Welcome to Meet 1337! Each month, we shine a light on one of the genius minds within our awesome network of hackers!
Today, we would like you to meet Martijn Baalman! Martijn is a hacker and bounty hunter who turned his childhood hobby of hacking video games into uncovering major vulnerabilities for leading companies. On top of that, Martijn is also the founder of the company Hacksclusive.
You can watch the interview or read it below. You choose the format!
Edwin: Welcome to 1337. And we have another brilliant hacker here. Introduce yourself, please. What’s your name?
Martijn: My name is Martijn. I’m a hacker. I’m also the founder of Hacksclusive. I’ve been brought up by other hackers in the Bug Bounty community to eventually become this.
Edwin: Can we ask how old you are?
Martijn: Yes, I am 33 years old.
Edwin: Wow, and you’ve been brought up by the other hackers in the community, so you’ve probably been hacking since you were 16?
Martijn: Something like that, yeah. I’ve always been hacking, of course, trying to cheat on games, trying to find the easy way to win. And yeah, I’ve also been developing software for half of my life.
Edwin: What do you like better, the development or the hacking?
Martijn: The hacking, of course. But it’s also nice to sometimes just change it up a little bit, start building again, because you need to know what you hack when you build it.
Edwin: That’s true. That’s true. When you were young, did you spend more time on hacking or development?
Martijn: Yeah, a bit 50/50. I used to develop a lot of stuff, and then I thought, hey, can I break this? That was my initial thought every time.
Edwin: We talked a bit about when you started, but how did you start? Can you remember when you first started hacking, actually? Or was it hacking or playing?
Martijn: No, no. It was mainly just for myself. I thought hacking was criminal, and it basically is.
Edwin: No!
Martijn: Or well, yeah, it depends on what you do with it, of course! But the things I was doing were not very legal. And then eventually I met some guys from HackerOne. I met Jobert and Michiel, and afterward, I met Melvin. And from that part on I just thought, hey, I can make a sandwich out of this. So yeah, then I thought, why not make this my full-time occupation?
Edwin: And when you started hacking, did you know you were hacking or were you just playing? Because that’s, for me, always difficult.
Martijn: I was playing. I thought a computer could do a lot of things, and it could do a lot of things I wanted, and sometimes even more. I was just trying it out first on my parents’ PC and then on my own. I always wanted to find out how far I could bend it until it broke, and it often broke.
Edwin: Nice, nice. You talked about meeting HackerOne guys and Melvin, and was that the first moment that you thought I could make money out of this, or was it before?
Martijn: No, no, I knew there were some cybersecurity companies, but I always thought they were like what you have in CrowdStrike and all the other companies right now, that they were like endpoint detection, they just do like a blue team cybersecurity service, and I never really knew it was a red team exercise as well.
Edwin: Then you got happy from that?
Martijn: Yes, very.
Edwin: Very, very, very cool. But you mentioned cyber. What is your opinion on the word cyber?
Martijn: Yeah, I think it’s part of what we do, of course. I usually tell people I’m in security, IT security, and yeah, cyber has been around, of course. But yeah, it doesn’t really have that much of a meaning to me.
Edwin: Okay, so you’re not like I hate the word or whatever?
Martijn: No, no. Sometimes it’s a bit overused, but I don’t hate it. I don’t hate a lot of things. I’m kind of laid back. “It’s all good” guy.
Edwin: Yeah. Nice. And when you first knew that you could get money, what were some of the challenges you stumbled upon? Because I can imagine it’s not like you OK, I can make money?
Martijn: No, no, of course. And when I started doing this and I talked to the other guys who brought me along, I had to learn a lot. And I like learning, not in a traditional way in school because, yeah, I’m a school dropout, but I do like to learn, and all the things that I’m interested in, I can take it on like a sponge. I like to soak all the information up. And then I go for like 80 hours a week, I’ll go studying and practicing and trying stuff.
Edwin: Less sleep?
Martijn: Yes, yes, less sleep. I think that’s quite common among hackers, even though it’s healthy to sleep like a full night but…
Edwin: It is difficult, sometimes but healthy.
Martijn: Yeah.
Edwin: And also, can you remember the first bounty you got, or the first payment you got in?
Martijn: No, not really. Actually, I do remember hacking the government as one of the first targets because I knew they had Responsible Disclosure, like the tax administration, because yeah, everyone loves the tax administration, so I thought, why not give it a go, and I hacked them with some leftover back door that I discovered.
Edwin: A leftover back door?
Martijn: Yeah, which they already compromised. And I thought this was one of the first things I’ve discovered. But then I found like three or four other things on a different surface from them. So they sent me out like this trophy.
