Martin Hinton (00:00.419) All right, we're rolling now, Mitchell. So stand by one second. I'll do a little bit to camera. One thing before you disconnect, let me confirm that everything got downloaded completely. So don't disconnect until I give you the okay, okay? So stand by, here we go.

Martin Hinton (00:16.343) Welcome to the Cyber Insurance News and Information Podcast. I'm your host, Martin Hinton, and today we're going to be talking about crypto and the adversarial cyber environment, while also serving as a fast-paced test bed for security incentives, loss prevention, and eventually cyber catastrophe insurance. It's a big space. And to help us discuss that today is Mitchell Amador, the CEO of Immunefi. Mitchell, before we dive into that big topic today, thanks so much for joining us. Tell us a little bit about your career and how you got to this space as it is currently today.

Mitchell Amador, CEO Immunefi (00:49.026) Sure. Well, I got here accidentally. I had no particular enthusiasm to become a security professional. And the technical side of the business was never my forte. But I found, in the course of building lots of different things in early crypto and prior, that I kept stumbling into the most severe security and threat modeling problems that we had in the industry. I had to deal with SIM swap attacks where someone takes over your phone, breaks into your iCloud, tries to steal all of your data. It's like identity theft at mass scale, insider attacks, social engineering attacks, attempted hacks of company treasury and funds, attempted kidnappings and stalkings of all sorts, IP thefts, technology thefts, corporate espionage, and everything in between. So, in the course of building a lot of things, I was pulled into this world of security. And I saw all the problems that ultimately brought me to the conclusion, this was in 2019, 2020, that if we didn't transform how we were doing security in crypto, we were not going to survive.
Okay, that we would hit a kind of vulnerability apocalypse that would delegitimize our whole industry. And it was that insight, and a wish to prevent that and to safeguard my industry that I loved (I got involved for ideological reasons), that I entered the space and that I built Immunefi, which is one of the larger protectors of the industry today.

Martin Hinton (02:23.949) So tell me about Immunefi. We chatted before today, so I know a little bit, but I don't get paid to know things. I get paid to have you explain them. So tell me what Immunefi is.

Mitchell Amador, CEO Immunefi (02:34.51) So, Immunefi is the biggest security platform protecting on-chain protocols, platforms, and blockchains in the world today. And specifically, we occupy the bug bounty niche and beyond, but we occupy almost all of the major protocols' bug bounties. If you look at major protocols by TVL or size, almost all of them are going to be Immunefi customers, and they're going to host their crowdsourced security defense mechanisms with us. In practice, what that means is we've aggregated the largest white hat community spanning the entirety of the crypto security scene and also the traditional web security scene. And we tell these guys: hey, look, we've got all these amazing projects. They need protection, they need support, and you and only you are on the frontier of security that can go and help provide these things. You can find out how to crack their infrastructure and disclose the vulnerabilities that they don't know exist before they could be exploited. And we operate as the central clearinghouse for all these, what would be traditionally known as zero days, to go between almost every major project in the industry and the global white hat security community.

Martin Hinton (03:44.075) So you help people find problems and fix them with regard to security in the crypto space.

Mitchell Amador, CEO Immunefi (03:49.966) That's right.
We help people find the holes in their bank vaults they didn't know they have. And unfortunately with software, there are always holes.

Martin Hinton (03:59.905) Indeed, indeed. So when we were planning this and chatting about this conversation beforehand, we talked about, I think the phrase was, Web3 is a bit of a dark forest. And I wonder if, in practical terms, you know, you might explain what you think people mean or what that means to people.

Mitchell Amador, CEO Immunefi (04:12.502) Yes.

Mitchell Amador, CEO Immunefi (04:18.668) Sure. So I would bet that a number of your listeners are actually gonna know exactly what that refers to, because this quote of course comes from the famous Chinese science fiction novel, The Three-Body Problem. And in The Three-Body Problem, they describe why this challenge, why is it not that the aliens have reached out? Why do we see no evidence of alien life and activity in civilization when we, you know, earthly humans are broadcasting an infinite amount of very specific and particular and sensible radiation out into the cosmos constantly? Why don't we see it in return? And they get to this conclusion, this terrifying conclusion, that the galaxy, the universe, is a dark forest. And what that means is that there are these predators that are constantly prowling the environment the entire time. And so the kind of advantageous position in this environment is just to be strictly silent and to be unnoticed, to be unseen, to be invisible, because the moment you reveal yourself, a predator will pounce upon you. They must. It is game theoretically optimal for them to take you out. And the connection to crypto is we are the same way, but with vulnerabilities. At any particular moment, there are dozens of illegal criminal groups, many of which could be operating at vast scale, think billions of dollars.
Okay, it's like really, really large scale, that are scanning every major contract on chain, that are looking at every new project and every new deployment, hoping and waiting for a single gap. A simple break in the armor that they can exploit to steal all the money in those contracts. Because in crypto, a hack is not just a hack, it's not a breach of PII or personally identifiable information that's going out. Nobody cares about that here. The hack allows you to steal real money. The biggest heists in the history of mankind all happen here with our bearer assets.

Mitchell Amador, CEO Immunefi (06:32.204) And so every sophisticated technical criminal organization in the world realizes there's no better place to be a thief than crypto. And at the peak of these, by the way, just to color and contextualize this, this dark forest analogy, the peak, the most famous group of thieves in crypto today is North Korea, specifically the North Korean army. Okay? This is the environment we're operating in. They are just one player.

Martin Hinton (06:59.351) You touch on, and, you know, I'll throw a link in the show notes, there have been great articles about their stunningly organized and global efforts to steal from, in this situation and then more broadly as well. That all suggests that it's shifted to a much more industrialized or organized kind of reality. Like, there is a persistent threat to the crypto environment from well-funded, well-organized nation-state, in the case of North Korea, backed actors. Is that a fair characterization?

