Global Speaking Events

I am an experienced conference speaker, delivering complex technical content in an easy-to-comprehend way. I love to tell a compelling story about the research I've done. Check out where I've been and where to find me next!

Upcoming Conferences

Past Conferences

REcon - Montreal, Canada - June 27-29, 2025

Guerilla Reversing: Runtime Shenanigans

In an ever evolving arms race against the Google Play Store, threat actors increasingly capitalise on advanced malware capabilities to target smartphones. Yet, with modern malicious APKs deploying sophisticated obfuscation and anti-analysis tactics, static analysis alone often falls short. In this workshop, we’ll demystify how Android threats operate—from a broad threat-landscape overview down to the nitty-gritty of dynamic analysis on malicious code in action. By reverse engineering real-world Android malware samples and monitoring their runtime behavior, participants will gain the cutting-edge skills necessary to detect, dissect, and defend against these attacks. Whether you’re a beginner or a seasoned analyst, you’ll...

View Agenda

FIRSTCON25 - Copenhagen, Denmark - June 22-27, 2025

The Party Isn't Over: Uncovering Konfety's novel Evil Twin Technique

Evil twins can be the topic of science fiction, tales of mystery and... advertising fraud? We uncovered a sophisticated ad fraud campaign, that we dubbed Konfety, involving over 250 Android apps in which each benign app distributed via the Play Store had an ‘evil twin’ adware app counterpart - and its corresponding infrastructure. We will explain how Konfety was able to effectively create its own malicious ecosystem, from their ad SDK to their malicious infrastructure that could be started and scaled to support the ‘evil twins’ at the press of a button to reselling ad inventory to make money, and...

View Agenda

FIRST TC Amsterdam - Amsterdam, Netherlands - March 25-27, 2025

How to Surf the Dark Web Like a Boss (or Eastern European)

Oh no, your infrastructure is getting attacked and worsening by the day. The attacks seem highly coordinated, but where do you even begin when trying to hunt down the attackers? Roll up your sleeves and get ready to slip down the rabbit hole into the shadowy corners of the internet. In this 4 hour, one-of-a-kind OSINT and large-scale data-collection workshop, we'll show you how to become the cyber-sleuth you never knew you could be - minus the trench coat and fedora (unless that's your style). We'll demystify the Dark and Dark Web, debunk those spooky legends, and give you tips...

View Agenda

DMEXCO - Cologne, Germany - September 18-19, 2024

Unmasking 'Evil Twin' Apps: The Next Frontier in Mobile Ad Fraud

Cybercriminals are advancing, posing new threats to digital marketing through sophisticated fraud operations. HUMAN Security, Inc. has uncovered the Konfety campaign, a mobile ad fraud operation that uses a novel 'evil twin' method. Over 250 Google Play apps have malicious counterparts that drive up to 10 billion fraudulent bid requests daily by mimicking legitimate traffic. This session will delve into how Konfety exploits an ad SDK to evade detection and generate massive fraudulent ad traffic. We'll explore the implications for digital marketers and ad tech platforms, highlighting HUMAN’s strategies for detecting and mitigating such threats. Attendees will gain key insights...

View Agenda

REcon - Montreal, Canada - June 28-30, 2024

Guerilla Reversing: SMALI steps towards Android reversing

As consumers move to using their phones as their primary device, the financial opportunity for threat actors to deploy mobile malware becomes more appealing. People store their money, memories and digital identities in their pockets, making their phones a ripe avenue for attackers. From the high level threat landscape, down to the nitty gritty of the implementation of mobile malware TTPs, understanding the basics of Android reverse engineering can give an analyst the necessary cutting edge. This workshop will take people from zero to hero in order to give them a more thorough understanding of the Android malware landscape through...

View Agenda

Insomni'hack - Lausanne, Switzerland - April 25, 2024

An Uninvited House Guest: How PROXYLIB Overstayed its Welcome on Android Devices

Cybercriminal threat actors sell access to residential proxy networks to other threat actors who are looking to hide malicious behavior behind residential IPs, including credential stuffing attacks, password spraying or large-scale ad fraud. In May 2023, we identified a cluster of VPN apps available on the Google Play Store that transformed the user’s device into a proxy node without their knowledge. We’ve dubbed this operation PROXYLIB after the common library in each of the apps. Researchers at IAS identified this malicious behavior in a single free VPN application — Oko VPN— on Google’s Play Store, and projected that the operators...

