Can Web3 Security End Crypto Hacks - Mitchell Amador | ATC #560

In this special episode of 'Around The Coin,' host Stephen Sargeant sits down with Mitchell Amador, the CEO of Immunefi, the leader in web3 security protecting over $190 billion in assets. Mitchell is one of the Top 100 most influential personalities in crypto and blockchain. He created bug bounties in crypto as known today, paid all of the largest bug bounties in the software industry, created the first court for software vulnerabilities, and saved over 25 billion in user funds from being stolen. Before Immunefi, he kickstarted the AI-crypto meta by launching SingularityNET, led growth for Steemit, the first 1M+ user blockchain consumer application, and helped launch the first ICOs in crypto. He lobbied for crypto and blockchain in Europe, being instrumental in the Portuguese taxation regime implemented by the government in 2023.

Host: Stephen Sargeant

Guests: Mitchell Amador

We are also available via:

Buzzsprout, YouTube, Quora, Medium, X, Facebook, LinkedIn, Soundcloud, Apple Podcast, Spotify, Player FM

Check out http://deepca.st/around-the-coin on DeepCast to delve into episode transcripts, key insights, discussed topics, and more!

Episode Transcript

Stephen: If I told you we just recorded the best episode on Around The Coin history, would you believe me? I think this might be one of the top episodes you listen to. We had Mitchell Amador, CEO of Immunefi. They're building leading Web3 security, but not the boring stuff. They started out with bug bounties. Now they have a platform where they're saying they want to take hacks in the crypto industry down to 0.0001%.

So there's no more hacks and we can build in peace, you know, free of hackers and exploits and vulnerabilities. This conversation talks early about his work at SingularityNET, where they were building AI times blockchain convergence, and like, you know, before LLMs, and we also talk about Steemit, where he is building a blockchain-based, and growing a blockchain-based, social media.

Mitchell's just a wealth of knowledge. He's been in the space. He has a mission where he's here to attack the attackers and work with those protocols and security researchers to make Web3 safe. Now, this sounds like, oh, this is gonna be one of Stephen's crypto compliance episodes. You're wrong. This is gonna be one of the best episodes you'll listen to as an entrepreneur.

I ask 'em about building, about marketing, about transitioning, what it's like launching a new platform. How do they approach it? Everything, entrepreneur. And he even gives advice on what to do if you're looking to build in this space. And some areas that people should be building in this space that they haven't even thought about.

This is one of the best episodes to listen to when they're Around The Coin. Trust me, you'll love it. I guarantee it. I can't wait for you guys to listen and I'll see you after the episode.

Stephen: We are in for a special episode. We have landed the top 100 most influential person in crypto personality, definitely Mitchell Amador, CEO of Immunefi. Mitchell, welcome to Around The Coin. This is gonna be a blast. I just want, before we even start off, you're the first guest that I've had on the episode that wanted to know what type of audience we had here and how they should be answering the questions to make sure the audience gets the most value from the conversation.

And I think that's an important way to start, to let the audience know that you're here for them and to help them take away something that they can actually action maybe, or think about. But Mitchell, give us your, you know, two minute pitch of who you are and how you got here. And then we'll dive around into your background.

Mitchell: Sure thing. So, again, my name is Mitchell Amador. I'm the founder and CEO of Immunefi, which means I was the unlucky guy to start it. It's been a long road, almost five years since then. What we do at Immunefi, for everybody's context, is we run the biggest security platform in the industry that started with bug bounties, which are literally negotiating mission-critical deals between hackers and protocols that are at risk of being hacked right then and there, and saving them from that type of harm and keeping them safe for everybody. So that's what I've been doing. We've expanded since then to cover the whole security gamut. Day to day, my job is just to do exactly what you might think, which is to run Immunefi and help safeguard as many projects in the industry as I can. Players like MakerDAO, Polygon, Optimism: we've worked with them all and hopefully had a very positive effect on the industry. We'll discover a little bit more about that over the course of this call.

Stephen: I love this. So you were actually, before you started Immunefi, you were working for SingularityNET, which is like an incubator accelerator teams for like AI slash blockchain ventures. From like DePIN to robotics, to RWAs, longevity, all the things that are popular in 2025. Can you share some interesting stories from your time working there and any thoughts about like, Hey, maybe I should have stuck that out.

'cause all of those things are hitting like mainstream this year.

Mitchell: Well, firstly on the last one, you know, there's always that, you know, what if things were different? If I had gone a different path? But for me, I've always had this pull and this draw to doing something that I think deserves to exist. Especially if nobody's ever done it before, or especially if there's nothing that exists like it.

You know, it just builds up a fire in my soul and I wanna go and do it. After it's already out there, you know, I'm less excited about it. So, you know, when I joined SingularityNET and I was part of this original founding team for the project, this was in late 2017. Okay. There was no AI meta in the industry at all.

This was the very first project we created, the AI meta at that time, but it was also very, very early.

And so the project was quite different than it is today. All the things you described, they do, and they do well. But at the very beginning, you know, the, the dream was basically to create what we would now know today as an AI agent marketplace.

So rather than it being, you know, more of an incubator, at the time, it was more like the first virtuals. Now that was a very interesting adventure because LLMs, large language models, had not taken off. And so it was a completely different world in terms of trying to create an AI marketplace. We were working with things like, you know, trying to pass well-trained deep learning algorithms or make genetic algorithms available at scale.

And nobody had access to all the incredible LLM texts for creating content or analyzing photos for creating texts. Like none of that existed and none of it was good. It was just a very, very different world. Only basically major enterprises were interested in integrating deep learning technologies into their stack, in what were effectively these massive custom projects where they would access a model and the team in order to train 'em on these humongous, like, gargantuan data sets.

And we were trying to plug in as many of these different AI applications as we could to companies all around the world. Okay, so this is, you know, the early original SingularityNET, pre-LLMs. Now LLMs have changed the game entirely. Okay? Completely. And SingularityNET was not the main driver right now, unfortunately. But that was a different journey at a different time. I don't know what is most helpful there in terms of understanding, only to say like, you know, at the time we were all extremely excited about building AGI, and that was kind of the, the broader inspiration for that project originally: to create as many of these different AI applications and then allow people to sync and connect them together in new ways, with the potential that could create this kind of emergent phenomenon of intelligence. That did not come to pass, but it looks like the LLM version might.

Stephen: That's super interesting. And you were also involved in building up Steemit, which I remember was like this, you know, one of the first, if not, maybe I had the own time only blockchain based social media. I know now DeSo is a big topic with decentralized social media. What are some of the things you believe you did well in growing that and then like, where's the area still doesn't feel like anyone's running to a, I still don't hear people like, Hey, you have to go to this decentralized social media.

It's so good. You know, this person's so popular there. You have to see their content. I haven't quite seen that blown up. Is it like their time is gonna come or is there still a bottleneck for people that just like to, you know, be on certain apps like TikTok, etcetera?