Mitchell Amador, CEO Immunefi (07:37.463) Hundred percent. And not just North Korea. North Korea is just the most famous. The largest Iranian exchange went down in the opening days of their war, being hacked by an Israeli cyber attack group. And we know that some of these other groups in Ukraine and Russia have been throwing cyber bombs, so to speak, at each other for years and years and years now.
So North Korea is just the most public, but we're in an environment where the norm or the default, the typical threat model for a builder in our industry, is that there are nation state actors and they are out to get you and to rob you.

Martin Hinton (08:11.395) I mean, and this is a twenty-four-hour day, every moment of time threat, right? That there's a constant scanning of the system. That presents a constant threat, right? Obviously. What is the response to that? You know, what do people who are in this space need to be thinking about if maybe they're not quite aware, and I suspect most of them are, but you know, crypto is one of those things that a lot of people who aren't involved hear about and they pretend they understand or they

Mitchell Amador, CEO Immunefi (08:17.72) Yes.

Martin Hinton (08:40.311) maybe are bold and admit they don't. But what about that idea? What does normal even look like when you're facing this kind of threat?

Mitchell Amador, CEO Immunefi (08:41.279) Mm-hmm. Yeah.

Mitchell Amador, CEO Immunefi (08:48.526) Sure. This is where the dark forest analogy breaks down, by the way. Because at least in The Three-Body Problem, in the dark forest, you had a solution. You stay silent. You do not emit or radiate any signal. You stay invisible in order to stay alive. But in crypto, we built the whole system so it's transparent by default and everybody can see what everybody else does. So no such option. No, we don't have good solutions for that part. And so the only solution that we have is really to go after the holy grail of cybersecurity, which is we need objectively secure systems. We need as close to perfect security, perfect defense, unhackability as you can get, as the technology can allow, as physics will allow. And this is actually what all of on-chain security is about. And this is what we do. We create objectively secure systems.
Martin Hinton (09:46.989) So, pausing there for a sec, right? So just for those of the audience who aren't on the inside, if you're outside crypto, what's the clearest way to understand the stakes here? Why it matters? You know, for people who don't really understand this space, why does it matter?

Mitchell Amador, CEO Immunefi (10:08.238) Sure, great question. It matters for two reasons. Number one is this technology has proven so impactful and transformational, the blockchain that is, that it is inevitably going to underpin global financial infrastructure for the next several decades. Okay. We are in the process of replacing financial infrastructure across the world. The tech works great, lowest cost, has all these benefits that will be brought to society, is being brought to society. It's happening. But the flip side of that is when an attacker can compromise these systems, they can do incredible damage. The biggest hack last year was for $1.6 billion. $1.6 billion in less than 15 seconds. Okay? Scary. Two hacks earlier in March were for $300 million each, cash. Okay. This is a high-stakes game. This is, you know, the GDP of entire cities across the world, right? Tens and hundreds of thousands of people laboring to create good lives, just stolen like that. Okay, it has immense impact on people's lives. That's why we must win.

Martin Hinton (11:17.355) Yeah, I mean, I think that's why, I mean, one of the ideas that's important to keep in mind is that if something bad happens to your neighbor or within the ecosystem of your economy, even if you're not involved in that economy, it's a bit like a storm hitting California and you have a situation where you may not think, living in Ohio, it matters, but then you realize you're paying twice as much for avocados. That sort of domino effect is the reason it matters broadly across, you know, even people who aren't really involved.
Mitchell Amador, CEO Immunefi (11:48.015) Exactly so. And this is especially salient when you think of what crypto is and what it offers, which is superior, fairer, more transparent, more inclusive financial markets. Okay. Which is exciting, but financial markets, if they're gonna be efficient, they're gonna have leverage. And so they're prone to contagion. And so these events can get really out of hand. Okay. They can cause much more damage. We've been able to prevent those scenarios to date. We've done a very good job. The industry has some really great people who believe in the mission and who support it and have put up, you know, a billion dollars in some cases to make sure that creditors at some of these institutions that are harmed stay whole. But that's the kind of stakes that we're playing with here. And eventually it's going to touch the whole of society. So we need to create these systems and make them safe right now before we see trillions more in assets flow on chain.

Martin Hinton (12:45.847) That attitude is one that is a befitting example because I think broadly with the digital economy that we've embraced since, you know, basically the World Wide Web came into fruition in the nineties, is one where we've raced forward, maybe built on less than ideal tech stacks, right? That the problems of yesterday don't get addressed and you wind up exacerbating the failure to get it right from the beginning, or at least have a principle in place from the beginning. Is that juxtaposition to the way you see this all being developed within the crypto world? The idea is we gotta get this right from the start. For it to be new and reliable and the world to be comfortable with this change, we also need to find ourselves in a situation where, you know, the money goes into a, if you will, vault or a bank that is actually secure, that people can feel safe about. Is that too simple a way to think about it?
Mitchell Amador, CEO Immunefi (13:36.387) Yes and no. I mean, look, we've been building in this at scale now, Martin, for over a decade. Okay. At scale, I'm talking millions and millions of users, no longer hobbyist projects, but serious money and people dedicating their entire careers to this type of activity. So it's been a long road. We had our period there where we were YOLOing and, you know, we were influenced by the break fast, or sorry, move fast and break things philosophy. But all of crypto has converged on, you know, kind of move as fast as you can and break absolutely nothing as security philosophy. Every single investor will enforce that standard and expectation on their portfolio companies. Every single institution will expect it. Every single exchange will demand it. So we've gone in this new direction where, yes, that is our point of view. And it's still early days, right? So you could say that we've committed to that. Obviously, being around in the industry a long time, I'm a little more nuanced. I see all the things we tried and failed at as well. So I can't say we really decided it from the beginning. It's more like we learned the hard way at small scale and now we've committed as kind of more mature adults that this is gonna be the foundation of our industry. And it's working.

Martin Hinton (14:50.285) So shifting back to bug bounty, I wonder if you could, in a plain English way, explain or define what a bug bounty is.

