I'm not really into malware, so I was just wondering:
- Isn't this really non-viable in practice? The "few headers" that were shown include an Authorization header, that would presumable rotate every ~24 hours and would have to rotate for all the malware clients as well.
- Are centralized Command and Control Severs still a thing in the malware space? I would have assumed that this function mainly migrated onto one of the popular blockchains with clients using one of thousands of available gateways for reading.
One could probably use matrix (perhaps might need account creation?) or session or simplex (their accounts are sort of like addresses, easy to make compartively to matrix)
I have built dead simple bots on both session/simplex trying both of them out and session was the more ergonomic one to build on but simplex is more decentralized considering session's more crypto related and wants to ask you for money for node whereas simplex doesn't
Although on the other hand, simplex wants to do client side verification on their official client and their bot creation was really painful to start with so but I do feel like its more decentralized but not sure, Both have consequences but honestly I just really end up shilling signal in the end for most people's usual use cases which is communication but its super great to know that there are alternatives.
Matrix is really cool as well. especially cinny's ui (https://cinny.in)
probably not so useful in practise, but still fun and interesting.
Yes, centralised C2 is definitely still a thing in the malware space, for commodity malware it works well enough that there's little real incentive to move to anything more complex.
Regarding your first point, extraction of the headers could be trivially automated. Also, using Hinge's CDN (which I think is CloudFlare and/or AWS) is more viable imo, as you don't need to provide headers to GET the files. If that also applies to user-uploaded videos then I do think there's some meat on this bone. But as the other user who replied to you pointed out, this was mostly for nerdy delight.
Also thanks for bringing up the blockchain C2 use, that's cool and news to me.
In most red team contexts, the implants don't talk directly to the actual C2 - the implants talk to listening posts (often behind redirectors/transient reverse proxies) and then the listening posts request commands from the C2 server.
> I would have assumed that this function mainly migrated onto one of the popular blockchains with clients using one of thousands of available gateways for reading.
Why would you want to use blockchains for this? DHT has been used for distributed c&c for ages and is generally a much lighter option.
But no, P2P C&C is still not really typical. In practice, there's mostly not that much need for it. Also, FWIW, for practically all use-cases P2P C&C discovery is a vastly better option.
I think this is one of those things where if you're married (like me) you only have the most peripheral sense of the popularity of these things and if you're single they potentially occupy way too much of your thoughtspace.
Again, why? Nothing on its wiki article or the first page of Google results suggests it should be a household name.
So unless the default assumption is that everyone on HN is dating (I'm married) I genuinely don't understand why it's weird to not have heard of some random ass dating app
Because it used to be the "best" dating app out there for "serious" people wanting long term relationships. Now all the apps are trash and have predatory monetization.
Even if you're married, you've got to know somebody who isn't. It's like referring to Google as "some random ass search engine website" and wondering why people think you're the weird one.
The Hinge app I know of is from my healthcare provider, and reminds me to do stretches. It also has a pretty great TENS device peripheral. I wouldn't expect young single people to know about that app, because it serves a different demographic.
speaking of command and control servers, the best one you can get at the moment is to just to use crypto currencies, plenty of available nodes to auto discover or just rely on explorers to query your own wallet, deposit address can encode quite a bit of information since it's a pretty long address and definitely has enough bytes to encode commands
I want to thank you and the other user (hobofan) for pointing out the use of crypto currencies as C2s. I do bioinformatics for a living, not infosec, so that's another fun little rabbit hole for me to go on...
Hey I actually created something like this when I was once curious. Its called nanotimestamps
I found it when I realized that nano had 0 fees and I realized that by using a nano vanity address generator, I can embed data into a series of transactions and then basically embed data into the chain (for free) since there is 0 gas fees
Now I created it as a way of getting timestamps of any data onto the chain but you can embed any information and create c2c's on top of that
There is also a way that I vibe coded once to embed data directly into the vanity address and so you can lose 10^-32 nano or basically negligble which is more efficient as well
If you have any questions, I'd love to answer (also even if I like the tech, I think that crypto's fundamentally really really volatile and I prefer things like index funds being honest)
Cool! I wasn't aware of nano; your point about the gas fees is really compelling, as there's a lot of stuff I've wanted to try building on Ethereum et al that I just haven't done because I can't get over the hurdle of paying transaction costs lol.
