Jump to content

The Romanian Teen Hacker Who Hunts Bugs to Resist the Dark Side

Recommended Posts

The Romanian Teen Hacker Who Hunts Bugs to Resist the Dark Side


IT’S 3 AM, and his eyes are almost closed. The pack of gummy bears on his desk is empty. So’s the Chinese takeout box. Romanian white hat hacker Alex Coltuneac has had three hours of sleep tonight. And last night. And the night before that. He’s busy trying to find a vulnerability in YouTube live chat, which he plans to report to the company and hopefully get some money in return. None of the bugs he has discovered in the past few days electrifies him, so he keeps digging.


In the past four years, Coltuneac has gotten bug bounty payments from Google, Facebook, Microsoft, Adobe, Yahoo, eBay, and PayPal for flaws he reported. Such bounty programs are a chance for Eastern European hackers like him to pursue a legitimate career in cybersecurity.


And he’s only 19 years old. In a country better known for cybercrime, the teenager is part of small but growing cohort of hackers who are deciding to play it nice. This is a departure for the hacking community of Romania, known for such hits as the hackers Hackerville and Guccifer, and fraudsters who steal money from American bank accounts, perpetrate eBay frauds, and land themselves on the FBI’s most wanted list.

Coltuneac is a freshman at the Babes-Bolyai University in Cluj-Napoca, where he learns Computer Science taught in English. Raised by a family who emphasized honest values, he started using a computer when his was 6. First, he taught himself how to play games, but as he got older he began to see the computer’s potential as a tool to make money. He spent his early teenage years watching fellow Romanian hackers make astounding sums of money selling exploits on the black market. They were able to rake in thousands of US dollars with just a few clicks, far more than Coltuneac’s parents made in a month.  He was a good kid, from a good family. He didn’t want to join them. But he did want to pay for college.


The allure of that life was powerful.


Which is why he was so grateful to find out about bug bounty programs when he was 15. They pay enough to  keep his conscience clear and his bank account full. Bounties cover the cost his education and living expenses, so “there’s no excuse to break the law,” he said.

Coltuneac won’t say how much he earns as a vulnerability hunter, yet gifted white hat hackers doing the same kind of job brag about making in a lucky month about $6,000. That’s how much an ordinary Romanian earns in a year. The average take home pay in the country was about $520 a month this March, one of the lowest in the European Union.

On the white market, a flaw found and reported legitimately is priced at a few hundred dollars, enough for Coltuneac to pay his rent this month. Sensitive ones are often rewarded with several thousand dollars. In very few cases, the bounty exceeds $100,000. He’s constantly hoping to find one of those. And that sum is still far less than what he would get if he sold the same vulnerabilities on the gray or black markets. (Gray markets sell exploits to nations and corporations to use against their foe; black markets sell to the highest bidder, often criminals.) Zerodium, a gray hat vulnerability broker working with law enforcement and intelligence agencies, awards a hacker up to $500,000 for a high-risk bug with fully functional exploit.


Patching Giants

Coltuneac started hunting vulnerabilities when he was 15, after visiting a Romanian cybersecurity forum, in his free time after school. Like most Romanian hackers, the teen is self taught. Soon, he got his first few hundred dollars from Google, and used them to buy himself a brand new computer. His desktop was dead slow.

“I got lucky. I found a sensitive file. I used brute force,” he said.


The tech giant is among the companies he closely monitors for bug bounty programs. He has recently found an LFI vulnerability and several XSS flaws in Google FeedBurner. Last year alone, Google awarded over $2 million to security researchers globally, and since 2010, when it began its bug bounty program, it has paid a total of $6 million. For 2015, Google highlighted Romania as among the top countries bug bounties were paid out to.

Coltuneac has also made it to Microsoft’s Bounty Hunters: The Honor Roll. This spring he found an XSS vuln in their OAuth interface. Microsoft is constantly improving its bounty program, and last year, the company included rewards for flaws found in Azure, ASP.NET, .NET Core runtime and the Edge browser.


Articol complet: https://www.wired.com/2016/05/romanian-teen-hacker-hunts-bugs-resist-dark-side/

  • Upvote 7
Link to comment
Share on other sites

7 minutes ago, Gecko said:


Ok, hai s-o luam logic. Cum numesti tu atatea ore petrecute inserand bucati de cod inspirate din vocabularele acunetix si havij in toate inputurile posibile? Stiinta? Hacking?

Tu cum altfel ai cauta daca nu inserezi "bucati de cod inspirate din vocabularele acunetix si havij"?

  • Upvote 1
Link to comment
Share on other sites

15 minutes ago, dekeeu said:

Multam' pentru feedback .


1. Felicitari!

2. Nu baga in seama rautatile/frustrarile care de multe ori vin involuntar din diferite motive. Cainii latra, ursul trece :) Am cunoscut "episoade" in privat, de cand sunt pe RST, de persoane care gasesc vulnerabilitati majore in companii mari, cel mai recent fiind aseara. Dar pentru ca au bunul simt necesar si au fost crescuti cum trebuie de parinti nu ii vezi facand galagie ci se ambitioneaza si mai mult. Ceea ce ma duce la punctul urmator:

3. Keep it up si la mai mare!

Vorbind strict in nume propriu, daca crezi ca te pot ajuta cu ceva in viitor, in limita posibilitatilor o voi face cu placere.



  • Upvote 3
Link to comment
Share on other sites

47 minutes ago, Gecko said:

Da, doar ca in aceeasi masura, e wired.com, nu blogulusandel.ro, sa dai feature la orisicine doar pentru ca exista in domeniu.



E security-research coaie , nu poti numi asa ceva ,,Apostrofeala grupa mare''   fa si tu asta , unii dintre cei mai buni castiga lunar 40k.


haahhhaha , parlitule



Bravo @dekeeu  , la mai multe !

Edited by Anonym13
Link to comment
Share on other sites

On 31.05.2016 at 5:47 PM, Nytro said:

This is a departure for the hacking community of Romania, known for such hits as the hackers Hackerville and Guccifer,  and fraudsters who steal money from American bank accounts, perpetrate eBay frauds, and land themselves on the FBI’s most wanted list.




That's offensive and hurty-feely ... 

Link to comment
Share on other sites

16 minutes ago, Amalf said:



That's offensive and hurty-feely ... 


Care va grabiti sa aruncati cu pietre.. probabil ar fi ideal sa aruncati un ochi si peste context: articolul este scris de o Romanca (deci este un anume bias din acest punct de vedere si nu este 100% obiectiv, documentat, etc.) care din cate am inteles din propriile ei spuse este la primul articol pentru publicatia respectiva. Iar cei care observa mass-media din ziua de astazi isi vor da seama ca nu se mai urmeaza pasii standard de odinioara in a face o investigatie cum trebuie din toate prismele, in a prezenta lucrurile din punct de vedere obiectiv, in a se informa in mod serios despre toate fatetele monedei si apoi in a le prezenta succint si a le sintetiza intr-un mod care nu cauta "wow" si cerseste atentie. Un reportaj serios ar fi un studiu etnografic, cu resurse si persoane alocate, etc. Din aceste motive cred ca sunteti destui care va aruncati la pus diagnostic si tras concluzii pripite fara macar sa-l cunoasteti pe om.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...