Mitchell Amador, CEO Immunefi (14:59.118) Sure, so a bug bounty is real simple. It's a big prize that you put up for someone in case they can find a vulnerability in your system. Okay? And that's a very general statement because it's a very general tool. The bug bounty itself, the bug bounty program, we call it, is really just a legal contract. It's a prize contract. It's a contest. Or saying, look, I'm looking for this type of thing. I've got my bank vault if you.
And my bank vault is not just made up of a building, although it could be, it's also made up of code. It's also made up of servers, it's also made up of infrastructure, it's made up of websites, and so on and so forth. And I say to you, Martin, you being the cunning, clever, brilliant, hopefully white hat hacker that you are, if you can find a vulnerability that meets these requirements, that lets you do these bad things to me, to my customers, to my data, then I'm gonna pay you a prize. I'm gonna pay you it, and I'm gonna pay it according to this much money that I specified in advance in the contract, the bug bounty program. So this is what a bug bounty is. Now, even though the description I gave here is simple, as you can imagine, it can get very, very technical, right? Because we're talking about technical systems, and your typical bug bounty program is gonna specify at least half a dozen, if not two dozen different impacts, or, how do we say this? You know, deliverables, so to speak, that they're looking for. Like you need to be able to hack this system so that it achieves this thing specifically, or this thing, or this thing. And that determines how much money you get. But at a high level, it's how it works. It's a contest.

Martin Hinton (16:42.381) So the wisdom behind paying hackers to report flaws, that's because you're tapping into the perspective and the way they see things as something to break into, is it you're taking advantage of whether it's learned or maybe internal natural instinct on the part of them? Is that the wise part? You know, find a potential adversary and convert them into an asset?

Mitchell Amador, CEO Immunefi (17:06.54) That's a benefit, Martin, but that is off the mark. That is not why we do this. It is nice. Hackers are brilliant and creative and, you know, hare-brained people, make no mistake. And it's great to have them on our side. But the real reason that we do that is numbers.
It's the sheer force of security power that we can bring to bear in hardening our systems. And I'll give you this example, real simple. Imagine we have our own vault that we're... And you've got two, three colleagues who do IT and security. And you need to make sure all the system is secure because you got gold there. You got your corporate IP there, you got all the PII from your business, you got all your customers' records, all the transactions, maybe you have access to your actual banking infrastructure as well, passwords and the like. There's a lot of valuable stuff there. Now we're gonna say on one side, your three guys are gonna work great. They're gonna work hard. I'm sure they're extremely competent, but they're three guys. Now, what if I said I could deploy 30,000 guys to stress test your system? Which one do you think is gonna result in a more secure system?

Martin Hinton (18:12.769) The thirty thousand?

Mitchell Amador, CEO Immunefi (18:15.256) Thirty thousand. Not a thousand times more, because that's not how it works. But definitely five, ten, twenty times as much. You start to approach the kind of hypothetical limit of how secure a system of that architecture can be. And the only way we found to do that in cybersecurity is really by deploying more eyes. More eyes, more people who are using different techniques and who have different points of view and ways of looking at it. And so what a bug bounty really does is it gives you scale. It gives you the kind of scale that you could never build yourself. Like, and let's go back to this North Korean example. So the North Koreans who are doing this, they are not a corporate outfit. They are literally part of the army, the intelligence division of the army. And they're responsible for bringing in revenue, to which they bring at least billions of dollars per year, which of course goes to fund the North Korean military and society and so on and so forth.
Now, in the total of their program, I would say there's probably maybe 300 to 1000 hackers, probably on the lower end of that. Okay. And these guys operate one of the largest and most sophisticated and certainly the most feared hacking armies in the world of finance today. Okay, and there's less than a thousand guys. Immunefi alone has over 90,000 registered hackers. Okay, just us. Not including our competitors or all the other players in the industry, just us. We outnumber the biggest threat actor in the world, right? Many, many times over. Okay? Many, many, many, many, many, many times over. And many of these hackers with us are also corporate entities or companies that have access to some of the most advanced and frontier security technology in the world. The best formal verification solutions, which is like... and fuzzing solutions, and these are basically sci-fi technologies that we've burst into reality in the course of crypto that make us able to create secure code. Crypto makes the safest code in the world at this point. It's just us and people working on nuclear and ballistic missile systems. Okay. This is the small group of people who can create objectively secure code in the world today. And we've created tech to make that commercially viable and feasible at massive scale. Now, combine all that.

Mitchell Amador, CEO Immunefi (20:34.38) These crazy brilliant minds, plus we outnumber them, right? We outnumber them a hundred to one easily. Probably more like a thousand to one if you pull in the broader web two security communities. And you realize, wow, if you can deploy all that talent to secure a system, that is going to be incomparably more valuable. That's going to be the most effective thing you could possibly do to secure your code and to secure your infrastructure. And that's why we use bug bounties, because in a world where, like, where a single failure, where if you get ninety-nine point nine percent, you fail, right? In getting even a fraction of that wrong. In that world, you need this disproportionate army of security experts who are protecting you, and bug bounties and crowdsourced security is the only way to do it. You are always going to be outnumbered, no matter what company you go to, Martin. No matter what project you build, the odds are the North Koreans are gonna have more hackers than you. But with the crowdsourced solution, we can give you an army that's infinitely larger than theirs.

Martin Hinton (21:42.859) I mean, it seems like there's a sort of different pillars of, if you will, breakthrough here. There's the technical, the economic, and then you touched on the sort of the cultural part of this. I mean, is the breadth of this that great?