> also even if I like the tech, I think that crypto's fundamentally really really volatile and I prefer things like index funds being honest
At the risk of derailing the thread, I agree. However, I think "tokenization" is probably crypto's killer app if the messy problem of legal finality rectifying assets on the blockchain with their real-world counterparts can be solved. I touched upon this in a separate post on my blog.
Oh yeah another point, see my other comment as well but if you need to start with nano, all you need is a faucet which you can get for literally free and that's all you need for you to experiment with my project.
You really don't need to spend any money at all and that's actually how I built it. I recommend you to contact me if you wish to run it locally for experiments purposes as it requires bao and nano-vanity-generator, you can take the look at the code
Also I would like to disclose that the code is AI generated. I have no expertise in this field but I found this idea fascinating and saw nobody doing it so did it. But still, I am just proud of my idea and I get good reception whenever I mention this idea (which is quite a lot, tbh I am proud of it a little) so yeah, I love talking about this project's idea fascinating as well and I have expanded upon this work privately to even build ways of creating ones own tokens on top of nano etc. but creating wallet etc. and more abstractions felt wrong and I just wanted to prove it was possible
To be honest, you creating a c2 server on hinge was similar to this feeling of "proving" as well.
To me, its just that if I can prove something, then I can figure out the practical uses of it later (like discussing it right now) etc.
I guess we both are similar in the "proving" way reading your article which is nice to hear, Let me know if you have any questions as I would love to answer!
So let me know how you like this project, Y'know making this project had to make me build some abstractions which you might be interested to look at as well and could be used for multiple purposes.
Create an issue in my github repo if you want to talk to me if you have any questions as well and I would love to answer there and here as well if you wish! Glad my project could be of interest to ya! If you have any use cases for my project, then let me know as well
Have a look at L2BEAT - any L2 EVM in the top 10 is fine (disclosure: I work for an L2). Check their native token price to understand gas price and onboarding complexity. Some L2s use ETH bridged from Ethereum rather than a native token.
if you add non trivial address generation there simply isn't a good way to block it except for hope and prayers. nobody really wants to play wack-a-mole on blocking addresses for c2 servers and then there will always be websites which straight up do not care.
I mean, at that point, why wouldn't you just rely on a DGA? At least then you wouldn't be flooding block explorer sites with millions or potentially tens of millions of requests per day for your C&C traffic.
Essentially the exact approach you propose has been attempted in far cleverer ways, it did not work very well.
well you wouldn't really want to use it for botnets that large, modern botnets run off similar systems internet runs off - edge endpoints and crypto currency is just a nice distributed database to rely upon to synchronize everything
I don't think you'd want to go through the trouble for smaller botnets though. It's really only the very big ones that face co-ordinated takedown efforts.
For a very small botnet that doesn't attract attention, you could really use any social media site for C&C if your goal was to avoid network-level detection.
For a slightly bigger botnet that might get abuse reports, you could just get a bunch of domains on different ccTLDs from various bulletproof registrars. There are some huge botnets doing this without much trouble.
It's really only the really big botnets where you want to worry about things like P2P C&Cs for censorship resistance, they're the ones that will face co-ordinated efforts to shut them don.
I feel like the block explorers aren't a really good solution, for small botnets there are less conspicuous options. Here's a (real) botnet C&C that uses Steam, and has been doing so for a long time https://steamcommunity.com/profiles/76561199621451974 It's a rather silly implementation though, not sure why the developer decided to do it this way.
It's also worth noting that most botnets aren't targeting networks where they'd really have to worry about network-level detection, so in almost all cases using your own domain names is by far the easiest and most reliable option.
I'd also guess the most common malware these days is of the often short-lived "stealer" type, where the operator doesn't necessarily really care about keeping their bots alive as the malware just immediately grabs all the interesting data from your computer and uploads it.
enlighten me how a non trivially generated address that is only known by malware can be implemented in every single blockchain explorer?
you would have to extract the keys from the malware, you would then have to implement the logic and announce it - then rely on blockchain exploreres actually using that data to block addresses in real time.
I'm not 100% sure I understand what you're saying, but I guess you're asking how this could be censored?
> you would have to extract the keys from the malware
Yeah? That happens all the time. If you're designing mechanisms like this, it's presumably specifically against adversaries which are doing exactly that.
