I'm extencil. Brazilian. Security researcher, infrastructure builder.
- x/twitter: x.com/extencil
- bluesky: bsky.app/profile/extencil.me
- mastodon: mastodon.social/@extencil
- github: github.com/extencil
- reddit: reddit.com/user/extencil
- gitlab: gitlab.com/extencil
- telegram: t.me/extencil
- youtube: youtube.com/@extencil-thc
- email:
extencil@segfault.net·extencil@proton.thc.org
If I don't reply to you via emails, I'm dead
A free mail forwarding service. Around 50 domains. No logs. No alias caps. No freemium theater. Unlicense, open source, auditable end to end. Phrack, team-teso/THC, eurocompton, antisec and others route aliases through it.
- service: mail.thc.org (mirror:
reads.phrack.org)
- 2026, iq.thc.org — iq.thc.org (Hall of Fame)
- 2026, dns2tcp-gateway — ohmymex/dns2tcp-gateway (Hall of Fame)
- 2025, Klarna — HackerOne Report (Hall of Fame)
- 2024, NASA — Confidential
- 2024, Qualitor — CVE-2024-44849
- 2023, segfault.net — hackerschoice/segfault (Hall of Fame)
- 2021, LinkedIn — spam delivered through LinkedIn's own SMTP, Premium or not.
- 2021, Brazilian Army enlistment portal — session takeover on Gov.br-connected accounts. Password optional.
- 2021, Enem / INEP — source disclosure plus unauthenticated pivots against government-hosted apps, bypassing the expected proxy path.
- OpenBugBounty quality badge for reports on 10+ named public sites.
- network edge hardening
- email infrastructure and alias flows — abuse surfaces, counter logic, policy
- deployment and service reliability with predictable failure modes
- defensive automation for public-facing systems
- proxy and routing layers with explicit trust boundaries
- developer tooling that cuts repetitive operator work