I'm extencil. Brazilian. Security researcher, infrastructure builder.

WHERE TO FIND ME

If I don't reply to you via email, I'm dead

A free mail forwarding service. Around 50 domains. No logs. No alias caps. No freemium theater. Unlicense, open source, auditable end to end. Phrack, team-teso/THC, eurocompton, antisec and others route aliases through it.

I ethically hacked

  • 2026, dns2tcp-gateway, ohmymex/dns2tcp-gateway (Hall of Fame)
  • 2023, segfault.net, hackerschoice/segfault (Hall of Fame)
  • 2024, Qualitor, CVE-2024-44849 — unauthenticated RCE
  • 2021, LinkedIn — spam delivered through LinkedIn's own SMTP, Premium or not.
  • 2021, Brazilian Army enlistment portal — session takeover on Gov.br-connected accounts. Password optional.
  • 2021, Enem / INEP — source disclosure plus unauthenticated pivots against government-hosted apps, bypassing the expected proxy path.
  • OpenBugBounty quality badge for reports on 10+ named public sites.

WHAT I DO

  • network edge hardening
  • email infrastructure and alias flows — abuse surfaces, counter logic, policy
  • deployment and service reliability with predictable failure modes
  • defensive automation for public-facing systems
  • proxy and routing layers with explicit trust boundaries
  • developer tooling that cuts repetitive operator work