Edwin: Yeah, the cup.
Martijn: The cup, yeah, which was not a monetary reward, of course, but it was quite cool!
Edwin: But that was the first one. And the first monetary. Remember that one?
Martijn: It goes back quite a while. I think it was on HackerOne.
Edwin: And it was a big one?
Martijn: No, just a small one, like €400 or €500 or something. And then, quickly after that, I found some stuff on the Zerocopter platform.
Edwin: It’s a nice platform!
Martijn: Yeah, I agree! But just on one of the programs.
Edwin: And did you make a really, really big one that you can share?
Martijn: Yeah, made a $30,000 bounty on Microsoft, which was really nice. I can remember the day like it was yesterday.
Edwin: Probably can talk about it, right?
Martijn: No, I can’t talk about it in detail, but I can talk about everything that surrounded it and some things that led to it. But I still remember being hacked at 2:30 on a Tuesday night. I was still working as a solo hacker during COVID, and I got the e-mail. And Microsoft, they always have really plain and boring emails. And they said, oh, congratulations, you got a $30,000 bounty.
Edwin: What did you do?
Martijn: I woke up my girlfriend and said, “You’re not going to believe this.” And well, yeah, it was standing there in black and white.
Edwin: And then the tax administration came.
Martijn: Then the tax administration came. No, no, no, I have a bookkeeper that does my Bug Bounty tax administration.
Edwin: And that works?
Martijn: That works, Yeah.
Edwin: So tip for the hackers – get a bookkeeper.
Martijn: Get a bookkeeper. Yeah, for sure.
Edwin: Good one.
Martijn: Especially one that’s also a bit in IT might help a little bit, or one that has experience with this kind of stuff.
Edwin: Because it can sometimes be hard, right?
Martijn: Yeah, it can. Especially if the bounty was from America, it’s a bit more challenging. And for example, at Zerocopter you get a nice invoice, you can just hand it over to the tax guys. But America doesn’t do that, even if you’re like, ZZP (self-employed). That’s sometimes challenging, but in the end, it was all good.
Edwin: And next to the Bug Bounty stuff, did you also work a regular job?
Martijn: I started as a junior pentester in 2016 in IT SEC, which later became Cubit and was later sold on to another party. I left in 2020, the day when COVID started. So I was a solo entrepreneur from then on, and I also started working and doing some stuff for Zerocopter, which was even better because I had all the freedom that I could imagine. I was hacking, I was doing some triage stuff, and in the meantime, I was still doing some pen tests on a free basis.
Edwin: And did you learn anything in the pen test that you used in Bug Bounty and vice versa?
Martijn: Yeah, both ways. Yeah, for sure. There’s more out-of-the-box thinking with Bug Bounty, which I also use in my pentests. And in a pentest, because you need to have a lot of coverage, you want to bring up every single thing there is to find in an application or mobile application. So I combine them. That’s my methodology.
Edwin: I hear a lot of Bug Bounty people saying that they will never do pentests or whatever, but you’re saying it might be good.
Martijn: Yeah, we have one of our guys at Hacksclusive who also originated from the Bug Bounty scene, was doing pentests, and he actually loved it. Also because we have a lot of clients that are first-time pentest clients, so their application is sometimes like a juice shop, so you can really find some cool stuff.
Martijn: But we also have companies as clients that have like five or six years of experience in pentesting, and we have to dig a little deeper, and those are the ones that really show some results, and are more fun because you can really collaborate.
Edwin: Cool! And at some point, you started Hacksclusive, right?
Martijn: Yes, in 2020.
Edwin: So you’re still the owner?
Martijn: I am the founder and I’m a shareholder at the moment and I’m doing it with my companion and an investment party.
Edwin: And regarding hacks. What is, in your opinion, one of the coolest ones you did? If you can talk about this of course.
Martijn: Yeah, it’s probably going to be the Microsoft one. There’s also a lot of other ones, but the bounties were a lot less.
Edwin: Do bounties connect to a fun hack?
Martijn: No, no, no, no. But they were all critical. But one pays more than the other. And to be honest, when I’m hacking, I don’t really care about the money. I care about the challenge and how to hack a company. But these days, the higher the bounty, the tougher the target. So yeah, that’s kind of one of my comparisons. But I did find a lot of cool stuff. And one of the things I really love to find is blind XSS. I popped a lot of admin panels with that and more, of course.
Edwin: And if you find a bug, do you continue on the bug, or is it mostly I find a bug and then quit?
Martijn: Yeah, it depends because I’ve also hacked on Synack Red Team, and they had like a very strict rule of stop and report, and sometimes your bounty even gets discarded if you continue on the bug. So when I was hacking for them, especially in 2020-2021, I was doing that a lot. I would just find it, stop, and report because I had a collaboration.
