But this one is serious and I need you to pay attention, especially if you are the kind of person who clicks on things without reading them first, which based on my analytics is approximately 94% of you.

Someone posted the following code into our Substack chat this week:

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
unsigned long kbase = 0;
int main() {
    FILE *f = fopen("/proc/modules", "r");
    if (!f) { perror("no /proc/modules"); return 1; }
    char line[256];
    while (fgets(line, sizeof(line), f)) {
        unsigned long addr;
        if (sscanf(line, "%*s %*s %*s %*s %*s %lx", &addr) == 1) {
            kbase = addr - 0x123456;
            break;
        }
    }
    fclose(f);
    if (!kbase) {
        puts("no leak, tighten your asshole");
        return 1;
    }
    printf("kernel base: 0x%lx\n", kbase);
    printf("now go smash cred struct at 0x%lx like the degenerate you are\n",
        kbase + 0xdeadbeef);
    return 0;
}

If you looked at that and thought “what the hell is that,” congratulations, you are a normal human being. If you looked at it and thought “oh that’s a KASLR bypass proof-of-concept targeting Linux kernel module address leaks through /proc/modules,” congratulations, you are me at sixteen years old and you should probably reconsider your life choices.

In plain English: that code is a piece of a hacking tool. It’s written in a programming language called C. It reads a file on a Linux computer that tells it where the operating system’s brain is stored in memory, calculates the exact location of the security system that controls who has permission to do what, and then tells the attacker where to aim so they can give themselves full control of the machine. It is the digital equivalent of someone mailing you a map to your own house with a note that says “your back door is unlocked.” The code itself doesn’t work as-is because what you’re seeing is the output of an automated tool that is blasting messages into Substack chats by the thousands every hour. The person running it doesn’t even realize their bot isn’t cloaking the payload behind a clickable link. It’s just vomiting raw source code into public chats like a broken fire hydrant spraying the sidewalk. This is almost certainly some script kiddie who grabbed the code off a Russian hacking forum and is trying to phish Substack accounts to spread more bad code, more hacked links, building up a stockpile of compromised accounts until they have a few hundred thousand of them so they can spam the entire platform into the stone age. How do I know that? Because that is EXACTLY what sixteen-year-old me would have done.

When I was a teenager, I was hacking millions of MySpace accounts. Not for money. Not for some grand ideological purpose. Because I was sixteen and bored and it turned out I was really, really good at breaking into things that other people thought were secure. I thought I was untouchable right up until the day my burner phone rang and a man named EJ Hilbert, who happened to be the former head of the FBI’s cybercrime division, politely explained to me that he knew who I was, he knew what I was doing, and if I didn’t stop immediately he would personally ensure that my next bedroom had bars on the window and a roommate named Consequences.

I straightened up. I went legit. I became a freelance investigative journalist, which in terms of financial life decisions is like quitting your job at a casino to become a street mime, except the street mime doesn’t get sued by billionaires like I do. Meanwhile, my friends who were hacking MySpace alongside me? Several of them are now worth more money than I will ever see in my lifetime. Some of them work in Silicon Valley. Some of them work for three-letter agencies.

What Is Actually Happening Right Now

Substack is being targeted by bots. These bots are running on compromised accounts (accounts that have already been hacked) and they are posting in Substack chats trying to get you to click on links. When the bot works correctly, you see a normal-looking message with a link. You click the link. The link takes you to a page that looks like Substack but isn’t. You enter your login information because the page asked you to. Now the attacker has your username and password. They use your account to spread more links. They use your stored payment information to make purchases. They sell your credentials in bulk on the dark web. Your one click just became somebody else’s payday.

When the bot DOESN’T work correctly, which is what happened in our chat, it dumps raw source code into the conversation instead of hiding it behind a pretty link. The hacker’s bot is broken. The code you saw was the payload that was supposed to be invisible to you. Think of it like a pickpocket who accidentally drops his tools in your lap instead of getting his hand in your pocket. The intent was theft. The result was embarrassment. But the next bot might not be broken.

How to Protect Yourself (Even If You Think Computers Are Witchcraft)

I am going to write this for the people who call their grandchildren when the TV remote stops working, because you are the people these hackers are targeting. They are not going after tech-savvy 25-year-olds. They are going after you. Here is how to not be a victim:

1. DO NOT CLICK ON LINKS IN SUBSTACK CHATS THAT TAKE YOU OFF SUBSTACK. If someone posts a link in a chat and it takes you to a website that is not substack.com, close the tab immediately. Do not enter any information. Do not download anything. Do not pass Go. Do not collect 200 dollars. Close the tab. If the link looked interesting, Google the topic yourself and find it on your own terms. Never follow a stranger’s link. This is the internet equivalent of “don’t take candy from strangers” and it applies whether you are 8 years old or 80.

