
In an exclusive interview with cryptonews.com, Mitchell Amador, Founder of Immunefi, talks about the founding story of Immunefi, building new web3 security systems, and tells stories about finding bugs that have protected $60bn+ in user funds.
About Mitchell Amador
Mitchell Amador is the Founder of Immunefi, the leading bug bounty and security services platform for web3 that protects crypto projects and regular users. In a span of less than two years, Immunefi has saved more than $25 billion from being hacked and actively guards over $60 billion in users' funds.
Before Immunefi, Mitchell was best known for making Sophia the Robot a worldwide sensation as the CMO of SingularityNET and as the VP of Marketing at Steemit, where he drove its adoption and growth, resulting in a peak $2 billion valuation. In addition, he was a member of the rLoop Hyperloop team, drove growth for the world's dominant web .pdf company, and helped launch the largest user-owned open world, Decentraland.
Mitchell Amador gave a wide-ranging exclusive interview which you can see below, and we are happy for you to use it for publication provided there is a credit to www.cryptonews.com.
Highlights Of The Interview
- Stories about finding bugs that have protected $60bn in user funds
- The founding story of Immunefi - finding problems in the security stack
- Blockchain and crypto hacks - will they ever slow down?
- Anonymous workflow; wiped devices, custom operating systems, CUBEs, VPNs, limited access to socials, etc.
- Building new systems - it's going to be weird, but it will work
Full Transcript Of The Interview
Matt Zahab
Ladies and gentlemen, welcome back to Cryptonews Podcast. We're buzzing as always, and we got another incredible guest locked and loaded for today: we have Mitchell Amador, the founder of Immunefi, the leading bug bounty and security services platform for web three, to protect crypto projects and regular users. In a span of less than two years, Immunefi has saved more than $25 billion from being hacked. Holy crap. And actively guards over 60 billion in users' funds. The company's paid out the most significant bug bounties in the software industry, amounting to over 60 million including 10 million for a vulnerability discovered in Wormhole, which is pretty bananas. And we'll get to that later. Before Immunefi Mitchell was best known for making Sophia the Robot a worldwide sensation as CMO of SingularityNET. And as the VP of Marketing at Steemit where he drove its adoption and growth. He was also a member of the rLoop Hyperloop team, drove growth for the world's dominant web .pdf platform and helped launch the largest user-owned open world, Decentraland. Without further ado, I'm very pleased to welcome Mitchell Amador to the Cryptonews podcast. Mitchell, welcome to the show, my friend.
Mitchell Amador
Thank you. It's an intimidating list of athletes, don't hold me accountable to it.
Matt Zahab
Hey, when there's a good bio, it must be read properly. Kudos on the impressive background and for the listeners at home who cannot see you. That is one of the coolest company shirts I've seen so far. How can I snag one of those bad boys?
Mitchell Amador
Oh, you have to find a critical vulnerability and save a lot of peopleโs funds. If you do. I will deliver it myself.
Matt Zahab
Is that how you get Immunefi shirt? Interesting. No, no e-commerce store yet?
Mitchell Amador
No, no heavens no. So it's a matter of aesthetic quality. You know, you can't just make merch available, it has to be earned through blood and suffering.
Matt Zahab
Gotcha.
Mitchell Amador
We have made a whole bunch of interesting swag, but only the best white hats in the world can claim it.
Matt Zahab
So I feel like this could be like a Yeezy 2.0 sort of when it came out and Yeezys were going for like 10 grand a pop on eBay. And Craigslist and Facebook marketplace because its supply was so low. Is that what's going to happen to Immunefi shirts, like only white hat. That's it?
Mitchell Amador
Quite possibly. I don't even know if we'll make enough for a market to form, God willing to loan. Really exclusive Hermes style.
Matt Zahab
Yes, Hermes what a brand. Nothing better than a Hermes tie. By the way. Do you have any Hermes ties?
Mitchell Amador
No. I didn't even know they made ties. I didn't know they made male stuff.
Matt Zahab
To me the goat of ties. Incredible.
Mitchell Amador
Okay, well, I'll have to on my partner now, she will judge me.
Matt Zahab
Unless it's, unless there's only knockouts. But anyways, enough about fashion. Let's get into the fun stuff here. Immunefi, you are the founder of Immunefi and you and the team have paid out an absolutely absurd amount of money, over 60 mil in money. Did you ever think that you'd be paying out such a large sum of money to people literally saving billions of dollars?
Mitchell Amador
Yes, I was absolutely certain of it. It was the reason we launched the company.
Matt Zahab
Actually?