Mitchell Amador, CEO Immunefi (21:59.565) Yes, I would say so. I would say so. And in more ways than I explained, right? Obviously, numerically, we are much more advantaged than the attackers. There's just more brilliant good people in the world who have more brilliance and expertise than there are attackers. That's the reality. We do have technological breakthroughs. In fact, we, the very people who are the ones who would want to help society and do this work, we are typically the ones who make the technical breakthroughs as well. Because, you know, the great inventors and the geniuses, they don't tend to be like, you know, the criminal masterminds of society for the most part. They tend to be the tinkerers and the creatives and the kind of like artistic engineering types who just like to build things and want to contribute to society. And then we've created really an excellent culture around this work, even better than traditional web, even better than traditional open source.
The crypto security culture is, I think, in my opinion, in my experience, the best security culture in the history of the world. We share everything, okay? We share our data with each other, we share our information, we share our technology and techniques with competitors. It's more like co-opetition, almost anywhere else, and we glorify people who protect society. And this has created an environment where it's very easy to get involved. Plus, we have huge incentives, like, you know, Immunefi pays out. We just paid a three million dollar bounty for a single bug two months ago. And that's not an uncommon occurrence. That's just something that happens. So some guy can retire for life on that if he wants. You know, he's probably sitting in Indonesia somewhere, because he's probably from Indonesia, just relaxing. Okay, cool. Good job, man. Go have some kids.

Martin Hinton (23:34.081) Yeah.

Martin Hinton (23:37.571) You touch on something that, you know, I use the word culture in the question that set that answer up. And one of the things that I've become fascinated in in this space is the CISO at corporations and the way that they are sort of the new kid and they're pressing for money and they're viewed as a cost center. And I've read a couple of reports that survey them about what works. And it's counterintuitive to certainly corporate culture in the conventional sense. Where what they admit confidentially, in at least one report I've read, is that being able to talk to CISOs and other companies in the same space as them, potential competitors, and share information about what they're seeing and how they're responding to it is invaluable. But the problem is that's counterintuitive to classic C-suite mentality about a competitor's executives. And I wonder whether or not, like, do you have any thoughts about that? The way that you've described this.

Mitchell Amador, CEO Immunefi (24:24.428) Yes.
Martin Hinton (24:36.703) What did you say? Cooperation or... I forget how you put that word. Say that one more time.

Mitchell Amador, CEO Immunefi (24:40.568) Coopetition. Coopetition.

Martin Hinton (24:45.037) Coopetition. Okay. So explain coopetition to me and why maybe others could benefit from this, because I want to move into the idea that the way we're talking about this and what you said might suggest that the mentality around security and crypto has solved problems that other industries and other sectors could emulate, copy, absorb parts of, or learn lessons from, however you want to put it. What do you think about that, you know, that idea that there are elements of this, you know, if you will, new thing

Mitchell Amador, CEO Immunefi (24:47.363) That's right.

Martin Hinton (25:15.031) that could really help existing legacy environments.

Mitchell Amador, CEO Immunefi (25:21.226) Excellent and prophetic inference about where the future of security and the rest of the internet must go. And we will see there are pressures that will force it in this direction. But to your point, yes, that's exactly what we do. So security leaders in crypto are well networked. Almost all of us know almost all of us, right? We go to the same events, we meet in the same groups, we share our information very liberally. And while this might be exotic or strange to traditional C-suite, the reason why we do that is because we all understand we face a much greater threat. And that threat is total annihilation, total destruction of equity, total loss of customer well-being. Okay? It's very frightening. And because of that, we have to take extreme measures. And the best measure is to coordinate our resources amongst each other. Any one CISO, any one security leader can only do so much.
But when coordinating with a hundred others, we might see a threat that's happening in the Chinese community or in the Indonesian community and be able to route that immediately to the American teams or the European teams or pass information of a known hacker, you know, straight to Interpol for dealing with, to see if those funds can be frozen and returned to the people. In fact, we've been a part of many such cases where by coordinating we've been able to stop thefts. You know, most recently, North Korea stole $300 million in one of these cases. And in one such event, one of these DAOs managed to freeze 90 million of those dollars. Okay? Because they could coordinate in this intelligent pro-social way where people had the same expectations, first and foremost, that we should be protecting the community. And this is a primary and critical and important thing. Okay. And as a result, this creates the valuation of the prioritization of sharing information. Now, I said this is a very prophetic inference because there's a huge change that's happening in security right now that we already went through in crypto, that the rest of the internet and by extension, the rest of the global economy, is about to experience and find out. And that's the nature of the severity of your threat model. Your average American company

Mitchell Amador, CEO Immunefi (27:42.211) doesn't really defend against nation-state actors for the most part, right? Maybe the largest ones do, but like your typical, you got an Ohio beer company, there it's not on their radar that anything could happen. They may not even have passwords on their Wi-Fi systems, right? It's probably all open access. Like hotels that you see almost everywhere in the world, open access systems, easy to enter and exfiltrate data. So that's most people most of the time by default. Only the largest institutions get to that realization. But in crypto, we've been living in that world all the time.
We are in the dark forest where these North Korean monsters, right, are lurking about for any moment of weakness. So, like, they can steal, quite literally, steal all of our money in a flash. And the reason why I mention that the rest of the world is soon gonna be changing there is because the advance of frontier models has made it easier than ever to create effective cyber attacking teams and resources at mass scale. You know, if I look back three or four years ago, you had a handful of these groups across the world. We even had names for them called APTs or advanced persistent threats because hacking groups were so rare. But now, any reasonably sophisticated hacker, reasonably competent and expert hacker, can create their own, operated mostly by themselves if they can use these advanced LLM agents effectively, which have proven very effective at cyber offense. And so the same problem that we had, right? Where we had a disproportionate number of APTs looking at us, hacking groups, finding these things. Well, now all of the hacking groups and all of the small time hackers in the world can do the same things that it once took a three hundred person army from North Korea to be able to do. Everybody can have a nation state cyber attacking army now. And the world's just beginning to realize that. And they're going to discover, the whole internet is discovering slowly, but it'll escalate soon, that most traditional CISOs were really doing a version of compliance, not security. Or rather, the definition of security changed. They were securing against crime, not war.

Martin Hinton (29:56.652) Yeah.