2. ONLY ENTER YOUR SUBSTACK PASSWORD ON SUBSTACK.COM OR IN THE SUBSTACK APP. Nowhere else. Ever. Not on a page that looks like Substack. Not on a page that says it’s Substack. ONLY on substack.com or the official app you downloaded from the Apple App Store or Google Play Store. If a page asks you to log in, look at the address bar at the top of your browser before you type anything.

3. CHECK THE URL CAREFULLY. Hackers create fake websites that look identical to the real thing but have slightly different addresses. They are counting on you not noticing. Here are examples of FAKE addresses that are NOT Substack: Subsstack.com (two S’s). Subbstack.com (two B’s). Substack.org (wrong ending). Substack-login.com (extra words). Substck.com (missing a letter). The ONLY real Substack address is substack.com. Period. If it says anything else, it is a trap.

4. IF YOU GET RANDOMLY LOGGED OUT, BE SUSPICIOUS. One of the oldest tricks in the book is to send you a link that shows a fake “you’ve been logged out” page. You panic, you type your password, and now they have it. If you get logged out unexpectedly, do NOT type your password into whatever page you’re on. Close everything. Open a new browser window. Type substack.com yourself, manually, with your own fingers. Log in there. If you were actually logged out, this will fix it. If you weren’t, you just avoided getting hacked.

5. TURN ON TWO-FACTOR AUTHENTICATION. This means that even if someone steals your password, they can’t get into your account without also having your phone. Go to your Substack account settings and turn this on. It takes two minutes. It is the single most effective thing you can do to protect yourself. If you don’t know how, ask your grandchildren. They owe you for all those birthday checks.

6. DO NOT REUSE PASSWORDS. If your Substack password is the same password you use for your email, your bank, and your Amazon account, then when a hacker gets your Substack password they also get everything else. Use a different password for everything. If you can’t remember them all, write them down in a notebook that you keep in a desk drawer. Yes, a physical notebook. In 2026, a piece of paper is more secure than most people’s digital lives. A hacker in Romania cannot break into your desk drawer.

7. IF SOMEONE IN A CHAT POSTS SOMETHING THAT LOOKS LIKE COMPUTER CODE, DO NOT INTERACT WITH IT. Do not click it. Do not copy it. Do not paste it anywhere. Report the account to Substack. What you saw in our chat was a broken bot dumping its guts in public. The next one might not be broken. The next one might be a link that looks perfectly normal and takes you somewhere that isn’t.

What These People Want

They want your credentials. Your username and password give them access to your account. From your account they can see any stored payment information. They can use your account to send more spam and phishing links to other people who trust YOU, which makes the scam spread faster. They can sell your login in bulk on dark web marketplaces where stolen Substack credentials go for a couple of dollars each, which doesn’t sound like much until you realize they’re selling ten thousand of them at a time.

They are not sophisticated. The person who deployed the bot in our chat is almost certainly a script kiddie, which is hacker slang for someone who uses tools written by smarter people without understanding how they work. It is the criminal equivalent of a guy who buys a lockpick set on Amazon and then can’t figure out which end goes in the lock. The fact that their bot is broken tells you everything you need to know about their skill level. But a dumb criminal with a working tool is still a criminal, and the next one might not be dumb.

The Short Version

Don’t click links from strangers in Substack chats. Don’t enter your password anywhere except substack.com or the official app. Look at the URL before you type anything. Turn on two-factor authentication. Don’t reuse passwords. If you see code or weird text in a chat, report it and move on. And if anyone in a chat tells you that you need to “verify your account” or “update your payment information” by clicking a link, that is a scam. Substack will never ask you to do that in a chat. Nobody legitimate will ever ask you to do that in a chat. The only people who ask you to do that in a chat are people who want to steal from you.

I spent my teenage years on the wrong side of this equation. Then a man from the FBI called me on a phone I thought was untraceable and explained the concept of federal prison in terms that a sixteen-year-old could understand. I have spent every year since trying to use what I learned from that life to protect the people I write for instead of preying on them. The hackers targeting this platform are amateurs. But amateurs with a working phishing link can ruin your day, drain your bank account, and steal your identity. Don’t let them. You survived this long. Don’t get taken out by a guy who can’t even get his bot to work right.

Stay safe. Stay paranoid. And for the love of God, stop using your dog’s name as your password. They can see your cat’s name on your Facebook profile. The hackers know about Mr. Whiskers. Use something else.

Help keep the Wise Wolf howling.

Get 50% off for 1 year