Mitchell Amador
Yeah. I mean, when we, when we started. So for some context, right, you know, you can tell from my background, I've been in this space for a long time. And those are very generous roles, you have to deal with whatever problems are coming your way. And like the security stack in crypto today is 100 times better than it was many years ago. And so we would have incidents like this all the time. And this is what built up the understanding for founding Immunefi in the first place. We knew that security was a losing game. Presently, in this space, we knew how much money was at risk, because you know, we had been those exchanges who got hacked, we had been on the inside of incidents, dealing with them, protecting a project's treasury or protecting their infrastructure that manage their keys. Right. We knew how vulnerable things were. And we knew how valuable it was to protect them. Because we had been in those situations where you have to do basically anything. You have to play ball with whoever comes your way. You have to find a way to protect your assets and your infrastructure. Because to not do so is certain death for everything that you've created. So far the total destruction of the equity that you've labored on for years, and years, and years. So it's like you know, you say, Oh, well, did you think you would be paying out like a $10 million bounty? Well, yeah, of course, on a long enough timeframe. Two years was pretty fast. Not gonna lie, but like on a 5-10 year timeframe for sure. Right, because we had like just looking at the stable coin examples, right, or the exchange examples, there have already been many, many incidents, that would have been preferable to have been avoided, where paying 10 mil out of pocket to eliminate that risk factor would have been vastly preferable. And knowing that it was a certainty, everybody would take that deal. So it was only a matter of time. Until we got to these kinds of numbers. The only question was when, right?
Can we bring this new standard to this space? How long will it take for people to realize that you really, really, really have to prioritize security over everything else? And we were fortunate that it happens sooner rather than later.
Matt Zahab
How do you pay these bounties out? Like how do the nice white hat dudes who find the bugs, how do they get paid out?
Mitchell Amador
The important question, so not only preparing to get your Immunefi shirt, but you're also being like, how do I get my ticket? Well, it's all, you know, pretty, pretty intuitive. So we've got two ways of basically dealing with this. Number one is, white hat submits the vulnerability, right, the bug report goes through our very, let's call it in depth process for packaging and structuring that report. That whole transaction is settled, which can be a long process, in and of itself, right, it can stretch over. We've seen things dealt with in 15 minutes, we've dealt with things that take 45 days, right? Very complicated cases, slow cases. Okay. And that can be as simple as okay, we all agree on the impact and the severity, cool, or, Hey, look, we agree it's a real bug, but we disagree on the impact. Okay, now we have to discuss it. So we get through all that. Right, we validated this is a real bug, hopefully, for you. Yeah, it's a million dollar critical vulnerability. And what do we do now? Well, it's very simple. We say, hey, look, here's the address, we've checked it three times, we've noticed, you know, people make mistakes with their address, this, we've cut a bunch of little features in, that will triple check on behalf of the users and we say, Look, I'm sending their fee, that simple. And it's almost always paid out in crypto, there are some exceptions where we'll send money to a bank account. But the vast majority of users prefer paying money in crypto, typically, that's stable coins, USDC. Sometimes USDT, oftentimes DAI, you know, the white hats, especially do prefer DAI. And sometimes that's in tokens. So for example, some of the European native tokens right there in the Aurora tokens, but it will vary. And there's not a clear connection between, say bounty size, and whether it's in tokens or stable. CO payment, for example, was all in students.
Matt Zahab
Can you explain the difference between how a white hat would work with Immunefi and how a white hat would just sort of go their own way? Let's say Company X has a $100 million bug and white hat person Y goes, hey, I'm going to work my magic here. What's the, like, what are the pros and cons with working with you guys versus just doing it themselves?
Mitchell Amador
Sure. So this is part of the reason we formed the company in the first place, the experience of rolling your own bug bounty program, right, and disclosing, vastly more so on the side of the white hats, disclosing was so bad, and so horrendous and so painful, that we knew that there needed to be a solution, or we'd all be risking catastrophic destruction across the ecosystem. So if you're on your own, I'm helping deal, a friend deal with the case right now, a bunch of projects don't have a bug bounty program, they found an amazing vulnerability that puts serious assets at risk. What do you do? Well, you try and get in touch with the relevant personnel at whatever institution that you're dealing with. Now, if you've ever done sales before, for example, and you're trying to reach the right person, you know how hard that can be to navigate and be like, Oh, hey, who's responsible for your security, inside Company X, Y, Zed. So you're gonna be on this wild goose chase, right? Just for the beginning, you found that like a live payload, you've got an exploit, it can be run, whatever the institution is, they're vulnerable. And yet, you know, you're going to spend days, weeks, months, just trying to get access to the right person. Yeah, then you get access to the right person. So you're lucky, most of the time, you may, you may just not ever get access, and you just have to call it a day or you publicly disclose, whatever. But let's say you get lucky, you make a break and what happens next, or they have a bug bounty program of their own. Let's say they run it. And they hosted themselves. What happens next? Well, then you're now talking to who you hope is either, it's either going to be an engineer, typically, or is going to be the head of security, or sometimes it's even going to be the CEO or a COO, if they don't have that kind of function. And in all cases, this person is going to be rattled.
But they've just discovered that you've got a sword of Damocles, right, a sword hanging by a thread over their head and you've had it for days, weeks, months. And you're saying you want something for it? At least, that's how they interpret it. They're very nervous. They're adversarial. They're like this person could really mess me up. Do they want to take advantage of me, that's the only reason they would get in contact, right? That's not the case. Obviously, the white hat, by disclosing in the first place, is showing their good faith. But people in a state of fear don't respond that way. And so they worry and they stress over it, and now you're trying to explain, hey, here's the vulnerability, here's how you should fix it, by you know, please, you know, also pay me for my good work. Ideally, you know, this stuff isn't free. And they're like, is it real? I don't think it's real. I think you're trying to scam me. And then they're like, oh, shoot, it's real. But I still think you're trying to scam me, just even if it is real. And you disclosed in good faith.
