Digital Dopamine

IntroSup folks, my last completed module was about the basics of Linux, so that’s what this episode will be about. However, I’ll be covering a bit more than we covered in the module. Within TryHackMe, we covered basic commands, working with the filesystem, shell operations, flags & switches, and automation, to name a few. But what I also want to cover is how to get a Virtual Machine booted up using “Kali Linux”, which is a Linux distribution designed for digital forensics and penetration testing. That will involve us getting familiar with UTM, a full-featured system emulator and virtual machine host for iOS and macOS (sorry, Windows users, it might not be a 1:1 comparison on how to start the VM locally). We’ll also go through the entire process of installation of the distribution and even try our hand at a fun lil script 😏. Before we get into the hands-on sections of this episode, let’s go over some Linux basics.Lil Linux LoreThe name "Linux" is actually an umbrella term for multiple OS's that are based on UNIX (another operating system). Thanks to Linux being open-source, variants of Linux come in all shapes and sizes - suited best for what the system is being used for.For example, Ubuntu & Debian are some of the more commonplace distributions of Linux because they are so extensible. For example, you can run Ubuntu as a server (such as websites & web applications) or as a fully-fledged desktop. While the TryHackMe module uses Ubuntu, when we are setting up our own VM, we will be using Debian, since that’s what Kali Linux is based on. When it comes to the commands and execution, though, both distributions should function very similarly."Linux" is often used to refer to the entire operating system, but in reality, Linux is the operating system kernel, which is started by the boot loader, which is itself started by the “Basic Input/Output System”/”Unified Extensible Firmware Interface” (BIOS/UEFI). The kernel assumes a role similar to that of a conductor in an orchestra—it ensures coordination between hardware and software. And no, I did not come up with that analogy myself lol. But enough of the technical jargon, let's get our VMS set up, then dive into some basics.Setting Up Your VMThere are a handful of steps to properly set up both of the VMs we will be using in this episode, so I created a quick video to help walk through each step of the process while notating some of the known bugs when it comes to getting the “Kali Linux” VM set up.Quick Setup SummaryUTM* We will need UTM as our emulator. Download and install it → https://mac.getutm.appKali* Download the ISO image from their site → https://www.kali.org/get-kali/#kali-installer-images. Make sure you are downloading the right image for the architecture you’re on.* Follow their official guide once you have it downloaded → https://www.kali.org/docs/virtualization/install-utm-guest-vm/ParrotOS* Download the pre-configured UTM from ParrotOS - Home → https://www.parrotsec.org/download/* Follow their official installation guide → https://www.parrotsec.org/docs/virtualization/utm-configurationOnce you have both of these VMs installed, we are ready for action!The Basics CommandsNow, when it comes to commands, if you are familiar with macOS terminal commands, you should feel at home with Linux. Apple’s macOS is based on UNIX as well, so a lot of the commands for filesystem management, shell commands, and shortcuts should be identical.Let’s start with the very basic command echo. echo will output any text that we provide. Check out this screenshot below. You can see the simple command input and the output.There are various use cases for using echo from debugging to getting environment variables in a safe manner, and we will for sure be using some of them throughout this series.Another basic command is whoami to find out what user we're currently logged in as. That’s the only function there, lol, a one-and-done command.You can see in the screenshot above that I’m logged in as “mortaniel”. Next we have pwd which stands for “print working directory”, and this just prints out where you are currently in your filesystem within your terminal.The ls command prints out the contents of the directory you’re in.The last command I wanna mention here is cd, which lets you navigate into certain directories. Below you can see me navigate into “Desktop” and I used ls to list out the contents on my VM’s desktop, which is just a custom folder named “Best Folder”.There are TONS of other commands available to use, and we’d be here all day if I tried listing them out with their use cases. For instance, the find command is very useful and worth covering; I just have to spare the time to fit everything under an hour. It would be extremely boring too 😂, and besides, there are going to be commands I use later in this episode and will provide a quick definition of what it is when I reference/use them. So let’s move on to the next section, where I want to discuss SSH.Secure Shell: Operations & DeploySecure Shell (SSH) is the common means of connecting to and interacting with the command line of a remote Linux machine. In TryHackMe, we deploy two machines:* The Linux machine* The TryHackMe AttackBoxWhere we go over common shell operations as well as how to use it to remotely log into the Linux Machine. So, what we’ll do is create 2 VMs locally to emulate what we’re doing in TryHackMe (or at least as close as possible). The main VM we will make should be a standard setup in terms of memory and storage allocation. This will be our “Attack Box”, and it will be using Kali Linux. The second VM we create will be our “Target Linux Machine”, and I’ll use ParrotOS for this one, to change it up a bit. You are more than welcome to use 2 Kali Linux VMs. Ubuntu, being the 2nd VM, is ideal if you can get it set up, but I’m having compatibility issues that I don’t feel like resolving, so I'm stuck with 2 different Debian-based distros. I’ll walk through how to set both up a bit later on, but our Attack Box will be where we get to test out some of these shell commands. I’m also going to walk through a cool and simple exploit to give an idea of what’s capable in the world of pen testing.A few of those operations are as follows:* &: This operator allows you to run commands in the background of your terminal.* &&: This operator allows you to combine multiple commands together in one line of your terminal.* >: This operator is a redirector - meaning that we can take the output from a command (such as using cat to output a file) and direct it elsewhere.* >>: This operator does the same function of the > operator but appends the output rather than replacing (meaning nothing is overwritten).If we want to get into more details on each operator:Operator “&”This operator allows us to execute commands in the background. For example, let’s say we want to copy a large file. This will obviously take quite a long time and will leave us unable to do anything else until the file is successfully copied.The “&” shell operator allows us to execute a command and have it run in the background (such as this file copy), allowing us to do other things!Operator “&&”This shell operator is a bit misleading in the sense of how familiar is to its partner “&”. Unlike the “&” operator, we can use “&&” to make a list of commands to run for example command1 && command2. However, it’s worth noting that command2 will only run if command1 was successful.Operator “>”This operator is what’s known as an output redirector. What this essentially means is that we take the output from a command we run and send that output to somewhere else.A great example of this is redirecting the output of the echo command that we learned in Task 4. Of course, running something such as echo wordsILoveToSay will return “wordsILoveToSay” back to our terminal — that isn’t super useful. What we can do instead is redirect “wordsILoveToSay” to something such as a new file!Let’s say we wanted to create a file, and I’ll name it newFile with the message “sup”. We can run echo sup > newFile where we want the file created with the contents “sup” like so:Now I personally don’t see much use of this other than allowing users to save command results directly to a file for later but I feel that’s something you’d just work on in whatever file you are writing code in. I could be missing the nice use case and maybe it’ll come to me in practice. That leads us to the “>>” operator.Operator “>>”This is pretty much an extension of the previous command. But instead of creating or replacing an entire file with the new command, this operator appends the output.These are just very basic Linux commands, and I’m sure I’ll find more use for them the more I dabble. There is a lot more basic knowledge that I feel is useful but to go into detail on each one would make this a very long episode. So in the next section, im just going to list the command, give a quick definition, and show an example screenshot if applicable.The File SystemNavigating the file system is extremely important, but can be summed up clearly, in which your file system is like your playing field in an RPG, table top, or digital. In that RPG’s playing field/world (the filesystem), there are many paths that you can take once you leave home (different paths like /Home/Desktop/Pictures & /Home/Downloads/cool_img.jpg). But you can always come back home and even further, go back to your root(s)…aka /~. I haven’t seen anyone make a similar analogy, so I’m gonna call dibs on that until further notice 😏. But you want to be able to navigate your file system(s) effortlessly, because sometimes time is not on your side when trying to execute an exploit or defend yourself from one.Terminal Text EditorIf you’re a command-line wizard, you’d probably want to do everything in one location, including code updates. Well, there’s a way for you to do just that by accessing a code editor in your terminal window with Nano or VIM Nano (GNU nano) is a text editor for Unix-like computing systems or operating environments using a command line interface that emulates the Pico text editor. It can be initialized with nano {fileName}. For example lets say in the “Best Folder” I created on my Kali Linux VM, I wanted to create a new file with text and then make a longer edit to the file. Instead of doing a bunch of ”>>” operations, we can just open up the file and make the full text change as needed. Quick little video of me doing just that:This is an oversimplification of Nano’s use, but you get the picture of the capabilities.VIM is a much more advanced text editor. Some of VIM’s benefits, albeit taking a much longer time to become familiar with, include:* Customisable - you can modify the keyboard shortcuts to be of your choosing* Syntax Highlighting - this is useful if you are writing or maintaining code, making it a popular choice for software developers* VIM works on all terminals where nano may not be installed* There are a lot of resources, such as cheatsheets, tutorials, and the like, available to use.VIM, however, needs to be installed on your OS if it isn’t already from your distro you installed (in my case, it was). So, below is another quick video of how to get this installed, and I will make another edit to the file we altered using Nano.This video has a bit of rambling and is NOT shorter than the one for Nano 😅. But after understanding the basics of Nano and VIM, you are well on your way to becoming a command-line hero.General UtilitiesThere are a handful of general utilities at our disposal, but I want to make sure I cover downloading files, secure copy transfers, and serving files from a separate server. Secure Copy (SCP)Secure copy is as it seems, a means of securely copying files. Working with it requires only a SOURCE and a DESTINATION. Unlike the regular cp command, this command allows you to transfer files between two computers using the SSH protocol to provide both authentication and encryption. It goes 2 ways, you can:* Copy files & directories from your current system to a remote system* Copy files & directories from a remote system to your current systemProvided that we know usernames and passwords for a user on your current system and a user on the remote system. For example, let's copy an example file from our machine to a remote machine, which I pulled from TryHackMe:With this information, we can craft our scp command (remembering that the format of SCP