Kaizen

Joined August 2022
59 Photos and videos
Oluwaseun 💻 retweeted
Time for another giveaway! We will pick 6 winners to win one of the following:
1x Annual VIP @hackthebox_eu Licence
5x @PentesterLab 3 Month Licences
To enter:
1️⃣ Follow us @BugBountyDefcon
2️⃣ Like this post ❤️
3️⃣ Re-tweet this post 🔁
Giveaway open until Monday June 15th! GOOD LUCK!
102
368
477
18,220
Oluwaseun 💻 retweeted
Bootcamp Giveaway
We're giving away 1 CARTP® Bootcamp seat and 1 CRTP® Bootcamp seat to two participants. Join live, hands-on training in Azure Red Teaming or Active Directory security.
How to participate:
• Like & follow us
• Comment your preferred bootcamp and why
• Repost
Winners announced June 4, 2026
Limited-Time Bonus: Enroll in CARTP® (Starts June 5) or CRTP® (Starts June 6) and get 10 extra days of lab access (worth $150). Applicable for the first 30 purchases only.
alteredsecurity.com/bootcamp…
#CyberSecurity #RedTeaming #InfoSec #AlteredSecurity
72
62
83
4,475
Oluwaseun 💻 retweeted
New banger from @thefosi: HTTP/2 framing WAF bypasses across six proxies. Use it wisely while you can. :p lab.ctbb.show/research/h2-WA…
2
21
194
8,297
Oluwaseun 💻 retweeted
i hope my sister gets everything she wants in life.
100
6,183
20,474
300,365
Oluwaseun 💻 retweeted
🚨Cyber Alert ‼️ 🇳🇬Nigeria - NNPC Health Maintenance Organisation
XP95 hacking group claims to have breached NNPC Health Maintenance Organisation.
Threat actor: XP95
Sector: Financial / Insurance
Data exposure (claimed): 200,000 user records
Data type: Personal data
Observed: Apr 08, 2026
Status: Pending verification
ESIX©: 5.73
Full details and impact assessment on HackRisk.io
9
48
139
36,234
Oluwaseun 💻 retweeted
Malware Analysis Tutorials: a Reverse Engineering Approach fumalwareanalysis.blogspot.c…
3
134
654
25,927
Oluwaseun 💻 retweeted
🚨Cyber Alert ‼️ 🇳🇬Nigeria - Industrial Training Fund (ITF)
NormalLeVrai claims to have breached an Industrial Training Fund employee's email, allegedly accessing 92 government files including emails, financial records (2019–2026 salaries), budgets, internal documents, and employee/contact data.
Threat actor: NormalLeVrai
Sector: Gov / Mil / LE
Data exposure (claimed): Not specified
Data type: Emails, financial records and employee data
Observed: Apr 2, 2026
Status: Pending verification
ESIX©: 5.79
Full details and impact assessment on HackRisk.io
20
64
186
74,589
Oluwaseun 💻 retweeted
I finished the Hack the Box COAE cert the day it came out (by about an hour lol) report and all, really was going for first globally. Gonna be close if nothing else! Review coming next week for the cert portion. If you're interested in a review of the AI red teaming course, that is already live on my personal website. I thoroughly enjoyed the course and test, saying it opened my mind to a deeper level of systems thinking overall would not be an understatement.
29
15
262
24,245
Oluwaseun 💻 retweeted
coming here to casually drop that I passed the OSCP exam and maybe the ultimate reason I went offline, I have a lot to write, but first I would like to say thank you to every one of you, my community for your support, this is by far one of the nicest things to happen to me,
183
105
997
37,320
Oluwaseun 💻 retweeted
FCMB: Sophisticated API exploitation resulted in the successful siphoning of ₦677 million from a ₦3.5 billion fraudulent attempt.
Sterling Bank: A critical middleware vulnerability enabled the exfiltration of sensitive PII for over 900,000 customers.
Remita: A massive cloud misconfiguration exposed 3TB of archival data, including transaction logs and infrastructure blueprints.