View Agenda

FIRST TC - Amsterdam, Netherlands - March 5, 2024

One SMALI Step for Man, One Giant Leap for Researchers

With more and more people using their phones as their primary device, mobile malware's prevalence skyrocketed. People nowadays store their money, memories and digital identities in their pockets, making their phones a ripe avenue for attackers. From the high-level threat landscape down to the nitty-gritty of every specific actor, understanding the basics of Android reverse engineering can give an analyst the necessary cutting edge. This is what this workshop wants to deliver: taking people from zero to hero in order to give them a more thorough understanding of the Android malware landscape.

View Agenda

SEC-T - Stockholm, Sweden - September 13, 2023

Started from the Bottom, Now We’re Here: The Evolution of ESXi Ransomware

Ransomware targeting Linux/ESXi has existed since 2015, but since then has gained popularity and become more sophisticated; what was once a niche tool was later adopted by groups focused on “Big Game Hunting” and later became a key piece of ransomware threat actors’ toolkits. Ransomware targeting ESXi has become substantially more popular, and is now used by high-profile groups such as ALPHV, BlackBasta, Royal and LockBit. The shift towards ESXi stems from the virtualization of entire organizations’ infrastructure, with minimal defensive capabilities available. As a result, this provides more incentive for a threat actor looking to extort the organization into...

Watch Video

FIRST Conference - Montreal, Canada - June 9, 2023

Till There Was Unix: Defending ESXi Against Ransomware Attacks

Over the past 18 months, ransomware targeting ESXi has become substantially more popular, with several high-profile groups such as ALPHV, BlackBasta, Hive, and LockBit developing their own lockers. The shift towards ESXi stems from the virtualization of entire organizations' infrastructure, with minimal defensive capabilities available. As a result, this provides more incentive for a threat actor looking to extort the organization into paying the ransom.Our talk will provide a technical discussion and overview of the specific TTPs ransomware operators employ to target ESXi systems prior to dropping ransomware. We will also discuss techniques we can use to detect and defend...

View Agenda

FIRST Technical Colloquium - Amsterdam, Netherlands - April 18, 2023

Harder, Better, Faster, Locker: Ransomware Groups Flex On Defenders

Ransomware actors continue to evolve their tools and TTPs; innovation by cybercriminals in response to global and local events is nothing new. However, recently we have observed several interesting innovations - some very successful for the threat actors, some not so much. We will present case studies, including technical deep-dives on a few of these, including: ALPHV’s Morph AV-evasion tool, usage of an access token to prevent chat hijacking, ARM locker and blog of indexed victim files, LockBit’s adoption of the BlackMatter code, PLAY ransomware’s evolution to use ROP, and multiple actors’ implementations of intermittent file encryption. We will also...

View Agenda

Insomni'hack - Lausanne, Switzerland - March 23, 2023

Turn and Face the Strange: Ch-Ch-Changes In Ransomware Techniques

Everyone makes mistakes - including threat actors who deploy ransomware. Sometimes, “technical innovation” on the locker goes sideways and makes it easier to track or reverse engineer, or a false flag operation doesn’t quite pin enough blame on the intended party. We will highlight some interesting examples of ransomware techniques, such as PLAY’s usage of ROP, LockBit’s acquisition of BlackMatter code, ALPHV’s Morph obfuscation tool, and the myriad of threat actors who use custom-designed crypto or hard-coded, cryptographically insecure keys, and the opportunities they presented for us as defenders to signature and detect their malicious behavior. We will present technical...

Watch Video

Disobey - Helsinki, Finland - February 18, 2023

Turn and Face the Strange: Ch-Ch-Changes in Ransomware Techniques

Ransomware actors continue to evolve their tools and TTPs; innovation by cybercriminals in response to global and local events is nothing new. However, recently we have observed several interesting innovations - some very successful for the threat actors, some not so much. We will present case studies, including technical deep-dives on a few of these, including: ALPHV’s Morph AV-evasion tool, usage of an access token to prevent chat hijacking, ARM locker and blog of indexed victim files, LockBit’s adoption of the BlackMatter code, PLAY ransomware’s evolution to use ROP, and multiple actors’ implementations of intermittent file encryption. We will also...