is just SOURCE and DESTINATION):scp important.txt [email protected]:/home/ubuntu/transferred.txtAnd now let's reverse this and layout the syntax for using scp to copy a file from a remote computer that we're not logged intoThe command will now look like the following: scp [email protected]:/home/ubuntu/documents.txt notes.txtDownloading and serving filesTo cover these 2, I made another video clip walking through how to accomplish this.I highly recommend watching the video clip so you can see this in action, but to sum it up how TryHackMe has it:Downloading Files (Wget) The wget command allows us to download files from the web via HTTP -- as if you were accessing the file in your browser. We simply need to provide the address of the resource that we wish to download. For example, if I wanted to download a file named "myfile.txt" onto my machine, assuming I knew the web address, it would look something like this:wget https://assets.tryhackme.com/additional/linux-fundamentals/part3/myfile.txtIn my video example, I show you how to do this between two VMs.Serving FilesUbuntu machines come pre-packaged with python3. Python helpfully provides a lightweight and easy-to-use module called "HTTPServer". This module turns your computer into a quick and easy web server that you can use to serve your own files, where they can then be downloaded by another computer using commands such as curl and wget. In my example video, we create a new server in my ParrotOS VM using the command python3 -m http.server within the directory where the target file lives, and once that’s running in your Linux machine, you’d run the following command → wget http://:8000/myfile.txt. You can get the IP on whatever machine you’re working with by using ip a. That command will print out something like this:The IP address we want to look for is the inet value on ether, which is 192.168.64.2. So if I were to use this IP in the command from before, it would look like wget http://192.168.64.2:8000/myfile.txt. Sometimes you won't have access to make a GET request to servers you don’t have permission to access. But this leads us to understanding our local permissionsPermissions 101The great thing about Linux is that permissions can be so granular that, whilst a user technically owns a file, if the permissions have been set, then a group of users can also have either the same or a different set of permissions to the exact same file without affecting the file owner itself.Let’s put this into a real-world context; the system user that runs a web server must have permissions to read and write files for an effective web application. However, companies such as web hosting companies will have to want to allow their customers to upload their own files for their website without being the web server system user -- compromising the security of every other customer. Below is an overview of the types of permissions:r - Permission to read. This grants permission only to open and view a file.w - Permission to write. This grants permission only to view and edit a file.x - Permission to execute. This allows users to execute a file (but not necessarily view or edit it).To move ownership of a file to a different user so that they can control permissions, we can use the chown (change owner) command. For example:chown ringo /tmp/coolFileSimilarly, you can change ownership from one group to another by using chgrp (change group). In this case, we want to give the security team access to a recently downloaded defensive tool, IDS (intrusion detection system). You would run a command like this:chgrp securityGroup newIDSThis comes in handy if you are working with a team of pentesters, but the defensive/security team only needs full access to certain tools. Switching between users on Linux is easy thanks to the su command. Unless you are the root user (or using root permissions through sudo), then you are required to know two things to facilitate this transition of user accounts:* The user we wish to switch to* The user’s passwordThe su command takes a couple of switches that I think are relevant to this explanation, but definitely check out the manual page for su to find out more. I’m just gonna cover the -l switch.By providing the -l switch to su, we start a shell that is much more similar to the actual user logging into the system - we inherit a lot more properties of the new user, like environment variables and such.For example, in the screenshot below, you can see the use of the -l switch and an instance without it.When using su to switch to "ringo", our new session drops us into our previous user's home directory. Whereas, after using -l, our new session has dropped us into the home directory of "ringo" automatically.Now let’s get back to the permissions. As noted before, every file and directory has a set of permissions that control who can read, write, or execute it. These permissions are often displayed in symbolic format, such as:rwxrwxrwxI find it easier to read as rwx|rwx|rwx. This format is split into three groups:Each permission has a numeric value:To calculate the numeric value, we add the values together for each group.Some common examples are:Understanding numeric permissions is important because:* Many Linux commands use numeric values* You can quickly identify security risks* You can control who can access sensitive filesFor example, we’d use the chmod (change mode) command followed by the numeric permission setting and then end it with the target file or directory, like so:chmod 750 system_overview.txtThis means for system_overview.txt:* Owner: full access* Group: read + execute* Others: no accessI highly recommend getting familiar with reading, granting, and removing permissions and their numeric format. Still trips me up a bit, but I’m sure over time, I’ll get very accustomed to reading it easily. The last major thing I wanted to discuss was automation.Automation and the Cron ProcessUsers may want to schedule a certain action or task to take place after the system has booted. Take, for example, running commands, backing up files, or launching your favourite programs on, such as Spotify or Google Chrome.So I’ll be talking about the cron process, but more specifically, how we can interact with it via the use of crontabs . Crontab is one of the processes that is started during boot, which is responsible for facilitating and managing cron jobs.A crontab is simply a special file with formatting that is recognised by the cron process to execute each line step-by-step. Crontabs require 6 specific values:Let’s use the example of backing up files. You may wish to back up “mortaniel”’s “Documents” every 12 hours. We would use the following formatting:0 */12 * * * cp -R /home/mortaniel/Documents /var/backups/An interesting feature of crontabs is that they also support the wildcard or asterisk (*). If we do not wish to provide a value for that specific field. For example, we don’t care what month, day, or year it is executed -- only that it is executed every 12 hours, we simply place an asterisk.This can be confusing to begin with, which is why there are some great resources, such as "Crontab Generator", that allows you to use a friendly application to generate your formatting for you, as well as the site "Cron Guru".If you need to start cron, you simply run cron. Crontabs can be edited by using crontab -e, where you can select an editor (such as Nano) to edit your crontab. In my example below, I confirmed Cron was running, and I created a new cron job to write out a message in a text file every 2 min. That cron command is:*/2 * * * * echo "🔔 Cron fired at $(date)" >> ~/Desktop/cron_demo.txtAn easy way to follow that cron job is to tail the file and watch it in your terminaltail -f ~/Desktop/cron_demo.txtBash ScriptingNow let’s have a little fun, we’re gonna create a lil script that will just be a series of questions, inputs, and the final echo statement that combines the input into a sentence. That doesn’t sound exactly thrilling lol, but it will give you a general idea on how to create and execute scripts.Scripts can be executed through many methods and languages. Most interpreted languages (Python, Bash, Ruby, etc.) just need the runtime installed, and then scripts for that language can be run directly from the terminal. Compiled languages (C, Go) need a build step first. The shebang line#!/usr/bin/env python3 lets you run scripts directly as ./python_demo.py on Unix systems, after making them executable with chmod +x python_demo.py. The same thing goes for creating a shell/bash script, just slightly different syntax:#!/bin/bash/ From here, we will then start to build out our script. Now I’ve built the same script in both Python and Shell, just so you can see different flavors of the same code.Python#!/usr/bin/env python3 # Second script # Multi line text name = input("State your name, playa.\n") fruit = input("What's your favorite fruit?\n") print(f"Welcome to the Vice City, {name}. We have the finest {fruit} in the country.")Shell/Bash#! /bin/bash/ # Second bash script # Multi line text echo "State your name, playa." read name echo "What's your favorite fruit?" read fruit echo "Welcome to the Vice City, $name. We have the finest $fruit in the country."Here you can see the 2 different ways to prompt users a couple of questions, storing the answer in a variable, and then printing out the last sentence with the variables included. The main difference here is how Python stores variables and how Shell stores them. I’m not an expert on Shell, but from what I learned, the read command takes the user input and splits the string into fields, assigning each new word to an argument. If there are fewer variables than words, read stores the remaining terms into the final variable. The splitting behavior is more advanced, and typically, you will just be using 1 variable at a time.When it comes to Python, it’s clearly much cleaner in terms of being readable from the jump. You see both the name and fruit variables followed by the “=” operator, which is a clear indication that whatever else follows will be assigned to that variable. In our case, the input() function follows the “=” operator, which tells us that there will be a prompt that a user will need to respond to. That input is then stored in the connected variables. Finally, we print out a full sentence with those variables included. One caveat is that with Python, to include variables inside of strings, we need to use F-strings. With f-strings (formatted string literals), you can directly embed variables and expressions inside strings using curly braces {}, and this was introduced in version 3.6 to make string formatting and interpolation easier.Python remains the most versatile language for scripting and automation in ethical hacking, so any type of scripting or exploits I make in future entries will use Python only, unless a different language serves the exploit better. Below is a quick demo on both scripts and how they are executed in the terminal.ConclusionThat about wraps it up for this episode. I’ve only scratched the surface of Linux basics, and there are a handful of other things to look into and get a better understanding of if you want to continue learning the basics:* Flags & Switches* Package management* Logs* Processes I hope that this was very insightful for everyone and that I sparked some interest in folks to invest some time in getting to know Linux a bit deeper ✌🏾.If you want to keep up with my work or want to connect as peers, check out my social links below and give me a follow!* 🦋 Bluesky* 📸 Instagram* ▶️ Youtube* 💻 Github* 👾 Discord Get full access to Digital Dopamine at digitaldopaminellc.substack.com/subscribe

