<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Vitalii Zaiats</title>
    <link>https://personal-website-576.pages.dev/</link>
    <description>Recent content on Vitalii Zaiats</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <lastBuildDate>Sat, 04 Jul 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://personal-website-576.pages.dev/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>17 million devices for rent: tracing a residential-proxy botnet from one cracked game</title>
      <link>https://personal-website-576.pages.dev/posts/residential-proxy-botnet/</link>
      <pubDate>Fri, 26 Jun 2026 00:00:00 +0000</pubDate>
      <guid>https://personal-website-576.pages.dev/posts/residential-proxy-botnet/</guid>
      <description>I got bored on a forum doing arithmetic on &amp;lsquo;millions of residential IPs&amp;rsquo;, ended up reverse-engineering a botnet&amp;rsquo;s C2 from one infected phone, and reported it. The whole messy thread — and where it led.</description>
    </item>
    <item>
      <title>Wire-to-WiFi correlation</title>
      <link>https://personal-website-576.pages.dev/posts/wire-air-correlation/</link>
      <pubDate>Sat, 04 Jul 2026 00:00:00 +0000</pubDate>
      <guid>https://personal-website-576.pages.dev/posts/wire-air-correlation/</guid>
      <description>A weekend bench experiment: drive a size/timing pattern through a doubly-encrypted, proxied flow and watch it reappear in a device&amp;rsquo;s WiFi frames. The physics held at r=0.9 on my own hardware — and then the real fight was with a cheap monitor adapter that decoded almost none of the frames I actually needed. A lab notebook that ends in a shopping list, false positive included.</description>
    </item>
    <item>
      <title>Chaining SOCKS5 UDP relays: self-loops, SSRF, and the amplification that isn&#39;t</title>
      <link>https://personal-website-576.pages.dev/posts/chaining-socks5-udp-relays/</link>
      <pubDate>Sat, 13 Jun 2026 00:00:00 +0000</pubDate>
      <guid>https://personal-website-576.pages.dev/posts/chaining-socks5-udp-relays/</guid>
      <description>Final follow-up post debunking the &amp;ldquo;open UDP relay = DDoS amplifier&amp;rdquo; fear: chaining launders origin but de-amplifies at the target, self-looping only DoSes the relay itself, loopback forwarding is a UDP SSRF, and even a paid commercial proxy fails the RFC 1928 §6 source check — every behavior reframed as a single-packet detection fingerprint.</description>
    </item>
    <item>
      <title>Auth on TCP, open on UDP: the SOCKS5 relays scanners can&#39;t see</title>
      <link>https://personal-website-576.pages.dev/posts/socks5-udp-open-relays/</link>
      <pubDate>Thu, 11 Jun 2026 00:00:00 +0000</pubDate>
      <guid>https://personal-website-576.pages.dev/posts/socks5-udp-open-relays/</guid>
      <description>Final version of the SOCKS5 open-UDP-relay teardown: de-quantified the scan-list phrasing, aligned a log comment to first-person voice, and thinned one forward-reference scaffold, with all tables, numbers, RFC references, and the &amp;ldquo;signals, not weapons&amp;rdquo; defensive framing preserved verbatim.</description>
    </item>
    <item>
      <title>From a proxy pool&#39;s torrents to a booby-trapped game</title>
      <link>https://personal-website-576.pages.dev/posts/from-torrent-to-boobytrapped-game/</link>
      <pubDate>Sun, 31 May 2026 00:00:00 +0000</pubDate>
      <guid>https://personal-website-576.pages.dev/posts/from-torrent-to-boobytrapped-game/</guid>
      <description>I chased a residential proxy pool&amp;rsquo;s own download habits down to one cracked driving game, and found a build that&amp;rsquo;s a confirmed ad-fraud carrier hiding an encrypted payload I still can&amp;rsquo;t prove is proxyware.</description>
    </item>
    <item>
      <title>Coordinated disclosure: CCTV cameras selling their owners&#39; bandwidth</title>
      <link>https://personal-website-576.pages.dev/posts/coordinated-disclosure-cctv-proxies/</link>
      <pubDate>Wed, 15 Apr 2026 00:00:00 +0000</pubDate>
      <guid>https://personal-website-576.pages.dev/posts/coordinated-disclosure-cctv-proxies/</guid>
      <description>How I passively fingerprinted hacked Dutch CCTV cameras being resold as residential proxy exit nodes — and reported them to NCSC-NL without ever touching a single box.</description>
    </item>
    <item>
      <title>The iOS proxy ghost: why you can&#39;t find an iPhone in a residential pool</title>
      <link>https://personal-website-576.pages.dev/posts/the-ios-proxy-ghost/</link>
      <pubDate>Fri, 03 Apr 2026 00:00:00 +0000</pubDate>
      <guid>https://personal-website-576.pages.dev/posts/the-ios-proxy-ghost/</guid>
      <description>Turns out the iPhone on every proxy provider&amp;rsquo;s landing page is the one device that basically can&amp;rsquo;t be in the pool — and that absence is exactly what makes a real iOS fingerprint a trustworthy &amp;ldquo;human here&amp;rdquo; signal.</description>
    </item>
    <item>
      <title>TCP-fingerprinting 300K residential proxy IPs: 98% are Linux</title>
      <link>https://personal-website-576.pages.dev/posts/tcp-fingerprinting-residential-proxies/</link>
      <pubDate>Thu, 26 Mar 2026 00:00:00 +0000</pubDate>
      <guid>https://personal-website-576.pages.dev/posts/tcp-fingerprinting-residential-proxies/</guid>
      <description>Probed 319,706 residential-proxy exits by their TCP SYN fingerprints — 98% Linux, two kernel defaults covering 70%+, MSS leaking the real link, and a handful of big ISPs — showing the &amp;ldquo;real user devices&amp;rdquo; are mostly a rack of Linux boxes.</description>
    </item>
    <item>
      <title>Detecting credential stuffing through encrypted traffic</title>
      <link>https://personal-website-576.pages.dev/posts/detecting-credential-stuffing-through-tls/</link>
      <pubDate>Tue, 24 Mar 2026 00:00:00 +0000</pubDate>
      <guid>https://personal-website-576.pages.dev/posts/detecting-credential-stuffing-through-tls/</guid>
      <description>Encrypted traffic still leaks its silhouette: near-identical response sizes (CV &amp;lt; 0.05) plus JA3 counts turn a sealed TLS tunnel into a credential-stuffing detector.</description>
    </item>
    <item>
      <title>About</title>
      <link>https://personal-website-576.pages.dev/about/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>https://personal-website-576.pages.dev/about/</guid>
      <description>Who I am and what I work on.</description>
    </item>
  </channel>
</rss>
