How I Hacked Denmark

Brief overview of my first 2 years in Denmark

year
2026
w/
ITU, Lagkagehuset, Danske Bank, Ordbogen, UNIwise, ETC...
role
ethical hacker
at
Denmark

Right as I was looking for the best type of paper for printing the Prompt Injection Handbook for my bachelor thesis defense, I got the email telling me I got a full-ride scholarship and stipend for IT University of Copenhagen. This marked the start of this short compilation of what I did since I arrived to Denamrk, without breaking any NDA(s) or listing technical details for pages on and on. There’s also a big chunk of work not in here at all, some private bug bounty engagements and a couple of other projects I don’t have the privilege to discuss publicly. What’s below is everything I can actually stand behind with my name attached. Huge thanks to professors Carsten Schürmann and Alessandro Bruni for advising me on the legal end of most of my projects.

Looking back, what stands out isn’t the CVSS scores. It’s that these projects actually went somewhere. Bugs got fixed, research turned into open-source tools, companies reached out afterward, and in one case I literally walked out with free cake because a payment bug worked exactly as expected.

Free cake

In my firt year I took the the course Ethical Hacking where we were encouraged to actually contact and hack a real company (legally). This was my second semester in Denmark and I was still a big shut-in who didn’t know much about the country yet, so I went on Google Maps to look at what companies even existed around me. Not thinking much about it, I stumbled across Lagkagehuset (part of the Ole & Steen group) and just shot them an email about collaborating. I was surprised how quickly they responded. They were super chill during the whole thing. I had a signed vulnerability disclosure agreement and an NDA with Lagkagehuset, scope was their public site and ordering flow, and I was given about two months to find whatever I could.

Testing took around a few hours. I presented four solid findings, but the ones they cared about most were a request replay bug and a price manipulation bug. The app calculated prices client side and trusted whatever number came back in the request, so you could intercept the checkout and drop the price to basically nothing before it hit the payment processor. On top of that, a legitimate purchase request could just be replayed with a different order number to generate additional “paid” orders in the system without any actual payment going through.

PoC of the replay attack POST request
Receipt of replay attack

This wasn’t just proven on paper either. In the course we were actually looking at Danish criminal law, and between that and some legal reading I’d already done on my own in the past, I knew how to structure the signed VDP so it explicitly covered “ordering and/or picking up items in reasonable amounts” as in scope. That let me actually test it in real life and walk out with free cakes and matcha coffees. Going to physically pick it up felt like a legal spy mission. All of this got reported to the company, and once it was confirmed and fixed, they rewarded me with a few thousand DKK worth of gift cards, “so you can get your cakes legally now” as they joked when handing them over.

Breaking bank

Same semester, right as I was putting together the presentation for the Ethical Hacking exam, a message popped up in the ITUnderground Discord: “Danske Bank Jailbreaking.” I already had quite some experience with jailbreaking and had been jokingly called “head of jailbreaking” in the club, so when I saw it while procrastinating on studying for an algorithms exam the next day, I figured why not.

I can’t go into the specifics of what I did there since I work there now and it involves their chatbot, but the short version is it was a system prompt extraction that chained into other problems from there. My jailbreak ended up winning the hackathon and eventually led to a job offer. I still had an algorithms exam the next morning and somehow managed to pass it too.

If you want to test your jailbreaking skills heres a CTF challange I created for the 2nd Hack for drinks called Analyst https://analyst.chall.itunderground.dk/

LinkedIn OSINT

Ordbogen, usually known for the Danish dictionary, has collaborated with MIT, Oxford, and a few other big names over the years. This time they’d built chat.dk, meant to be a private LLM handling Danish data securely. They didn’t have a security.txt or any listed way to report vulnerabilities, so after an email went nowhere for a few weeks I just messaged their AI team lead on LinkedIn directly. Turned out to work better than the email.

Getting the system prompt and jailbreaking it was straightforward, but from there I looked into what else could be done. Chat.dk rendered LLM output as unsanitized HTML, which meant a crafted link could get arbitrary JavaScript to execute in the browser. First I’d trick the model into rendering malicious JavaScript inside a chat, which made it a stored XSS. Then I’d use the share chat feature, which produces a link that looks like a standard, trusted-domain share URL, so anyone who opened it would execute that JavaScript in their own browser. Neither step needed anything exotic, just patience with how the chat rendered what the model gave back.