Mitchell: That is a, a, a funny story. So for context, I was the original VP marketing for, for Steemit. Ned found me while I was working on some other projects, worked on a bunch of stuff like NXT, the first proof of stake system in the early days, and he was like, man, you've done an amazing job at this. Can you help me grow Steem?

And I'm like, what's Steemit? He's like, well, it's this the first decentralized social media application in the world. The first thing on the blockchain, it's a consumer application. So this is like, you know, 26, 2015, 2016, 2017. There were no major consumer applications by and large beyond like Bitcoin a exchanges. And I looked at this and I was like, yeah, this is gonna be an absolutely brutal challenge. I wanna do that. And so we took a, a product that had thousands of users and turned it into a product with hundreds of thousands and low millions of accounts ultimately participating on the website. And this is like, you know, 2017 era. Okay. So there was a, there was a world very, very early on in the history of crypto where we already had thriving consumer applications. Okay. And we did that by using, by trying to build a great, great consumer experience for our customers. It's like the blockchain thing was important. It was very relevant.

It was a key growth driver. But at the end of the day, we have kind of, you might think of it as a decentralized Reddit type of model

where the users would control the ranking algorithm. And this was super successful in terms of driving engagement, in terms of driving the quality of content, in terms of driving value creation.

It was very, very sticky for users. They really enjoyed it. So I learned a lot about that. The, probably the, the most important thing that I learned from that experience, which might be relevant to everybody who listens to this call, is that there's no necessary barrier to using blockchains to create great applications that are useful for customers today. Okay. There's no blocker. We were able to do that in 2016, 2017. We were able to create applications that had serious, massive usage at that time. There's no blocker for us doing it today. There's no

blocker to a major centralized social network today, except do you have the skill, the commitment, and the patience to go out and really grind on it?

Because social medias, that's really its own game and its own learnings that you have to learn if you wanna do it really well.

Stephen: Right. And most of 'em build up. You don't make money usually on day one. Right. You have to build for long periods of time with no capital. And it turns into a war of attrition it seems like for most of the popular Exactly. networks that stick around today. And I think there's a lot of sexier and faster ways to make money in the industry that people aren't devoting as much time as it needs.

You talked about starting Immunefi

Mitchell: Well, one thing,

Stephen: yet.

Mitchell: and this is just be a fun thought for anybody else who wants to go and do it. Okay. I have many times asked myself, should I go back, build a new social media network? Because I know how that sausage is made. We were able to do it from the ground up, and that was at a time when the blockchain operating costs were so much more severe, right?

Like the

major cost function. We had a, a tiny, tiny marketing team. We had less than five people at any one time driving most of the growth for Steemit. And we still were able to achieve very substantial results. The key missing factor there was low cost on the operating and maintenance side. So the blockchain was just too expensive and it was all a, a custom blockchain built off the original BitShares design that was just very pricey to run.

And we weren't able to get to like a massive probably advertising revenue stream that could support that over that timeline. Steemit eventually exited and did very well of course, but you know, it could have been much, much bigger. And so I look at that now and I can think of a whole bunch of amazing social applications.

So if anybody knows what like a marathon type of social application is, I think that could absolutely kill it. And there's, I think there's a whole bunch of niche social networks that people are starting to explore products like Commonwealth, right? Obviously you have some of these more larger decentralized social networks that have taken lots of millions of views.

There's, there's tons of opportunity here. People are craving for curation and tokens. Skin in the game can provide really meaningful social experiences in a way that most traditional social medias just can't. So for anybody thinking about it, yes, there is an opportunity there, there are multiple unicorns waiting to be made.

Go take a shot.

Stephen: I love that. I love you giving this high entrepreneurial insights based on your own experience. That's something that we talked about pre-show. Like I love this audience to come away with something. They're like, yes, we can still build this. It's not too late. It seems like you were too early on on many of

Mitchell: right?

Stephen: So it might be a good thing to wait a little bit nowadays and let

Mitchell: Hmm.

Stephen: progress the bug bounty though, like I, I'm sure we all know what a bug bounty is, but maybe describe like in your words, like what is a bug bounty? 'cause you mentioned pretty much like negotiating with hackers on one side, but then there's various types of hackers and I think.

Sometimes those waters get muddied as to, you know, whether someone's like a hacker scammer, or whether somebody's a hacker opportunist, or whether somebody's like a ethical hacker. Maybe if you can break down some of those concepts to level set the conversation before

Mitchell: Sure,

Stephen: into deep into bug bounties.

Mitchell: sure. Okay. So high level, when you're thinking about hackers, it can mean whatever you want it to mean, and people certainly use that today in the, you know, information age. But when we're thinking about hackers in this context, we're thinking about people who can find ways to manipulate and operate code. And the the hacking part is figuring out how to take the logic that you might see on chain the business logic and be like, Hmm, can I crack this and make it work a slightly different way? Can I turn that slightly different way into doing something completely Ana? Completely the opposite. Of what the original creators imagined it to be.

Of course, we see this a lot in on chain DeFi protocols particularly. So that's how we think about hackers in this context. That further breaks down. There's this high level moral model into white hats, black hats and gray hats. Okay? A white hat is someone who operates within the law and by an ethical code, typically to protect projects.

So they might find a vulnerability and disclose it, even if there's no reward for it. And that is a very, you know, gracious and generous act that they do. We need to appreciate these people because we just don't have enough of them. The second one is the black hat. Okay? White and black, good and evil in this context, right?

And the black hat is just someone who operates outside the law using their hacking skills for their own benefit. So typically that'll be like anybody who say, you know, conducts a data breach in traditional software parlance, and will try and resell that, that data on the dark web or elsewhere. But of course in the crypto context, it'll be someone who can crack a protocol and be like, Hmm, maybe I should steal all the money. So that's the black hat. And then we have gray hats, right? The third category, which are most of the hackers who kind of live in between, where they don't really feel like just doing everything for free and they're not necessarily by the law, but at the same time, they don't necessarily wanna screw people over either. They have their own personal interests, they often have their own personal code of ethics, and they can swing one way or the other depending on the context of the situation. Okay, so that's high level view

on the hackers. Does that make sense?

Stephen: just say

Mitchell: Please?

Stephen: are your thoughts on the, like somebody creates a game, somebody plays within the confines of the game. The person that created the game didn't think about a potential loophole. Somebody figures out that loophole takes all the money and they're saying, well, hey, I just played the game that was created for me.

I'm not doing anything illegal. I think like the mango markets guy comes to mind when we think about like, where's the line between stealing and playing within the game that was created and just taking advantage of like, Hey, the bank had a a hole in it, and they said I could take it as long as I put my hand out.

Where are your thoughts there about, you know, is, is this like a contentious issue in your world of cybersecurity on Web3?

