BREAKING
Sylvain Kerkour - Professional Troublemaker Author of Black Hat Rust - 4,300+ GitHub Stars Rust Supply Chain Security Watchdog "Async Rust: The New Billion-Dollar Mistake?" - Hacker News Front Page ChaCha20-BLAKE3 AEAD Cipher - Open Source Cryptography (Ab)using technology for fun and profit since day one Bloom - Open Technologies for a De-Googled Life Newsletter: kerkour.com - Programming, Hacking, Entrepreneurship GitHub: @skerkour - Twitter: @z0mbie42 Sylvain Kerkour - Professional Troublemaker Author of Black Hat Rust - 4,300+ GitHub Stars Rust Supply Chain Security Watchdog "Async Rust: The New Billion-Dollar Mistake?" - Hacker News Front Page ChaCha20-BLAKE3 AEAD Cipher - Open Source Cryptography (Ab)using technology for fun and profit since day one Bloom - Open Technologies for a De-Googled Life Newsletter: kerkour.com - Programming, Hacking, Entrepreneurship GitHub: @skerkour - Twitter: @z0mbie42
Sylvain Kerkour - Professional Troublemaker, Rust Security Engineer
Profile // Engineer & Author

SylvainKerkour

"(Ab)using technology for fun & profit"

French software engineer, security researcher, and author who builds offensive-security tools in Rust, ships open-source cryptography, and then writes about all of it without pulling punches.

Rust Engineer Security Researcher Author Open Source
4.3K
GitHub Stars (Black Hat Rust)
430
Forks on BHR Repo
1.5K
Bloom Stars
3
Core Languages (Rust, Go, TS)
PROFILE
Who He Is

The Troublemaker With a Compiler

Sylvain Kerkour arrives in any technical conversation the way a well-aimed bug report arrives in a production deploy: direct, specific, and impossible to ignore. He is a French software engineer who has built a career at the intersection of Rust, offensive security, and outspoken technical writing - three fields that reward exactly the kind of person who would describe himself as a "professional troublemaker" without even a trace of irony.

His work lives at kerkour.com, where the tagline reads "(Ab)using technology for fun & profit." That framing is deliberate. Kerkour does not separate the constructive from the adversarial - he treats understanding how systems break as the most honest route to building ones that hold up. The result is a body of writing that security teams bookmark and nervous product managers quietly read at night.

The handle @z0mbie42 tells you something. The z0mbie is hacker culture shorthand for persistence after compromise. The 42 is the answer to life, the universe, and everything from The Hitchhiker's Guide to the Galaxy. Put them together and you get someone who finds both deep meaning and dark humor in systems - a person who writes about backdooring Rust crates and citing Douglas Adams in the same breath.

He writes across three core registers: Rust programming (deep, opinionated, technically rigorous), security research (actionable, sometimes alarming, always sourced), and entrepreneurship (earned from building and shipping real things, not from reading about it). That combination is rarer than it sounds. Most security researchers cannot build products. Most entrepreneurs do not understand cryptography. Kerkour does both, and he writes about both, which is why his newsletter draws readers who would otherwise have nothing in common.

"Tireless troublemaker on a mission to empower the world with open technologies." - Sylvain Kerkour, on himself
💀
BLACK HAT RUST
Applied Offensive Security

Black Hat Rust

Applied Offensive Security with the Rust Programming Language

The book that put Kerkour on the map in two communities at once. Security practitioners got a hands-on guide to building offensive tools - scanners, exploits, phishing toolkits, implants - written in a language that doesn't forgive memory errors. Rust developers got a legitimate reason to learn adversarial thinking. The companion code repository has over 4,300 GitHub stars, which is a significant number for a niche-within-a-niche technical book on a topic that most publishers would have declined.

The Security Work

When He Says "Supply Chain Problem," Listen

In July 2024, Kerkour published "Rust has a HUGE supply chain security problem." The title is not clickbait - it is a thesis statement. He followed it with specifics: how Rust crates can be backdoored, what the ecosystem's current defenses do and do not cover, and what practical mitigations exist. The article circulated on programming.dev, Hacker News, and LinkedIn within days.

This is not a one-off. Kerkour has published multiple pieces on supply chain security in Rust, including "Backdooring Rust crates for fun and profit" and the longer analysis "Supply chain nightmare: How Rust will be attacked and what we can do to mitigate the inevitable." The consistent thread is that he writes from a position of demonstrated capability - he is not warning about theoretical attacks, he is describing attacks he has already studied in detail.

CONTEXT
The supply chain security concerns Kerkour raises in Rust parallel the XZ Utils backdoor incident (2024) that shook the broader open-source world. He had been raising these concerns before that incident made headlines.

The other major piece - "Async Rust: The new billion-dollar mistake?" - landed on Hacker News and sparked a thread that ran well into the hundreds of comments. The argument: async Rust introduces complexity that costs more in developer time and bugs than it saves in performance for most use cases. Whether you agree or not, the piece is written by someone who has actually shipped async Rust in production and has the scars to prove it.

Past Project

Bloom: Before De-Googling Was Trendy

Before Kerkour became known for security writing, he built Bloom: an open-source, end-to-end encrypted alternative to Google Workspace. Notes, files, calendar, contacts, newsletters - a full productivity suite built on open technologies. The legacy repository sits at 138 GitHub stars; the main Bloom repository has 1,500+. It is now deprecated, but its existence says something important about the sequence of Kerkour's career: he built a complete product first, then pivoted to writing and research.