PI + XSS chain

I sent the full writeup with a video POC, followed up when it went quiet, and about five weeks later they’d patched it and let me know (turned out to be a dependency that broke on an update). The team lead was straightforward about it and thanked me for pointing it out. This is one of those cases where having no formal program didn’t mean no communication channel, you just had to find the right person through a bit of OSINT.

The MCP research paper

By third semester it felt like things were starting to snowball. MCPs were becoming a big thing, so I’d been messing with Claude Desktop’s MCP integration as a side project, mostly out of curiosity about how much trust gets extended to a local server just because it’s speaking the protocol correctly. That curiosity turned into a full research paper, “Living Off the Land with Model Context Protocol: Visibility, Consent and Privilege Escalation Risks in Claude Desktop,” which ended up getting the max grade.

The core idea is that MCP servers are becoming the AI equivalent of living off the land binaries. The same properties that make a compromised PowerShell or curl dangerous (trusted, pre-installed, blends into normal activity) apply just as well to a compromised local MCP server, except now the “system” it’s living off is an LLM client with a user’s full local permissions behind it.

Hypothesized attack chain

We built a full case study around it, mapping out a realistic attack chain from delivery to persistence to a working backdoor, all staying inside a controlled research setup rather than anything deployed against real people. What made it interesting wasn’t the payload itself, that part is fairly standard by security research standards, it was how invisible the whole chain was from inside the actual chat UI. The tool name and description are the only things surfaced to the user, nothing about the code underneath ever gets shown, so a tool with an innocuous sounding name can just as easily be running something malicious in the background.

We mapped the whole thing to MITRE ATT&CK and the Cyber Kill Chain, then spent the second half of the paper on what Claude Desktop’s UI does and doesn’t surface (permission prompts, tool toggles, request/response summaries) and proposed both enterprise level fixes (locking down the config file, monitoring it for tampering) and application level ones (UI alerts when a server changes, resetting trust flags when a tool’s underlying code changes). From this, an open source project was started: Claude Defender.

Heimdall hero

thesis

On November 5, 2025, Jens Myrup Pedersen gave a talk at the Danish Tech Summit titled “Hybrid War: The Top Cyber Threats to Danish Industry.” He talked about how adversaries target critical infrastructure, the systems a society depends on to function: energy grids, hospitals, transportation, financial services. His argument was that offensive security testing of these systems isn’t optional, it’s a necessity, because when they fail the consequences reach the public that depends on them.

That talk put a question in my head: what about education? Universities are infrastructure too, not in the traditional sense of power lines and water treatment, but in a functional sense. They certify competence. A medical degree from a Danish university tells the health system that a person can practice medicine. If the systems underpinning those certifications are compromised, the signal becomes meaningless. Despite how important exam platforms are, offensive security research targeting them is sparse. The most notable prior work is Burgess et al.’s 2022 paper, which reverse engineered four U.S. proctoring suites and found all their anti-cheating measures could be trivially bypassed.

My thesis was originally going to be titled “How to Cheat on an Exam.” The plan was genuinely to sit an exam using techniques I’d find, film the whole thing as a bit of a vlog, and turn it into research with a stunt element, partly because I thought it would be funny and partly because exam security felt like a topic nobody was taking seriously enough to actually poke at properly. My supervisor said no to the exam-taking part, for reasons that in hindsight are extremely fair, so it turned into a straight vulnerability research project on exam and LMS infrastructure instead, working with UNIwise on their platform.

I’m not disclosing anything about the actual testing here, that’s covered under a separate agreement with UNIwise and stays between me, my supervisor, and my assessors. What I can say is what UNIwise put in writing themselves: I did penetration testing on their platform as part of my thesis, and in their words I proved to be “a very competent pentester, identifying several critical vulnerabilities that had not been identified in their regular penetration tests carried out by professionals.” Communicative, transparent, and quick to understand the business domain, according to them.

The timing ended up meaning more than I expected. Not long after, the Canvas Hack happened, actual criminals breaching a learning platform used by thousands of institutions worldwide, CBS included. I had no involvement in that and no advance knowledge of it, it’s a completely separate platform and a completely separate incident. But it landed in the middle of the same stretch of time I’d spent taking exam and LMS security seriously while most people treated it as a non-issue, and it made the whole “started as a joke” thesis title feel a lot less like a joke in hindsight.

In conclusion

Looking back, I’m happy that none of these projects ended as PDFs sitting in a folder somewhere. They led to fixes, conversations, research, and opportunities I never expected when I first moved to Denmark. The nature of security work usually keeps me from talking about most of it, so I’m glad I could at least put this chapter down properly. Many more adventures to come!

also see