Mitchell: Sure. Well, I'll first note that you know, at the small amount, when you think about that, just in say, a classic game like Roblox, lots of hackers do this, right? Especially when you're young, you're playing around. I played some online games, or I'm messing around with this stuff. The difference of course, comes when it concerns real money, when it concerns real consequences to people's lives. And what you said is a, you know, another way of saying the old "code is law" debate: is code law

or is law law and code is code? And the TL;DR of that, right, the too long, didn't read, is: code is not law. Right? Just because you can get away with something doesn't mean that you should do it. There are ethical constraints that should be superseding, should be overriding what you think you could just do for fun and what you can do for your own self-interest. Just because the vending machine is broken, right, and you can push the button as many times as you want, doesn't

make it any less stealing,

Stephen: because you could deposit a check and take out a million dollars probably doesn't mean you should. 'cause that's kind

Mitchell: right?

Stephen: Right.

Mitchell: Exactly, exactly. So is code law? It's like, no, no. Code is not law. Law's law, code is code. Or what we do, of course, though, will depend on our own personal interests and, and codes of values.

Stephen: Awesome. What was the, before you came in, you must have seen a problem with bug bounties for you to be like, Hey, why don't we create a platform or a process where these can be centralized or at least, you know, organized in a way where people can issue bug bounties and people can receive them. Where, you know, people finding bugs and the produ, the, the protocols are like, no, that wasn't really a bug.

We, without paying out that boun. Like what was the issue that you're like, Hey, we have to solve this problem in order for this to be a great free market and the benefit for both the hackers and the companies that wanna secure their

Mitchell: Okay. Okay. Well first, your frame is right and, and for everybody's context, who doesn't know what a bug bounty is? A bug bounty in its simplest form is just a giant prize for anybody who can find these ways of gaming the system. For anybody who can find the cheat code, for anybody who can find a vulnerability in the system that allows it to be used in a way that it shouldn't be used, okay? And it can get infinitely more complicated. From there, it's a giant legal contract. It could be small, it can be humongous, it could be anything in between, but that's just, it's just a prize. It's a contest of sorts, but one that lives forever. You put it on the internet and it's an open call. Now, the superpower of this is by putting that on the internet, you can access the whole world's cybersecurity count.

All these white hat and gray hat hackers who might want to be able to help you, who could be incentivized by your rewards, who can just come in and do you a huge favor and protect you from a threat that you didn't even know existed. With a bug bounty program, you can make that accessible. Okay. So that's the context. In terms of how we got here, I looked at that. I was looking at broader crypto security as a whole at this time. So at this time I was retired. I was just kind of milling about and reading a lot of books and trying to live a very good and healthy life. And I had built a lot of stuff as you know, and one of the things I was concerned about was, you know, how do I have assurances that these on-chain smart contracts are safe? How do we know that DeFi is safe? And this is 2020, right? So we're just seeing naked out begin to blow up. We have Aave, we have Compound, we have these early products, and they're beginning to demonstrate themselves and they are magical, right? If you've used traditional financial products. Sure the scale is minuscule by comparison, but the, the value proposition to you as a user, trustless financial products, permissionless financial products, open access to the best lending opportunities, for example, on your Compound in the space.

I mean, like that's something if you're not American, you don't have access to incredible lending or debt products. If you're like a normal person, you have access to a very small suite of things and then suddenly DeFi appears and you get access to the world's freest, most liquid, most fast moving market in the world.

Like this is incredible. This is incredible. Especially if you come from a place that doesn't have mature financial products

as I do so,

Stephen: to,

Mitchell: right. Most people,

Stephen: a bank account, but you're able to participate in lending and staking and, you know, boring like it, it is, you know, eye opener, what people are getting access to.

Mitchell: Right. And, and, and it's nuts even if you do have a bank account, right. The world of financial products that most banks offer does not necessarily compete very well with what crypto offers. Certainly, in my view, and even at this early time, sure, we weren't mature then, but I could see we were on the right track. We had cracked the code for what would make crypto really useful for society at large, which is just a better, cleaner, safer, more transparent, more resilient, more adaptive financial system.

Just basic useful stuff was gonna make the difference. But I didn't know why I should feel that these products are safe. Okay? I didn't know why I should put my confidence in them, put my money in them. And I had been around right from, from the very beginning. I had seen MakerDAO be created, I had been around when most of these projects did an ICO, raised money, and I didn't know that. And so I went into the process of reviewing the whole security stack.

I interviewed more than a hundred people. Just, I wasn't necessarily planning to start a startup at the time. I was just, I was just doing it. 'cause I was like, oh, this is such a bad problem. I want crypto to work. I really believed in, like, I had spent my whole career trying to build these things. I, I was an idealist and what I learned was we don't really have a comprehensive security stack. We had audits and then we had a very small number of open source tools and a lot of kind of learned skills that lived in the heads of less than a thousand people around the world. I thought to myself, this is the nuts. This is, are we gonna put trillions of dollars in these

things? Okay, we, we need to, we need to fix this.

How do we make crypto safe? And that became the primary motivation for Immunefi and the origin of this whole project. Out of that conclusion, I looked at the whole stack, all the options that we had, all the technologies that we had at that point. And I asked which one of these things is gonna be the single highest leverage, right?

I knew how ICOs boomed in 2017, and I knew that if there was a similar boom in DeFi, this was likely to be accompanied by a massive amount of hacks, because there would just be a few opportunists, a few black hats, and maybe a few gray hats, and they would take what they wanted. So I knew that there was a time limit to this.

We had to solve these problems and solve them fast, but if we could, if we could do that successfully, we would allow and unlock crypto to grow into massive scale. I was very, very motivated by this. This particular vision, I, I needed crypto to work, right? That was so much of my life that I invested into it

Stephen: Can

Mitchell: and af,

Stephen: there anyone

Mitchell: oh, go for it.

Stephen: thinking, like, on these same lines, like would you have these conversations, maybe sidebar conversations at conferences and people are like, yeah, I've been thinking the same. Like, was there anyone talking very similar or was like, everyone like, woo hoo, crypto blowing up our bank accounts.

'cause usually people don't

Mitchell: Sure.

Stephen: until they, until after the hack or after the bear market. When they start losing money, they start pointing their fingers. Like, why didn't we do this? Why wasn't this more

Mitchell: Sure,

Stephen: But you're talking at like, pretty much the height of that time, of one of the bigger markets thinking about these concepts and what we had to do to prepare ourself and be preventative.

Mitchell: sure. No, I, no, it's, it's kind of sad. I told you I interviewed a hundred people and nobody really had the bigger picture in mind.

right.

There were people who had built some cool products and cool stuff. There were a few bug bounty platforms. There were attempts to create decentralized versions but nobody saw the bigger picture, and nobody was really building for what customers wanted as opposed to whatever it is that they wanted to build at the time. And I, my goal at that time was just to equip whoever I could find who was doing this best, and just put my weight behind them and be like, you know, this is a great vision. Let me support you. Let me help you. But I couldn't find anybody. Who saw the big picture, either the impending catastrophe. I wrote a whole blog post where I go, and how you can predict how I predicted that this catastrophe was sure to come given historical patterns in the crypto markets.