Matt Zahab
So the whole process, it's an absolute shitshow. And, and again, I'm trying to put my feet in the, in that, in a corporation's shoes. It's like if I had a $100 million hack inside, bug rather, inside my corporation and John comes out to me and goes, Hey, Matt, you got to pay me 10 mil to save 100. What do you say? Like that's, that's a pretty crazy situation. You know, like, those situations don't grow on trees. And I would also be like, John, you're full of shit. And then I'd probably get 100 mil stolen from me.
Mitchell Amador
That's what Equifax did. And they had like, you know, half of America's social security data taken from them, right? So it's like we all empathize with our customers, like we really do. We've been in that position, we know how hard it is. But at the same time, none of that is the right response. All of that is counterproductive. All of that creates a horrible experience for the white hat, who is otherwise saving your bacon, and showing that they're operating in good faith. It's destroying your future security potential, because word gets out, and then nobody wants to help you. Nobody wants to deal with you. Because after all, you just, you screw whoever approaches you in good faith and takes a risk. And it's a mess. And there's, nevermind, like, imagine calculating a reward. You have no bug bounty program, you have no expectations. Like, how do you calculate that? Well, it's straight up negotiation, where you're indirectly, it's a zero-sum game. Like, no matter how you cut that, odds are, the white hat is going to be very dissatisfied with you, because you'll want to preserve financial resources. And no matter what you do, like you will probably be very dissatisfied with what you pay, because you're always gonna be like, well, couldn't we have gotten it cheaper? There's no sense of what's fair value. It's just a recipe for bad experiences. And this is what all bug bounties were in crypto. For years. Before we came along, just constant bad experiences that made bug bounty programs so ineffective that the vast majority of the space didn't even bother using them. Like they weren't even worth the time.
Matt Zahab
Was there a particular instance, which made you feel the need to co found the company? Like what like, were you a part of a hack yourself? Or a co-founder, whatever the case may be?
Mitchell Amador
I mean, let's just say I've been, I've lost plenty of money in our industry. But that wasn't the thing that kind of spurred me on. That's like cost of doing business. We're in crypto early, you know, things are a mess.
Matt Zahab
Shit's gonna hit the fan. Right?
Mitchell Amador
You can do everything right, it still happens, like tons of wallets, for example, messed up how they create their seed phrases. And that led to vulnerabilities on the line, that's happened like half a dozen times, and let you know, all the funds you put in there are vulnerable some years later. Like, it just comes with the territory. But the moment where I was like, Okay, we need a systemic solution was when I was on, I was in Switzerland on this, on this mountain, I was super sick. I was very sick and moody and unhappy. And I didn't like Switzerland, so expensive. And it was cold, like bad combination of traits. For me, the food isn't to my liking. It's like everything is just making me irritable. But I had all this, this money in Maker now. And it was a lot for me. And it's gonna be a lot for a lot of people. But it was a lot for me. I was like, I don't really feel good about this. I don't really feel safe about this. What do I do about this? I've been in this space for so long. I know lots of security people, but for some reason, like, where are my security assurances here? Why should I believe that the money that I put here is safe? And I started checking. I was like, I shouldn't believe it, Maker, they run some of the best security ops in the space, for sure. But when I went to check, right, why should I be certain about it? You know, you go and ask the person, you're like, look, all code is insecure. All code is going to have bugs. And we do the best possible work that we can. They're an amazing, amazing team. But there's just like that as a risk factor for them too. And you don't get the inside view. You don't get to see the audits. You don't get to see the security reviews. You don't get to see the QA that's going on to validate how good they're doing it from the outside. You're just like, I don't have a lot of good reasons to be confident of any particular smart contract that my money's in.
And it was at that moment when I understood, so that when I just, when I digested that insight fully, I realized that it's like, okay, this needs a systemic solution, we need a whole security stack. And if we don't develop that security stack, we are going to doom this space to an incredible number of thefts. Furthermore, that security stack, it has to, like, it needs to start with the most important piece. And the thing I was totally missing was like, What are your trusted assurances? What are your security assurances? How do you protect yourself when you're on mainnet when all the money's really there? And that's how we came to this conclusion of bug bounties, for like, you know, we identified a whole list of what the problems in the security stack were, where all the things needed to be addressed, what kind of technology needed to exist, and we came to the conclusion of Okay, this one, bug bounties, is the hardest. It's the hardest. It's the least fun. It's the worst experience. And it's the most important to actually saving people from getting robbed. So we're like, oh, well, you know, me and my friends, we all had the same nature, go to the hardest problem, throw ourselves against the wall. So that's what we did.
Matt Zahab
A couple of things there. One, I love that story. Thank you for telling me that. I often find that people have these aha moments in life similar to you did while, you know, being on a mountain in Switzerland, freezing your balls off, like when you're out of your comfort zone, like great things happen, you know, and it's weird like that. It's almost paradoxical, where a lot of incredible ideas are created when you're in the best of moments sipping on a Mai Tai on a beach in Thailand or Bahamas. And on the flip side, while you're freezing your nads off on a cold mountain in Switzerland, it's funny how the world works. Not sure if you have any commentary on that. But the second is you finding an unsexy problem. And it being very profitable. That's another sort of, you know, rule in life that is so apparent that no one likes to go after, like, if you were to ask me, and no offense to you and the team, I'm sure no offense taken, you guys are doing very well, heck, you just raised a lot of money, but we'll get to that soon. But like, I wouldn't want to be paying out bug bounties. That's not a space I'd want to work in. But it's friggin important. It's not sexy, but it pays the bills. And it does more than that. It's just, yeah, not sure where I'm going with those two points. But funny how life works. Sometimes.