Edwin: But isn’t this frustrating?
Martijn: Yeah, it is because I had a collaboration with Nathaniel years ago, and he found some really cool stuff that he also used on some other programs that did allow him to continue on it. But at that point, we were stopped, and basically, we were cut off by thousands and thousands.
Martijn: Yeah, that was bad and also quite sad, of course, because it was also my first collaboration with him and we, yeah, bumped against that wall.
Edwin: Yes, it’s a shame. And did you also have like a really funny one where you laughed your ass off basically because of what you found?
Martijn: Basically, anytime, it’s like a juice shop kind of thing. When you find an application that’s so ancient or broken that you just say like this can’t be true.
Edwin: Because you also do a lot of mobile hacking, and is that way different than the normal web you think?
Martijn: Well, yeah, basically because if you think about it, like the workflows and that kind of stuff and how an application works, it’s kind of the same. The only thing you have to do is just put the phone in between where you normally have your web browser and that kind of stuff. You also have to set up your phone, and you have of course the static analysis. So you have the actual source code of the application. But yeah, basically in the end, I don’t think it’s a lot different in that kind of stuff. But you can of course reverse engineer it a lot easier and find very different stuff.
Edwin: Yeah because you have the app?
Martijn: Exactly. Yeah. And you also have a phone which is very different from a laptop.
Edwin: But a lot of hackers, I think, maybe don’t look up to phones, but stay away from it because they don’t know it. But would you say go for it?
Martijn: Of course, yeah, if you like a challenge, you should definitely go for it. And everything that’s new, you should try it.
Edwin: Do you think there’s more to find on mobile?
Martijn: Yeah, I’m not sure if it’s more, but it’s different. And different is usually better, also a bit more challenging sometimes. But yeah, everyone these days is running Recon and running Nuclei and all that kind of stuff. So you have a very high chance of finding duplicates. And the amount of people that are actively looking at mobile applications, because there are some other people who really reverse engineer all the stuff, they really find cool stuff. There’s not a lot of competition there. Of course, it’s growing because there are more and more hackers coming into this, but.
Edwin: Still, you think it’s a field that, if you want to expand and make a difference now, you might want to look at that maybe?
Martijn: For sure.
Edwin: Cool. And what are some of the tools and resources you used in your career that you would like advice to ‘starting’ hackers, or starting in a mobile maybe?
Martijn: Yeah, for mobile, it’s quite straightforward. I’d say just get a bit of an older phone, like I still use a Samsung S8, which is quite ancient at the moment. I think we’re at the S23 at the moment?
Edwin: Something like that. Also, is there an old OS on it, then?
Martijn: No, I’m running Linux OS on it, like a custom ROM, but that’s it. There’s no, yeah, of course it’s rooted, but that’s the only modification I made to it. So you don’t need that much, but you need time and patience for it because first of all, you have to prepare the phone. But once it’s all setup, it’s quite cool to do.
Edwin: Okay. And for web, what are your favorite tools?
Martijn: For web, of course I also use Nuclei for some Recon stuff, but I use my own custom templates. So that’s, I think, where the difference is, because Nuclei is a very good tool made by the community for the community and now expanding. But other than that, I use Burp Suite.
Edwin: Do you have a license for Burp?
Martijn: Yes, of course.
Edwin: Get a license!
Martijn: Get a license! I’ve done triage. Of course, I was really strict. I’m sorry for the guys that I punished for it. But I actually banned people from the platform for it.
Edwin: It’s good!
Martijn: I’m very strict in it.
Edwin: Get a license.
Martijn: Yeah, if you’re finding bugs for two, three, or four thousand euros and you still don’t want to buy a license.
Edwin: Yeah, it sucks. So you first bought a license and then you did all the tattoos probably, right?
Martijn: Yeah. Some of the bug bounties have gone into tattoos.
Edwin: You have a “hacker” one, do you also have one that reminds you of a bug?
Martijn: Not particularly, because at one point, that went pretty fast with some tattoos. But no, the only recent one is this good boy from Fallout. Which reminds me of the games I grew up with. So yeah, it’s just good memories.
Edwin: And do you have a Zerocopter logo tattooed somewhere?
Martijn: No, not yet.
Edwin: Oh, it might be an option?
Martijn: Yeah, why not?
Edwin: But why are you hacking on Zerocopter, by the way? Do you have like a preference?
Martijn: Well, like I told you, Melvin introduced me to the real pentesting world and also bug bounties, where I also met Olivier, and they were all active on Zerocopter and even working with Zerocopter. So that was my introduction. The company I was working for also did some work for Zerocopter every now and then. So that’s my entry point to Zerocopter, and I have always stuck with it.