Nobody saw that. Nobody cared about it at the time,

and then nobody was really building the bug bounty platform. They looked at it and they're like, this is a security business. There's no security market, there's no bug bounty market in crypto. Very few projects used in, they were all over value. Why would anybody do something like this?

Nobody believed in the solution that bug bounties could work for crypto necessarily. So they weren't widely adopted or well used at all, and nobody believed that there was a business case at the

time for them as well, and so that you couldn't build something sustainable. So I was pretty much alone in those days.

Stephen: How'd you finance it? Right. You have to think there's not a lot of traction coming from your side. Was it a low cost to run? 'cause you're kind of like matchmaking, you know, protocols with hackers, so you're maybe taking a percentage, like was it low cost, low capital to run this, or was it just like your strongest belief?

Like, I'll invest everything that I've made in the past into this project because eventually it will work. It's not a matter of if it will work, it's just a matter of when these hacks start happening and people need a solution immediately.

Mitchell: Sure. Well, in the beginning I was all very mission focused, so my concern, and this is, you know, ended up being a superpower, going after a market that nobody knew existed or cared about, but ended up, of course, we ended up creating a vast market as a result of this. But being mission-driven, I didn't care about that.

Right? I was in it for the glory of protecting the space. I was in it for the ethics of protecting the industry that I thought had so much to offer. I was in it because I was a user of these products and I wanted crypto to succeed. I was in it because I believed. And what these things could do. And that was enough in the early days.

So I ponied up my own money

in the very beginning and we just, you know, perks of being an entrepreneur and having built a lot of businesses prior, I just ran it really, really tight. So, money

come in, money go out, we don't increase spend unless we make more money. And it was

That simple.

Stephen: business. my business right now. That's awesome.

Mitchell: It was

tough. It was, it was tough. But then people saw that,

okay, people got inspired. And so my friends who had followed me on my journey, who had supported me, who had guided me, mentored me in many cases, they're like, Mitchell, you're doing a great deed here. This is a good thing. And it might be bigger than you think. You should go all in on this, like give you a push and we'll give you capital if you end up needing the capital, here's the capital. We didn't end up needing the capital in the beginning, but then as things started to grow, I was so, you know, happy to know that I had such a great group of, of friends and confidants who would pony up their own cash because they believed in the vision of what we could achieve.

And, and it all paid off.

Right. We, we did. Great. Great. Good.

Stephen: you hear very often. Usually people that are like, Hey, this might blow up, are like, Hey, how can I get equity in it early? And you know, how can I get mine if it does blow up? Versus like, Hey, the money's here if you need it. We just believe in the mission. I don't think you hear that story very often, especially around Silicon Valley and other places.

It's usually people trying to get their money in as cheap as possible to, you know, extract as

Mitchell: Sure.

Stephen: as they can out of these missions.

Mitchell: Well, there's another thing there, and this is a key one for other, you know, present or future entrepreneurs. It wasn't just that they believed in the mission, it was also that they believed in me. And so for a lot of these guys, they just looked at it and they're like, Hmm, Mitchell's done a bunch of projects.

And even though some of them are just so nuts, like SingularityNET was nuts at the time. Nobody ever done something like that, right? Steemit was also nuts. And before that it was also nuts. Nobody ever done this. And so they were like, well, mission's great and that's good, but we also just believe in you as a person, so maybe we won't make any money.

But knowing you, I think this might lead to something interesting. And that is often enough, right? And look, I have since then have fully converted to that worldview. There have been many cases where my friends went off to do something good and worthy, and I was like, look, here's the money. Maybe it doesn't turn into anything, but I've learned the hard way that people are what counts.

And so if someone can make this work, it's you, you know, go and make it happen. And that's been some of my, my, my best performing investments have been things exactly like that. So people at the end was

the other factor.

Stephen: right? Trusted jockey.

Mitchell: Yeah.

Stephen: some numbers, Mitchell, like this is a, you know, you've saved billions, like millions, billions. Hit me with some numbers that would absolutely blow people outta this world. I think the easiest stat is in 2022, was that, you know, basically DeFi burned down $4 billion of losses, mostly, you know, vulnerable exploits.

Smart contract code vulnerabilities. Hit me with some numbers that would absolutely shock people.

Mitchell: Okay. So for starters, when you're thinking about historical hack rates, we're doing, we, we kind of were doing three to $4 billion in hacks per year. Okay. And there's an additional amount on top, depending on how you want to calculate the scam numbers. So in the early days of crypto, and here we're just looking kind of DeFi summer onwards, when we started having more mature financial markets that were self-sustaining and self-referential. A real economy in my view. We're seeing billion dollar hacks now, this is, you know, one to 3% of total value in those contracts being hacked per year. That's a lot of risk to be taking on the smart contracts. Those are the realized hacks. Now, it could have been even worse. So for context and what we've done in Immunefi over the past four years, if we just look at the hard cash values, not looking at underlying equity, not looking at token equivalents or equity like assets as well, and not looking at derivative like assets as well. Just looking at hard cash or hard tokens that could have been spilling. We prevented over $25 billion in hacks. Okay? If those hacks had come to life, we would be living in a very different world. In my view, crypto could have been delegitimized, and it could have been worse because that's $25 billion of hard cash or hard token values. If we look at the contagion effects that could have followed those, so thinking underlying tokens, right? A hack happens. It's not just that the money is stolen, but it's also that the underlying token value is destroyed. I did a, a whole analysis on this where it's like often 50 to 80% of the underlying token value is destroyed for the following, you know, six months, a year plus.

And some of that can be permanently sustaining with, even with projects that survive and many don't. You might have 10 or 20% token drawdowns that never really fully recover. So the actual potential damage was much, much grander than that. However, having said all that, and despite how scary these numbers are in a market that has like been hovering around a hundred billion, 150 billion, moving towards 200 billion TVL, we prevented all of those, those were all saves at the end of the day. And so this world where we live in, where you feel like these, you know, two to $4 billion hack numbers are absolutely massive and frightening. This is the good world that we're in, right? We're in the wild west, right? The, the bank carriages are getting robbed. The banks in the small towns are getting robbed, and by and large, even with the damage that we've been seeing, we've been broadly successful at protecting the industry from what could have happened. This is the level of hostility and adversarial 'cause adversarial that we see in the industry today, and that our job is to go and defend against.

Stephen: And you, you have to think too, like $25 billion in the wrong people's hands is gonna equate to more hacks, right? If you, you give

Mitchell: right?

Stephen: to North Korea, they're gonna be able to fund some other projects. They're gonna be able to hire more people working underneath them. You know, they're gonna be able to create more exploits and attack vectors.