Blockchain and Tokenization Popularity BoomTokenization has become one of the new buzzwords in the world of finance. Your 401(k) may already be invested in assets you've never heard of, through technology you don't understand — and the people making those decisions didn't ask your permission.There are a lot of people who barely know much about blockchain, and it’s been around even before cryptocurrency was a thing, and tokenization is just an extension of digital assets. So I feel like I should go over both just a bit.BlockchainA blockchain is a digital ledger, which is a record-keeping system, that stores information across a network of computers rather than in a single centralized location. Think of it as a shared spreadsheet that thousands of computers maintain simultaneously, where every entry is permanent, time-stamped, and visible to participants on the network.Some key features and benefits are:* Decentralization: No single institution (no bank, no government, no company) controls the ledger. It’s maintained by a distributed network of computers (called “nodes”).* Immutability: Once a transaction is recorded, it cannot be altered or deleted. Every entry is cryptographically linked to the one before it, forming a “chain” of “blocks” — hence the name.* Transparency: On public blockchains, every transaction is visible to anyone who looks. This is a feature for accountability, but also a concern for privacy, since financial activity becomes traceable.* Smart contracts: Blockchains can execute automated agreements — code that says “if X happens, then do Y.” For example, a smart contract could automatically distribute rental income to token holders every month without a human intermediary.TokenizationTokenization is the process of creating a digital token on a blockchain that represents ownership of real-world assets like real estate, art, or stocks, as well as intangible assets such as intellectual property or voting rights. Tokenization enables easier asset transfers, ownership verification, and fractional ownership. Imagine a commercial building worth $10 million. Traditionally, you'd need millions of dollars and a team of lawyers to buy it. With tokenization, the building's ownership can be divided into 10 million tokens worth $1 each. An investor could buy 100 tokens for $100 and own a tiny fraction of that building, receiving proportional rental income and being able to sell those tokens on a digital marketplace. Now this may sound like a scenario where the average Jamal has a seat at the big dawg table, but that fractional piece of ownership will never outweigh the millions or billions of dollars the elite will put in all at once, maybe even taking ownership of all available tokens for that digital asset themselves.How Tokenization Connects Real-World Assets to the BlockchainLet’s cover a bit on exactly how Tokenization Connects Real-World Assets to the Blockchain:* The asset exists in the real world — a piece of real estate, a corporate loan, a Treasury bond, shares in an ETF, etc.* A legal structure is created that ties the digital token to legal ownership rights over that asset. This is the critical (and often fragile) link, because the token is only as good as the legal framework backing it.* Tokens are then issued on a blockchain, where they can be bought, sold, held, or used as collateral — 24 hours a day, across borders, without traditional intermediaries like brokers or clearinghouses. But this presents its own issues with cyber criminals and hacking.* Last but not least, Smart contracts automate functions like interest payments, dividend distributions, compliance checks, and transfer restrictions.But what is being tokenized right now, you ask?* U.S. Treasuries and money market funds (~$12 billion tokenized) — led by BlackRock’s BUIDL fund and J.P. Morgan’s MONY fund* Private credit (~$9 billion tokenized) — corporate loans that were traditionally opaque and illiquid* Real estate — commercial and residential properties fractionalized for smaller investors* Commodities — tokenized gold and trade receivables* ETFs and fund shares — increasingly being explored for on-chain issuanceWho Is Leading The Financial Tokenization ChargeLike I just mentioned, tokenization converts ownership of physical or financial assets into digital tokens on a blockchain (real estate, loans, Treasury bonds, ETFs), and we have big players like BlackRock, J.P. Morgan, Goldman Sachs, Franklin Templeton, and Apollo Global Management, leading the charge. The tokenized real-world asset market surpassed a staggering $26 billion by early 2026, which is a fourfold increase from early 2025, with private credit and U.S. Treasuries dominating.The Private Credit Problem Large lenders, including BlackRock, Blue Owl, and J.P. Morgan, have restricted investor withdrawals from private credit funds amid rising interest rates and borrower distress. Businesses that took on these loans are struggling to service their debt, and what most people don’t know is that tokenization is being positioned as a solution. The plan is to create secondary markets for these illiquid loans, fractionalize them, and potentially offload the risk to a broader pool of investors. Some might call this a genuine innovation in the digital landscape of finance, but I call it transferring risk from institutional balance sheets to less sophisticated investors. The private credit market is sitting at a staggering $3 trillion, and investors want out, which could cause major ripple effects in the broader markets. Now I can go deep into a rabbit hole on the issues in the private credit market alone, but let’s stick to our focus on the tokenization of all these connected issues.The 401(k) PipelineBack in August 2025, President Trump signed an executive order directing the Department of Labor to open 401(k) plans to alternative investments, including private equity, private credit, and digital assets. Essentially, just giving America’s $13.9 trillion in defined-contribution retirement plans to private-asset giants like Apollo, Blackstone, and BlackRock. Target Date Funds — where most workers’ 401(k) money sits by default — were designed for daily liquidity, transparency, and public markets. They were never built to house illiquid private equity or gated real estate. As one longtime fiduciary advisor put it: “This quiet push isn’t democratization. It’s risk transfer.”And a lot of workers typically have little or no say in how their plan providers allocate funds. The risks are substantial on multiple fronts: * You have higher fees than traditional index funds. * Your money is locked up for years. * It’s less transparent in terms of knowing which companies took out these risky loans.* And there’s no guarantee of performance.Legal experts warn that many plan committees lack the expertise to evaluate private market investments, and attorneys are already watching for ERISA fiduciary violations — ERISA being the 1974 federal law specifically designed to protect workers in retirement plans like these.The Security Problem No One Wants to Talk AboutTokenization’s promise depends entirely on the security of the systems holding these assets. And right now, those systems are under siege from every direction — nation-states, organized crime, AI-powered scam operations, and even physical violence.State-Sponsored Theft: The North Korea ProblemNorth Korean hackers, operating under the umbrella group known as Lazarus Group, stole $2.02 billion in cryptocurrency in 2025 alone — a 51% increase from the prior year and their all-time record. Their cumulative total now exceeds $6.75 billion. The single largest heist was the February 2025 Bybit hack: $1.5 billion in Ethereum stolen by compromising a third-party wallet provider’s developer through social engineering. The FBI formally attributed the attack to North Korea’s TraderTraitor unit.What makes this especially relevant to tokenization is that these hackers aren’t breaking the blockchain itself. They’re targeting the human and operational layers around it — the developers, the wallet software, and the interfaces people actually use. When real-world assets like Treasury bonds, real estate, and private credit are tokenized and held in similar infrastructure, the attack surface for nation-state hackers grows enormously. We’re no longer talking about stolen cryptocurrency; we’re talking about the potential theft or manipulation of tokenized deeds, loan obligations, and retirement fund shares.North Korea is the only country in the world known to use state-sponsored hacking primarily for financial gain, and the proceeds fund its nuclear and missile programs. A senior Biden administration official estimated that roughly 50% of North Korea’s foreign-currency earnings come from cybercrime. Now, just think about your 401(k) assets becoming tokenized on the same kind of infrastructure these hackers are already systematically exploiting; the risk is no longer theoretical.The AI-Powered Fraud ExplosionAI is becoming embedded in everything and is becoming more of a security risk for our everyday lives today, without even considering tokenization. Crypto scam losses hit an estimated $17 billion in 2025, according to Chainalysis. These AI-powered scams — using deepfake video calls, cloned executive voices, and automated social engineering — extracted 4.5 times more money than traditional scams. Impersonation scams surged 1,400% year over year. One investor lost $284 million in a single phishing attack after scammers impersonated hardware wallet support staff.As tokenized assets become more mainstream, these same techniques will be weaponized against retail investors, plan administrators, and the platforms managing tokenized 401(k) assets. Imagine AI-generated deepfakes impersonating your retirement plan administrator, or phishing campaigns targeting the custodians holding tokenized private credit. The technology for these attacks already exists and is being used at industrial scale.Physical Violence: “Wrench Attacks”Here’s one most people don’t think about. As crypto values have risen and adoption has spread, criminals have increasingly turned to physical violence to steal digital assets. In 2025, verified physical attacks on crypto holders surged 75% year over year — kidnappings, home invasions, armed robbery, even torture. In one Canadian case, a family was held hostage overnight, waterboarded, and sexually assaulted for their Bitcoin. In France, the co-founder of crypto wallet company Ledger had his finger severed by kidnappers demanding ransom. A crypto entrepreneur and his wife were murdered in the UAE during a staged business meeting.These aren’t isolated incidents. Security firm TRM Labs documented roughly 60 reported physical assaults on crypto holders in 2025, and the actual number is likely significantly higher since many go unreported. Organized crime groups are outsourcing the violence to local gangs, and it’s not just the crypto millionaires but teachers, construction workers, and firefighters — anyone whose crypto holdings become visible.As tokenization expands and more people hold digital representations of real-world assets, the risk of physical targeting will grow alongside it. KYC databases that link real identities to wallet addresses, crypto ATMs, and regulated exchange accounts all create new vulnerabilities if breached.The Quantum Computing HorizonAnother area we need to consider is quantum computing. Current blockchain security depends on mathematical problems that are impossible for today’s computers to solve. A sufficiently powerful quantum computer could theoretically derive private keys from public keys, enabling signature forgery and asset theft.Blockchain developers are working on post-quantum cryptography, and NIST has already standardized new signature schemes. But the transition will be slow and complex, and tokenized assets sitting on blockchains that haven’t migrated to quantum-resistant cryptography will be vulnerable. An IBM study estimated that quantum computing could compromise up to 40% of current cryptographic systems without preparation.The Institutional Trust GapA recent survey of asset managers found that nearly half (48%) who don’t yet offer tokenized funds ranked cybersecurity resilience as their single top concern. Among asset owners, 63% selected cybersecurity as one of their most important criteria for choosing a tokenized services provider.The fundamental tension: blockchain’s immutability — the very feature that makes it trustworthy — becomes a liability when a breach occurs. Unlike in traditional finance, reversing or correcting a fraudulent transaction on a blockchain is far more complex, and in many cases, impossible. A bad loan on paper can be restructured. A stolen token is usually gone for good.If the financial industry is going to tokenize trillions of dollars in assets — including the retirement savings of millions of ordinary workers — the security infrastructure needs to be built to a standard that doesn’t yet exist. And until it does, every tokenized asset sitting on these systems carries a risk that most investors will never be told about.The Dollar, Stablecoins, and