine per egg. This Congress-passed law exists because Kinder Eggs and similar might cause children to choke. It’s more difficult to get candy than a gun in America.
9
35
172
@c7five
Nick Percoco
2 years
One lesson learned by the @dotMudge testimony: If you are offered a cybersecurity executive leadership position at a company and you won’t have actual authority over basic security policies, security hygiene, policy enforcement and access control, don’t take the fucking job.
9
33
170
@c7five
Nick Percoco
2 months
This is the last message in this thread. If you want to read it from the beginning, start here:
@c7five
Nick Percoco
2 months
Kraken Security Update: On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.
265
746
5K
8
4
168
@c7five
Nick Percoco
1 month
Headed to #Bitcoin2024 in Nashville? Remember criminals are looking to capitalize on the concentration of Bitcoiners there. You represent something they value, and it is no secret you will be in town. Tweeting your hotel location, bars you are at (while you are there), etc could
6
26
167
@c7five
Nick Percoco
7 years
This is (by far) the best hacker culture swag item at @defcon this year. Likely lost on most. Thanks to @wbm312 for pulling it off.
19
34
159
@c7five
Nick Percoco
3 months
Today, we’ve announced a new initiative to accelerate the token listing process at @krakenfx - the goal here is to provide the crypto community and project teams with transparency & simplicity when navigating the process needed to become listed on our exchange.
90
16
151
@c7five
Nick Percoco
5 years
ATTN: There is an organized crime group actively targeting members of the #cryptocurrency industry. You MUST remove mobile phone numbers from your personal email, work email & exchange/bank account recovery processes NOW! 1/ #crypto #bitcoin
9
95
144
@c7five
Nick Percoco
1 year
@elonmusk Try again on 4/20.
14
2
137
@c7five
Nick Percoco
2 years
Wait until you learn about what people do with Excel
8
26
141
@c7five
Nick Percoco
2 years
Over the last decade, I ran services at @rapid7 , was the CSO at @Uptake and now run Security, IT & Engineering at a top 3 crypto exchange. It’s been a fun ride & the recent events have certainly been stressful and exciting. I’m optimistic about the future. Thanks for reading.
12
2
141
@c7five
Nick Percoco
1 month
Pro Tip: If a celebrity is launching a token, it’s a scam.
15
12
134
@c7five
Nick Percoco
30 days
I’m attending my 25th @defcon this year. I’ve been a speaker 10 times and ran a contest for 6 years. This year is my 8th year as a @DEFCON_NOC Goon. I can’t wait to catch up with friends from the hacker community in a few days!
13
11
134
@c7five
Nick Percoco
6 years
@RachelTobac @defcon This happened to a family member’s computer back then - I think it was an eMachine as well. It wasn’t a virus. It was a feature of your BIOS. When your computer’s fans start to fail or get clogged by dust, it would play that music through your speakers.
2
25
128
@c7five
Nick Percoco
3 years
@ErrataRob I use my neighbors’ open wifi for doing things that aren’t trustworthy.
5
1
120
@c7five
Nick Percoco
10 months
. . : : The Hacker's Manifesto : : . . Another one got caught today, it's all over the papers. "Teenager arrested in computer crime scandal", "Hacker arrested after bank tampering"... Damn Kids. They're all alike. But did you, in your three-piece psychology and 1950's
9
43
122
@c7five
Nick Percoco
4 years
I was on a @united flight on Sept 11th, 2001 that departed Chicago around the same time as the hijacked flights that left Boston. I was headed to Detroit for a client engagement. I still have the ticket today. (a thread) #September11th
2
14
119
@c7five
Nick Percoco
2 years
Gotta close out the week strong
@AutismCapital
Autism Capital 🧩
2 years
🚨 ALERT: High probability insiders at FTX are currently trying to run off with funds. Both FTX and FTX US wallets have now been affected and commingled. The current amount being laundered is ~$380M. Please share information below. Let's crowdsource this.
1K
4K
14K
5
10
103
@c7five
Nick Percoco
3 years
Cool Job Alert: I’m hiring a Cloud Security Engineer for my team at @krakenfx . Fully remote. Option to get paid in #Bitcoin and/or #Ethereum .