> you would then have to implement the logic and announce it - then rely on blockchain exploreres actually using that data to block addresses in real time.
Someone would only have to do this once and all your bots would be gone.
Usually the whole point of these mechanisms is C&C resilience, and usually that only matters for really big botnets which face co-ordinated attacks.
Any good C&C system for a bigger botnet would seek to eliminate all meaningful external points of failure for C&C. Using a block explorer, or HN comments, does not achieve that.
that's why you have large lists, fallbacks and rolling updates to said fallbacks. it isolates you as the c2 owner to the c2 malware. once you have that you can just query from any kind of server and publish it anywhere else, you can have it act as an indirect proxy, not the primary contact point - it's a globally available database for a low low cost of transaction fees.
but explorers are the easiest since there's so many of them and so many of them that do not give two shits about blacklisting addresses.
because a c2 mechanism isn't that useful when you can't even send the packets out to the internet to use it when t1's get off their ass and actually do something useful.
>because a c2 mechanism isn't that useful when you can't even send the packets out to the internet to use it when t1's get off their ass and actually do something useful.
There are lots of ways to disguise p2p traffic to make it indistinguishable from common, legitimate software.
You don't have to do that? I touched upon it in the first section of the post. All you need is a valid phone number, which you can use throwaway trial SIM cards for.
Maybe you're getting lucky and not tickling their risk-based nonsense, but now that this article has been posted they'll certainly crank that knob up to 11.
You probably don't use Hinge. The verification is not necessary at all. It's merely used to "verify" your identity to other users. It has no bearing on what I cover in the post.
Interesting! Well, I'm definitely not in whatever those regions are. Presumably if a threat actor was motivated enough this would be fairly easily circumvented :]
Edit: e.g. via residential proxy IPs and a bunch of cheap Android phones
They don't let you upload facefusion videos. The video has to come from the front-facing camera on a phone.
There is an extremely profitable company (whose data hoard keeps geting hacked but why should they care?) built around this:
https://www.au10tix.com/
Most apps use device attestation (derived from secure boot) to make sure the video stream is really coming from a front-facing camera on a physical device. If Hinge isn't doing this yet they surely will be in 5, 4, 3, 2...
I know, but you need to think like someone trying to get around the limitation with the lowest effort possible.
They don't feed it a video clip. They hold the camera in front of a screen playing the video. Use a low-end phone with a blurry camera to increase your chances.
Front-facing paired with IR depth map would map it an order of magnitude harder, but I don't know what the standards are around that or what the installed base is on Android.
The purpose of command and control servers is to send and receive data to victims devices.
A secondary goal is to do so while evading detection. This is why many threat actors piggy-back off of legitimate services, it disguises the malware communications and avoids directly exposing the upstream C2 instance.
I'm not really into malware, so I was just wondering:
- Isn't this really non-viable in practice? The "few headers" that were shown include an Authorization header, that would presumable rotate every ~24 hours and would have to rotate for all the malware clients as well.
- Are centralized Command and Control Severs still a thing in the malware space? I would have assumed that this function mainly migrated onto one of the popular blockchains with clients using one of thousands of available gateways for reading.
One could probably use matrix (perhaps might need account creation?) or session or simplex (their accounts are sort of like addresses, easy to make compartively to matrix)
I have built dead simple bots on both session/simplex trying both of them out and session was the more ergonomic one to build on but simplex is more decentralized considering session's more crypto related and wants to ask you for money for node whereas simplex doesn't
Although on the other hand, simplex wants to do client side verification on their official client and their bot creation was really painful to start with so but I do feel like its more decentralized but not sure, Both have consequences but honestly I just really end up shilling signal in the end for most people's usual use cases which is communication but its super great to know that there are alternatives.
Matrix is really cool as well. especially cinny's ui (https://cinny.in)
probably not so useful in practise, but still fun and interesting.
Yes, centralised C2 is definitely still a thing in the malware space, for commodity malware it works well enough that there's little real incentive to move to anything more complex.
Regarding your first point, extraction of the headers could be trivially automated. Also, using Hinge's CDN (which I think is CloudFlare and/or AWS) is more viable imo, as you don't need to provide headers to GET the files. If that also applies to user-uploaded videos then I do think there's some meat on this bone. But as the other user who replied to you pointed out, this was mostly for nerdy delight.
Also thanks for bringing up the blockchain C2 use, that's cool and news to me.