So it's not just the money you saved, it's like what could have been done with the money, had they got into the wrong hands?

Mitchell: Mm-hmm.

Stephen: that? You talk about the early stages. No one really believed in Web3 security. You know, you have all of these, you know, as you call them, saves. What was it like as an early adopter who were, who was like that one company that like, hey, really invested in what you were doing?

They're the, were the ones putting out those hard, high, you know, high amount bug bounties that really got people to notice and Immunefi and being like, Hey, maybe we should start doing the same thing.

Mitchell: Sure. So there are two great examples to that effect. The first one, the first Big bounty we had. So when Immunefi started, you know, we were just one simple webpage that links to other static webpages. We were super paranoid. We were assuming that North Korea was out to get us from day one. And it's all rather primitive.

Okay. We're just aggregating these things. And the major challenges, like you said, changing the standards around bug bounties, because in the beginning, bug bounties didn't work. They were written by lawyers. They were super restrictive. So why would you help someone who like saddle you with an NDA afterwards and makes your life difficult and hates on you like. That is a bad, that is literally the definition of being punished for doing a good deed. Okay? So that, that didn't work. And then the bounty amounts were too small. You might save a million or 10 million or a hundred million dollars and then they would give you like five K, a t-shirt or maybe just a t-shirt. So if tree started, this has happened many, many times in previous to Immunefi.

Stephen: I like, I've heard stories of the tv.

Mitchell: It's

crazy,

Stephen: oh, we'll take you out to lunch next crypto conference. Well, thanks so much.

Mitchell: right? It's like, come on, you guys. The work it requires to figure these things out can often be intensive. A great white hat could spend months cracking a single contract and figuring all the nooks and crannies, particularly infrastructure. So it's like it wasn't matching up. And the first real challenge was to transform what a bug bounty was. We may use the same words as we do to describe Web2 bug bounties, but in fact, crypto bug bounties are a completely different beast. They're written and designed differently, not written by lawyers, but written directly to appeal to white hats in the security community at large. Even gray hats we wanna pull, they're financially lucrative.

This was a key challenge that we had to break through in the very beginning. So you, you talked about, you know, some of these big hacks that have happened, like the biggest bounty ever paid on Immunefi was $10 million.

Okay? That's the biggest bounty paid anywhere on the internet. All the biggest bounties on the internet have been paid on Immunefi. Okay? So we, but that was it in the beginning. We're, we're fighting with T-shirts, right? So how do we go from the world of t-shirts to big money? We needed to crack that, and we needed to make them safe. One of the big challenges is, you know, under traditional American laws, you disclose a bug and technically you've committed a crime just by looking into someone's infrastructure, even if it's all on chain and public and transparent.

Like even under those conditions, kind of, sort of, it's breaking the law depending on the jurisdiction. So we needed to go and fix that, and so we created something that nobody had ever seen before. Which was the scaling bug bounty and a whole bunch of trust assurance measures designed to create a credible, neutral third party that could adjudicate these disputes, that could adjudicate whether a bug bounty was real or not, and help enforce payment to make sure that actually happened at the end of the day.

Stephen: Can

Mitchell: Now the fir oh go for

Stephen: the money work? Is it locked into a smart contract and based on certain requirements as it has to be agreed upon by like a jury of the peers of whether it was actually solved or not solved? And or is it escrow system? Like I think people would probably say like $10 million.

Like who had the $10 million? How long did it take to get to that white hat hacker? Like these are all questions I think operationally aren't a hundred percent clear,

Mitchell: sure. They are very nuanced and they were very alert in the early days. It was more like we had to use much more heavily trust and social reputation to move forward.

Nowadays we have our vault system, which is a self custody vault that customers can use with some restraints on it to ensure good faith actions to put funds in.

It's not exactly an escrow system because technically there's no third party, but it's like a decentralized escrow system. In some ways, it's the kind of thing like to the point I mentioned earlier, how you can create great applications that make sense for the world today, and crypto, our vault system is like that.

It's better than any other bug bounty system in the world because you can just look and actually see funds on chain that the customer has committed for the purposes of a bounty. But the most important thing regarding that is just the law, right? Just contracts. And we have a bunch of contracts that we use for these things. So the bug bounty program itself is a contract that the customer has agreed to and put out there. The contract they do with us at Immunefi is a contract that's legally binding, they have to abide by. And then finally we have an arbitration system. This was another innovation that we made. We created the world's first, and as far as I know, only court, private court just for software vulnerabilities called Immunefi arbitration. And it works with the London Chamber of Arbitration and Mediation in the UK. And the result is we can have rulings that are very cheap and very fast to do that are informed by our technical expertise. Okay? And we can bring witnesses as we see fit. Immunefi has the best triage service in the history of bug bounty, in my view, certainly in crypto. And so we have all these experts on staff who can say, is this a real vulnerability or is this not? Is this within the, the, the rules of the programs? The programs are all designed to be as crystal clear as they can possibly be. And Immunefi arbitration to be like, okay, this is appropriate. You need to go and pay this.

And, and it's binding across the entirety of the world.

So we have all of these measures.

Stephen: How many times do you have to go to that arbitration? Is it like, like, like loans, right?

Mitchell: Almost never

Stephen: loans, like 6%, 7%.

Mitchell: less than 1%,

Stephen: reach that level of arbitration?

Mitchell: almost none,

almost none them doing it right. That's like the Supreme Court level. But we spent years building things. For example, we have Immunefi mediation, which is the, the, the most neutral and credible mediation service in bug bounties. You always know that our guys are gonna tell you exactly how things should be, right?

We're not primarily taking payment on the bounty itself. We're just saying what is true and what is right, and the customers agree to that when they sign up. And then the programs are designed to ensure good faith action as well. Right. So we have all these protective measures that have been put in place over years to make sure that people are good faith actors.

And then we have additional, we have this kind of a ladder of escalation for managing disputes and bringing those to harmonious conclusions.

Stephen: I love that. That makes a lot of sense. I think that clears up a lot for the audience. I'm curious, I think a lot of the audience would be like, why do you need a bug bounty program? You know, we see these protocols that get hacked and then they just offer the hacker 10% to give us back the money or, and you can keep 10%, or like, we'll give you a job.

Like what do you think of that process? Is that kind of cutting corners? Do you think that these protocols should have done a better job on the front end? And then secondly, what does society need to do to be like, Hey, I'm only gonna be dealing with protocols that have bug bounty programs in place that have done their audits, pen testing simulated environments for before they launch their code.

Like when is society gonna be like, Hey, I'm only dealing with the most safest protocols out there versus like just throwing their money into anything that kind of looks shiny and I could be overgeneralizing it. Maybe you can speak to that more than I can.

