Most corporate security leaders are doing compliance, not security. That is the blunt assessment of Mitchell Amador, CEO of Immunefi, the leading crowdsourced cybersecurity platform for blockchain, with over $25 billion in hack-related damage averted and more than 90,000 registered white-hat researchers. And he argues that the arrival of AI-powered cyber attacks has made that distinction not just important but existential.
“Most traditional CISOs were really doing a version of compliance, not security,” Amador told the Cyber Insurance News and Information Podcast. “They were securing against crime, not war.”
That framing, defense versus security, sits at the heart of a conversation that covers nation-state attackers, AI-multiplied hacking armies, quantum encryption risk, and what the crypto industry learned about survival that the rest of the world has not yet grasped.
The conversation also covers the culture of coopetition that crypto security built, with rival platforms sharing threat intelligence in real time, the mechanics of bug bounty programs and why 90,000 crowdsourced researchers outperform any internal team, the dramatic fall in smart contract loss rates and what that means for insurers, and why quantum computing is not just a crypto problem but a simultaneous threat to every bank, government, and military communication system on earth.
The Dark Forest
Amador opens with a concept borrowed from Liu Cixin’s science fiction novel The Three-Body Problem. In it, the universe is a dark forest. Predators prowl constantly. Silence is survival. Exposure is death.
Crypto, he says, is the same, but with one critical difference. The blockchain is transparent by design. There is no hiding.
“In crypto, a hack is not just a breach of personal information,” Amador explains. “The hack allows you to steal real money.”
The numbers bear that out. The largest single crypto hack last year netted $1.6 billion in under 15 seconds. Two separate attacks in March each exceeded $300 million. North Korea’s military intelligence division, running what Amador estimates at 300 to 1,000 operatives, is responsible for some of the largest financial thefts in human history. They are, Amador stresses, just one player in a much larger field.
AI Changed The Economics Of Attack
For years, the pool of hackers capable of causing material damage to major enterprises was limited. Amador puts the number at roughly 500,000 globally, most of them working for large corporations or governments. The criminal subset was comparatively small.
That calculation is now obsolete.
“Everybody can have a nation-state cyber-attacking army now,” Amador says. “The world’s just beginning to realize that.”
AI has multiplied the number of effective attackers by at least a factor of ten. Where there were once perhaps 500 to 2,000 hacking groups capable of serious harm, Amador estimates that figure has jumped to between 5,000 and 25,000. The barrier to entry, once defined by years of specialist training, has collapsed. A moderately competent hacker with access to advanced LLM agents can now do what once required a 300-person military unit.
The analogy Amador uses is precise: preparing for the last war. He compares it to drone and missile systems transforming warfare in Ukraine and the Middle East. The technology did not just improve existing capabilities. It redistributed them. And then handed them to everyone.
Corporate security budgets have not caught up. Most CISO infrastructure, Amador argues, was built around the economics of human-paced, crime-scale attacks. That world is going.
What Crypto Already Figured Out
Immunefi operates at the intersection of that threat and a working response to it. The platform aggregates over 90,000 registered security researchers and white-hat hackers and deploys them against the smart contracts and blockchain protocols of its clients. The model is called bug bounty: a prize contract that pays researchers for finding vulnerabilities before attackers do.
The logic is one of scale. North Korea’s most feared hacking unit runs fewer than 1,000 operatives. Immunefi alone outnumbers them by a factor of ninety. Add the broader white-hat community, and the ratio becomes, in Amador’s words, “a thousand to one.”
“We can give you an army that’s infinitely larger than theirs,” he says.
The culture that supports this model is, Amador argues, the crypto security industry’s most underrated achievement. Security leaders across competing platforms share threat intelligence freely. They tip off each other to known attackers. They route information to Interpol. When North Korea stole $300 million in one recent incident, coordinated action froze $90 million of those funds before they could be moved.
This is what Amador calls “coopetition.” It runs counter to conventional C-suite instinct, where sharing information with a competitor feels like a concession. In crypto security, he says, the shared threat is simply too large for any other posture to make sense.
The Cyber Insurance Problem And The Opportunity
The cyber insurance market, Amador notes, is still learning to price software risk. The central challenge is that software was never designed to be safe. It was designed to be fast and cheap. The internet inherited those compromises. The entire global economy is now built on top of them.