In most red team contexts, the implants don't talk directly to the actual C2 - the implants talk to listening posts (often behind redirectors/transient reverse proxies) and then the listening posts request commands from the C2 server.
> I would have assumed that this function mainly migrated onto one of the popular blockchains with clients using one of thousands of available gateways for reading.
Why would you want to use blockchains for this? DHT has been used for distributed c&c for ages and is generally a much lighter option.
But no, P2P C&C is still not really typical. In practice, there's mostly not that much need for it. Also, FWIW, for practically all use-cases P2P C&C discovery is a vastly better option.
I think the Hinge being referred to is a dating app? I have no idea.
https://hinge.co/
I think this is one of those things where if you're married (like me) you only have the most peripheral sense of the popularity of these things and if you're single they potentially occupy way too much of your thoughtspace.
[flagged]
Apparently I have. Is this particular dating app particularly noteworthy?
I envy the fact you had to google it
Again, why? Nothing on its wiki article or the first page of Google results suggests it should be a household name.
So unless the default assumption is that everyone on HN is dating (I'm married) I genuinely don't understand why it's weird to not have heard of some random ass dating app
Because it used to be the "best" dating app out there for "serious" people wanting long term relationships. Now all the apps are trash and have predatory monetization.
I know Hinge because of the HN post about the data leak a few months ago.
Even if you're married, you've got to know somebody who isn't. It's like referring to Google as "some random ass search engine website" and wondering why people think you're the weird one.
Ok
I don't think you're wierd for not knowing. I also didn't know
The Hinge app I know of is from my healthcare provider, and reminds me to do stretches. It also has a pretty great TENS device peripheral. I wouldn't expect young single people to know about that app, because it serves a different demographic.
speaking of command and control servers, the best one you can get at the moment is to just to use crypto currencies, plenty of available nodes to auto discover or just rely on explorers to query your own wallet, deposit address can encode quite a bit of information since it's a pretty long address and definitely has enough bytes to encode commands
I want to thank you and the other user (hobofan) for pointing out the use of crypto currencies as C2s. I do bioinformatics for a living, not infosec, so that's another fun little rabbit hole for me to go on...
Hey I actually created something like this when I was once curious. Its called nanotimestamps
I found it when I realized that nano had 0 fees and I realized that by using a nano vanity address generator, I can embed data into a series of transactions and then basically embed data into the chain (for free) since there is 0 gas fees
Now I created it as a way of getting timestamps of any data onto the chain but you can embed any information and create c2c's on top of that
There is also a way that I vibe coded once to embed data directly into the vanity address and so you can lose 10^-32 nano or basically negligble which is more efficient as well
If you have any questions, I'd love to answer (also even if I like the tech, I think that crypto's fundamentally really really volatile and I prefer things like index funds being honest)
Cool! I wasn't aware of nano; your point about the gas fees is really compelling, as there's a lot of stuff I've wanted to try building on Ethereum et al that I just haven't done because I can't get over the hurdle of paying transaction costs lol.
Is this you? https://github.com/Koeng101/nanotimestamps
> also even if I like the tech, I think that crypto's fundamentally really really volatile and I prefer things like index funds being honest
At the risk of derailing the thread, I agree. However, I think "tokenization" is probably crypto's killer app if the messy problem of legal finality rectifying assets on the blockchain with their real-world counterparts can be solved. I touched upon this in a separate post on my blog.
Oh yeah another point, see my other comment as well but if you need to start with nano, all you need is a faucet which you can get for literally free and that's all you need for you to experiment with my project.
You really don't need to spend any money at all and that's actually how I built it. I recommend you to contact me if you wish to run it locally for experiments purposes as it requires bao and nano-vanity-generator, you can take the look at the code
Also I would like to disclose that the code is AI generated. I have no expertise in this field but I found this idea fascinating and saw nobody doing it so did it. But still, I am just proud of my idea and I get good reception whenever I mention this idea (which is quite a lot, tbh I am proud of it a little) so yeah, I love talking about this project's idea fascinating as well and I have expanded upon this work privately to even build ways of creating ones own tokens on top of nano etc. but creating wallet etc. and more abstractions felt wrong and I just wanted to prove it was possible
To be honest, you creating a c2 server on hinge was similar to this feeling of "proving" as well.