Mitchell: Sure. Okay. Two very different questions. I'll start with the second one. Ultimately, society at large has limited ability to participate in securing the industry at this time. The tech changes so quickly. Okay. The nature of the circumstances are so nuanced. Most of these actions take place behind closed doors.

Stephen: All right.

Mitchell: very difficult to know what's going on. So for example, you know, we, we've had chats with regulators about what to do on the security side, and they're like, should we enforce this standard? And I'm like, man, you guys are like three years behind. If we write this into law, it won't really make a difference because you don't understand the whole tech stack that's available that customers should adopt.

And by the way, three years from now, that tech stack will change substantially. We'll have added a bunch of new things. So it's a limited ability. Now, the most powerful ability for society to intervene towards the betterment of security in the ecosystem is simply to demand it. Because if there's one thing to remember, it's that crypto is the most fast moving and adaptive market in the history of mankind. It is a jungle of competition where we are all competing for dollars around the world in various forms. In consequence, we are extremely responsive to customer needs. Right. And as a simple example of that, you could compare the cost of a financial product on the DeFi protocol to anything that you might see on a centralized equivalent.

And look at the margin difference between these types of products, right. And the capital efficiency of these types of products. You know, very typically the vast majority of DeFi products charge zero fees upfront. And for quite some time then they may give, you know, a ton of their tokens effectively the equity of these things away to their users in order to incentivize them. Like this is the most competitive from a consumer standpoint market in the world. And by extension, if you ask and demand security, they will give you security. And that is exactly what we saw at Immunefi.

Stephen: All right.

Mitchell: it wasn't just this spate of hacks. In the DeFi summer and the aftermath thereof, that drove our incredible growth. It was also the fact that we worked with the community at large to set a new security standard, as we would say, if you're not using Immunefi, if you're not using bug bounties, you're not taking security seriously and who wants to throw down their money into a project that doesn't take security seriously? There's not a single consumer in crypto that'll be like, oh yeah, let's just YOLO that. Yeah, that's a good idea. Nobody says that. And so that's super powerful. That alone is what will inevitably make all the difference in pushing more effective security services. That's all we need to do to win this game.

Stephen: And you just launched Magnus, which is, you know, in February of 2025, February of this year, which is pretty much giving a platform to do exactly that, right? Take this kind of fragmented inefficiencies on, on chain security and bring it into one place, one workflow. Can you describe Magnus for everyone and like essentially, you know, what makes this so interesting to a lot of the protocols that have already started to adopt it?

Mitchell: Sure. And, and here I'll, I'll try and walk through some of the higher level reasoning. 'Cause there's something of value here I think that everybody could use, either participating in crypto today or, or considering doing so. Magnus is what we call the Crypto Manhattan Project, Crypto Security Manhattan Project.

Okay. And the reason we call it that internally at Immunefi is because if we succeed, we're gonna usher in a new age for crypto because we're gonna bring hacks to an end. The reality of the fact is that we have incredible tools, security tools available in the industry today, but they're not widely adopted. In fact, most people don't even know about them. The problem that we face today is exactly the same problem that we faced at the beginning of Immunefi. When nobody used bug bounties, they didn't know about them. They didn't know that they worked, they didn't know how to use them. We fixed that problem with bug bounties, and as a result, bug bounties have become a standard in the space that are incredibly effective.

We just had a protocol today, Reserve, that increased their bug bounty to $10 million. Okay? Like the industry is all bought in on that. 'Cause they can see that the ROI on these things is often, you know, a hundred, a hundred x on the mitigated cost, right? The cost that you would've otherwise had to pay if the vulnerability was exploited. Now we have that same dynamic across the whole stack, right? We have early detection tools that could be used in the software pipeline. Nobody uses them. We have monitoring tools, right? That can provide real time threat intelligence. Those have some more adoption, but we're still looking at under 20 or 30% of the industry, like nowhere near where it needs to be. We have firewalling technology that can screen out and identify malicious transactions. That's sub 1% in terms of overall adoption. It works today, it's ready today. We have new auditing solutions that are just beginning to be explored. And then when we have automations that can be triggered across this whole stack of things to make them speak to each other, that could be, say, automatically pausing contracts when threats are detected, and those aren't being used today either. So there's this whole stack of super tools that could take us from this world of one to 3%, right, in terms of hacked TVL per year. And bring that down to like 0.1%.

Stephen: Why aren't people using it? It doesn't, like even the bug bounties, you're putting up $10 million, but if nothing can be found to be wrong with your code by some of the top hackers in the world, you're not losing any money. But if you don't put up the 10 million as you know, kind of collateral and something does happen, you're gonna lose so much more than $10

Mitchell: Ready?

Stephen: So what, like, this seems like almost like a no brainer and a huge backstop for a lot of these protocols. Like

Mitchell: Sure,

Stephen: not a concern? Is com like security not a good, like the bug bounty, even like not buying tech or paying

Mitchell: sure.

Stephen: tech stacks that you're talking about? Why wouldn't the bug bounty be the first thing every protocol does?

Mitchell: Well they should, and that is something that we're slowly seeing to come to life. We are

at, you know, majority of the industry adopting it. So we're going into that world. But the reality is it's just hard. Lemme give an example, right? You have probably used a multisig before, but you know, when it comes to day-to-day use, you're probably not super excited about using some three of five or three of six or four of seven multisig for doing things.

It's like that would be a huge pain in the ass, and you save that only for when you really need it, or you might not even use it at all. The vast majority of users still don't use multisigs today, and yet that is like best practice.

You are a next experie. Even if you've been around many years, you may not use multisig. Right, because it's just hard. And the tool is like the UX just isn't there. So we needed to solve that problem. We needed to take a world class, the best possible bug bounty program that you could make and make it effortless to adopt. We do all the work, we have all the standards, we have all the statistics.

We show all the ROI, we automate all the workflows so that you just come in, you say, sure, I signed, let's do it, man. Let's go. And we guide you. Here's how you should set the price. Here's the kind of terms you should have. Here's the assets that you should be putting in scope. Here's the type of alerting that you should do.

And it's all just there for you. It's all just done. And that's what made the difference. Okay? And getting mass adoption of bug, bug bounties, making it just a no-brainer. That made sense. And that's also what's missing, by the way, on the rest of the stack. And this is the problem that Magnus solves. Setting up monitoring is not very easy.

How do you connect it to the rest of your stack? And the answer is, for most tooling today, you can't, and you don't. And so it's like, it's like a brain in a jar. It can tell you useful things, but it can't do anything. Or let's say a pipeline defense. How do you know which, which software is good and what's not? Well, you as an individual protocol, you can't, you just have like all these signals coming at you. None of them seem particularly credible. You don't understand what's going on. You just like, well, screw it all. I'm just gonna go to an auditor because at least I trust that guy. I'm just gonna use Immunefi because at least I know they're good. So this is the problem that you have with the stack. And so this is also what Magnus solves, creating the best possible implementation of all these tools for you without almost any work on your side. And you just have to sit back, do I believe in Immunefi? I do, then this is, this is the way to go.