The Debt QuestionStablecoins and the GENIUS ActNow that leads us to discuss the broader monetary backdrop and the huge issue with our national debt. President Trump banned federal CBDC development in January 2025, but the administration simultaneously championed private stablecoins via the GENIUS Act, signed into law in July 2025. Stablecoins are private digital currencies pegged to the dollar and typically backed by U.S. Treasuries and, in some cases, commodities — they've surged to a $312 billion market. Let's not forget, Trump called Bitcoin 'a scam' and 'a disaster waiting to happen' on national television in 2021. He said crypto was 'based on thin air.' Then, once he realized there was money to be made — NFTs in 2022, $1 million+ in Ethereum by 2024, and a $TRUMP meme coin in January 2025 — he did a complete 180 and declared himself the 'crypto president.' So when this same administration bans a government-issued digital dollar while signing the GENIUS Act to hand the digital payments infrastructure to private stablecoin companies, you have to ask: who is this really for? That's a rhetorical question — we know who it's for: the elite and billionaires of this country. The ban was framed as protecting Americans from government surveillance. But the practical effect is that the dollar is going digital regardless — the only question is whether public accountability or private profit drives it. Just to be clear, scammers are in most industries, and crypto is not a special place where only scammers benefit. There are good actors and great technology + services within the industry that have been overshadowed by scammers for quite some time.We also have to understand that the dollar is getting weaker and weaker as our debt grows. Folks want to act as if dollar dominance will last forever, but we need to give up that pipe dream. Empires don’t last forever, especially when the people who control the money and legislation creation continue to exploit anyone who isn’t in the top 1% of wealthy individuals. Capitalism is, in a lot of ways, cannibalistic. It’s also worth noting that the Senate voted 89-10 this month, March 2026, to extend that ban on a government-issued digital dollar through at least 2030. However, Washington is still backing private stablecoins, and the ban extension, which was included in the “ROAD to Housing Act” bill, is still not signed into law. So no one knows if the extension will become a reality.The Dollar and the Debt Problem39 trillion dollars……We just surpassed 39 trillion dollars in national debt, and our interest payments are 900 billion a year, and we the taxpayers, are footing that ginormous. The strategic logic is clear as day: widespread stablecoin adoption creates artificial demand for U.S. Treasury securities, helping the government service its enormous national debt by pushing borrowing costs down. Stephen Miran, a former top economic adviser to Trump and now a Federal Reserve committee member, has argued stablecoins could lower interest rates by as much as 0.4 percentage points. But critics argue this amounts to privatizing the monetary system — handing the infrastructure of digital payments to private companies (like Tether and Circle) that face far less oversight than banks, while creating a parallel financial layer where instability could cascade into the real economy.Leading economist Adam Posen of the Peterson Institute has warned that he is “fundamentally very worried about financial stability in the United States,” citing stablecoin issuers’ insufficient regulation, potential cross-selling of risky crypto products, and the danger of a run if trust collapses. The dollar fell 9% in 2025 — its worst year since 2017 — driven by Fed rate cuts, tariff chaos, and broader uncertainty about U.S. economic management. If stablecoins or tokenized products destabilize, the ripple effects could reach the savings and retirement accounts of millions who never chose to be exposed to these instruments. Whether through a CBDC or stablecoins, the risk to savers is similar: if the underlying monetary system is being restructured to service national debt rather than protect purchasing power, the people holding dollars — in savings accounts, in 401(k)s, in paychecks — are the ones who absorb the cost.The Average Person/Investor Gets Left Holding The BagI wanna be annoyingly clear about this: The people most at risk are those least involved in the decision-making. Workers whose 401(k) providers quietly allocate their retirement savings into private credit and alternative assets without meaningful disclosure, and savers whose purchasing power deteriorates as the dollar weakens and monetary policy contorts to service national debt. I mean, who the hell reads crypto whitepapers other than nerds like me? And even I have only read a few of them; S**t is overwhelming 😂. Your average Jamal doesn’t monitor blockchain ledgers; they just expect their retirement to be there when they need it or are ready to cash out.Why All of This Is Important to KnowThe promise of tokenization is real in theory: lower costs, faster settlement, broader access, and greater transparency. But the crucial issue is who benefits and who bears the risk. When major financial institutions tokenize their private credit portfolios, they gain liquidity and new distribution channels. When those tokenized products get funneled into workers’ 401(k)s through Target Date Funds, the risk is silently transferred to people who never asked for exposure to speculative, illiquid, complex assets — and who most likely won’t know they have it.Tokenization doesn’t eliminate the underlying risk of an asset. A bad loan is still a bad loan whether it’s on paper or on a blockchain. What tokenization does is make that loan easier to slice up, repackage, and sell to someone else. If this sounds familiar and worrisome, it should because it echoes the mortgage-backed securities that fueled the 2008 financial crisis, where complex instruments were distributed widely before anyone fully understood the risks embedded in them. The difference this time is that the packaging is digital, the plumbing is blockchain, and the people holding the bag may not even know what a token even is.If you want to keep up with my work or want to connect as peers, check out my social links below and give me a follow!* 🦋 Bluesky* 📸 Instagram* ▶️ Youtube* 💻 Github* 👾 Discord Get full access to Digital Dopamine at digitaldopaminellc.substack.com/subscribe

So What Is the Coruna Exploit?The Coruna iOS exploit framework is a new and powerful exploit kit targeting Apple iPhone models running iOS 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). It was identified by Google Threat Intelligence Group (GTIG) and iVerify. The exploit contained five full iOS exploit chains and a total of 23 exploits. The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses.GTIG has been tracking this exploit since 2025, and at first, that threw me off a bit. Like, you mean to tell me this has just been out in the wild for a whole year without any major reporting on it? But that’s exactly what they do. There’s another report from 08-29-2024 from Google that states, “Today, we’re sharing that Google’s Threat Analysis Group (TAG) observed multiple in-the-wild exploit campaigns, between November 2023 and July 2024, delivered from a watering hole attack on Mongolian government websites.” Now I’m still new to cyber security and threat intelligence, so I don’t know if there are procedures around exploit discovery that require monitoring to understand them. To be honest, that kinda makes sense as I say it out loud, so maybe there’s some truth to that assumption. But these specific campaigns first delivered an iOS WebKit exploit affecting iOS versions older than 16.6.1 and then, later, a Chrome exploit chain against Android users running versions from m121 to m123. These were n-day exploits for which patches were available, but would still be effective against unpatched devices. They assessed that, “with moderate confidence, the campaigns were linked to the Russian government-backed actor APT29”.This leads me back to the Coruna exploit, because it seems like security vendors that are goverment backed have increasingly become more and more careless with who they sell the exploits to. That’s right folks, commercial spyware is sold to the government and other brokers. And it’s becoming more common that once spyware or an exploit capability is sold, control over the end customer is lost. Brokers can’t be trusted with these capabilities, and business-to-business transactions over the spyware market are highly unregulated. Now, this lack of control helped launch discussions about responsible use of spyware and aligning on a formal voluntary framework for its use called the Pall Mall Process. But those discussions are ongoing, and the economic pressures for spyware companies to return a profit mean these tools are being sold to a broader array of organizations. Some things just should’t be based on the constant need for a return on investment, and at the end of the day, Capitalism is to blame for this industry getting sloppy with its handling of exploits.Google is actually more on the forefront of reporting the slippery slope we are in when it comes to the unchecked commercial surveillance industry, and there is a great report you can read here → “Buying Spying”. I highly recommend the read regardless of your interest in CS, because whether you like it or not, these leaks or unethical sales of spyware affect all of us. So I want to elaborate on the definition of these attacks and exploits.0-day ExploitsA 0-day is a vulnerability or security hole in a computer system unknown to its developers or anyone capable of mitigating it. Until the vulnerability is remedied, threat actors can exploit it in a zero-day exploit or zero-day attack.The term "zero-day" originally referred to the number of days since a new piece of software was released to the public, so "zero-day software" was obtained by hacking into a developer's computer before release. Eventually, the term was applied to the vulnerabilities that allowed this hacking, and to the number of days that the vendor has had to fix them. Vendors who discover the vulnerability may create patches or advise workarounds to mitigate it, though users need to deploy that mitigation to eliminate the vulnerability in their systems. Zero-day attacks are severe threats.Watering Hole Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization's users frequently use and then uses one or more of the websites to distribute malware. Eventually, some member(s) of the targeted users will become infected. Attackers looking for specific information may only target users coming from a specific IP address. This also makes the attacks harder to detect and research. The name is derived from a strategy of predators in the natural world, who wait for an opportunity to attack their prey near watering holes. The attack strategy was named in an RSA blog in 2012.These are just 2 of many different types of attacks and exploits that threat actors use to gain confidential information or credentials from their targets. If you’re interested in learning about more common attacks, you can check out this article from Fortinet → https://www.fortinet.com/resources/cyberglossary/types-of-cyber-attacks, where they go over the 20 most common attacks and exploits.Initial Discovery: The Commercial Surveillance Vendor RoleIn February 2025, GTIG captured parts of an iOS exploit chain used by a customer of a surveillance company. The exploits were integrated into a previously unseen JavaScript framework that used simple but unique JavaScript obfuscation techniques.The framework starts a fingerprinting module, collecting a variety of data points to determine if the device is real and what specific iPhone model and iOS software version it is running. Based on the collected data, it loads the appropriate WebKit remote code execution (RCE) exploit, followed by a pointer authentication code (PAC) bypass as seen in Figure 2 from the deobfuscated JavaScript.At that time, GTIG recovered the WebKit RCE delivered to a device running iOS 17.2 and determined it was CVE-2024-23222, a vulnerability previously identified as a zero-day that was addressed by Apple on Jan. 22, 2024 in iOS 17.3 without crediting any external researchers. The image below shows the beginning