Mitchell Amador, CEO Immunefi (30:01.976) But in crypto, we secure against war. I give this analogy to my colleagues. I say we don't do cybersecurity, we do cyber defense. Because we're in a war that never ends. And our colleagues are about to join us in this new war, whether they like it or not.
Martin Hinton (30:15.235) I mean, you touch on the, and I think it's important to pause on that point. The reality of this environment, the cybercrime, the cyber threat, whatever it is, there's a dynamic nature to it that is very much like the chaos you get when people describe what combat and warfare are like, where all your plans and all your preparation are only so useful. They are useful. Don't make any mistakes about that. But the

Mitchell Amador, CEO Immunefi (30:35.18) Yes, yes.

Martin Hinton (30:43.415) inability to know what the future holds is a paramount thing to keep in mind. Is that what we're talking about here? And that you need to be nimble and thoughtful and adaptable in order to meet the threats that you can't even imagine because they're beyond your imagination because they're into the future.

Mitchell Amador, CEO Immunefi (31:02.294) Yes and no. Yes in the sense that what you said is true, but no in the sense that that's not the core thing. That is a tangential or kind of like secondary point. The central point is that the economics of cybersecurity were once, are, based around the economics of how much it costs a human hacker to do things. Okay. And what it takes for a human hacker to do things at scale. And that whole status quo is officially out the window. Okay, the economics have changed dramatically. And I'll give you an example. You know, a few years ago there were probably half a million sophisticated security professionals in the world who could do most of the interesting vulnerability or zero-day research that could impact large enterprises or the economy at scale. That's a very small number of people. Most of those people are going to be working for large companies or governments. And so in the end, the pool of effective cyber criminals is quite small. It was very rare. But now, with the advent of LLM techniques, that number has effectively exploded.
Imagine that number going at least 10x. You can imagine instead of going 500,000, there are 5 million. Instead of there being, you know, possibly say 500 to 2,000 hacking groups in the world that could cause material harm, now that number is instantaneously more like 5,000 to 25,000. Okay. This explosion of capabilities, of offensive capabilities. It's like the world woke up and gave everybody the equivalent of these, you know
Mitchell Amador, CEO Immunefi (32:47.802) how sort of these missile systems and these drone systems that have revolutionized warfare in Ukraine and the Middle East in a terrifying way. What if we were to take the equivalent of that in the cyber domain and just give it to everybody? Because that's what we did. Right? That's what these new models have done.
Martin Hinton (33:01.739) Yeah. You touch on a principle that is famous for the US Army Special Forces, specifically the Green Berets, and the phrase they use is force multiplication. And the idea is that you might take a thirteen-man Green Beret A team, the famous A team, and send them to a country, and those thirteen men can train five thousand people to become soldiers in six, ten weeks. And that then creates an army well beyond the fighting capacity of the thirteen, and it is absolutely a function of, and this is the positive and negative of AI, right? You can use it for good or for bad. And the way it's landed in the field of bad is something that people are just getting their heads around. I mean, do you think the vast majority of people comprehend just the scale that's achievable now because it exists there and it's, you know, largely, if you will, virtually free to use?
Mitchell Amador, CEO Immunefi (34:03.918) They have no idea. But what's worse is that the vast majority of CISOs have no idea. Right?
Everything, their budget, their infrastructure is all based on the last war. Their whole system is a Maginot Line, you know, for a conflict that's just not going to be behaving under the same rules and conditions.
Martin Hinton (34:10.37) Yeah, I mean
Martin Hinton (34:23.469) You know, before we started we chatted about history and, you know, prior to World War Two, there was a very famous American general named Billy Mitchell, and he was an advocate for air power while everyone wanted to build battleships. And he said, No, no, no, the next war is gonna involve airplanes that take off of ships, and they're gonna be able to sink ships really easily. You need airplanes, you need airplanes. Lo and behold, he turned out to be very right. And I think that that's
Mitchell Amador, CEO Immunefi (34:46.936) Hm.
Martin Hinton (34:48.823) That's a phenomenon, right? We get invested in what we've bought and the tools we have rather than the tools we might wind up needing. And in addition to that, and the problem is that the CISO who sticks his head up and says, you know, too loudly, that that's an existential threat to their existence and their job security, to become that, that human dynamic is a weird part in all this, in this crypto technical, you know, world of, you know, digital. The human element of, you know, good leadership,
Mitchell Amador, CEO Immunefi (35:04.504) Yes.
Martin Hinton (35:16.611) clarity of narrative, the ability to explain a problem and why the new solution you need to, if you will, build should be brought on board at some expense. Is that part of this that is sort of counterintuitive to what many people might think when they hear about crypto or they think of crypto?
Mitchell Amador, CEO Immunefi (35:33.322) In what sense?
Like the kind of security framing or
Martin Hinton (35:34.657) Well, I think that, you know, we hear a lot with AI that jobs are gonna be replaced, that people are, you know, what are people gonna do and where do people, how do people play a role in this? But adapting to this reality and absorbing it into humanity is gonna require human beings to adapt and be primary in the experience, right? To lead the experience. And I guess I'm curious what you think about that. Whether you think that's accurate or whether you think that
Mitchell Amador, CEO Immunefi (35:54.199) Yes.
Martin Hinton (36:03.757) You know, the whole notion of, you know, the phrase you hear is agentic AI, you know, things that do things. You give them a task and they go off and they do it on their own, and that that's that, just like an employee. Well, employees make mistakes. LLMs are only based on us, so they're gonna repeat all the things that we did at scale. I mean, the joke I've been making is that, you know, we use the phrase hallucinations and I go, You mean mistakes? Like that's what we used to call them when people made them. You know, I mean, but obviously the new new thing has to have a new new language and a new new buzz. I guess I'm curious what you think about that broadly, that idea of, you know, the importance of people in all this, back to bug bounty hand and the human being being the one that finds the problem.
Mitchell Amador, CEO Immunefi (36:42.904) Well, it's complicated. It's not an easy, and you know, now we must all be prophets, Martin. So you put me in a difficult spot where I have to Cassandra this if I'm gonna give something of value. But look, you know, crypto is a little different. In my view, most of the adoption will happen in a way that nobody notices. And the more crypto can do that, the more likely it is to succeed and provide value for society.