Stephen: That makes a lot of sense. You're like the Ozempic, you know, for people, like, we all know that eat healthy, go for walks, get some exercise, get proper sleep, and we would lose weight. But to your point, that's hard. Right? But the Ozempic gave us like, oh, a pill or a shot and we can do it easily. You're kind of that, you know, making it easy for people so they don't have to even think about it.

But to your point, like not every day do you want to use multisig or these complex things. It's the same thing for these protocols that have to go through a bug bounty. And I'm glad that Magnus solves that problem, but you're also integrating AI into that solution. Talk to me about your AI usage and how that's supporting your customers.

Mitchell: Right. So just to twist that pill analogy a little bit, you'll forgive me for this transgression. But everybody wants a pill. Nobody wants to take vitamins. Even though, you know, prevention, you know, an ounce of prevention is worth a pound of cure, right? And so what we're doing with Magnus is we're giving our customers that pill.

Oh, it's really hard to set these things up. Oh, it's really hard to figure out what works. We're like, we figured it out for you. And then we're sneaking in all of the vitamins because

all of these tools, for the most part, are preventative, right? They're taking care of problems before they even exist. So we're sneaking in all the vitamins into the simple pill, like entrepreneur, like say you want to go build a DeFi product, and that will soon be possible with tools like Magnus. You need to know so much about security. There's all these things you have to deal with that it's just a, a, a pain in the ass. But with Magnus, you can basically outsource almost all of that know-how. You maybe have one great developer, one great CTO, a security engineer if you want, and they can use Magnus to operate the entirety of the security infrastructure that you may have.

And that's where the AI comes in. And so we can give you all this preventative power while solving a kind of immediate critical problem. Then you can just focus on building a business. And that's the dream come true for all of us, right? Focus on doing what actually matters to grow and create our vision. Now the AI stuff that comes in is very varied. So what we're basically doing is building dozens and dozens of different AI workflows and different AI agents to take care of workflow challenges. Because the challenge in running security operations is you have to be monitoring the situation 24 7. You need a guard that's outside your house, right?

That's just always looking around for threats because that's how dangerous crypto can be. But how do you do that? Because human beings can't do that. And the answer is you use AI to do that. So we can use AI, for example, to monitor incoming vulnerability. Does that look like a threat or is that not right?

Is this likely to be a valid vulnerability or is that not? We can do things like, oh, that does look like a threat. Shall we instantly pause your contracts and make sure that's safe? We can do that. We can do that. Such as you submit a new batch of codes, fresh code. You believe it's awesome, but you're not sure if it's safe.

Well automatically triggers our mechanisms to go and red team that for you and make sure that's safe, make sure nothing slips through, and we can even do all that with the basics of running your whole security setup. So we have a system, for example, called radar, which is just an agent that constantly monitors your on chain assets and looks for problems whenever it sees new infrastructure. That is owned by your, your other contracts and immediately say, Hey look, we would like to add this to our, our perimeter for what we're defending so that we can automatically protect this 24 7. Do you want us to do so? And so the AI solution is all very simple. At the end of the day, we're taking all the annoying work that was taking up hours, that was distracting entrepreneurs and builders from going and doing what they wanted to be doing. And we're creating step by step. It's gonna take a long time to get them all, but we're gonna do it. We're creating these AI automations that allow 'em to be done in a best in class way better than most developers or engineers would know how to do, because security is a specialized skill and doing them instantaneously. So just a little touch there. For example, we have a system that can automatically scan all your code and create a bug bounty. Okay. Based off of Immunefi best standards, which would typically previously take, you know, five to 20 hours to create for someone who is not skilled in doing so and still wouldn't be as good for us.

It will only take, you know, three to five hours, but still takes a lot of work and it can do it in just a few seconds. That's how

we're using AI to supercharge this.

Stephen: that they should, a proper amount that they think, that you think that they should be putting out there just to make sure that there's nothing, there's no, you know, the rock left unturned.

Mitchell: That's one example, right? And the AI has, you know, so much more memory, right? These LLMs can have much more context. Than most people can, and they can absorb all of our contextual expertise that we have built over the last four or five years of operations. We can plug that into that model and it creates the first draft.

Then of course, we can do human reviews on top as we need, or adjust as we require. But this is the kind of AI automation that has ultimately turned security from a you know, a difficult manual workflow that requires extremely specialized individuals, a lot of money, a lot of time into, wow, I get the best.

I get kind of like the best practice response to every single problem, both threatening, but also just basic and about workplace efficiency. It's magic.

Stephen: You mentioned that you know, humans can't do this. Humans can't be sitting there at the perch looking around 24 hours. But a lot of what we see in some of the hacks and the exploits, and I think maybe you can explain the Bybit hack probably better than I can, is human error. So how are we gonna bring hacks down to zero if there's still that human error element in play?

Mitchell: Sure. Ultimately, human error is the single most difficult problem in crypto. Now, the way that we can solve that problem is the Magnus solution, right? And the Magnus solution is an implementation of this idea of security Swiss cheese. Have you ever heard of this idea? Okay. It's fun. You know how Swiss cheese, well, if you don't know Swiss cheese, it's a wonderful, wonderful cheese from Switzerland.

It has all these little holes in it. So you might have seen this from like old American comics and stuff. They, they absolutely love Swiss cheese. And the idea, the central model for security is what we call defense in depth. We stack layers of this cheese back behind each other. Now, any security practice that you do is gonna have gaps.

It's gonna have holes. There's no way to stay fully safe in this world, either as persons or certainly in terms of on chain contracts. But by having enough layers, okay, enough of these Swiss cheese layers, it makes it very difficult for a vulnerability to turn into a hack or an exploit because they don't just have to get through one of the holes.

The first one they have to get through the hole, find the, the gap in every single layer. And so by creating today, we use, you know, primarily two or three layers, right? Internal red teaming audits, and then bug bounties by adding a few more layers to that, protecting the, the software development pipeline going after monitoring firewalling. That's right, five, six more layers that we can add in there. It makes it much less probable that anything can get through, and this solves a lot of the problem of human error. Specifically on the development side.

So that's one solution.

Stephen: as they broke through two layers, there might be alerts like, Hey, these layers are being broken. Something strange is

Mitchell: Exactly.

Stephen: protocols. You should probably start taking a look and clamping down. Is that something that would happen?

Mitchell: Exactly, exactly. So, and you can have instantaneous

responses in that kind of case when you notice suspicious activity. So for example, if you see someone messing with a multisig. And you can see them signing a transaction, but it's not, you know, a typical transaction. If you had a guard on that multisig, you might be able to intercept that automatically, even if you had no idea what was going on.

Or even if you are actively signing a malicious transaction, if it didn't hit your, your whitelisting criteria, it would be actively blocked. So this type of approach is used already very effectively today in traditional banks. That's when you get those really annoying messages, right? When it's like, are you sure that you want to send that out?