Mitchell Amador
It's true. So there's this, you know, funny phenomenon, you got those great ideas on the one side, but the things that really move the needle, right, in a systemic way, in a way that applies to everybody, or large populations, the simple things, right, like somebody found a way to make insurance cheap and easy to calculate, and suddenly everybody can get insurance for like, Well, why would anybody care about that, but then you have, you know, 10, 20, 30% of the population no longer stressing, every day of their life, that their house is gonna go on fire, that the house is gonna get flooded. This frees up this enormous bounty of human energy and potential. Right, life is like that. And for our part, like, the root of that is the anxiety, the fear that founders have, that we had, when we were building. We're, we're building all this incredible infrastructure, we're trying to create the rails, right? We're trying to create the piping for a new world. And we're vesting work, we're all in, we're putting skin in the game, we're, you know, all in on our portfolio, like that project is our dream that we're trying to build. And our whole life path is contingent on its outcome. And you're stuck with this overwhelming fear and anxiety that a single vulnerability, because some engineer had a bad day or drank too much or smiled, whatever, a vulnerability slipped in, and you got wrecked. Because of that. It's like this incredible reverse. It's like a, it's like a hell lottery. A lottery from hell, you know, that you might have drawn that lucky ticket because someone made a mistake. And the result is the destruction of years of your labor. And we're like, okay, that's not good. That's like, that's toxic. Now, we're motivated to go and fix that. And that does mean, we have to deal with like, really tough workflows and really tough problems.
But I think that freeing people up so that they don't have to worry about these things, either as a founder or as a user of these technologies, is ultimately extremely worthwhile.
Matt Zahab
I love that. Can you, Mitchell, can you walk me through a couple of good stories about finding bugs that have helped protect some of those 60 billion in user funds? We love stories on the Cryptonews pod. You don't have to, not, you don't have to drop names. But if you have any really good stories, I'd love to hear.
Mitchell Amador
There's been a lot of such cases. Obviously, a lot of this stuff is discreet. I'm trying to be careful with what I say. But there was this fun case, like I'll go back to the, this was very early days for us. It was the third or fourth critical vulnerability that we dealt with, the project called ArmorFi and the founder's a guy named Robert Forester, he's a great character, and is a strong security guy, was a bug hunter himself. So he understood right away the value of what we were doing, and decided to post this big million dollar bounty on day one. And he's all geared up, he's pumped, he's gone through multiple audits, he's like, I've done everything that could possibly be done. Now I'm gonna launch. Within 24 hours, someone across the world had found a gamebreaking vulnerability that would have allowed someone to steal all the user funds that were in that product. His was an insurance coverage product. And so one exploitation, which would happen to be the claim function, someone could click, trigger the claim function, and they would just take it all. It's like the biggest insurance pay day in the history of crypto, right.
Matt Zahab
One click
Mitchell Amador
One click, and what was the cause of it? What was the cause of it? An extra asterisk, just one too many, messed up the math, multiplied the exponent by the exponent. So resulted in all possible funds, just this minor thing that should have been caught in QA, should have been caught by automated tooling, should have been caught in both audits, yet. Everybody missed it. Everybody did. And as a result, like the only person who could come and save the day, this function would have been triggered, by the way, by the first person who claimed from that insurance product. So it's like, it wasn't like, oh, well, maybe the hack wouldn't have happened? No, it was 100% certain that it would have been triggered. The first person to claim their money back would have taken all, everyone's money. And he would be like, well, we'll go, if I go to court. But the guy who ended up saving the day ended up being this young German gentleman who just looked at it, he was like, Well, you know, I think this is an incredible project, I think this is an incredible bounty, and I think I can solve this issue. Let me disclose it. Within, you know, one, two hours after the disclosure, we were tying things down, pausing the contracts, cleaning everything up, being like it's all on hold, it's all on hold. And it's a funny event. We fixed it, the user funds were all saved. They had a token with that project in it, and it pumped on the news that the bug bounty worked and that the security was so effective. Pumped like three, very absurd, but I was happy that it worked out well for him. So that was okay.
Matt Zahab
What did the German lad get? What did he get for his bounty.
Mitchell Amador
We've got about a million dollars worth of tokens, Commander, being what ended up being a little bit more by the time it was delivered.
Matt Zahab
Wow, maybe I should learn how to code and be a white hat or
Mitchell Amador
It's an increasingly compelling career path. What can I say? But you got to be, you know, really, really into it. It's not easy. If you think about bounties. Right? And you think about security, bug bounties are basically, well, what if you did code review? If you did vulnerability analysis, but you put it on max difficulty, what's the gaming term for suicidal difficulty? Well, said, whatever that is, it's just all on, all of them, all the time.
Matt Zahab
That's a great analogy, that, well, that's the Nouvella quote, right, play stupid games, win stupid prizes, play big games, play big, no, win big prizes. There's a pretty friggin big game you're playing.