of the RCE exploit, exactly how it was delivered in-the-wild with GTIG’s annotations.I’m gonna throw in a shameless plug from my Hack w/ Me Episode 2: Search Skills:Because I used one of the specialized databases I learned about, the Common Vulnerabilities and Exposures (CVE) database, to pull up the record of this exploit. As previously mentioned, the record is CVE-2024-23222, and as you can see below, this exploit was fixed with the iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, and tvOS 17.3 updates.The last update on the record states 2024-06-12, so I’m not sure if that is when the OS updates came out or if that was the last fix forward from the initial releases of the OS patches. Either way, most people I can assume are safe from this attack moving forward. But there are apparently still many users within the US and outside of the country who still have an older OS version, for one reason or another.The Coruna Exploit Kit is In The WildThis is a huge issue, and the fact that these exploits that are being funded by and built for government entities should be concerning to all of us. Google’s report doesn’t explicitly mention the original CSV customer that deployed Coruna, but iVerify, which also analyzed a version of Coruna it obtained from one of the infected Chinese sites, suggests the code may well have started life as a hacking kit built for or purchased by the US government. Google and iVerify both note that Coruna contains multiple components previously used in a hacking operation known as “Triangulation” that was discovered targeting Russian cybersecurity firm Kaspersky in 2023, which the Russian government claimed was the work of the NSA. The US government didn’t respond to Russia’s claim and you can be damn sure that if they DIDN’T have any involvement in “Triangulation”, they would make it known.iVerify also noted that the code appears to have been originally written by English-speaking coders, saying “It's highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the US government." Adding, “This is the first example we’ve seen of very likely US government tools—based on what the code is telling us—spinning out of control and being used by both our adversaries and cybercriminal groups.”So here we are again, another extremely sophisticated exploit, leaked by the US government. I say another because this isn’t the first time this has happened. Back in 2017, EternalBlue was a Windows-hacking tool stolen from the NSA (National Security Agency) and leaked to the world, leading to its use in catastrophic cyberattacks, including North Korea's WannaCry worm and Russia's NotPetya attack. We can most certainly expect something of the same caliber to be developed and deployed over the next couple of years. Even Google stated, “Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be reused and modified with newly identified vulnerabilities.”The loosely regulated industry is a problem within itself. iVerify’s cofounder, Rocky Cole, points to the industry of brokers that may pay tens of millions of dollars for zero-day hacking techniques that they can resell for espionage, cybercrime, or cyberwar. Notably, Peter Williams, an executive of US government contractor Trenchant, was recently sentenced to seven years in prison for selling hacking tools to the Russian zero-day broker Operation Zero from 2022 to 2025. Williams’ sentencing memo notes that Trenchant sold hacking tools to the US intelligence community as well as others in the “Five Eyes” group of English-speaking governments—the US, UK, Australia, Canada, and New Zealand. So they are just double-dipping in contracts and reselling these dangerous toolkits to whoever is willing to shell out the money for them. You can imagine how slippery this slope can actually get.Spyware Kill Chains ExplainedHere is a good explanation of what exploit chains are and the reason these are the main ways an attacker tries to succeed with their spyware.As the security design of devices has progressed, attackers have to use exploit chains rather than a singular exploit to remotely install spyware onto a target’s device. An exploit chain is made up of several exploits “chained” or linked together, and often includes three or four different 0-day exploits. Generally, the exploits fall into three types: initial remote code execution (RCE), sandbox escape (SBX), and local privilege escalation (LPE). Information leaks are sometimes used to help with the exploitation within the chain as well. For spyware to be successful, it has to gather data without alerting the user. Government customers want to gather data from a user’s device, such as reading messages on their phone or accessing their browser history. However, by design, a single application on a mobile device does not have the privileges needed to access all other applications or data on the device. Each application requires the user to explicitly grant permission to access data, otherwise any downloaded game would be able to access all messages or even the browser history of the device. This barrier between applications is referred to as a sandbox. An application requesting permission to access data could alert the users to unusual activity, and possibly reveal the presence of the spyware. Instead, CSVs have to exploit vulnerabilities in the device to break out of sandboxes and gain additional privileges. Technology companies have added additional layers of security to increase the difficulty of exploitation. Installing spyware and accessing all the data on a device requires the highest level of privilege, referred to as “root privilege”. Exploit chains often contain local privilege exploits to gain the root privilege needed to install the spyware and access the users’ data. Below is a good visualization of how exploit chains/spyware kill chains work from top to bottom.ConclusionI highly recommend reading both Google’s published article & iVerify’s published article about this mass iOS exploit. Google, in particular, goes into the technical detail of all of the used exploits in this particular exploit chain and how it works exactly. It isn’t understated that the framework surrounding the exploit kit is extremely well-engineered; the exploit pieces are all connected naturally and combined together using common utility and exploitation frameworks. They dissect the kit and explain all the unique actions it performs from start to finish. This article was just to explain the issue at hand and the exploit that got out of hand. Hopefully, we don’t have to experience another WannaCry catatrophe but from how it’s looking, we most likely need to prepare for the worst.If you want to keep up with my work or want to connect as peers, check out my social links below and give me a follow!* 🦋 Bluesky* 📸 Instagram* ▶️ Youtube* 💻 Github* 👾 Discord Get full access to Digital Dopamine at digitaldopaminellc.substack.com/subscribe

IntroSup folks! Today, we will be discussing what was learned after finishing the Search Skills room in TryHackMe. Honestly, I went into this room thinking, “This is gonna be a bunch of filler that I already know, I should just skim through it.” But I quickly realized that there were plenty of VERY useful tips, tricks, and resources that I never knew. So with that, here’s a quick overview of the learning material within this room:* Evaluation of information sources* The use of search engines efficiently* Exploring specialized search engines * Reading technical documentation* Making use of social media* Checking news outletsMost of these topics are things I do regularly, especially reading technical documentation, considering that’s a required skill as a software engineer. But others, like the use of specialized search engines, were topics I’ve never really touched (or maybe I have in the past and didn’t realize it). Even some of the tips and tricks with search queries for the typical search engines like Google or DuckDuckGo were new to me, so I definitely learned a good amount from this section, aka “room”. I’ll try to make this article a quick read and sum up everything I went over and learned.Evaluation of Search ResultsFor this task, we just went over how to effectively evaluate the information we ingest from our searches. Here are a handful of things to consider when evaluating information:* Source: Identify the author or organization publishing the information. Consider whether they are reputable and authoritative on the subject matter. Publishing a blog post does not make one an authority on the subject.* Evidence and reasoning: Check whether the claims are backed by credible evidence and logical reasoning. We are seeking hard facts and solid arguments.* Objectivity and bias: Evaluate whether the information is presented impartially and rationally, reflecting multiple perspectives. We are not interested in authors pushing shady agendas, whether to promote a product or attack a rival.* Corroboration and consistency: Validate the presented information by corroboration from multiple independent sources. Check whether multiple reliable and reputable sources agree on the central claimSearch EnginesMost people reading this will be familiar with Google or Bing, and some will be keen on DuckDuckGo, like myself. However, I found out about the many search operators that you can use to refine your search results. Each browser has its own set of operators, and some do overlap. It’s not isolated only to browsers either; many operating systems have their own subset of search operators as well. Here is a GitHub repo that has collected a ton of direct links to platform documentation of their respective search operators → https://github.com/cipher387/Advanced-search-operators-list.Since I use DuckDuckGo, let’s take a peek at a screenshot of that one:Here, you can see a variety of search operators that may come in handy for searching for specific items. One I find particularly useful is the filetype parameter. This will be extremely useful when trying to search for research papers and whitepapers. This actually partially disproves a statement I made in my latest article/podcast, which was that search queries these days were starting to produce less and less valuable results. Now that I’m no longer ingnorant to more advanced ways to search for information, I might be able to limit the trash articles I get in my queries 😅. I encourage people to play around with some of these search operators and confirm if your results are more refined and useful for what you’re searching for.Specialized Search EnginesCompleting this task was my “oh, word?!” moment when completing the room. There are SO many very specific search engines that provide fantastic information and context depending on what you’re looking for. I find that this is more useful for IT and Cyber Security engineers/enthusiasts, though. The example engines presented seem to be focused that way, at least. The first one we cover is Shodan.ShodanShodan is a search engine for devices connected to the Internet. It allows you to search for specific types and versions of servers, networking equipment, industrial control systems, and IoT devices. For example, you may want to see how many servers are still running Apache 2.4.1 and the distribution across countries. To find the answer, we can search for apache 2.4.1, which will return the list of servers with the string “apache 2.4.1” in their headers.CensysNext up is Cynsys. Cynsys is similar to Shodan but focuses on Internet-connected hosts, websites, certificates, and other Internet assets. Some of its use cases include enumerating domains in use, auditing open ports and services, and discovering rogue assets within a network. They have a good doc on Introductory Use Cases that’s worth checking out. Some key use cases are:* Investigate indicators of compromise (IoCs): Find and track threat actors on the internet via the infrastructure they set up.* Enrich internal threat feeds with host and certificate data: Augment network logs with the most accurate, up-to-date public profile of the entities within and connecting to your network.* Create a timeline of adversary infrastructure: Investigate how and when an adversary weaponized infrastructure. See the history of a compromised or suspicious host.* Understand the global impact of vulnerabilities across the Internet: Conduct security research to understand the global impact of vulnerabilities across the Internet from CVEs to zero-days like SolarWinds or Microsoft Exchange.