Edwin: And do you like it?
Martijn: Yes, sure!
Edwin: Thank you. And we like having you there! One other thing that is, of course, always hot in the scene is swag. What’s the favorite swag you ever got?
Martijn: I have to say the DEF CON Zerocopter T-shirt was pretty cool, which I got from you, but I also got Microsoft Security Research or Response Center stuff. It was like a complete swag pack. When I went to DEF CON, I also got an invite from Microsoft as one of the MVPs, because I found the critical bug. So when I was in Vegas, they got like a luxury cab to the hotel, picked me up, and we went to Area 15, which was amazing. And I saw everyone from the Microsoft tech team and their CISOs, and the people who were actually handling the bugs, fixing them. I also got a little bit of one-on-one time with the people, and they even told me like, oh, you have to check this out and this out and this out because no one ever looked at that. So that was quite cool.
Edwin: Oh, cool. Did it help?
Martijn: Yes, but at that moment I was also starting up, or well, forming up Hacksclusive. So I had a lot less time to do some hacking and Bug Bounty. But yeah.
Edwin: But you’re still running Hacksclusive, so do you have a lot of time still?
Martijn: I actively make time to do Bug Bounty.
Edwin: Yeah, so you now make time slots to do Bug Bounty.
Martijn: Yeah, yeah. And sometimes I do a full weekend of Bug Bounty, when I feel like it. And sometimes I just go for a beer.
Edwin: Do you do it now alone or more in teams?
Martijn: No mostly alone. And I know collaboration is paying off. You can really see it. In the last few years, it’s been rising, which I think is really cool, but I haven’t really found anyone to collaborate with on a steady basis. So yeah, if anyone’s up…
Edwin: It’s like Tinder for hackers now. Nice. But we were talking about DEF CON. Is there any favorite conference for you to go to?
Martijn: Well, I really liked the Hack in the Box one in Amsterdam.
Edwin: But it’s never in Amsterdam anymore, I think, now, right?
Martijn: No. That’s a bit of a shame. Of course, I’ve been to DEF CON, which is something you have to do as a hacker at least once.
Edwin: Go there, die, come back.
Martijn: Right, yeah. And there are a couple of cool ones coming up in Asia. And as I’m quite a big fan of Asia, I would like to combine it. So that’s something that’s in the planning.
Edwin: Nice. And is it a holiday or work?
Martijn: No both.
Edwin: So you get your days off to go there?
Martijn: Yeah.
Edwin: Nice. And you’re a fan of Asia, what country specifically?
Martijn: Mainly Thailand.
Edwin: And the cool cons in Thailand, then?
Martijn: I think I just missed one. I think Lennaert went to one as well there in Thailand, can’t recall the name. I’m not very good at names.
Edwin: And if you look at what you learned in the past, it’s a lot, I can imagine, because you’re a hacker, and as you said, you will never stop learning. What’s something you are really keen on learning in the future still? Is there anything that you want to focus on?
Martijn: Yeah, for sure. I’m quite a big fan of cryptocurrencies and even more about how it works. So I’m really digging into the web3 and the smart contract stuff. There’s a lot of money to be made there.
Martijn: There is a lot of money there. But yeah, like I said before, I’m more in for a challenge and a nice bounty is always welcome. But being able to, for instance, stop like a blockchain or an entire digital bank, that would be really cool. If you can steal like 70 million from a chain, that would be really cool in theory, because I’m going to report it.
Edwin: But then do it ethically of course?
Martijn: Of course! And so that’s very interesting. I also find the code like Solidity and that kind of stuff for smart contracts very interesting. So that’s where I’m spending a lot of my free time lately. And I’m interested in AI model hacking and like the prompt injection and that kind of stuff. Yeah. I just want to go with the flow because we had the web3 stuff, the AI models, something that’s really upcoming and there’s a lot of money and people in tech involved, so.
Edwin: And any hardware hacking, did you do that?
Martijn: No. Besides my phones, no.
Edwin: No interest?
Martijn: Well, yeah, I’m more of a software guy.
Edwin: But there is software in there, you know?
Martijn: Yeah, that’s where I usually come in. But I’m a bit clumsy. So I tend to break some stuff beyond repair. So it’s also not where my interest is. So it’s mainly on software and that kind of stuff.
Edwin: Cool. Well, is there anything I think you want to shout out to the other hackers who are listening or the people who are viewing this?
Martijn: Keep on learning and hack the world.
Edwin: Hack the planet!
Martijn: Yeah, hack the planet!