Mitchell Amador
Sure, well I've won a lot of super prizes in my life so
Matt Zahab
You're preaching to the choir, retweet, king of the stupid prizes over here. Mitchell, we got to take a quick break and give a huge shout out to our sponsor of the show and that is PrimeXBT. I love PrimeXBT, you guys know why? Because they offer a robust trading system for both beginners and professional traders, doesn't matter if you're a rookie or a vet. You can easily design and customize your layouts and widgets to best fit your trading style. PrimeXBT is also running an exclusive promo for listeners of the Cryptonews podcast, use the promo code CRYPTONEWS50, that is CRYPTONEWS50, all one word, to receive 50% of your deposit credited to your trading account. Again, that is CRYPTONEWS50, CRYPTONEWS50, all one word, to receive 50% of your deposit credited to your trading account. Now back to the show with Mitchell. Mitchell, you guys became the biggest and leading security platform for all of crypto in less than two years. That is definitely something to write home about. That is incredibly impressive. You got to give me a couple tips here. Couple tidbits. A couple of golden nuggets, obviously right time right place. No shit. However, give me some non-obvious things that you and the team did to scale to this incredible feat.
Mitchell Amador
I can tell you some secrets but they're gonna scare you. Sure. Do you want to, if you want to.
Matt Zahab
I'm all ears, hit me.
Mitchell Amador
Okay, well, you know, number one, you got to be lucky. Right time, right place, always the most important thing. But for us something that proved super effective. And it's been the general philosophy for how a number of my circle, I guess, run our operation has been, go and do the hard things. Wherever the hardest problems are is the major opportunity where there's a chance to create real value. And we took that to the limits. With Immunefi, we went, we basically launched and we went directly to hard mode. So for example, we started taking customers like right from day one, when all we had was a Google form, right, and a mediocre listings page, just a table, just a giant A, and we're like, No, we're in business. Let's go. We did full on, trying 24/7 processing of reports from day one. They were just coming to hit our inbox, we would analyze them and send the results back to the customers, which is an incredibly difficult thing, if you know what it's like to run 24/7 security teams.
Matt Zahab
I don't and that would be nightmare fuel.
Mitchell Amador
Almost nobody in this space does it. We're one of the only ones. So you know, we did that. And this is from day one. Another day one thing, well this was more like day 30. But when we discovered this problem, like there were these disputes between the projects, what do we do? It's like, well, you basically need like an arbitration system between them. Right? How do we get that in? And the answer was like, there is no law in this. There's no framework for dealing with, there's no nothing. And it was like, Well, I guess we'll just have to make it ourselves, which is what we did. And we became the mediators, now we have a whole set of doctrines on how to interpret these types of events and how to handle them, and a whole series of case studies and histories for how to work them out. It was, you know, this is this common theme of like, okay, what's the most difficult problem, things that nobody have ever solved before, that are extremely ambiguous, it's like go towards them. They exist as points of user friction, if you solve them, you create incredible value. For everybody, not winning wasn't just for the customers, right? Obviously, it was for us as a business. But it was for the customers by driving actual bug reports. Bug bounties didn't work in crypto, but for us, we made them work. And it was for the users. Sure, we took that suffering on ourselves, you know, indefinitely, nights, staying up until 5, 6, 7 am in the morning to get the job done. Right, handling super stressful cases, and disputes, mediations, and making it work. But the result of that was billions of dollars in funds saved, the result of that was the creation of a whole industry dedicated to proactively saving projects and user funds. So like we went towards the hard thing, and the result was a whole industry. And I think that applies in a lot of cases.
Matt Zahab
Well said. I love seeing how passionate and fired up you are about this. Like it's, I can tell you absolutely love this shit. There's no need for a firestarter under your ass any morning.
Mitchell Amador
Yeah, well, I look at it this way. So in addition to just being pretty passionate about making blockchain work, which we're doing, right, like, if we succeed in our mission to make the space more secure, we are directly enabling the blockchain world, and if we fail in our mission, a blockchain world is not possible. The fear of hacks, risk and the like, insecurity in our space will invalidate its potential to be the rails, the future financial rails of the world. So that's motivating. But you and I, Matt, you and I have money in this space, in this domain. And if we don't protect it, well, I don't know where are you? But I'm going to be a pretty sad panda. About it all. I do not want to get robbed. So motivated. I'm motivated in protecting you and motivated in protecting me, I'm motivated in creating something for the future. It's, it's worthwhile and security is the principle.
Matt Zahab
Mitchell, will crypto hacks ever slow down? Now, I know this is a difficult question. Because even web2 hacks are still apparently happening all the time, you talked about the Immunefi, not Immunefi, Equifax hack, which again, half a billion users or however crazy it was. This shit grows on trees, every single day web two companies get hacked, most of the time, it's data. And sometimes it's hundreds of millions of dollars. But in crypto, it's more money than anything else. Are we ever going to see the slowdown? Or will the hack parade always just be a crazy thing? Because of the nature of the decentralized systems in space?