Watch Video

GreHack - Grenoble, France - November 18, 2022

Crossing the Event Horizon: Intergalactic Travels of a Ransomware Crew

Ransomware, and malware as a whole, does not exist in a vacuum; it is often developed to accomplish a goal, whether to further an espionage campaign or for monetary gain. Ransomware, in particular, is a fast-moving landscape driven by an intricate web of operators, tools and mystery. BlackMatter ransomware emerged in July 2021 as the successor to DarkSide ransomware, only to be shut down a few short months later…or was it? Besides amassing a large portfolio of victims, the BlackMatter operators released several versions of the ransomware. Recorded Future was the first to openly publish technical details on BlackMatter, as...

Watch Video

GRRcon - Michigan, United States - October 13, 2022

Crossing the Event Horizon: Intergalactic Travels of a Ransomware Crew

Ransomware, and malware as a whole, does not exist in a vacuum; it is often developed to accomplish a goal, whether to further an espionage campaign or for monetary gain. Ransomware, in particular, is a fast-moving landscape driven by an intricate web of operators, tools and mystery. BlackMatter ransomware emerged in July 2021 as the successor to DarkSide ransomware, only to be shut down a few short months later…or was it? Besides amassing a large portfolio of victims, the BlackMatter operators released several versions of the ransomware. Recorded Future was the first to openly publish technical details on BlackMatter, as...

View Agenda

Recorded Future Predict - Virginia, United States - October 5, 2022

Pop, Log, And Drop It: Credential Access to Ransomware

Ransomware remains a looming threat to organizations in nearly every industry, and we see the specific groups themselves frequently evolve their tools, disband, rebrand and reemerge. Outside of all this change, what remains consistent is the need for ransomware threat actors to gain initial access to organizations in order to conduct these attacks, and largely, the key methods in which they do so. Infostealer malware infections, initial access brokerage services on dark web and special-access forums, or the purchase of infostealer logs from dark web shops and marketplaces are key sources of initial access for these actors. Other attack vectors,...

View Agenda

FIRST Conference - Dublin, Ireland - June 28, 2022

It’s Just a Jump To The Left (of Boom): Prioritizing Detection Implementation With Intelligence and ATT&CK

Many organizations ask: 'Where do I start, and where do I go next' when prioritizing behavior-based detections. We often hear 'use threat intelligence!', but goals must be qualified & quantified in order to properly prioritize relevant TTPs. A wealth of open-source resources now exists, giving teams greater access to detections & red team tests, but intelligence is essential to ensure that efforts are focused. This session covers a new prioritization approach, starting with an analysis of the current defensive landscape (measured by ATT&CK coverage for more than a dozen repos and technologies) and guidance on sourcing TTP intelligence. We then...

Watch Video

REcon - Montreal, Canada - June 4, 2022

Malware Wars: DarkSide Strikes Back as BlackMatter

Ransomware, and malware as a whole, does not exist in a vacuum; it is often developed to accomplish a goal, whether to further an espionage campaign or for monetary gain. Ransomware, in particular, is a fast-moving landscape driven by an intricate web of operators, tools and mystery. BlackMatter ransomware emerged in July 2021 as the successor to DarkSide ransomware, only to be shut down a few short months later...or was it? Besides amassing a large portfolio of victims, the BlackMatter operators released several versions of the ransomware. Recorded Future was the first to openly publish technical details on BlackMatter, as...

Watch Video

BSides Charm City - Maryland, United States - April 28, 2022

Malware Wars: DarkSide Strikes Back as BlackMatter

Ransomware, and malware as a whole, does not exist in a vacuum; it is often developed to accomplish a goal, whether to further an espionage campaign or for monetary gain. Ransomware, in particular, is a fast-moving landscape driven by an intricate web of operators, tools and mystery. BlackMatter ransomware emerged in July 2021 as the successor to DarkSide ransomware, only to be shut down a few short months later...or was it? Besides amassing a large portfolio of victims, the BlackMatter operators released several versions of the ransomware. Recorded Future was the first to openly publish technical details on BlackMatter, as...

