DDoS Me Once, Phish Me Twice, Ransom Me Thrice - Talk the Talk

Posted by author in the category "cybersecurity"

I've had a chance to speak at Prskalnik Ping!, and this blog is essentially my entire presentation put into writing + some additional details that I believe are worth sharing, but would turn my presentation into a 2 hour long lecture. Thank you Matej Aleksov and Aiken Tine Ahac for the invite, and special thanks to Preskok and AutoBrief for hosting the event and all the support.

Disclaimer: This blog post, and linked presentation, are for educational and defensive security research purposes only. All systems, tools, and techniques shown are deployed in an isolated, offline laboratory environment using publicly available, open-source projects. No real networks, companies, or individuals are targeted or harmed. The vulnerabilities and attack chains demonstrated reflect real-world techniques documented in recentincident reports and are shown to raise awareness and improve defenses. Reproduction of these techniques outside authorized testing environments or without explicit permission is illegal in most jurisdictions. I do not endorse, support, or facilitate any malicious activity. Use, misuse, or distribution of this information for illegal purposes is strictly prohibited.

Welcome to the digital world!

Welcome to the digital world! Right now, most people live in a fairytale, where everything "just works". And I don't blame them, the immersion is fantastic. You want to get somewhere? Use Google Maps, call an Uber/Bolt. Are you bored? Here are the countless ways to entertain yourself! You need to pass an exam? Study with the help of an LLM.

Technology is everywhere around us, which is both fantastic and terrifying. It's fantastic because Big Tech companies are making our lives easier. My laptop and my personal phone? MacBook Pro and iPhone. My work phone? Pixel. What do I use to run my business? Google Workspace. Where are all my backups held? You almost got me there, I'll never tell you, you sneaky bastards.

But the fairytale has cracks. Because essentially every business, and every individual, is exposed to the same threats. The issue is: how do I explain that to people? I mean, let's say you read this:

ENISA's latest reports indicate that the most rampant cybersecurity threats across Europe in 2025 are dominated by distributed denial-of-service (DDoS) attacks, ransomware, and an ongoing wave of hacktivism, accompanied by highly professionalized cybercrime and intensified state-aligned cyberespionage campaigns.

And you're like: "What?" To most people, those are blank words that mean nothing.

The Noise of Charlatans

The issue with cybersecurity isn't just the language. It's the noise.

When you think of cybersecurity, or IT in general, what comes to your mind? Nerds in TV shows or movies crammed in a basement? Hackers with green-on-black text with Matrix-style code running down the screen?

But that's not what the real work is like. And it's not just that IT professionals can be bad at communicating (though, let's be honest, we often are). The bigger problem is that the space is filled with noise.

Politicians love to talk about "cyber-resilience" and "digital sovereignty". Charlatans online love to sell you the latest "AI-powered, blockchain-backed, zero-trust" snake oil that promises to solve all your problems. It's a lot of talking. A lot of buzzwords. A lot of fear-mongering. This creates a fog. When a security team says, "Your legacy VPN appliance is running an unpatched RCE vulnerability," it sounds just like the buzzwords the charlatans use. It gets ignored because it sounds like "tech speak".

The Doctor, The Mechanic, and The Reality Check

Let's look at how we understand other risks.

When a doctor tells you that your high cholesterol and hypertension might lead to serious cardiovascular issues, you understand. You're potentially risking death. You'll start eating healthy, hit the gym, and get sorted out.

When your car engine light turns on, and you ignore it until the engine seizes, the mechanic explains that you ran out of oil. Even if you don't understand engines, the sequence makes sense: you skipped maintenance, ignored a clear signal, and now you are paying for it.

Cybersecurity does not get this benefit. We don't "feel" the cholesterol building up in our networks. We don't hear the engine sputtering until the ransomware note appears on the screen.

We learn by doing, by seeing, by exploring. By getting burned by our mistakes. We learn by trial and error. It's a natural process. We were made to learn from consequences. But in cybersecurity, "experiencing" usually means "getting hacked". And getting hacked in the real world is catastrophic. You lose your data, your money, your reputation. The "tuition fee" for learning by experience in the wild is far too high.

"Who cares about my data?"

At this point, there’s always that one person who shrugs and says:

"Well, what's someone gonna do with my info?"

I love this question, because it reveals the core problem: most people dramatically underestimate the value of their own identity. Your data is not just "photos from vacation" or "some boring emails". It's an entire attack surface wrapped in a human name.

So, let's play a little thought experiment and invoke our inner demon.

Imagine, for a moment, that you could become somebody else online. Not in a sci-fi, face-off way, but in a very boring, terrifyingly effective way:

  • You have access to their email inbox.
  • You can reset their passwords.
  • You can see their bills, invoices, subscriptions.
  • You know where they bank, what they use for cloud storage, which services they log into with "Sign in with Google/Microsoft".

