About Vangelis
My name is Vangelis (tix) Stykas and I'm a security researcher based in Thessaloniki, Greece. For the better part of a decade I've specialised in API and web application security — in particular, breaking the cloud back-ends behind connected "things." If a device talks to an app, I'm interested in what its API will hand over that it really shouldn't.
I'm the co-founder and CTO of kumio.ai, where we're building agentic AI for the cybersecurity of critical infrastructure.
My research has uncovered flaws across an uncomfortably wide range of systems — GPS trackers (Trackmageddon), the satellite comms on thousands of ships (Navarino VSAT), smart car alarms, EV and solar chargers, smart locks (Tapplock), IP cameras (Swann), kids' smartwatches (SETracker), and a cross-tenant account takeover in SonicWall's cloud. Lately I've pointed the same API mindset at the attackers themselves — hijacking the web panels that run ransomware and malware command-and-control.
I've shared a lot of this on stage at DEF CON, Black Hat, 44CON, and various BSides, and the work has been covered by TechCrunch, the BBC, BleepingComputer and others. When I'm not breaking things I'm a recovering software developer and a perpetual PhD candidate in web application security (with a machine-learning bent).
You can find my professional profile on LinkedIn or catch me on Twitter — DM me there for an alternate channel.
Security research
- Trackmageddon
- Hackvision
- Navarino VSAT hacking
- Remote smart car hacking with just a phone.
- Totally Pwning the Tapplock Smart Lock (the API way)
- Mimosa cloud
- Sonicwall cloud account takeover
- Swann account takeover
- SETracker takeover
- GDPR Data leak
- EV chargers takeover
- Gone in 60 seconds. Exploiting car alarms
- Cloud-y, with a chance of hacking all the wireless things
- Tic Toc Pwned