To me, its just that if I can prove something, then I can figure out the practical uses of it later (like discussing it right now) etc.
I guess we both are similar in the "proving" way reading your article which is nice to hear, Let me know if you have any questions as I would love to answer!
> Is this you? https://github.com/Koeng101/nanotimestamps
No its not, I have the domain nanotimestamps.org but its not really doing much (its called laziness from my side)
https://github.com/SerJaimeLannister/nanotimestamp/blob/main...
Here you go! (the video starts as a gif but there is also a .mp4)
Ended up finding that the best way to upload videos is probably github wiki pages
https://github.com/SerJaimeLannister/nanotimestamp/wiki
So let me know how you like this project, Y'know making this project had to make me build some abstractions which you might be interested to look at as well and could be used for multiple purposes.
Create an issue in my github repo if you want to talk to me if you have any questions as well and I would love to answer there and here as well if you wish! Glad my project could be of interest to ya! If you have any use cases for my project, then let me know as well
have a nice day! Looking forward to talk to ya
If you want the Ethereum VM but with lower tx costs, try one of the L2s.
Any L2 you'd recommend? The last time I dipped my toe in that world I only bothered with L1s like Ethereum, Solana, etc.
Have a look at L2BEAT - any L2 EVM in the top 10 is fine (disclosure: I work for an L2). Check their native token price to understand gas price and onboarding complexity. Some L2s use ETH bridged from Ethereum rather than a native token.
If you are interested in cheap L1's which aren't restricted like nano, I can recommend stellar, (sei?) etc. although these are L1's
If you are interested in L2's, polygon's cheap as well fwiw
+1 for Polygon. Very cheap.
Many networks block non-http/s traffic.
Block explorer websites expose blockchains over http/s.
Yes, and can easily be blocked if they are commonly used for c&c, like many other sites are (such as gists and pastebins) for the same reason.
if you add non trivial address generation there simply isn't a good way to block it except for hope and prayers. nobody really wants to play wack-a-mole on blocking addresses for c2 servers and then there will always be websites which straight up do not care.
I mean, at that point, why wouldn't you just rely on a DGA? At least then you wouldn't be flooding block explorer sites with millions or potentially tens of millions of requests per day for your C&C traffic.
Essentially the exact approach you propose has been attempted in far cleverer ways, it did not work very well.
well you wouldn't really want to use it for botnets that large, modern botnets run off similar systems internet runs off - edge endpoints and crypto currency is just a nice distributed database to rely upon to synchronize everything
I don't think you'd want to go through the trouble for smaller botnets though. It's really only the very big ones that face co-ordinated takedown efforts.
For a very small botnet that doesn't attract attention, you could really use any social media site for C&C if your goal was to avoid network-level detection.
For a slightly bigger botnet that might get abuse reports, you could just get a bunch of domains on different ccTLDs from various bulletproof registrars. There are some huge botnets doing this without much trouble.
It's really only the really big botnets where you want to worry about things like P2P C&Cs for censorship resistance, they're the ones that will face co-ordinated efforts to shut them don.
I feel like the block explorers aren't a really good solution, for small botnets there are less conspicuous options. Here's a (real) botnet C&C that uses Steam, and has been doing so for a long time https://steamcommunity.com/profiles/76561199621451974 It's a rather silly implementation though, not sure why the developer decided to do it this way.
It's also worth noting that most botnets aren't targeting networks where they'd really have to worry about network-level detection, so in almost all cases using your own domain names is by far the easiest and most reliable option.
I'd also guess the most common malware these days is of the often short-lived "stealer" type, where the operator doesn't necessarily really care about keeping their bots alive as the malware just immediately grabs all the interesting data from your computer and uploads it.
There are much lighter alternatives though, why would you want to bother with cryptocurrencies when you could just use DHT?
I mean, even just shipping a Tor client embedded in your malware seems like a much better idea.
>just rely on explorers to query your own wallet
This kind of defeats the point, you get exactly 0 censorship resistance like this.
enlighten me how a non trivially generated address that is only known by malware can be implemented in every single blockchain explorer?
you would have to extract the keys from the malware, you would then have to implement the logic and announce it - then rely on blockchain exploreres actually using that data to block addresses in real time.
I'm not 100% sure I understand what you're saying, but I guess you're asking how this could be censored?