* Map your external attack surface: Investigate and view your attack surface from an external perspective by finding your Internet-facing assets and evaluating them for vulnerabilities.The Introductory Use Cases doc goes into deeper detail of the key use cases with some examples as well, but I won’t go over that in this article. I’m sure we will be utilizing this tool in the future for assignments.VirusTotalVirusTotal is a website that provides a virus-scanning service for files using multiple antivirus engines. It allows users to upload files or provide URLs to scan them against numerous antivirus engines and website scanners in a single operation. They can even input file hashes to check the results of previously uploaded files.The screenshot above shows the result of checking the submitted file against 67 antivirus engines. Moreover, one can check the community's comments for additional insights. From time to time, a file might be flagged as a virus or a Trojan; however, this might not be accurate for various reasons, and that's when community members can provide a more in-depth explanation.Have I Been PwnedLast but certainly not least, is “Have I Been Pwned” (HIBP). HIBP does one thing: it tells you if an email address has appeared in a leaked data breach. I’ve used this a couple of times over the past couple of years due to the increased data breach reports that have been sprouting up with apps I used, like Discord and the National Data Breach that exposed 3 BILLION PEOPLE!!Finding one’s email within leaked data indicates leaked private information and, more importantly, passwords. Many users use the same password across multiple platforms; if one platform is breached, their password on other platforms is also exposed. So please, for the love of god start using a password generator and manager lol. While passwords are usually stored in an encrypted format, many passwords are not that complex and can be recovered using a variety of attacks.Vulnerabilities & ExploitsThis task was pretty damn cool. We went over 2 main tools/databases: The Common Vulnerabilities and Exposures (CVE) program and the Exploit Database.Common Vulnerabilities and Exposures (CVE)It’s said to think of CVE as a dictionary of vulnerabilities. It provides a standardized identifier for vulnerabilities and security issues in software and hardware products. Each vulnerability is assigned a CVE ID with a standardized format like CVE-2024-29988. This unique identifier (CVE ID) ensures that everyone from security researchers to vendors and IT professionals is referring to the same vulnerability, CVE-2024-29988 in this case. The MITRE Corporation maintains the CVE system. For more information and to search for existing CVEs, we can visit the CVE Program website. Alternatively, we can visit the National Vulnerability Database (NVD) website. The screenshot below shows CVE-2014-0160, also known as Heartbleed.The Heartbleed bug is a critical security vulnerability in the OpenSSL cryptographic software library that allows attackers to exploit improperly implemented TLS heartbeat functions to access sensitive data in memory, such as private keys and passwords. This vulnerability was publicly disclosed in April 2014 and has since been patched in newer versions of OpenSSL.Exploit DatabaseThere are many reasons why you would want to exploit a vulnerable application; one would be assessing a company’s security as part of its red team. Needless to say, we should not try to exploit a vulnerable system unless we are given permission, usually via a legally binding agreement.Once we have permission to exploit a vulnerable system *wink wink*, we might need to find a working exploit code. One resource is the Exploit Database. The Exploit Database lists exploit codes from various authors; some of these exploit codes are tested and marked as verified.Technical Documentation & Social MediaI want to combine these two tasks as they are pretty straightforwardTechnical DocsFrom coding languages & Framework docs like Python and Svelte to hardware ecosystem docs for Apple hardware, you will find well-organized documentation of its software or hardware. These official docs provide a reliable source of information about the software or product features and functions. These docs should be the first stop shop for getting started with new software or a new piece of hardware. You can typically expand what you learn within those docs by supplementing them with 3rd part resources if you need a different point of view in explaining what’s already in the official docs.Social MediaThere are billions of users registered on social media platforms such as Facebook, Twitter, and LinkedIn. At this point, it’s expected to be familiar with these popular platforms, and if you aren’t, I highly recommend you get up to speed. Ideally, one would want to explore a platform without creating an official account; however, this severely limits your experience with diving into the app. Instead, a recommendation is to use a temporary email address to learn about these platforms without linking them to your real email addresses; once done, you can terminate the accounts and associated email addresses. One reason for not using your primary account is that you don’t want your contacts to start connecting with you there when you are only temporarily exploring a platform.ConclusionThis lesson focused on the most common sources of information for cyber security professionals. There are plenty more. As the information landscape keeps changing, it is impossible to cover all the sources. However, by subscribing to relevant cyber security groups, you can stay ahead and be aware whenever new interesting sources arise.If you want to keep up with my work or want to connect as peers, check out my social links below and give me a follow!* 🦋 Bluesky* 📸 Instagram* ▶️ Youtube* 💻 Github* 👾 Discord Get full access to Digital Dopamine at digitaldopaminellc.substack.com/subscribe

Let's dive into how OpenAI and AI in general is hemorrhaging money, our environment, and the economy.Check out my Substack for the full video & full written article that contains all of the sources: https://open.substack.com/pub/digitaldopaminellc/p/open-season-on-openai-and-the-crumblingFollow Me on IG: https://www.instagram.com/digital_dopamine_llcPeep the Linktree for all other socials: https://linktr.ee/digital_dopamineIf YouTube is your preference for watching, catch me over there and give me a subscribe: https://www.youtube.com/@DigitalDopamineLLC Get full access to Digital Dopamine at digitaldopaminellc.substack.com/subscribe

Intro (2 minutes)[Music Intro] What’s up, folks, and welcome to the second episode of the Digital Dopamine podcast! One of these days, I’m gonna get a sponsor lol and have a quick standard intro for everyone. In due time, in due time 😂. But people who follow me on IG have already seen what today’s episode is gonna be about, and that’s the AT Protocol, or Authenticated Transfer Protocol, atproto. All names are used in the space of decentralized digital identities.Alright, so we will be covering:* What the AT Protocol is at a basic-intermediate level so that developers and, more importantly, non-devs can understand what it is and how it works.* The key features of the AT Protocol and its benefits.* The Challenges and Limitations of the AT Protocol as of today.* Why apps built on the architecture (Bluesky, Flashes, and Pinksky) are superior to centralized social apps like IG, TikTok, and X, and what is capable within those apps.* Discussing a bit about Fanbase and UpScrolled.* Then, ending the show with a new project I’m starting up related to these apps and content distribution.After more research on the core tech and architecture of Bluesky, there are some concerns that I actually learned about and will give my honest frustration with it, but they pale in comparison to the issues I have with the likes of IG, TikTok, and X, and I personally see more benefits of using these apps over the others. So let’s get right into it.Main StoryThe At Protocol Overview*Skip to minute 30:00 if you want to skip the technical deep dive*So I’ll just start with a quick definition of the AT Protocol: “is a protocol and open standard for distributed social networking services.[3] It is under development by Bluesky Social PBC, a public benefit corporation created as an independent research group within [Twitter, Inc.](https://en.wikipedia.org/wiki/Twitter,_Inc.) to investigate the possibility of decentralizing the service.[4]A distributed social network (not to be confused with a decentralized or federated social network) is a network wherein all participating social networking services can communicate with each other through a unified communication protocol, and all participants are equal.Okay, technical definitions are over. What is the purpose of switching, and why should you care? depending on what you’re looking for in your social apps and identity will determine if any of this is of interest to you. So far, monetization is the only frustrating challenge I see with these apps, and in a world where influencers are the biggest proponents for people who might want to switch. If they don’t have a way to make money on these new platforms, it’s gonna be hard to get people to transition. That being said, creators can take the extra step and use external revenue channels like Substack, Patreon, or Fanbase in order to generate income from the traffic they get through the platforms. But Bluesky IS planning to add revenue streams to the platform, like a tipping system as well as subscriptions in future feature releases, so hopefully that comes sooner than later. AT Protocol also doesn’t support private content yet. If you need a private account or encrypted DMs, this isn’t your platform yet. But it’s coming. For public discourse and community building, it’s great.Now this next section is about to get a bit technical and into the weeds so if any of this starts to confuse you or you don’t really care about the good and the bad of the protocol, I’ll try to have a timestamp of where you can skip to and we talk about the apps that stand to be a 1:1 alternative and what they offer.AT Protocol’s Key FeaturesThe “Speech vs. Reach” FrameworkSo the core concept of apps built on ATP is “Speech vs. Reach”. This is the heart of what makes AT Protocol different, and it’s the fundamental architectural philosophy of its creation.AT Protocol deliberately separates two layers: “speech” and “reach” and explains both in detail.* Speech Layer = permissive, distributed authority. It’s the data repository level where everyone has a voice. Your posts, data, and identity are all stored in signed repositories that you control.