Mitchell Amador
That's a difficult question that you asked me, difficult questions. But the answer is, it's nuanced. No, the hacks are never going to slow down. Number one, but at the same time, the hacks will get less and less damaging, right? On a percentage basis. Right. So what you're gonna see is the pace is going to continue to increase, an increasing, increasing increase, just like we see with the history of scams in our space. And we see with hacking and scams in the traditional financial markets, like you don't hear about it. There's 100 times as many hacks, 600, 1000, 10,000 times as many hacks going on in traditional tech and finance that you just, you just never learn about. It becomes a constant thing and that's the direction where crypto is gonna go. It's just going to be constant and never ending. Like now we're at the point where hacks are multiple times a day, that's not going to stop. And that just comes with the increase of growth in the space. And the increase in the number of people who have the skills to exploit, and you catch that guy on a bad day. And he's, he's going to do it, right. He's poor, he's lost his job. You know, he got beat up by the system, whatever, you know, he's justified he feels in making the exploits. That's what it's gonna do. But security in the space is also improving, right, we're in this never ending arms race with human greed and malevolence. And so we're also getting better at protecting the space. Every day, more and more white hats are signing up to us, Immunefi, the best hackers in the world are signing up to join us in protecting projects. Every day projects are getting more sophisticated in their security practices, building better layers of defense, setting up better bug bounty programs that result in more eyes on code, and more vulnerabilities prevented from exploitation.
And so what you're gonna find is, the hacks are going to continue to explode, okay, and the magnitude of hacks is also going to increase just because that's a statistical phenomenon. On a percentage basis, the effectiveness of hacks is going to decrease gradually, as security catches up more and more. And it's this kind of, you know, we're mitigating the damage, we're mitigating the risks, it doesn't completely eliminate the events, they're still going to happen, they're going to get bigger, they're going to get worse, but less of them are happening on average relative to the amount of money at risk. And you see this with a lot of the hacks now, right? The bigger hacks are a lot rarer. It's typically much smaller hacks that are happening, the basis, that was not how it was in the early days, where most of the incidents were very, very large amounts of money. So the trajectory is good. Right? The trajectory of security in our space is really improving dramatically. Day by day. We're certainly doing our part to do that. But yes, the hacks are not going to slow down. And yes, they are going to increase some freedom. Interesting. So we also have to be ready for that reality.
Matt Zahab
Are we going to see what was the biggest hack so far? What was it wormhole? 350 mil?
Mitchell Amador
No, no, no, the Wormhole case was not, it's not even remotely close to the largest.
Matt Zahab
Whatโs been the largest?
Mitchell Amador
Well, look, like you could look at the Binance case, which was, you know, just this week, last week, that was five, more than 500 mil in BNB stolen from the bridges. Now the attacker only got away with about 60-70. But that's still, you know, basically free mint dilution of the entire base. By about 500 mil. You're, the Ronin hack, which was almost $600 million. Yes, yes. Right. That was a huge case.
Matt Zahab
Are we gonna see a 10 figure hack?
Mitchell Amador
Of course we are. I mean, it's already happened, like the Bitfinex hack years ago is equivalently 10 figures, or might be 11 figures today.
Matt Zahab
I mean, I mean, a present day, I mean, on the day, for sure. It's gonna happen. It's gonna happen.
Mitchell Amador
No doubt. I'm 100% certain. I mean, we, for context, right? We can look at the Optimism case, we can look at the Polygon case, we can look at some other cases, we know that aren't public, right? We have already been there preventing the 10 figure hack multiple times over, how do you think we got to the 25 billion number, which is conservative, the real number is more around $35 to $40 billion, by the way, at this point. So like, that's, you know, that's the, are we going to get to a 10 figure hack? 40 times over. Alright, think about that. It's not just a single isolated case. There have been, I think, I don't know if we're up to a dozen yet. But you know, we're not far off.
Matt Zahab
And you probably you and the team have seen some crazy shit that the public probably has no clue up. And never will.
Mitchell Amador
Of course, of course, you know, most of these things. So you hear about these exciting cases, like the armor I just mentioned, or, like the Polygon cases, you hear about them, because the Polygon team is so good faith, right. And so prone to public disclosure, and supporting the community that they're going to share. Right? What's going on, they have such great security practice, basically, that they're going to do that and props to me.
Matt Zahab
They're not going to give, not gonna give the true reason why.
Mitchell Amador
Well, they're doing what they're gonna do. And I think what they, that approach of making things transparent is the right one, but a lot of projects don't, right, or a lot of situations they consider very sensitive, and those ones never make it public. And you can see the amounts of money moving around, like there's like, it's a good incentive to be like, well, okay, well, I can talk or I can keep this private and there are dollars. That's not bad. Yeah. Right. So we have tons and tons of cases, affecting billions and billions of dollars that don't see the light of day because everybody agrees for whatever reason is relevant to them that it's best to keep it quiet and we support that, you know, if both parties want to keep it private, that's their business. It's not ours. We are happy to do our duty in protecting the community and we draw ball.
Matt Zahab
So, when that situation happens, is it like, you know, everyone does a virtual handshake, docs get signed, and then NDAs get fired across everyone's desk, everyone signs them up, boom, back to sort of that arbitrary third party, you know, mediator, and that's it, case closed.
Mitchell Amador
Typically we don't need NDAs or docs. I mean, I want you to understand a great number of these white hats disclosing are anonymous. They're not going to reveal their identity.
Matt Zahab
Like fully, fully non, you know, zero about them.
