Ph.D. computer security researcher @TrailOfBits. Editor of and frequent contributor to #pocorgtfo. My CV is a PDF that’s also an NES ROM sultanik.com/nesresume/

Joined December 2008
Pinned Tweet
After 6 months and over 5k new lines of 6502 assembly, the Kaizo-style platforming section of the NES game in my résumé is finally done! Yes, among other things, the PDF of my résumé is also an NES ROM. You can download it here for your emulating pleasure: sultanik.com/files/ESultanik…
Evan Sultanik retweeted
We beat Google's quantum circuit again, and we didn't have to forge a proof this time. Today we're releasing trailmix, a toolkit for quantum "kickmix" circuits. It includes 5 new circuits we built for elliptic curve addition, the hardest part of Shor's algorithm.
Evan Sultanik retweeted
Memory Analysis for #Linux has always been a bit hit-or-miss. @trailofbits has released a tool called #mquire that doesn't require debug symbols for the originating Kernel. #MemoryForensics #IncidentResponse #DFIR #DigitalForensics
This made me mirken until I realized the "i" and "e" were swapped.
26 Oct 2025
OED #WordOfTheDay: mirken, v. Shetland. To become dark and gloomy; to grow murky. View the entry: oxford.ly/3Lqld6t
Evan Sultanik retweeted
#BSidesBerlin Speaker Showcase @kiki_morozova explores Weaponizing Image Scaling Against Production AI Systems. @SecurityBSides #AI #Infosec
Evan Sultanik retweeted
Solving the Traveling Salesman Problem for NYC's 474-station subway network, obviously! @ESultanik used Christofides algorithm to find a 20h 42min route through all 474 stations, which would beat the world record by 45 minutes. blog.trailofbits.com/2025/08…
Evan Sultanik retweeted
21 Aug 2025
New post and tool! Attackers can break production AI systems by using image scaling to hide multi-modal prompt injections from users. 🧵for more info on what broke, how this works, and our new tool to try this out yourself
We hacked Gemini CLI, Vertex AI, Assistant, and other AI systems by embedding prompts into images that are not visible to users.
Evan Sultanik retweeted
A wild Buttercup appears! Our @DARPA AI Cyber Challenge CRS is in the @BSidesLV Silent Auction. Bid on this encrypted limited edition!
Evan Sultanik retweeted
Our new whitepaper covers secure-by-design steps that CEXes can take to keep users' accounts (and funds) safe from account takeover (ATO) in 2025. (Read more 👇)
“It came to me in a dream.” Olivier salad roll.
Evan Sultanik retweeted
5 Nov 2024
When working on Magika (Google's AI-powered content-type detection), I checked other file formats KBs and detection engines to create filesets to train the model on. I gave a talk at HackLu to share an overview of the existing engines. speakerdeck.com/ange/overvie…
Any idea why AA’s website is offering itineraries with legs operated by Lufthansa Group? 🤯 @thenonstopdan @AlexInAir
Evan Sultanik retweeted
31 Aug 2024

Evan Sultanik retweeted
It's great to see Multiplier by @trailofbits being open-sourced! github.com/trailofbits/multi… I believe it exemplifies the kind of foundational, next-generation tools we need for proper software understanding, maintenance, and sustainment.
Telegram is _never_ the solution. Friends don't let friends use Telegram. This'll be a thread!
15 May 2019
Why WhatsApp will never be secure telegra.ph/Why-WhatsApp-Will…
Yet another way that Telegram leaks information about who talks to whom: x.com/hkashfi/status/1580625…

13 Oct 2022
Adding this to the long list of reasons why I'd never trust Telegram for anything serious. mastodon.technology/@rysiek/…
Even Telegram “secret chats” can be subverted by the server.
9 May 2024
This is your regular reminder that “secret chats” in telegram rely on server-provided prime numbers (messages.getDhConfig). The server could send “bad” prime numbers to clients and decrypt conversations later. Section 1.2.1 of tel-03245433 theses.hal.science/tel-03245…
Evan Sultanik retweeted
This Wednesday, April 10th, 4:30pm ET: "In Pursuit of Silent Flaws: Dataflow Analysis for Bugfinding and Triage" Evan Sultanik @ESultanik - Trail of Bits @trailofbits ceri.as/sultanik Live on Zoom.
I had to try this myself. @trailofbits was apparently founded by @DanielMiessler and Elijah Savage, not @dguido and @alexsotirov. It is known for having created the fastest open-source password cracker in the world, @shellphish.
Evan Sultanik retweeted
MD5 4d37c6712a2239962005eda3be6367b4