* Reach Layer = moderation and algorithmic curation. This is where platforms decide what you see. It’s about limiting the visibility/reach of content based on preferences, algorithms, moderation policies, etc.You are basically able to curate what you see on your feed without a central algorithm showing you what it thinks you might like, or force-feeding you rage bait or thirst traps because it tracked how long you paused on the “Suggested Reels” section…Which, for some reason, always has something you’ve clearly stated “See Less” or “Not Interested” multiple times.You’re able to literally choose moderation services and custom feed algorithms built by community developers. For instance, I have a handful of coding feed algorithms I’ve subscribed to, and my feed rarely shows posts that I wasn’t interested in. IfIi start to see a trend in the wrong direction, I can search for a new algorithm to swap to OR use none if my followers and likes are vast enough for the standard algorithm to know what I actually like. And for context, there are over 50,000 custom feeds that exist on Bluesky. So there’s bound to be a feed that fits your preferences.Moderation DiveTo dive a bit deeper, Bluesky uses a two-tier moderation system: baseline protections (violence, exploitation, fraud) that everyone follows, then user choice on top.What this means: Bluesky maintains community standards, but you decide which additional moderation filters you subscribe to. Community-run labelers create custom labels (”Spoilers,” “Political Content,” etc.), and you choose which ones affect what you see.This is fundamentally different from Instagram, X, and TikTok:* Instagram bans you with no explanation or appeal* X’s moderation is inconsistent and unilateral under Musk* TikTok’s algorithm removes content opaquelyBluesky gives you transparency—you know why you were flagged, can appeal, and can choose your own moderation standards.The key insight: Moderation is part of the “reach” layer (who sees what), not the “speech” layer (whether content exists). This means if you block someone on one AT Protocol app, that block carries across all apps. Your moderation rules work at the protocol level, not just one platform.You’re not at the mercy of one company’s moderation philosophy, and you set your own standards.DIDs (Decentralized Identifiers)Another awesome feature is DID, or Decentralized Identifiers. Instead of your identity being @username.instagram.com, which is tied to Meta’s servers, your identity on AT Protocol is a cryptographic DID that looks like a hash. Example: did:plc:7iza6de2dwap2sbkpav7c6c6 I’ll explain did:plc a bit later.This DID can have multiple human-readable handles (@alice.example.com, @alice.bsky.social), but the DID stays the same and is portable.And I think this is one of the most, if not THE most important features within this ecosystem. And that’s the fact that you can’t get banned or straight-up deleted from the devs/company that built the app.With Instagram, your account exists at the pleasure of Meta. And we have seen how they’ve been moving on IG recently. I’ve experienced it myself, and I’m a nobody on that platform lol. If they ban you, you lose everything—followers, posts, history, pretty much your whole digital identity.With AT Protocol, your DID (your actual identity) is cryptographically yours. Your posts are signed by you. If Bluesky shuts down, you move to another AT Protocol app and bring everything with you: all followers see your posts, your history is intact, and your identity persists.Now, how this works is:Your DID contains your public cryptographic keys, and your posts are signed with your private key. This means you can prove ownership of your account without asking permission from any company, and if it comes to it, you can migrate servers without the old server’s involvement.So imagine if a big name like IShowSpeed could leave Instagram, take 100% of his followers and posts him to Snapchat or TikTok (if they were on AT Protocol), and his username and followers would be transferred as well and they would still be able to verify it’s him AND he would still be able to have his own verified status come along too. That’s what the AT Protocol enables.So getting control and freedom of your digital identity would be a great thing for us as a society to do, in my opinion. But that leads us back to some of the major drawbacks and bottlenecks I discovered while researching this.The Challenges and LimitationsSo, currently, the most common DID method is did:plc “Public Ledger of Credential,” and Bluesky runs the single directory service that manages it. There’s no redundancy or independent backup, so if the directory goes down, critical network functions break. Which then raises the theoretical concern of you being banned at the protocol level by Bluesky if they really wanted to be petty 😩 cause that wouldn’t only ban you from Bluesky, it would ban your DID from all apps you’re using with DID. It also contradicts the whole decentralization narrative. But I’m not too concerned about this for a few reasons:* That would ruin the reputation of Bluesky and the Protocol they built,t which will encourage people to go back to the mainstream apps or switch to a different, more raw decentralized protocol, like Nostr. I won’t dive into Nostr, but I will leave links to the Wiki (https://en.wikipedia.org/wiki/Nostr), the white-paper it released in 2020 (https://fiatjaf.com/nostr.html), and it’s Github README (https://github.com/nostr-protocol/nostr/) in the script. Also. Very cool protocol, but not as feature-rich to build on as AT Protocol.* They are already taking steps to migrate away from this single point of failure by supporting the creation of an independent organization to operate the directory. The organization will set policies and rate-limits, hold any related intellectual property, and coordinate future evolution and development of the system. And it looks like this organization will be formed as a Swiss association, which is positive since Swiss law provides good protection for neutral, independent organizations. But this is still a single organization running a single directory. So we kinda get back to the same “single point of failure,” but don’t have to worry about the corrupt systems of America.* There is already an alternative to did:plc and that’s did:web . This is the best way to go if you are technically savvy and have the time and resources to set up your own PDS (Personal Data Server). did:web, is an alternative identity system that uses HTTPS and DNS instead of a central directory. To set this up, you’ll need to* Set up your own PDS (Personal Data Server)* Configure DNS records to point to your PDS* And if you started with did:plc, migrate your identity from did:plc to did:web (which would break your followers since you will technically get a new DID)Most people won’t go that route, and I don’t blame them.* Then there is Operation Log Verification. The did:plc registry has a global operation log API endpoint, which can be used to poll for identity updates. Apps can independently verify the entire operation log and rebuild their own cache of DID state. But again, if the directory goes down, you still can’t make new changes. You can just verify old ones.This is why we should watch AT Protocol’s progress on governance. If the independence handoff happens smoothly, that’s a strong signal they’re serious about decentralization. If it drags on indefinitely, then we might have been got.The App EcosystemMost AT Protocol apps are Bluesky clients, not independent services. They use Bluesky’s data firehose and serve the same data in different interfaces.Which includes 2/3 of the apps I’m gonna talk about. Those apps are:* Flashes (photo interface for Bluesky’s data),* Pinksky (another photo interface),Skylight, on the other hand, which is a video interface for Bluesky’s data/TikTok alternative, is a standalone app that isn’t dependent on Bluesky’s data firehose. But the drawback to that is, if your followers are not also using Skylight, they won’t see the post you publish via Bluesky. I’m sure they are working on a way to resolve that issue, but I didn’t find anything to support that. theory.BlueskyBluesky is the main course, the original and largest AT Protocol app with 36.5 million users.Bluesky is what Twitter could have been—a microblogging platform that prioritizes user control and community. Where X has become a megaphone for the wealthy and/or ignorant, and algorithmically optimized for engagement via rage bait or sexually explicit content.Bluesky gives you back the chronological timeline and lets you choose your algorithm. X is, without a doubt, bigger and more feature-rich with Spaces, Trending Topics, native scheduling, and monetization. If you need reach and advanced tools, X wins.But Bluesky is simpler and more intentional. It's growing rapidly, mainly with reputable journalists, creators, and politicians who are burned out from the chaos on X or, from a moral standpoint, don’t want to be involved with anything related to X or Elon.I find myself getting better reports from journalists and updates from campaigning politicians via Bluesky these days. Zohran Mamdani, Aaron Rupar, and Kat Abughazaleh are a few very respectable people who are regularly on Bluesky, and Kat has even completely separated from X.Most creators are not exclusively on Bluesky. They’re maintaining presence on both X and Bluesky, but posting with more frequency and energy on Bluesky.So folks are mainly playing both apps: major creators maintain presence on X for reach, but they’re investing emotional energy and engagement on Bluesky because it feels mentally healthier. That should be a good sign of more to come in terms of people hopping over.Flashes & Pinksky (Dual IG Alternative.)Flashes — Built by Sebastian Vogelsang and launched publicly at the end of February, Flashes grabbed 30,000 downloads in its first 24 hours as an Instagram alternative (TechCrunch). Users can upload up to four images or a video per post, with videos now supporting up to three-minute clips following a recent update (TechCrunch). Key differentiator: posts on Flashes appear on Bluesky and vice versa.Pinksky — Built by developer Ramon Souza and available on both iOS and Android, focusing mainly on photo-sharing with user profiles, a feed of photos and videos, and a Stories section TechCrunch. Similar to Flashes but with a slightly different UX philosophy. Both solve the same problem: Instagram users want a photo-first interface, not a Twitter clone.* Flashes: Portfolio mode, trending feeds, minimalist UI, part of Vogelsang’s app suite* Pinksky: Stories feature, chronological only, Instagram-familiar UI, standaloneIf you ask ‘which should I use?’—it depends. Pinksky if you want the Instagram feel. Flashes if you want the Instagram experience but with the flexibility and customization that comes from being built on an open protocol. But I just suggest using both since you can cross-post automatically within the two apps.SkylightUnlike Bluescreen, which is another Bluesky client app with limited TikTok-like features, Skylight is a true TikTok alternative that is standalone from Bluesky and does not depend on Bluesky’s data firehose. It’s got a bit of a longer developer timeline, but it’s had a good start so far. Albeit backed by the likes of Mark Cuban, the app is still open source, and the code is readily available for scrutiny if they start to veer to the wrong side of things. That being said, the app is pretty damn clean for how short a timeline it’s been in development, and if folks are looking for a decentralized alternative to TikTok, this is it!Founders Tori White and Reed Harmeyer were inspired to create Skylight when they first heard that TikTok was getting banned in the U.S. White, who used to be a travel influencer and is now a self-taught software developer living in Seattle, had backed up her TikTok videos but worried about losing access to her community and comments.So, White began documenting Skylight’s development on TikTok, which helped bring exposure to the product and build a following of potentially interested users, and her @buildwithtori TikTok profile has nearly 50,000 followers.Skylight proves you can build a full-featured alternative to TikTok on AT Protocol without being limited by a single company’s infrastructure decisions. By leveraging the AT Protocol, Skylight is nearly impossible to ban or shut down — a significant advantage as regulators around the world scrutinize centralized platforms.Bluescreen vs Skylight:* Bluescreen: Bluesky client, uses Bluesky’s firehose, 1-minute video limit, dependent on Bluesky* Skylight: Standalone app, own video infrastructure, 3-minute videos, independentPostKit - Creating My Own Distribution ToolSo for the content creators out there, once I’m building up to be at this point, there are plenty of tools that you can use to manage the social profiles that help you ship them all in one go. None of these tools is free, though, and they all fall back onto a centralized server controlled by a company whose main goal is to make its shareholders money. That’s why I’ve decided for my next project, I’m going to build my own synchronous distribution tool 😄.PostKit will be a tool built with Python for synchronous content distribution across multiple AT Protocol-based platforms, as well as Substack. Once I get it working i plan to extend it to also publish to Fanbase and UpScrolled. Unlike the AT Protocol apps, these are easier alternatives to switch to as they offer the monetization solutions for creators, well, Fanbase does at least. UpScrolled is just a more privacy-focused IG replacement for those who don’t want to make the jump into the ATP apps.In phase 1, I’m building PostKit to solve a real AT Protocol creator problem: managing content across a decentralized ecosystem. Instead of post-and-pray hoping your followers see you everywhere, PostKit lets creators schedule and distribute content intelligently across Bluesky, Flashes/Pinksky, and Skylight from one dashboard. It’s