And the reason for that is that it's a back-end system. It's a back office system. Like the people don't want to know how the accounting is done for them to get paid. They want to get paid and move on with their lives, of which they're eminently correct. You know, debits and credits is not for everybody. And you know, crypto is complicated back-end shared and distributed databases. Okay. And the systems that do it will mostly be like that, the ones that touch people's lives. A few of them are going to be interesting, impactful, and front-facing. Like you know that I made the first social media application in crypto almost a decade ago now that got to millions of users. There will be things like that that are forward-facing. There will be things like net new assets like Bitcoin that are forward-facing and interesting. But that's a small number of things. If there was never any Bitcoin, for example, any ever kind of publicly investable or accessible crypto markets, this whole technology set could still provide incredible value for civilization just by replacing the traditional database models that we see across finance today. Okay? So it's not true that humans need to be at the forefront. What's true is finding great and compelling use cases. And being able to demonstrate the efficaciousness of superior and the safety, the safety of these distributed systems. That's what's key. And if you can do that at a large enough scale, then adoption will take care of itself as basically superior technology sets do. The caveat with that, of course, is when we look at the history of the advancement of technology, the best technology does not always win. Right? Germany discovered last year that it needed nuclear after all. Go figure.
Mitchell Amador, CEO Immunefi (39:02.562) They don't have much at the moment. It's a problem. So people go down different paths.
I personally think we went down a different path by not investing in hovercrafts and not investing in more kind of air Zeppelin technologies and inflatable balloons. Could have been a really interesting world, but instead we just skipped all that and we went to jet airplanes. And I'm not sure that was the path. I mean, where's our sky yachts? Didn't work out for us. It was a big loss. Okay.
Martin Hinton (39:27.447) Yeah. Exactly.
Mitchell Amador, CEO Immunefi (39:31.136) So, you know, things go that way. And in that sense, you do need people to champion. And crypto is really at the fore of that with its huge kind of consumer marketing angle and its big focus on all these new financial applications that protect people's wealth in an environment that's becoming increasingly dangerous. Like the value proposition of crypto today is becoming more and more obvious to everybody as all these current currencies effectively go bananas. So that's me hedging my bets and saying, like, okay, there's a human element of this, but like crypto can still win, blockchain can still win and become extremely relevant to your life without you ever hearing, without there being any famous figure, any proselytizing from on high. On the other hand, the more interesting superior world, right, and the non-dystopian world, I think, is the world where we do have people who can speak to the benefits, who can make this a human-led movement, who can really inject their theology, or their values, their worldview into the technology, which is where crypto started and what made it most interesting for me personally. Okay. That is going to be the best possible world for this tech. And in that sense, we are still doing that and it is still human driven, even though it's got a bunch of financing.
Martin Hinton (40:37.911) Yeah. Yeah.
Martin Hinton (40:48.803) So bringing it back to cyber insurance and the role that plays, where does, where could, I suppose is the better way to put it, where could all this fit into the cyber insurance landscape?
Mitchell Amador, CEO Immunefi (41:01.038) Sure. Okay, so there's a few different ways to think about that. The most important one is this, Martin. How do you feel about the effectiveness or the reliability of cyber insurance as a market today? The largest new insurance market in the world. Incredibly valuable. But what's the current state of it? What do you think?
Martin Hinton (41:30.413) Well, I mean the pricing, the word soft has been lingering in that market for quite a while now. I think that, you know, its issues now are compounded by the broader pressure on insurance generally, particularly in America. And it's a complex risk and, you know, there's this argument about if you enter AI into the conversation, does that fall into cyber insurance or should it be its own separate reality given the complexity of that new additional problem which we've touched on. So I think, you know, it's probably fair to say it's a toddler and it's still learning to use a knife and a fork and, you know, pull its pants on, is probably where it is in the broader scheme of a lifespan. But what do you think about that?
Mitchell Amador, CEO Immunefi (42:16.846) That's a very wise and gracious answer, I would say. I would, you know, to be fair. Like the central challenge of insurance, of course, is risk management. And the big challenge with software is that this stuff is really risky and finicky. And when we designed software in the beginning, we didn't design it to be riskless or safe. That is not what we intended to do. We designed it to get
Martin Hinton (42:20.501) Ha ha ha.
Mitchell Amador, CEO Immunefi (42:45.654) the answer that we wanted, usually fastest or cheapest.
We made a hell of a lot of trade-offs in that process. The classic example is the internet. The internet was never designed to be a secure system, and it's not a secure system. It has all of these foibles that make it exposable and make it brutalizable, that make it an environment for theft, that make it effectively a live fire zone, okay, for people across the world. We didn't have to be designed this way. There were alternatives, but that is how it was designed. And the global internet works in this way. And that's what makes it a haven for crime and other such problems. Now, we have slowly figured out on the internet how to mitigate these solutions one band-aid at a time until we ended up with this kind of like interesting monstrosity with all these different like casts and bandages and like ointments all applied on wherever the little wounds are. And in crypto, we ended up having to go down a different path because we didn't have time, we didn't have space, we didn't have decades to figure out how this was all gonna work. We had a few years. And as a result, we built security and learning the lessons from the internet, of course, knowing that we're dealing with money, we built security and as much, you know, risk reduction as we possibly could into the ideologies and the values of our systems. There's no blockchain in the world that's not designed to be secure, first and foremost. Okay? There's no blockchain in the world that is not designed to minimize customer and user risk, first and foremost. And many of the systems have quite complex measures in order to do that. As a result, we are rapidly converging on a world where we can effectively price the cyber risk of on-chain systems. We're not quite there yet. But I'll give you an example.
Over the last six years or so, we had the explosion of DeFi, which went from effectively zero into a market that's worth hundreds of billions, a financial market that is larger than the vast majority of countries in the world today. Okay. Now in that market, we were seeing loss rates of between two and four percent of assets per year, which is really high, really, really painful. But it was the frontier and there were incredible gains to be made.
