☣ Swamp's most wanted

Meet the bad actors

A cigar-chomping crime boss and his three-bug crew crawl out of the swamp to shake down vibe coders. Most of them are bluffing. Here's the whole operation, ranked by how hard they can actually hit.

[Image: The Extortioner, a cigar-smoking mob-boss bug in a suit, holding a Bitcoin money bag over a pile of cash]
The boss
Runs the whole operation

The Extortioner

a.k.a. “The Big BS”

He never gets his claws dirty. He sends the crew below to run the shakedown — a menacing email, a screenshotted “critical vulnerability,” a Bitcoin wallet address. His entire business runs on you not knowing your DMARC record is missing.

Pay him $500… or pay us $5 and put him out of business.

Put him out of business →

The crew

His muscle — ranked by how hard they can actually hit.

[Image: The Kingpin, a bug armed with an attack chopper]
Threat: Critical
Wanted · armed with attack chopper

The Kingpin

a.k.a. “Air Support”
Danger

The one you actually fear. When your domain is spoofable or your .env is sitting out in the open, he's got real leverage — your API keys, your database, your customers' inboxes. This is the difference between a $5 fix and a five-figure incident.

Known for
  • No DMARC — your domain is spoofable
  • Public .env / .git folder
  • Leaked API keys & credentials
  • Expired or broken TLS certificate
Typical demand: “Name your worst number.”
[Image: The Enforcer, a bug armed with a mounted machine gun]
Threat: Medium
Wanted · armed with mounted machine gun

The Enforcer

a.k.a. “Drive-By”
Danger

Rolls up and sprays every header and cookie looking for a soft spot. One missing HSTS or a cookie without HttpOnly, and he writes it up as a “critical vulnerability” — invoice attached.

Known for
  • No HSTS / weak HTTPS
  • Missing Content-Security-Policy
  • Cookies without Secure / HttpOnly
  • Outdated TLS versions
Typical demand: “$250 or it goes public.”
[Image: Scrapper, a bug armed with a slimy baseball bat]
Threat: Low
Wanted · armed with a slimy baseball bat

Scrapper

a.k.a. “The Script Kiddie”
Danger

All noise, no bite. Runs a free scanner, screenshots whatever it spits out, and fires off a scary email hoping you panic and pay. Harmless — as long as your low-severity hygiene is buttoned up.

Known for
  • No security.txt to report bugs
  • Missing CAA record
  • DNSSEC switched off
  • Leaky referrer policy
Typical demand: “$50 and an apology.”
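To make the three "Known for" lists above concrete, here is an added example (not the page's own scanner) that takes a constructed DNS snapshot and HTTPS probe result for a fictional host and sorts the findings into the same Critical / Medium / Low tiers; the host name, the `DNS` and `HTTP` dictionaries and the function names are assumptions for this illustration.

```python
# Added example (not the page's scanner): classify a site's hygiene findings
# into the page's three tiers from constructed DNS and HTTP data.

HOST = "example.test"  # fictional host
# Constructed sample DNS snapshot: no DMARC, no CAA, DNSSEC off.
DNS = {"_dmarc.example.test": [], "caa:example.test": [], "dnssec:example.test": False}
# Constructed sample HTTPS probe results for the same host.
HTTP = {
    "status": {"/.env": 200, "/.git/HEAD": 404, "/.well-known/security.txt": 404},
    "headers": {"referrer-policy": "unsafe-url",
                "set-cookie": ["session=abc; Path=/; HttpOnly", "pref=1; Path=/"]},
    "tls_version": "TLSv1.0",
}

def classify(host, dns, http):
    """Return {tier: [finding, ...]} using the page's Critical/Medium/Low tiers."""
    out = {"Critical": [], "Medium": [], "Low": []}
    hdr = {k.lower(): v for k, v in http["headers"].items()}
    status = http["status"]
    # Critical: spoofable mail domain, exposed secrets
    if not any(r.lower().startswith("v=dmarc1") for r in dns.get("_dmarc." + host, [])):
        out["Critical"].append("No DMARC record: domain is spoofable")
    for path in ("/.env", "/.git/HEAD"):
        if status.get(path) == 200:
            out["Critical"].append(f"{path} is publicly readable")
    # Medium: transport and header hygiene
    for h, label in (("strict-transport-security", "HSTS"), ("content-security-policy", "CSP")):
        if hdr.get(h) is None:
            out["Medium"].append(f"Missing {label} header")
    for cookie in hdr.get("set-cookie", []):
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]
        if missing:
            out["Medium"].append(f"Cookie {cookie.split('=', 1)[0]!r} lacks {'/'.join(missing)}")
    if http.get("tls_version") in ("SSLv3", "TLSv1.0", "TLSv1.1"):
        out["Medium"].append(f"Outdated TLS version {http['tls_version']}")
    # Low: reporting and DNS hygiene
    if status.get("/.well-known/security.txt") != 200:
        out["Low"].append("No security.txt")
    if not dns.get("caa:" + host):
        out["Low"].append("Missing CAA record")
    if not dns.get("dnssec:" + host):
        out["Low"].append("DNSSEC switched off")
    if hdr.get("referrer-policy") in (None, "unsafe-url"):
        out["Low"].append("Leaky referrer policy")
    return out

def worst_tier(findings):
    """Highest tier with at least one finding, or None when the site is clean."""
    return next((t for t in ("Critical", "Medium", "Low") if findings[t]), None)
```

`worst_tier(classify(HOST, DNS, HTTP))` tells you which crew member actually has leverage on the sample host; a real run would replace the constructed dictionaries with live DNS lookups and a header fetch of a domain you own.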

Which one has something on you?

Run a free scan. In ~20 seconds you'll know exactly which of these clowns is bluffing — and which one actually has leverage.


Free scan, no signup. See every problem in ~20s — pay $5 only if you want the fixes. Only scan a domain you own.