Mitchell Amador
Yeah, they want to do their good faith action. But they don't want to get iced. They don't want to be punished.
Matt Zahab
Gotcha.
Mitchell Amador
Because they did something that they thought was right, which happens, right, that's happened a lot in the history of hacking. And that's happened a lot in the history of bug bounties where you get punished for doing a good deed. And so there's this privacy element. And so some projects will, they might send over an NDA, and it's like, okay, well, if that was in the terms of their bug bounty program? Sure, let's do that. That's the right thing to do. That's what you agreed to do.
Matt Zahab
But if it's not, then it doesn't happen. How did, how did these white hatters stay fully anon, like give me their means of communication? Are they Signal plus Proton Mail? Are they like carrier pigeon? Like what's, what do they do?
Mitchell Amador
It's really hard to stay fully unknown, right? Because you need such great OpSec that you never slip up even once. Okay, which is nigh impossible. That's extremely difficult to do. That's like writing software with no bugs. Yeah, super, super hard to do. But there are ways that you can do that. So typically, they're going to have devices that are dedicated to certain functionalities, and only use them for that. So they might have something they only use for crypto transactions, that they only use for bug hunting, or they only use for communications, they might be on custom operating systems like Tails, or Heads. Or they might be using Qubes to limit access. Things like VPNs are obviously a given. But they'll use other types of masking software to make it even more difficult to pull out information. So for example, your browser is telling, you know, Apple, or, you know, we're using Google Chrome, it's sending Google information back on what kind of hardware you're running, right? What's the fingerprint of your machine and a whole bunch of characteristics. And there's lots of ways to block that. And to obfuscate that, they're going to typically use those, they may also limit access to any socials or infrastructure that they use with this machine, right? Because the moment you log into Proton, sure, Proton says they aren't tracking anything. But like, they can check where your IP came from, they can check, you know, try and collect more information in your browser, more information on your hardware if they're savvy enough. And so you also want to control how you access all that infrastructure. A variety of measures like this, in aggregate, combined with a very, very disciplined use of a very small number of tools is how you stay anonymous. And like, consider if you really want to stand on anybody, like you can't use Google Docs, right.
And you can't use a ton of applications, your phone, if you use an iPhone, it's always in lockdown mode, which is, you know, iPhones are not private at all. So you probably won't even be an iPhone user. But you're doing all this stuff, right, to limit access, making your potential attack surface very small by using a small number of applications, dedicated devices, and being extremely disciplined about how you interact with anything on there.
Matt Zahab
So, at least just from white hat and anon user to you and company gets hacked. What's the means of call? Is it emails, Telegram? Is it Signal? What do you guys use?
Mitchell Amador
The means of comms? Well, we use our application. So the reality is that bug reports are really complicated things to deal with. Right? It may take us days or weeks to resolve the incident. There's a ton of nuance, you need a lot of eyes on it. So it's not going to be like, oh, it comes to us and then we deal with it for them. No, no, it goes to Mike, go through our layer of triaging where reviewing the report, they'll go through an automated system, and it'll go to the project. But the project could be 10 people, right? It could be a single engineer, or it could be a whole engineering and security team. And they need to go back and forth and talk and they may need to talk to us privately. So the whole, we have an application where all this communication takes place. Touch and it happens after the submission of the report that creates basically the report. And then from there, we have a giant thread. We're handling all sorts of different types of communication between the white hat, between the project and then under various conditions with Immunefi itself.
Matt Zahab
So it all happens. That makes total sense. It all happens within Immunefi walls.
Mitchell Amador
Right. And we of course, like this is the most sensitive data we understand that we are the castle to bring in crypto. And so we are constantly perusing our infrastructure right. Manning our walls end to end, locking this down to make it as protected in a safe environment as possible.
Matt Zahab
No double parenthesis in any Immunefi code.
Mitchell Amador
Letโs just say that we write very clean and efficient.
Matt Zahab
Clean, sexy, and efficient code. I love it. Mitchell, this has been an absolute treat, man, I've had so much fun chatting with you. And hopefully we can do this in person one day, we are getting a little tight for time here. The raise, congrats on the raise from Framework, one of the best VCs in the space. Walk me through that whole process. You know, why you guys decided to work with them? The money, the whole nine yards? What are you gonna do with it? Tell me about the Framework Ventures raise.
Mitchell Amador
So that was a tough one, right? We came to the end of last year. And our thesis was just, you know, really beginning to take off. Okay? And we're like, okay, well, what do we do? You know, next? Well, we need to raise, we need, we've built something that's really amazing and really compelling. And it produces so much value for the community. But we need more help. We need more people, we need more resources, we need more engineers, like we need so much more to really deliver on our mission. So let's go out and raise, the first thing that we did was shop that around to all our partners, be like, well, what do you think? And it's at that point Framework, you know, volunteered itself, which was a surprise, they were our seed investors. And they were very supportive, extremely helpful, very hands on product partners, a rare thing in our space. And we liked that, but we didn't expect them to want to back us to the next step. They said, no, no, let's, you know, let us do it. Let us do it. So we started talking back and forth about how it would work. And I mean, I think I was really happy with basically everything and how they conducted themselves, super high integrity, they basically gave us the pitch for where they were going. And I was like, okay, yeah, these are the right partners for us. These are the people who can help take Immunefi, to make us the, you know, the disclosure layer, the 911 layer for vulnerabilities in all of crypto. And they've been that way ever since. So I can count on them to hop on a call with me and grill me about product and get some really valuable insights any day of the week. Which is, that's, you know, the first thing, I don't know, you want to talk about, you know, how we're going to use the money or what you want to do?