Mitchell Amador, CEO Immunefi (45:10.58) Most of those losses were from logic errors. If I look at the losses from code errors and logic errors this year, we're sitting at 0.6%. Sorry, this was last year. This is last year. This year the numbers so far are even lower. It was 0.6%. Okay. And those numbers are falling fast. There's a world that we can get to within, I believe, by 2030, okay, where effective losses due to logic and code errors are going to be sub-10 basis points of annual resources per year. And in that world, we're approaching parity, if not superior security, risk reduction relative to traditional financial systems in the traditional financial economy for various reasons. And who knows, we can get it even lower from there, five basis points, right? Maybe one basis point, depending on the scale. Why? Because we have objectively secure systems, because we have objectively secure code. Okay? This does not eliminate financial risk, of course. Like you do not solve balance sheet risk with great code. That's not how that works. Right? You don't solve, you know, systems engineering problems and kind of risk tolerance and managing your debts and your liabilities accordingly with super secure code. That doesn't help for that either. You don't solve black swan events or political problems with super secure code. It doesn't work for that. But you do solve the code problem.
And the code problem is the most terrifying of them all because if you can't have secure code, you introduce downstream risk into every other system, no matter how things are gone. Okay. So we're on the cusp of a new kind of insurance in the blockchain markets where we can reliably predict and price smart contract insurance. And when we can do this, this is going to be one of the key unlocks for moving the larger traditional financial markets on chain. We're not there yet, but we're going to be there. Within the next few years, we'll have achieved it because we created objectively secure code. And by the way, that is something we will be able to export to the rest of the internet. So it's not going to stop here. We will share our benefits with everybody.
Martin Hinton (47:29.111) I think of myself, right now my history, Bud, is I'm thinking of the first steam engine and how simple and basic it was and how all these people came to it with improvements that, you know, led to it powering the industrial age, and that we're in a similar moment in the way you're explaining it, that this is a technology that not only can you exist within and be secure and have risk more quantifiable so that it can be underwritten more, it's something that can then propagate across the existing parts of, you know, the world's tech stack, if you will. Is that what we're talking about?
Mitchell Amador, CEO Immunefi (48:08.928) 100%. Hundred percent. Not just as an infrastructure layer, but as a tool stack. So for example, the world is gonna inherit our threat model and it'll make the internet and society a safer place when people learn that cyber defense is how you protect a company, not cybersecurity. No longer mall cop security, but like understand the North Koreans are out to get you. And they'll take our tool stack too. We've created the most advanced technologies for proving the code is safe and secure and making them cheap,
making them economically accessible in a way that they never were before. Okay. And we're going to give those to the whole of the internet and we'll be like, hey, look, do you guys want cheap, you know, objectively secure code? Here are the tools to do that. Ultra low cost. We did all the R&D. We did all the technological breakthroughs. We did all the scientific hard work. You can just have this and have it for free. Okay. And if you want, you can create secure JavaScript. You can create secure Rust for whatever it is that you're using. And this is gonna bring everybody else's danger, everybody else's hacks, everybody else's exploitability, everybody else's cyber risk way, way, way down. We're just gonna give it to them all. It's gonna be great. We're not done, but it's gonna be great.
Martin Hinton (49:25.165) So we've touched on AI. I wonder, when we look at the next phase of things, one of the big things people talk about is quantum computing and its impact on, you know, standard encryption as it exists now. So what about that new new thing, if you will, the things that everyone talks about coming in, depending on who you talk to, a few years or maybe longer? What do you see in that landscape and how's it going to impact the space?
Mitchell Amador, CEO Immunefi (49:50.691) That is a very exciting question. The answer is what you suspect, which is it's gonna impact us in either this, you know, exciting, brave new world sense, or it's gonna be terrifying and destroy everything. And let's look at the latter part first, how it's gonna destroy everything, because that's what people want to hear, right? Good stuff. If we can't find a solution to quantum cryptography that works for blockchains, then the entire premise of blockchain as a safe, trustworthy, shared, distributed database is destroyed.
And then because whoever has effectively the ability to use their quantum computers in order to break this encryption can effectively steal everybody else's money, sometimes in a way without them even knowing. And so that's game over for blockchains if it can't be solved. Now I don't worry about that too much. Because just like it's game over for us, it's also game over for every bank and financial institution in the world. Because if we can't crack quantum cryptography for our needs, they're sure as hell not gonna do it. They're way less competent than we are. They're way less savvy about basically the frontier of computer science and security than we are. It's night and day difference. So, you know, they're gonna be fucked. Sorry, screwed. The militaries around the world are gonna be screwed for the most part. Most militaries are not capable of handling this kind of cryptography problem on their own. So imagine everybody's communications being broken overnight. Most governments are gonna become effectively transparent to whoever this mysterious quantum computer operator is gonna be. It's like really a nightmare scenario because all of what we depend on for electronic communication becomes breachable, really. Now, on the other hand, we expect and we are building as an industry to solve that problem. We are working on new quantum cryptography solutions that we can upgrade existing blockchains with such that our systems prove invulnerable to that type of threat. But there's a caveat. And the caveat is nobody really knows what will be invulnerable or not. It's very difficult to prove
Mitchell Amador, CEO Immunefi (52:11.222) that your, you know, quantum secure algorithm, your quantum secure cryptography is really quantum secure. And so the rest of the world's in this position too, mind you, but we're all just gonna have to YOLO this together in some form.
And we're taking from the best of what the quantum community has and we're giving them the best of what we're discovering. Because just like we see, right, we're defending against a bigger enemy, the bigger enemy of quantum computation breaking existing cryptographic encryption schemes. Like that is a real boogeyman. That's much more damaging to society than any rogue state like North Korea is. No, much worse.
Martin Hinton (52:51.233) I find myself thinking about all the hand-wringing over Y2K, and that sounds like a children's picnic to the scale of this potential problem. Is that fair?
Mitchell Amador, CEO Immunefi (53:01.901) Yes. Hundred percent. Hundred percent.