That sequence matters. The engineering judgment visible in his writing is not theoretical - it comes from someone who has designed systems, shipped them to users, watched them fail in unexpected ways, and rebuilt them. The pivot to writing was not a retreat from building; it was a different kind of building.

The Newsletter

kerkour.com: A Technical Newsletter Without Hedging

The newsletter at kerkour.com runs under three headers: Programming, Hacking, and Entrepreneurship. Each post reads like Kerkour has a specific thing to say and has decided to say it without the throat-clearing that fills most technical writing. Articles land in Rust internals, Go benchmarks, security concepts, and the occasional entrepreneurship observation drawn from building Bloom and running PHASER SECURITY.

The Go work deserves mention alongside the Rust work. The go-benchmarks repository provides reproducible performance benchmarks for Go developers. The combination of Go expertise alongside deep Rust knowledge is unusual - most developers in one of these communities treat the other with mild suspicion. Kerkour uses both, writes about both, and appears to enjoy the cross-pollination.

He also maintains ChaCha20-BLAKE3: an AEAD cipher combining ChaCha20 stream cipher with BLAKE3 hashing, implemented with SIMD acceleration. It has 93 stars - a niche project that signals where his curiosity goes when he is not writing or consulting. Cryptographic primitives are not a casual interest; they require a level of care and precision that most engineers avoid.

AT A GLANCE
Quick Profile
  • Nationality: French
  • Role: Independent Engineer & Author
  • Org: PHASER SECURITY
  • Focus: Rust, Offensive Security, Cryptography
  • Handle: @z0mbie42
  • Languages: Rust, Go, TypeScript
Rust Go Security Crypto Open Source Newsletter
Achievements
  • Author of Black Hat Rust - 4,300+ GitHub stars
  • Created ChaCha20-BLAKE3 AEAD cipher with SIMD acceleration
  • Built Bloom open-source platform (1,500+ stars)
  • Published supply chain security research cited across the Rust community
  • Sparked major Hacker News debate on async Rust patterns
Character Profile

How He Operates

Contrarian
Security-minded
Pragmatic
Outspoken
Builder
Timeline
  • 2019-2021 Built Bloom - open-source Google Workspace alternative with end-to-end encryption
  • 2021 Published "Black Hat Rust" - applied offensive security with Rust
  • 2022-2023 Built kerkour.com newsletter audience; launched ChaCha20-BLAKE3 cipher
  • 2024 "Async Rust: The new billion-dollar mistake?" hits Hacker News front page
  • 2024 Published Rust supply chain security research widely cited in developer communities
z0mbie42 = zombie + 42 = undead curiosity
4.3K
Stars on Black Hat Rust

The companion code repository for his offensive security Rust book - one of the most starred niche security books on GitHub.

3
Topics He Covers

Programming. Hacking. Entrepreneurship. Three fields, one newsletter, zero filler.

42
In His Handle

The answer to life, the universe, and everything. The z0mbie part is on you to figure out.

Fun Facts

Things Worth Knowing

01

He runs his own Mastodon/ActivityPub instance at social.kerkour.com - not just advocating for decentralization but actually hosting it on his own infrastructure. That is the difference between believing something and doing something.

02

Built Bloom - an end-to-end encrypted Notes, Files, Calendar, and Contacts alternative to Google - before the "de-Google your life" movement became a consumer trend. He saw it coming and built the tool before the demand existed.

03

The kerkour.com website source code is public on GitHub at 483 stars. The site itself has more stars than most developers' entire GitHub output. He open-sourced the thing that makes the other things possible.

04

He has written about backdooring Rust crates in enough detail that you would want him writing your threat models and not writing code for your competitors. That level of published adversarial knowledge is both rare and deliberate.

What He's Building Toward

Open Tech, Real Security, No Gatekeeping

Kerkour's stated aspiration is to empower developers and organizations with open, privacy-respecting technologies while raising the bar for secure software development - with the Rust ecosystem as the current proving ground.

The through-line across Bloom, Black Hat Rust, the supply chain research, and the newsletter is consistent: he wants software to be more honest about what it does, more resistant to the attacks that are actually coming, and more accessible to developers who want to build things that last.

That is not a product pitch. It is a worldview. The troublemaker label is the packaging; this is the content.

Notable Work
  • "Async Rust: The new billion-dollar mistake?"
  • "Rust has a HUGE supply chain security problem"
  • "Backdooring Rust crates for fun and profit"
  • "Supply chain nightmare: How Rust will be attacked"
  • ChaCha20-BLAKE3 AEAD cipher implementation
Latest Activity
  • Jul 2024 - Supply chain security piece goes viral in Rust community
  • Jul 2024 - Async Rust article hits Hacker News front page, hundreds of comments
  • 2024 - Active newsletter publishing at kerkour.com
Find Him Online

Profiles & Resources

🌐
Website kerkour.com
💻
GitHub @skerkour
🐦
Twitter / X @z0mbie42
💼
LinkedIn Sylvain Kerkour
🐘
Mastodon @z0mbie42
📝
Dev.to sylvainkerkour
💀
Black Hat Rust GitHub Repo
📖
Buy the Book kerkour.com/black-hat-rust