Matt Zahab
Yeah, well, you can get into it and have some fun here.
Mitchell Amador
Okay, so we raised $24 million. And that wasn't just from Framework. Framework was the lead, and we're eternally thankful to them for that, but it was also some of our other partners. So basically, everybody who's invested in us in the past doubled, tripled, or quadrupled down in our last round. So that would be guys like the Blueprint Forest crew, that would be Electric Capital and another group of amazing people, who would be the Bitscale guys, like a whole bunch of them. And, you know, we wanted to raise this money to really deliver on this vision of building the 911 layer, and the 911 layer of the space requires, you know, instinct communications, it requires extremely effective levels of filtration so that you can identify what the high priority cases are, right from the get go. It requires an extremely high value funnel, right, an extremely high value flow of attention going in that can turn into high value bug reports, which you know, that leads to kind of our marketing and our community functions and all the work that we're constantly doing there, to nurture the security community and grow it more and more and more, we just don't have enough people, we really don't have enough people in the space, right, to protect the space. So and finally, and probably the most important thing is we're going toward this world where we need more and more trust. The problem with bug bounties is trust. And so we're creating all this frankly unique technology, these unique assets, things that really have never been seen before in order to facilitate what we feel will become a multi billion dollar market for vulnerabilities in the not so distant future.
Matt Zahab
Well said. Hey, congrats on the raise, not a doubt in my mind you guys are gonna put those down arrows to good, to very good use. Mitchell, absolute treat, last question for you, hot takes, we love hot takes in the Cryptonews pod, let's get a check and boots on, step inside the hot take factory. What is something that only perhaps Mitchell believes in that most other people don't? Doesn't have to be crypto related, can be food, sports, politics, geography, space, celebs, fashion, you name it, can be something good? A metric of hot take.
Mitchell Amador
There's so many. How about over the next 100 years there's going to be a whole bunch of new religions that appear and they're going to be good and they're going to spread like wildfire, you know, some single digit number probably, new Christianity, news our app isn't.
Matt Zahab
Good. If we were starting the religion of, you know, Mitchell security and, and lovely corporate T shirts. What would that look like? Like tell me if you're, if you were the head priest or head preacher of said religion, what would that look like?
Mitchell Amador
If I was the head priest. Well, for starters, we'd have better shirts, right? If you're gonna go for taste, you gotta go all the way. Whatever you do in this life, you gotta go 110%.
Matt Zahab
You can't be half-pregnant.
Mitchell Amador
Right. You can't be half-pregnant. So I think, you know, the aesthetic value is going to be a big thing. It's going to be a big thing for, it will be a big thing for me. But it's going to be a big thing for this future, as all these people around the world figure out that, you know, the old systems don't work anymore, just like they don't work for money. As we're seeing in crypto. Well, you know what, they don't work for a lot of things anymore. And so they're going to build new ones. And it's going to be weird.
Matt Zahab
It's going to work though.
Mitchell Amador
It will, it will work. And that's the thing. There's going to be new religions and they're going to work and people will prefer them over the old way of doing things. And for a modern, you know, like you and I, it's like, our world will be cast into the past. Just like in the way that, you know, we think of the ancients, were like pagans worshiping Hera and Zeus. That's weird. What does that even look like? Right, Norse. Behrman going in some ugly, rotting log temple praying to a poorly carved statue. What does that even mean? It's totally different, but they're gonna look at us the same way and our strange gods of modernity and economic wealth. So it'll be interesting. I hope to live long enough to see a lot of it come to fruition.
Matt Zahab
I love that. Mitchell. Thank you so much for coming on man had an absolute blast. Before we let you go. Can you please let our listeners know where they can find you and Immunefi online and on socials?
Mitchell Amador
Sure, so everybody, you can find me on Twitter @MitchellAmador. That's M I T C H E L L A M A D O R. So you can follow me there. I usually talk about security or spit fire about how the world's going wrong, which is a natural pastime of all security people, I feel. So there's that, and you can learn more about Immunefi and what we do at Immunefi.com. That's immunefi.com. Check out our blog on Medium. It's got a lot of these crazy stories, and an especially good one if you want a fun read is inside the war room that saved primitive finances, hail of 48 hours of straight suffering to save millions of dollars of users' funds, should be fun.
Matt Zahab
I love that, Mitchell. Thank you so much, man. What a treat. Can't wait for round two. Hopefully, it will be in Portugal in person with two Shure mics and not Yeti mics. No free ads but sure, you're the go. Thanks, man. Appreciate it.
Mitchell Amador
Thank you.
Matt Zahab
Folks. What a great episode with Mitchell Amador from Immunefi. What an episode, tons of incredible stories fresh off a $24 million raise. We'd love to see it. If you enjoyed this one, I hope you did, please do subscribe, it would mean the world to my team and I. To the team, love you guys, and to the listeners, thank you so much. As always, love you more than you know, keep on growing those bags and keep on staying healthy, wealthy and happy, bye for now. We will talk soon.