59
86
87
@c7five
Nick Percoco
2 months
In 30 years, the German government will look back at 2024 and say “WTF were we thinking?” (but in German) #Bitcoin #HODL
28
10
114
@c7five
Nick Percoco
2 years
@elonmusk End to End encrypted DMs.
2
2
102
@c7five
Nick Percoco
1 year
@SwiftOnSecurity Got this exact same text on one of my lines today. I was laughing because that’s a clever way to confuse almost everyone. I bet it has a higher success rate. This scammer is probably over 40. 😂
2
2
103
@c7five
Nick Percoco
5 years
I love it when a small change makes a big impact. Last week, we announced new Two Factor Authentication (2FA) requirements for @krakenfx clients. In just 7 days, over 10,000 clients have upgraded their account security to enable 2FA for login. #kraken #crypto #security
14
12
93
@c7five
Nick Percoco
3 years
About a decade ago, a @thotcon attendee handed me these custom lock picks after the closing ceremony. They have the original conference logo and my handle on them. If you made these, please reach out.
6
16
100
@c7five
Nick Percoco
1 month
If you are a tech company providing a free service to the entire planet, you need to weed out individuals in your org who think erasing a U.S. President from their platform is some moral crusade they are leading. It completely erodes trust in the platform itself and calls into
11
7
102
@c7five
Nick Percoco
5 years
Having done consulting gigs for Las Vegas casinos, this comes as no surprise for Fremont Street. A decade ago, even the strip casinos had flat networks. Plug into the 4 port switch behind the quick service register selling pizza & the casino network was yours to “explore”.
@LasVegasLocally
Las Vegas Locally 🌴
5 years
The computer networks at two Fremont Street casinos — Four Queens and Binion's — were hacked last night, according to multiple sources. Slot machines, player loyalty programs, credit card processing, hotel reservations, and ATMs were all affected.
38
210
481
12
28
98
@c7five
Nick Percoco
6 years
@Jaku @elonmusk I’m disappointed that the seat occupancy sensors are not used to trigger farts. @elonmusk Next update?
3
4
97
@c7five
Nick Percoco
2 years
* stay “safe” 😂
1
2
97
@c7five
Nick Percoco
5 years
netcat was released 23 years ago. Might explain why there are researchers that never heard of it.
13
17
99
@c7five
Nick Percoco
2 years
Honored to accept this @CSOonline #CSO50 award on behalf of the @krakenfx security program. It was fun and rewarding to lead such a talented and passionate team that resulted in our project entry.
32
68
89
@c7five
Nick Percoco
2 months
49
23
0
97
@c7five
Nick Percoco
9 months
None of @krakenfx apps or services utilize @Ledger Connect Kit. Your funds are safe and you are safe to move funds to/from our platform.
11
9
81
@c7five
Nick Percoco
5 months
The information security world went from telling people to never scan QR codes due to potential mobile exploits to making it a core part of Passkeys. That QR code threat must have disappeared or maybe it wasn’t as large as the noise everyone was making about it. 🤔
12
32
97
@c7five
Nick Percoco
5 years
@HamillHimself My money is on Shmi.
2
0
90
@c7five
Nick Percoco
6 years
@elonmusk When merging in traffic on an expressway, blinker detection in Autopilot would be great. Allow the driver to customize their mood on a sliding scale between “dick” and “doormat”.
4
2
87
@c7five
Nick Percoco
1 month
@enjojoyy Yes, this is a tragedy. Computer crimes often receive harsher sentences than rapists and murderers.
3
3
94
@c7five
Nick Percoco
3 years
“The Matrix” for @Apple II - source in thread #TheMatrix
4
18
86
@c7five
Nick Percoco
4 years
@oculus Thanks for giving me a single way to log into Oculus. I wonder how I was doing this previously. 🤔 Could it have been my fucking OCULUS account?
0
0
88
@c7five
Nick Percoco
5 years
TIL: @defcon badges are actually made of rock candy and they are DELICIOUS.
7
11
91
@c7five
Nick Percoco
4 years
If you have a knack for cryptocurrency, security and working with clients, an Account Security Specialist position at @krakenfx might be perfect for you. We are looking to hire 10 people for this #job globally - ASAP. Fully remote - get paid in #bitcoin
22
20
84
@c7five
Nick Percoco
4 years
Here we go!
@krakenfx
Kraken Exchange
4 years
NEW: Kraken Wins Bank Charter Approval
196
1K
4K
2
9
78