> you would have to extract the keys from the malware
Yeah? That happens all the time. If you're designing mechanisms like this, it's presumably specifically against adversaries which are doing exactly that.
> you would then have to implement the logic and announce it - then rely on blockchain exploreres actually using that data to block addresses in real time.
Someone would only have to do this once and all your bots would be gone.
Usually the whole point of these mechanisms is C&C resilience, and usually that only matters for really big botnets which face co-ordinated attacks.
Any good C&C system for a bigger botnet would seek to eliminate all meaningful external points of failure for C&C. Using a block explorer, or HN comments, does not achieve that.
that's why you have large lists, fallbacks and rolling updates to said fallbacks. it isolates you as the c2 owner to the c2 malware. once you have that you can just query from any kind of server and publish it anywhere else, you can have it act as an indirect proxy, not the primary contact point - it's a globally available database for a low low cost of transaction fees.
but explorers are the easiest since there's so many of them and so many of them that do not give two shits about blacklisting addresses.
And what do you gain from all this extra complexity designed to compensate for fundamentally unreliable c&c channels?
You could've just used DHT, or even bundled Tor.
because a c2 mechanism isn't that useful when you can't even send the packets out to the internet to use it when t1's get off their ass and actually do something useful.
>because a c2 mechanism isn't that useful when you can't even send the packets out to the internet to use it when t1's get off their ass and actually do something useful.
There are lots of ways to disguise p2p traffic to make it indistinguishable from common, legitimate software.
[dead]
Um, use an app that requires you submit to video facial recognition to make an account?
So that you can then use that account, which is tied to your biometrics, for lawbreaking?
Wut?
You don't have to do that? I touched upon it in the first section of the post. All you need is a valid phone number, which you can use throwaway trial SIM cards for.
> Our first hurdle is the account creation setup
Account creation requires biometric face-scan.
[flagged]
Tons of posts on Reddit disagree with you:
https://redlib.catsarch.com/r/SwipeHelper/search?q=hinge+sel...
Maybe you're getting lucky and not tickling their risk-based nonsense, but now that this article has been posted they'll certainly crank that knob up to 11.
Ah, I see, you're referring to this: https://help.hinge.co/hc/en-us/articles/10303221435539-What-...
You probably don't use Hinge. The verification is not necessary at all. It's merely used to "verify" your identity to other users. It has no bearing on what I cover in the post.
> Note: In certain regions, Hinge requires users to complete a biometric Face Check™
Interesting! Well, I'm definitely not in whatever those regions are. Presumably if a threat actor was motivated enough this would be fairly easily circumvented :]
Edit: e.g. via residential proxy IPs and a bunch of cheap Android phones
In 2025/2026 it’s not hard to generate fake videos that bypass these security gates.
They don't let you upload facefusion videos. The video has to come from the front-facing camera on a phone.
There is an extremely profitable company (whose data hoard keeps geting hacked but why should they care?) built around this:
Most apps use device attestation (derived from secure boot) to make sure the video stream is really coming from a front-facing camera on a physical device. If Hinge isn't doing this yet they surely will be in 5, 4, 3, 2...I know, but you need to think like someone trying to get around the limitation with the lowest effort possible.
They don't feed it a video clip. They hold the camera in front of a screen playing the video. Use a low-end phone with a blurry camera to increase your chances.
> They hold the camera in front of a screen playing the video.
Neural networks are very, very, very good at detecting this.
It's much easier than detecting "liveness" (for whatever definition of that term you subscribe to).
Can someone not just have an additional device and play a video on top of it?
Fundamentally no amount of front facing camera on a physical device or other shenanigan a company might do can really do anything about it?
Front-facing paired with IR depth map would map it an order of magnitude harder, but I don't know what the standards are around that or what the installed base is on Android.
Could someone ELI5 what this does?
Command and Control Server (C2) refers to the infrastructure required to command and control malware of various forms.
The author basically found a creative use of Hinge’s infrastructure and proved it could be used to control malware.
But the malware was encoded as an image, how is it runnable on the target's smartphone?
The purpose of command and control servers is to send and receive data to victims devices.
A secondary goal is to do so while evading detection. This is why many threat actors piggy-back off of legitimate services, it disguises the malware communications and avoids directly exposing the upstream C2 instance.
> Congratulations! You're now using Hinge to distribute unassuming abstract expressionist pixel art.
creative platform use
[dead]