Here is a clean technical breakdown of these incidents:

1. FCMB: The ₦3.5 Billion Heist
This was a logic based exploitation of the bank's digital transaction pipeline.
Attackers identified a flaw in the API reconciliation layer, specifically involving the Payattitude integration.
By exploiting this vulnerability, hackers initiated transactions that the system validated as successful even though the source accounts were unfunded. This is known as a Zero Balance or Double Spend exploit.
While the system eventually flagged the anomaly at the ₦3.5 billion mark, the latency in the bank's real-time fraud monitoring allowed ₦677 million to be successfully routed to mule accounts and withdrawn before the kill switch was activated.

2. Sterling Bank: The 900k Record Exfiltration
This event was kinda like a Network Intrusion targeted at customer identity data, allegedly carried out by the threat actor ByteToBreach.
The breach targeted a critical vulnerability in the Oracle WebLogic Server. This middleware sits between the public facing applications and the bank's private databases.
Attackers bypassed authentication to extract roughly 2.2 GB of data.
The data contained Personally Identifiable Information (PII) for over 900,000 customers, including names, contact details, and internal Customer Information File (CIF) numbers.
This data is highly valuable for "Social Engineering 2.0", where scammers use real account details to trick victims into revealing OTPs or other lateral valuable infos.

3. Remita: The 3TB S3 Infrastructure Exposure
This was a Critical Cloud Misconfiguration representing one of the largest infrastructure level exposures in the Nigerian fintech space.
A massive Amazon S3 Bucket (Cloud Storage) was left in a Public Read state. This meant the data was accessible to anyone with the endpoint URL, requiring no hacking tools or passwords to download.
The volume, 3 Terabytes, indicates an entire archival Data Lake was exposed. This typically includes millions of individual files and logs accumulated over years.
800GB of KYC Documents, Massive troves of sensitive personal data, including Passports, Government IDs, Bank Statements, and Utility Bills
Core Databases: Full exports of MySQL and Postgres databases, including three primary databases and over 35,000 password hashes
The Master Keys: Exposure of Government HSM (Hardware Security Module) keys, which are used to encrypt and authorize high-level financial transactions
Developer Blueprints: Source code, Docker registries, and GitKraken-to-S3 backups, providing a literal how-to guide for attackers to find further vulnerabilities in the system's logic
The exposure included transaction archives, RRR (Remita Retrieval Reference) metadata, and internal system logs. Most dangerously, logs of this size often leak secrets such as API keys and session tokens, which provide a roadmap for attackers to move laterally into other connected financial systems.

