Bio

I’m a professional computer security researcher with an extensive background in Linux systems administration, computer networking, applied cryptography, and programming. Since childhood, I’ve enjoyed taking things apart and learning how they really work. Deep understanding allows me to push the boundaries of what is possible.

My career started at a small ISP, where I did everything from taking help desk calls to systems administration. Progressing through various roles at several companies helped me understand the needs of different parts of IT organizations and how they fit together.

The focus of my work shifted to bot detection and mitigation in 2014 when I joined HUMAN Security (formerly known as White Ops), a startup co-founded by my friend, Dan Kaminsky. I created a lot of their foundational technology and was quickly promoted to Principal Security Researcher. About a year after Dan’s death, I left HUMAN, but I continue to do similar work as a Principal Security Engineer at Amazon.

I have lived in London with my partner since 2019.

Please use gender-neutral language when writing about me. My pronouns are they/them, and further details are available for reference.

My family name is pronounced “kas-teh-LOO-chee”.

Presentations

• Cracking Cryptocurrency Brainwallets
• Stealing Bitcoin with Math with Filippo Valsorda
• A Nickel Tour of the Ad Fraud Ecosystem
• Optimizations for Bitcoin Key Cracking
• Measuring the Use and Abuse of Brain Wallets with Marie Vasek
• Modern TCP/IP, Simplified
• Hacking Gender: Transition à la Carte

Publications

• The Bitcoin Brain Drain: Examining the Use and Abuse of Bitcoin Brain Wallets with Marie Vasek, Joseph Bonneau, Cameron Keith and Tyler Moore
• Speed Optimizations in Bitcoin Key Recovery Attacks with Nicolas Courtois and Guangyan Song
• The Methbot Operation uncredited
• The Hunt for 3ve uncredited

Press

• Wired — Brainflayer: A Password Cracker That Steals Bitcoins From Your Brain
• Ars Technica — Password cracking attacks on Bitcoin wallets net $103,000
• Fast Company — Researchers Find A Crack That Drains Supposedly Secure Bitcoin Wallets
• DARKReading — Russian Hackers Run Record-Breaking Online Ad-Fraud Operation
• Kerbs on Security — Report: $3-5M in Ad Fraud Daily from “Methbot”
• BuzzFeed News — Killing 3ve: How The FBI And Tech Industry Took Down A Massive Ad Fraud Scheme
• The Register — C’mon, if You Say Your Device Is ‘Unhackable’, You’re Just Asking for It: Bitfi Retracts Edgy Claim
• Ars Technica — How 3ve’s BGP hijackers eluded the Internet—and made $29M
• BleepingComputer — Russian ‘King of Fraud’ sentenced to 10 years for Methbot scheme
• i — Non-binary American Living in UK Stuck in Legal Limbo After Gender Recorded as ‘Not Specified’
• The Independant — Why this Californian is suing the British government for refusing to legally recognise non-binary people
• Ars Technica — 512-bit RSA key in home energy system gives control of “virtual power plant”