Martin Hinton (53:06.519) So in that context, what should businesses be doing? You know, if you're hearing this and you're a CEO or on the board of a company, what should be the next question you ask given the fact that whether you like it or not, this is coming and it's gonna impact you and all the things you rely on, quite frankly, as you put it.
Mitchell Amador, CEO Immunefi (53:26.392) Well, this'll tickle you, Martin. You'll understand this right away, you know, as a man of history. You know, for most people, you can afford to do nothing because the stakes are so high that the people with the most resources must do a whole lot to ensure their own survival. And so there's this kind of tragedy of the commons where the vast majority of society is just gonna freeload off of the few institutions that make the investment and it's gonna, okay, sure, why not? You know, thanks guys, you do all the hard work. And like it doesn't really make sense to take the bet against yourself because you don't have the resources to make a material difference for the most part. And so you're kind of forced to make a bet that you're gonna figure it out, like perfectly.
And then since you're already making that bet, why worry about it? It's kind of like nuclear war versus not nuclear war. For the most part, you just bet that it's not gonna happen. You continue on with your life. Having said that, if you're a CISO at a major company or government or institution,
Martin Hinton (54:17.015) Yeah. Yeah.
Mitchell Amador, CEO Immunefi (54:24.502) you do actually have a chance to play a privileged role in this story. You really do. Because there are, I mean, frankly, this industry needs money and it needs publicity and it needs culture, right? People need to develop the solutions. A lot of that is going on in militaries behind closed doors, which is not great for us and industry and in broader civil society, because we don't get to share in those benefits and they will surely keep them from us. So we need more development on the public side of things. Then we need to popularize that. A lot of the really cool stuff is being built, okay, in the quantum computing realm. But so much of it gets locked up in these large organizations. We need to be popularizing what can get shared, both the large organizations and the small ones in the scientists and the academia all around the world. Popularize that so people can learn the lessons as fast as possible. And then we need to create a culture of sharing, okay? And this is where CISOs all around the world can get involved and participate. By just encouraging others to take a look and by sharing these things actively. Because this is a threat that we all share. And that culture may end up being the key towards saving a lot of society from harm from this, because maybe somebody does get a quantum attack capability, but if someone else gets quantum defense, they have effective quantum encryption algorithms, they can be bullied. They have to be convinced to share that, okay?
And if we have a culture and an expectation in society that we're all going to look after each other, we dramatically increase the chances that that party will be incentivized to share that technology with the rest of us and thereby safeguard the global society, the global market, the global civil society. So these are three things, and CISOs are going to have a role to play in this because, believe me, I think the militaries are developing lots of stuff. But I will bet top dollar that the private industry will outproduce and out-research all of the governments in the world on this subject. That's probably where the solution is going to come from. So if we set this culture between us as security specialists, that we all have a stake in defending society and we're going to share this information just because and we're going to encourage it just because even if we're not in a personal position to do about it, we'll at least publicize the good actors and reward them for doing good for society. I think that will be impactful. I think that will make a difference in him.
Martin Hinton (56:45.335) Well said. So we're coming up on about an hour. And we obviously didn't get to everything that we may have had in our planned conversation. Is there anything we didn't touch on that you think we should mention or anything that you'd like to say any more about?
Mitchell Amador, CEO Immunefi (56:58.156) Yeah, I mean, probably the thing that I would say is we are entering a new world in so many ways. Right? Crypto is transforming finance. It's gonna be unrecognizable in ten or fifteen years. It's really completely different. AI is transforming knowledge work in just absurd and crazy ways. The kind of global chessboard of geopolitics is being rearranged before our eyes with strange and sometimes very comical combinations of events going on. We live in this fascinating time of change. Okay. The longevity industry is blowing up.
I don't know about you. I have a friend going out to California to meet a bunch of them right now. They're convinced they're on the verge of at least 50 extra years for most people. I hope they're right. That would be great. Everything is changing and we all have a kind of a part to play in this story. One of these key parts, you guys are working on the insurance side. This is something that we're gonna need. We're gonna have to stabilize this system. We're like a kid going through puberty once again, and that's great while it lasts, but at some point we're gonna have to calm down and figure out how we're gonna live with all of these things instead of allowing our civilization to sink into the dust. So, you know, you guys have a role to play in this story. People like me are trying to innovate on security, give you guys all the tools that we possibly can. We're telling you that we're moving into a world where we can create objectively secure code, objectively secure systems, and that it's really gonna work. You'll be able to do magic with this. And I hope somehow, somehow into the future, all this stuff proves useful to you guys in helping create the future in your own way, because you'll have a role to play too.
Martin Hinton (58:42.187) All right, one last question. Five years from now, what will seem obvious that most people still miss today?
Mitchell Amador, CEO Immunefi (58:51.874) Yeah, there's so many things.
Martin Hinton (58:54.189) Pick one.
Mitchell Amador, CEO Immunefi (58:56.104) The one, it'll be a spicy one. That use of technology by individuals needs to be heavily controlled for health and well-being.
Martin Hinton (59:11.107) Well put, well put. Mitchell, I have nothing else. Do anything else you want to say or any other last thoughts?
Mitchell Amador, CEO Immunefi (59:18.816) No, it was my pleasure. Martin, always a pleasure to chat.
I learned some new things in the course of being interviewed, which is always delightful. It's a great time and if I can prove helpful in the future, you just let me know. I'll come back on and support, okay?
Martin Hinton (59:31.619) That'd be great, Mitchell. Thanks so much. Everyone else, you've been listening to Mitchell Amador, the CEO of Immunefi. We mentioned a few things and there'll be some links in the show notes wherever you might be listening to or watching this, so you can find those resources there. Likewise, if you've got a question or a comment, a thought, please share it. You can leave it in the comments and I'll get you an answer or pass it on to Mitchell if I can't. But Mitchell, again, thanks so much for the time today. Everyone else, thank you so much for watching. This is the Cyber Insurance News and Information Podcast. I'm your host, Martin Hinton. Enjoy the rest of your day.