What can you do with that? Use email access to reset passwords everywhere. Log into their banking apps, payment providers, marketplaces. Order stuff, move money, drain balances, or abuse "buy now, pay later". Open fraudulent accounts in their name, take loans, sign contracts. Message their friends, family, colleagues. "Hey, can you pay this invoice for me?" "Can you share that private repo?" If that person uses the same laptop or browser profile for work, suddenly you’re not just "inside a person", you're inside a company.

That’s what "just my info" really means. Not because you’re a celebrity, but because being a boring, ordinary person in a digital system is enough to be valuable.

Who are we up against?

So who is actually doing this? Who are these "hackers"?

Just think for a second, can you imagine:

  • Building a botnet to launch a DDoS attack?
  • Generating a successful phishing campaign?
  • Constructing ransomware that evades all modern firewalls?

Why not? Because who would do such a thing?

Simple!

  • The botnet guy started with a cracked Minecraft server and realized 100k compromised IoT cameras pay better than a day job.
  • The phisher began spamming "free Robux" links as a bored teenager.
  • The ransomware author was a broke reverse-engineer who got tired of consulting gigs.

These criminals are mostly opportunists. They discovered the barriers are lower than anyone pretends, the payoff is instant, and the risk feels theoretical. That's who does it! A bunch of greedy individuals with a keyboard, one small escalation at the time.

In no shape or form am I condoning or endorsing this behavior. You're a piece of *** as far as I'm concerned. I have no sympathy for criminals.

The Hacker Mindset

When you work in cybersecurity, your entire mentality shifts. The default is no longer:

"How do we make this work?"

It becomes:

"How can we break this?"

You stop assuming that systems are friendly puzzles trying to help you. You assume you're sailing uncharted territory, on your own, with nothing handed to you on a silver platter. If something is unclear, you don't wait for a figure of authority to pop up and explain it. You poke it. You push it. You try to make it fall over.

It sounds pessimistic, and in a way, it is. You're constantly thinking about:

  • How can this be abused?
  • What happens if this input is weird?
  • What if this one box on the network is lying?

It’s a job for contrarians and pathological "why?" people.

If you're the kind of kid who always tried to jump out of bounds in video games, or climb over the fence with the "do not cross" sign just to see what's there: congratulations, you already understand the vibe. The fun part is: in security, that impulse is not only allowed, it’s required.

You’re essentially invoking your inner devil, the part of you that enjoys breaking rules and finding loopholes; but you point it at something useful.

Lawyers do something similar for a living. They’re trained to find loopholes in the law, or construct airtight arguments that stick within the law. Security people are doing the same thing for technology:

  • Where does the spec say "must" vs "should"?
  • What did the developer assume a user would never do?
  • What combination of features produces something no one thought about?

If there’s a special place in hell for lawyers, there’s probably a table reserved for security people as well; especially the ones who decide to cross the line and join the criminals. The difference is whether you use that mindset to protect systems, or to burn them down.

A good cybersecurity person today can’t just "know a bit about antivirus". You need, at minimum:

  • Enough software engineering to read and reason about code.
  • Enough networking to understand how packets flow and where they can be intercepted, spoofed, or dropped.
  • Enough people skills to explain all of this to non-technical humans without sounding like a condescending prick.

Most of us end up specializing: red teaming, blue teaming, incident response, application security, governance, and so on. But under all of that, the core engine is the same:

  • Curiosity.
  • Discomfort with "it just works".
  • A slightly unhealthy enjoyment of watching things break in controlled conditions.

I’m not going to pretend this is some noble, sacrificial calling. This is not a fucking political speech. I do what I do because, deep down, I managed to channel a very simple desire:

"I like watching the world burn, but I’d rather do it in a lab, on purpose, for a good reason."

Some people go to the gym to deal with anger. I break things, mentally and technically, and think through all the nasty ways they can fail. That process-the puzzle of taking something apart and understanding exactly why it breaks—is ridiculously satisfying.

It's not for everyone. You have to be okay living in worst-case scenarios in your head. But if you recognize yourself in this description, if you’re the kind of person who can’t leave a weird edge case alone, or who gets a hit of dopamine when a messy bug finally makes sense: then honestly, this line of work is a dream job.

Lucky You, Unlucky You

This brings us to the crux of the matter.

Lucky for you, you are here. You are about to experience these attacks in a safe environment. I have built a laboratory where we can simulate the chaos without the consequences. We can watch a botnet rise, see a phishing email deceive, and watch ransomware devour a system. All from behind the safety glass.

Unlucky for you, statistically speaking, you are very likely to be a target of these exact attacks in the future. And the real world is not a laboratory. The attackers out there are not running simulations. They are sophisticated, they are automated, and they are relentless.

So, we have a choice. We can keep listening to the noise of the politicians and the salesmen. Or we can stop talking, and start seeing. See you in the next part.

End of article