what can we do
32
161
401
41,775
Oluwaseun 💻 retweeted
‼️🇳🇬 A massive breach allegedly from Remita, a major Nigerian payment processing platform, has been leaked on a popular cybercrime forum.
▪️ Total Size: ~3TB of S3 storage
▪️ Data Includes: 800GB of KYC documents (IDs, passports, photos, bank statements, electricity bills), MySQL/Postgres databases, logs, docker registries, source codes, government HSM keys, GitKraken to S3 backups
▪️ Source codes, 35,000 password hashes, and three databases
132
654
1,302
479,675
Oluwaseun 💻 retweeted
🚨Cyber Alert ‼️ 🇳🇬Nigeria - Sterling Bank Ltd
Threat actor ByteToBreach claims to have breached Sterling Bank Ltd, alleging the compromise of customer and employee data linked to approximately 900,000 accounts and over 3,000 staff.
Threat actor: ByteToBreach
Sector: Financial / Insurance
Data exposure (claimed): 900,000 customer accounts and 3,000 employee records
Data type: Banking records, identity documents (BVN, NUBAN, passport and driver's licence), transaction histories, loan records, credit scores, and employee data
Observed: Mar 27, 2026
Status: Pending verification
ESIX©: 6.18
Full details and impact assessment on HackRisk.io
47
265
525
128,568
Oluwaseun 💻 retweeted
Cybersecurity is not about what you know, it is about what you can do
👉 Limited-time offers: bit.ly/4bAakbY
Build real skills with hands-on labs and certification prep before March 26.
#CyberSecurity #InfoSec #TechSkills
1
1
537
Oluwaseun 💻 retweeted
AV/EDR Lab Environment Setup
A curated list of various resources helpful in building own malware-centric research lab.
A post by Udayveer Singh (@m4lici0u5)
Source: an0nud4y.notion.site/AV-EDR-…
#redteam #blueteam #maldev #malwaredevelopment
1
98
351
12,011
Oluwaseun 💻 retweeted
Mar 18
Hi @RaenestApp I am a Security Engineer and a student. The essential Item missing from my setup is a powerstation. An itel 1kWh Power Tank solar panel would help me stay consistent, research more, and keep improving. Thank you🥹 fash335200 #RaenestMakeAWish #raenestat
1
21
58
1,633
Oluwaseun 💻 retweeted
Mar 17
🚩 Excited to share that I've earned the @hackthebox_eu CPTS certification. 10 intense days — completed 12/14 objectives and submitted a 100 page commercial-grade report. Tough but incredibly rewarding. 💪 #CPTS #HackTheBox #PenTesting #OffensiveSecurity
25
16
297
7,067
Oluwaseun 💻 retweeted
Feb 23
Meet Onipede Abdulhakeem Security Engineer & Founder of OSCG. Passionate about Offensive Cybersecurity and empowering students to thrive in tech. Get ready to learn, grow, and level up. 🚀 #MeetTheSpeaker #CyberSecurity #OSCG
3
8
138
Oluwaseun 💻 retweeted
Critical: Client-Side Encryption Collapse
site.com
↓
some_javascript.js
↓
Line no 80519 → encObj base64 key
↓
atob(val) → "Encoded_Password"
↓
CryptoJS.AES.decrypt(encObj, passphrase)
↓
55 configuration properties → 107 operational secrets exposed
→ Azure AD client_secret → OAuth client_credentials flow
→ RSA public keys → Forge encrypted /enc/ API requests
→ HMAC key → Backend-accepted payload signing
→ Direct Line token → Production chatbot access
→ Monitoring / RUM keys → Telemetry manipulation
→ Auth0 reCAPTCHA config → Auth flow manipulation
→ 31 encrypted authentication endpoints mapped
↓
Use extracted Azure AD credentials
↓
Request token from Microsoft OAuth endpoint (client_credentials)
↓
Receive valid JWT with high-privilege role (e.g., AllAccess)
↓
“Super token” accepted by backend across protected API routes (No user interaction required, role-based authorization granted)
↓
All sensitive authentication and account endpoints were wrapped in client-side hybrid encryption
→ Every request payload encrypted in browser
→ AES-256-CBC used for body encryption
→ RSA-OAEP used to wrap per-request AES key
→ Server accepts any request that decrypts successfully
→ Decryption success treated as implicit authorization
↓
Reverse-engineer encryption module (@**6246)
→ Algorithm: AES-256-CBC RSA-OAEP (SHA-512)
→ Random 32-byte AES key per request
→ IV derived client-side
→ AES key wrapped with embedded RSA public key (promocode_pem)
→ Final format: { "key": base64(RSA_key), "body": hex(AES_ciphertext) }
↓
Hook JSON.stringify XMLHttpRequest
↓
Capture plaintext BEFORE encryption (credentials, OTPs, tokens)
Capture encrypted wrapper AFTER encryption
Capture correlated server responses
↓
Analyze MFA implementation
↓
IP-based rate limiting only (lockout resets on IP change)
OTP expiration not strictly enforced server-side
Encrypted payload fields trusted after decryption
↓
Mass takeover method
↓
1. Trigger MFA or password reset
2. Rotate IP to bypass rate limiting
3. Reuse or brute-force OTP under weak enforcement
4. Complete password reset flow
5. Authenticate as victim
6. Capture decrypted OTP and auth tokens via runtime hook
7. Reuse valid 2FA tokens for subsequent authenticated requests
↓
Full attack chain achieved:
→ Extract secrets from client bundle
→ Generate high-privilege JWT (“super token”)
→ Read any plaintext request (credentials, PII, tokens)
→ Forge any encrypted request the server will accept
→ Bypass MFA protections via IP rotation
→ Reset victim passwords
→ Decrypt authentication flows in runtime
→ Mass account takeover
23
147
961
89,258
Oluwaseun 💻 retweeted
Feb 21
Meet Our Speaker: Nafiu Abdulmalik Offensive Security Engineer & OSCG co-founder, passionate about empowering the next generation of cybersecurity professionals. Bringing real-world experience and practical insights to A Day In The Life Series 🛡️✨
8
16
254