Watch Video

FIRST Technical Colloquium - Amsterdam, Netherlands - April 13, 2022

Malware Wars: DarkSide Strikes Back as BlackMatter

Ransomware, and malware as a whole, does not exist in a vacuum; it is often developed to accomplish a goal, whether to further an espionage campaign or for monetary gain. Ransomware, in particular, is a fast-moving landscape driven by an intricate web of operators, tools and mystery. BlackMatter ransomware emerged in July 2021 as the successor to DarkSide ransomware, only to be shut down a few short months later...or was it? Besides amassing a large portfolio of victims, the BlackMatter operators released several versions of the ransomware. Recorded Future was the first to openly publish technical details on BlackMatter, as...

View Agenda

ATT&CKCON 3.0 - Virginia, United States - March 29, 2022

It’s Just a Jump To The Left (of Boom): Prioritizing Detection Implementation With Intelligence and ATT&CK

Many organizations ask: 'Where do I start, and where do I go next' when prioritizing behavior-based detections. We often hear 'use threat intelligence!', but goals must be qualified & quantified in order to properly prioritize relevant TTPs. A wealth of open-source resources now exists, giving teams greater access to detections & red team tests, but intelligence is essential to ensure that efforts are focused. This session covers a new prioritization approach, starting with an analysis of the current defensive landscape (measured by ATT&CK coverage for more than a dozen repos and technologies) and guidance on sourcing TTP intelligence. We then...

Watch Video

Recorded Future Predict - Virtual - October 13, 2021

Detecting Cobalt Strike Across the Enterprise

Cobalt Strike is a commercial post-exploitation tool designed to aid penetration testers and red team operators in conducting authorized intrusions. Despite its original goal, since its release in 2012, Cobalt Strike has gained widespread popularity among state-sponsored threat actors and financially motivated threat actors. sing adversarial emulation to recreate scenarios of the tool’s use, Insikt Group analyzed Cobalt Strike to identify detection opportunities from the earliest stages of its use across the enterprise. Come hear from the team behind the research in a panel discussion on taking a multifaceted approach to combat the use of Cobalt Strike by threat actors...

View Agenda

BSides Dublin 2021 - Virtual

Egregor Awakens: Taking a Tour Of A Threat Actor’s New Digs

Egregor ransomware made its debut in September 2020 and has since been used against several organizations across many industries while also employing anti-analysis techniques that complicate reverse engineering and in some cases, make it impossible. With connections to the threat actors behind Maze and Qakbot at the infrastructure, technical and contextual levels, Egregor presents a fascinating case study of how a ransomware threat actor morphs their operations. This talk will cover what we know about the threat actors behind Egregor, including a technical deep dive on the ransomware and discussion of TTP overlaps with other related ransomware threat actors. We...

Watch Video

BSides Tampa 2021 - Virtual

Egregor Awakens: Taking a Tour Of A Threat Actor’s New Digs

Egregor ransomware made its debut in September 2020 and has since been used against several organizations across many industries while also employing anti-analysis techniques that complicate reverse engineering and in some cases, make it impossible. With connections to the threat actors behind Maze and Qakbot at the infrastructure, technical and contextual levels, Egregor presents a fascinating case study of how a ransomware threat actor morphs their operations. This talk will cover what we know about the threat actors behind Egregor, including a technical deep dive on the ransomware and discussion of TTP overlaps with other related ransomware threat actors. We...

Watch Video

BSides Kobenhavn - Virtual - September 18, 2020

Dump Me If You Can: Malware Hide and Seek with Obfuscation

When a new piece of malware is discovered, some of the first questions an incident responder asks are: What does it do? What command and control infrastructure is involved? What is the impact on my organization? How can I detect it using commonly used tools?. With the rise in the use of code obfuscation by malware authors, answering these questions becomes significantly more complicated - taking apart sophisticated malware that employs obfuscation is often more time and resource-intensive and can require a more skilled analyst. In this talk, we will provide current, real-world examples of malware employing obfuscation techniques and...

Watch Video