ekofyi

About

I reverse-engineer APIs that don't have docs.

If there's no SDK, no docs, and no official way in — I figure it out anyway. Intercept the traffic, map the endpoints, build the integration.

I've been building small tools and scripts since before I had a real job — automating tedious stuff, poking at APIs, figuring out how things work under the hood.

01/2020 — 2023
IT security engineer

I spent three years as an IT Security Engineer at a Jakarta-based tech company. My job was to find what's broken before attackers do — auth bypasses, IDORs, misconfigured APIs, the stuff that keeps CTOs up at night. It taught me how production systems are supposed to work, and more importantly, how they fail.

During this time I also did independent security research — reported vulnerabilities to Google (recognized in their Bug Hunters program), and found bugs in e-commerce platforms, hosting providers, and DeFi protocols.

02/2023 — present
independent

In 2023 I left to go independent. I went deep into crypto/web3 — building tools to automate everything: managing hundreds of wallet addresses, automating on-chain transactions across protocols, running social accounts (Farcaster bots for posting & replying), NFT trading bots, and multi-chain airdrop workflows. All custom-built, no off-the-shelf solutions.

That's where the bulk of my actual reverse-engineering chops came from. You learn fast when there's no fallback to "just call support."

03/Now
what I do

Now I'm building developer tools, still hunting bugs, and open to project work. What I can help with:

  • API reverse engineering & integration (no SDK needed)
  • security assessments (web & API)
  • automation & scraping that lasts
  • developer tools & internal dashboards

stack.yml
lang: node, python, +adapt
tools: burp, mitmproxy, curl, +oss
security: web, api
approach: direct API, no low-code
mode: remote

04/Selected work
anonymized

HR attendance bot

problem · Manual clock-in/out every day. Tedious and easy to forget.
approach · Reverse-engineered auth flow + attendance API, built a VPS daemon.
outcome · Ran for ~1 year until I resigned. Never late again.

Web3 automation suite

problem · Hundreds of wallets, multi-chain tasks, social accounts — all manual.
approach · Custom tooling for on-chain txs, Farcaster bots, NFT trading, airdrop workflows.
outcome · Full automation across 30+ protocols. No off-the-shelf tools used.

Security research

scope · Web and API security testing across multiple platforms.
targets · Google, analytics platforms, hosting providers, DeFi protocols.
recognition · Recognized in Google Bug Hunters program.

05/Contact
let's talk

Best way to reach me is email. I read everything, I reply within 1–3 days. Tell me what you're building and I'll let you know if it's something I can help with.