Blockchain took a different path. Built on the direct knowledge of what inadequate security costs, crypto protocols embedded risk reduction into their architecture from the start. The results are measurable.
Six years ago, losses from code and logic errors across decentralized finance ran at two to four percent of assets annually. Last year, that figure was 0.6 percent. Amador believes the industry will reach sub-ten basis points by 2030, approaching parity with, or better than, the security profile of traditional financial systems.
“We are on the cusp of a new kind of insurance in the blockchain markets,” Amador says. “We can reliably predict and price smart contract insurance.”
That capability, he argues, will become one of the key conditions for moving large traditional financial markets onto blockchain infrastructure. It also represents something exportable. The formal verification and fuzzing tools that crypto developed to produce objectively secure code can, in principle, be applied across the broader internet. Amador intends to give them away.
The Quantum Question
No conversation about the future of encryption ends without quantum. Amador does not minimize the risk. A sufficiently capable quantum computer could simultaneously break the cryptographic foundations of every blockchain, every bank, every government, and every military communication system.
“It’s not just game over for us,” he notes. “It’s also game over for every bank and financial institution in the world.”
The crypto industry is already building quantum-resistant cryptographic solutions. The honest caveat, Amador admits, is that no one can yet prove which algorithms will actually hold. The entire field is, in his phrase, going to have to “YOLO this together.” But crypto, he argues, is better positioned than most to navigate that transition, both technically and culturally.
The Takeaway For Security Leaders
Amador’s message to CISOs and board-level executives is, by his own admission, uncomfortable. For most organizations, the rational calculation is still to do nothing. The stakes are high enough that governments and large institutions will absorb the cost of defense, while smaller players free-ride on the results. That logic, he acknowledges, is mathematically sound.
But the window in which that calculation holds is closing. AI has democratized attack capabilities at a speed that defensive budgets and organizational cultures have not kept pace with. The question is not whether the threat model changes. It already has. The question is whether security leaders will acknowledge that before an incident forces the point.
Amador’s closing provocation is characteristically direct. Five years from now, he predicts, it will seem obvious that individual use of technology needs to be heavily controlled for health and well-being. The implication runs wider than personal screen time. It is a statement about a world in which the tools of large-scale harm are now freely available, and in which the culture, the economics, and the institutions of security have not yet caught up.
FAQ – AI-Powered Cyber Attacks
Immunefi is the leading crowdsourced security platform for blockchain. It connects over 90,000 white-hat security researchers to crypto protocols, blockchains, and decentralized platforms. Researchers are paid bounties for identifying vulnerabilities before attackers can exploit them.
A bug bounty program is a prize contract. An organization specifies the types of vulnerabilities it wants found and sets a payment scale for each. Researchers, typically independent security professionals, attempt to find those vulnerabilities and report them in exchange for the reward. The model gives organizations access to far more security expertise than any internal team could provide.
AI has dramatically lowered the barrier to entry for sophisticated attacks. Tasks that previously required years of specialist training can now be performed by moderately skilled hackers using large language model agents. Attack capability that once required a nation-state program is now accessible to individuals.
Coopetition describes the practice of sharing threat intelligence across competing organizations. In the crypto security sector, rival platforms routinely exchange information about known attackers, active threats, and emerging vulnerabilities. The shared threat is considered large enough to override competitive instincts. Amador argues that this culture, already standard in crypto, will become necessary across the broader economy as AI raises the scale and sophistication of attacks.
Smart contract insurance is an emerging market. Loss rates from code and logic errors in decentralized finance have fallen from two to four percent of assets annually six years ago to 0.6 percent last year. Amador projects losses will reach sub-ten basis points by 2030, at which point he argues the risk becomes reliably priceable and the conditions for a functioning smart contract insurance market will exist.
A sufficiently advanced quantum computer could break current encryption, undermining the security of blockchains and, simultaneously, every major bank, government, and military communication system. The crypto industry is developing quantum-resistant cryptographic solutions, but no one can yet prove which approaches will hold. Amador regards crypto as better positioned than most sectors to navigate this transition, given its existing technical depth and culture of open collaboration.