coming soon and will be open source.Then, in phase 2, I’ll be expanding beyond AT Protocol. We’re adding Fanbase—which has immediate monetization—and UpScrolled—which has private messaging and features AT Protocol doesn’t yet support.The creator economy is fragmenting. AT Protocol is great for reach and algorithmic choice. Fanbase is great for revenue. UpScrolled is great for privacy and DM-based community building. Instead of forcing creators to pick one, PostKit bridges all three. You’ll be able to write one post, optimize it for each platform, set monetization gates on Fanbase, schedule it across all three, and track performance in one dashboard. That’s infrastructure for the decentralized creator economy.I’ll briefly touch on both of these apps, but will link their web pages in the script for more context if you need.FanbaseFanbase is a next-generation social creator hub that allows any user to earn money from day one, with diverse monetization options including subscriptions, tipping, and exclusive content.Monetization Model:* Subscriptions range from $2.99 to $99 per month for exclusive access* Love (tips) with real-world value of half a penny per love* Live audio rooms for direct fan engagement* Creator subscriptions with direct monthly recurring revenueIn January 2026 alone, due to the major censorship and banning on TikTok, Fanbase added 400K+ net new accounts (22% increase compared to all of 2024), 350% spike in monthly active users reaching 589K, and 142% increase in unique creators to 110K. And with their migration feature, you can migrate all of your IG content over, and they recorded 7.2 million pieces of content migrated to Fanbase during this surge.Fanbase is like an all-in-one tool that shares similarities with IG, TikTok, and OnlyFans, allowing monetization from day one + discovery in a creator-focused community.UpScrolledNot much to say about UpScrolled other than it exists to put some fairness back at the center of social media, with no shadowbans, no hidden throttling, and no pay-to-play favoritism, while offering clear rules applied evenly and explainable ranking systems.Unlike ATP apps, they DO have private content sharing and features* Private accounts ✅* Direct messaging ✅* DM media sharing ✅No monetization yet, but they are planning to add that in the future.OutroSo that about wraps up this episode, and hopefully nothing got too boring for y’all in the middle section of the show. I’m figuring out the best ways to keep the technical stuff digestible, but ultimately, I did say this was going to be a podcast for the tech-savvy and dev community. Nonetheless, I hope you learned something and will consider checking out these new apps that can help us break away from the grip these big players have on us. I know I plan to use these apps for pushing my content more and will still stick with the solid centralized apps like Substack, Fanbase, and UpScrolled. I’ll probably do a video podcast next to showcase the completion of phase one and how it works in a live demo. So make sure to follow me on your preferred platform….or all of them, to stay informed on when that will drop. As always, take care of yourself and take care of your loved ones. Until next time, Peace.Editors Note Get full access to Digital Dopamine at digitaldopaminellc.substack.com/subscribe

Intro (2 minutes)* *[Music Intro]Welcome everyone, to the first podcast of Digital Dopamine! Where I’ll be delivering a weekly dose of tech news, app demos, tips, and tricks, tailored to tech enthusiasts and developers of all levels. On today’s Episode we’re gonna focus on the Tech Billionaire’s wet dream…” Greenland”.As a lot of you probably know by now, there’s this feverish push to “buy” Greenland, which is pretty much another invasion, and they want to make it seem like it’s for national security. While that claim may be partially true. I’m gonna dive into the real culprits behind this push, and that’s all the tech billionaires, specifically the “PayPal” Mafia.Main StoryWho’s the PayPal Mafia, you ask? Well i’ll get into that in a bit, but first, let’s go back to 2016, where a man named Ronald Lauder made the first move of this long game plan. I’ll keep this briefing quick, Lauder, in 2016, made a huge investment in , a luxury water bottling company founded by Svend Hardenberg and Jørgen Wæver Johansen, both of whom are well-connected in the political sphere.Now Ronald is the person who floated the idea during Trump’s first term to make Greenland part of the US (Source-1, Source-2), with some analysts describing his investments in Greenlandic businesses asa political strategy rather than purely commercial (Source). Ronald’s business partner, Jørgen, is married to Greenland’s current foreign minister, which is for sure a conflict of interest, but that’s never stopped the ultra-wealthy from doing business. But the same individuals negotiating foreign investment policy are also investment recipients.Now that’s just a bit of context for how this all started, and I recommend diving deeper into Ronald Lauder when you get some free time. But let’s hop ahead a few years to talk about some other Billionaires that didn’t wanna miss out on the exploitation.In 2019, when traction started to pick up on the “idea” of buying Greenland, Jeff Bezos, Bill Gates, and Michael Bloomberg all invested in a company called KoBold Metals through Breakthrough Energy, an organization founded by Bill Gates himself (Source). KoBold Metals is a company that explores and develops mineral resources essential for clean energy technologies, which consists of Ev Vehicle wind turbines, etc, and the minerals they are in search of include lithium, nickel, copper, and cobalt, which are critical for batteries and other renewable energy solutions. How they search for these rare earths is through AI-powered exploration of the island.And in 2022, guess who decided to join the party, Sam Altman, and since then, more and more investments have poured into KoBold Metals, valuing the company today at around 2.96 billion dollars.Speaking of muddied interests, Howard Nutlick….I mean, Lutnick… has been investing in a different Greenland Mining company called Critical Metals Corp……..for over 3 decades through Cantor Fitzgerald. He’s since divested in cantor but his stake was just handed over to his children……and I’m SUREEEE they will have a moral compass and not be a conflict of interest in the area moving forward. (Forbes)And then we have Ken Howery, a former venture capitalist and associate of Peter Thiel, who Trump appointed as US ambassador to Denmark…..like how is no major outlet reporting about this?!?!…. That’s rhetorical, of course.There are a couple more folks in the weeds of all of this, but for the sake of time, I’m gonna now get to the PayPal Mafia, and how they plan to create a “Freedom City”…which in reality will be an internet-native/technocratic nation, testing AI surveillance tech before bringing it back home here in the US.Let’s start at Praxis, which is a company founded by Dryden Brown and Charlie Callinan, with Howard Hughes Corporation founder David Weinreb, who is the current vice chairman. Praxis describes itself as an “internet-native nation” [1] and has stated plans to create a 10,000-person city in the Mediterranean. Brown is designing a theoretical “city-state” aiming to “restore Western Civilization,” and has had his sights on Greenland specifically. Who backs this concept???? PayPal Mafia members, including Peter Thiel and Ken Howery, Trump’s pick for Denmark ambassadorSo how do they play to test surveillance?? Praxis plans include “AI-augmented governance” and will feature “employer-friendly labor laws” described as “Elon-compatible.” The company’s manifesto describes creating all infrastructure—contracts, governance—on blockchain, creating a “tax-free enclave, governed by free-market principles and managed by a king-CEO leading citizen-shareholders.” (Source)The argument for why they are desperate for Greenland is that it’s a small, contained population (Greenland has under 57,000 people) where these billionaires with their shady political connections could experiment with governance, AI integration, and surveillance systems. All while being free from existing regulatory frameworks and the consequences that come with breaking them. These tech billionaires envision unregulated “freedom cities” in Greenland, free from democratic oversight, environmental laws, and labor protections. La Voce di New YorkGreenland’s cool climate is ideal for hosting massive AI data centers. Wikipedia—combining computational power with a controlled population creates something like a real-world laboratory.The PayPal Mafia’s collective vision is “a state stripped down to its bare bones, with only one objective: maximize shareholder value.”(Source: New Arab). These people include Elon Musk, Thiel’s minion JD Vance, Ken Howery, and other members across Trump’s executive branch, like David Sacks, who is Trump’s advisor on AI and cryptocurrencies. This group has unprecedented political access and, from their past actions, will surely stop at nothing until they get their greasy, greedy hands on Greenland. Peter Thiel and Elon Musk see Greenland not just as a source of rare earths, but as a laboratory for their libertarian economic and social experiments. ( The Irish Times )The crazy part is, this is all being experimented with NOW in Próspera. “What’s Próspera?” you ask…..well, Próspera is a charter city on the island of Roatán in Honduras, operating as one of three Zones for Employment and Economic Development (ZEDEs) with autonomy from the national government. It’s backed by venture capitalists, including none other than Peter FUCKING Thiel, Marc Andreessen, and Balaji Srinivasan (buh-LAH-jee sree-nee-VAH-sun)…I literally had to add how to pronounce his name in the script lol. But the investment is through Pronomos Capital, and has recently attracted Coinbase CEO Brian Armstrong as an additional investor.So this is pretty much a libertarian experimental zone designed to test free-market principles at scale.According to historian Quinn Slobodian, Próspera is part of a broader trend of projects aimed at implementing these theories in practice. The model features:* Minimal taxation: Tax rates are 1% on business revenue, 5% on wages, and 2.5% sales tax, with 5% personal income tax as of 2025.* Corporate governance: Honduras Próspera Inc. has veto power over the governing council’s nine-member body, with four members appointed by the company itself.* Crypto integration: Bitcoin is recognized as legal tender within the city.* Private arbitration and custom law: Businesses can select regulations from approved foreign jurisdictions or propose custom regulations subject to Próspera’s approval. (The Irish Times)And this is already negatively affecting the local populations of neighboring villages.The village of Crawfish Rock expressed fears about land expropriation, and funds earmarked for Honduras development haven’t reached nearby communities, while Próspera uses the island’s infrastructure (electricity, airports, garbage) with inequities.Honduras’ leftist President Xiomara Castro repealed the ZEDE law in 2022, citing sovereignty concerns, but Próspera didn’t stop operations…….they instead decided to sue Honduras for $10.7 billion—equivalent to one-third of the country’s GDP. (The Irish Times)This is the atrocity: create a private city with minimal regulation, extract wealth from the land and locals while ignoring their communities, and use international legal mechanisms to override national sovereignty if a government tries to stop it. Greenland would be where this model scales globally.OutroSo really quick: we have mining companies searching for rare earth minerals (Bezos, Gates, Bloomberg via KoBold), water extraction (Lauder), and a libertarian city-state with AI governance (Thiel, Howery, Altman via Praxis), an ongoing experiment in Próspera testing these theories of libertarianism, minimal income and business revenue tax while at the same time, horrid wages for workers & being a haven for crypto fraud and laundering by the GOV—all connecting to the same island, all connected to PayPal alumni, all with Trump administration alignment.Editors NoteAll sources in the article are bolded with links. Feel free to correct any of my sources in the comments. Get full access to Digital Dopamine at digitaldopaminellc.substack.com/subscribe