Are you sure about that? But we can be applying the same principles in much fairer and more transparent ways to protect decentralized infrastructure comprehensively.

Stephen: What do you think in the future? We've seen, you know, Phantom, they do kind of like the wallet Web3 security. We see Hypernative, Blockaid that are more like pre-transaction, real time. You know, there's so many different aspects to Web3 security. But we also saw something like the Ronin hack that like $600 million moved and it took them seven days to figure out that they lost $600

Mitchell: right?

Stephen: What do you see the future of Web3 security, and how does maybe Immunefi and Magnus contribute to that future?

Mitchell: Sure. So the way that we think about this you know, the mission of Immunefi has always been how do we create, make crypto safe for a world of open applications to thrive, right? We'll do the safe safety problem, and if we can do that, everybody else will pick up the burden and, and make the world better with this technology as a result. And when we, when we're asking that question, when we're asking that question about building Magnus, the key question was, how can we make it so that if we succeed alone, then everybody else will succeed too? Can we achieve that? And that's exactly what we've been working on, building now the future of it, right?

Is this defense in depth line, this layers of Swiss cheese that I've described to you previously, plus doing the best possible implementation customized to each customer. And that's a lot of magic in there, right? That's a difficult thing. Customization always is. Combined with instantaneous and rapid response according to best practices.

Okay? And ultimately, we believe that we can achieve this, that we will achieve this with Magnus, but it has to be automated. It has to be driven primarily by AI solutions of various kinds. That's the only way to achieve a fast enough response. And I, I note that because most hacks, not all hacks, the Ronin one, for example, is not like this. But most hacks take place in just a few blocks. And in practice this means seconds to minutes or, or, or even shorter, depending on how fast the blockchain is. And that's your window that you need to respond in once you've detected a threat. Okay? The only thing that could ever do that was going to be an automated solution. So the future of on chain security is going to be overwhelmingly AI driven. And that's what we've created Magnus to embody. Now, it's not gonna leave the human element behind because only humans are innovating. Only humans understand the underlying technology and can think of new attack vectors and can improve the systems, and can improve our operating processes. And only, you know, fundamentally, only humans can figure out the really novel bug bounty and, and vulnerability disclosure cases. That's just a pure example of creative thinking that nothing else can replicate in this world. There's always gonna be a place that's gonna be an increasing and growing place for white hats and security researchers to make the stack even better. But day-to-day, day-to-day actions are going to be driven by automations overwhelmingly.

Stephen: I love this. It makes a lot of sense. And if, yeah, I know we're at probably at time, but you have so many insights. Can you talk to me a little bit about the security researchers? Like I know you have like a top 100 security research that you leverage over 45,000, I believe, within your community. Like what part do they play?

Are they actively, like, is, is this a place they go to as their full-time income? Are they

Mitchell: Okay,

Stephen: retired but they want to give back to the community. Can you talk a little bit about, you know, this integral piece of the puzzle?

Mitchell: sure. Well, you know, ever since Immunefi started, I certainly haven't been retired, but most of these guys are going to be part-time. The best ones will overwhelmingly be full-time. They're typically extremely creative individuals. They're disagreeable. They have their own opinions. They don't care being told what to do, and they're very perseverant. Okay? They're tough. They want to keep going, and they have this grit and this grind to succeed where nobody else has succeeded. Okay. That's what, what makes them so good. You could have a guy who looks at a contract that has, you know, a billion dollars and he tells himself, I think I'm gonna be the only person in the world who could ever break this.

The hardest puzzle in the history of mankind, and I deserve a huge bounty for it. We just had a critical case that was paid out this week for $500,000. Just one, just one bounty, just one from this one guy, right? He's just doing his work and he, that's all he needed. He just stuck it out. He's like, I'm gonna solve a puzzle that nobody else has ever been able to solve.

So this is the type of mindset, these are the type of people, this is how bold they are, and this is the type of grit that they transform into creative problem solving the likes of very few people can do. And this is why they have earned such incredible amounts of money.

Stephen: And like also save incredible money.

Mitchell: Absolutely.

Stephen: worked on so many different projects, Mitchell, you know, I see the, the Magnus and some earlier, you know, projects that you were with. It all seems to like combine into this world that you want to see. You talked about, you took some time off to focus on good health.

Like what is this world, what is this good life that you're trying to build? Not only in crypto, but just like across the people that you meet in any industry.

Mitchell: Sure. Idealistically speaking, you know, I aspire towards being a man of conscience and I believe in and want to contribute to a world of conscience where people are driven primarily by their best impulses. To do good by themselves and to grow and to nurture and grow other people in the same way. You can see the connection to bug bounties, right?

Turning a difficult situation into win-win for everybody every which way that you look at it. It's kind of a natural expression of these types of ideals. So I think crypto could have a role to play in facilitating that. Very basically by easing the economic and material conditions of life and making people's lives just a little bit better so that they can focus, because it takes a lot of work, right?

Focus on the best part of themselves, right? Focusing on getting close to their conscience and expressing it and living by it. 'cause you can't do that when you're in need, right? You can't do that when you're poor and starving. You can't do that when you're under constant stress and pain. You need emotional space for that.

You need some freedom for that. So that's the world that I'd like to contribute to. That's where all these things fit, right? You know, working on SingularityNET, trying to create an AGI, that's where Steemit fits in terms of creating a better social media that is better for the users and less value extracted and more value created for everybody involved.

That's where Magnus fits in and solving, you know, the crypto hack problem once and for all, and bringing that to an end, then allowing everybody else to build awesome stuff. Without having to worry, right. And allowing anybody, right. You don't have, so that you don't have to be super technical in order to manage your security stack or be a security engineer.

You know, you just have to have a brilliant idea and be willing to dedicate yourself to it and do good by the world. That's the world I'd like to contribute to and where these ideals are coming from.

Stephen: For, you know, from an entrepreneur lens is Immunefi. You look into like, Hey, like a lot of mergers and acquisitions in the space. You know, we saw Chainalysis, Alterya, they, Hexagate, they took acquired.

Mitchell: Right?

Stephen: you know, stablecoin acquisitions is like, is this something that you're like, Hey, I hope this is embedded in something even bigger in the industry, or do you wanna be like, I'm the big one in the industry acquiring maybe other companies that can come under the Immunefi brand?

Mitchell: Well, we have acquired companies before, so, you know, we are familiar with that game. But the most important thing is just achieving the mission. Okay? That's what everybody at Immunefi signs up to do. Everybody wants to do good in the process of doing their daily work, right? It's not just enough to get paid.

It's you, you wanna look back. I remember my, my VP ops, which is, you know, a guy named Aaron Castle, best operator operations person I've ever worked with. And he looked back at me and I was like, okay, so you know, what's, what's one of the big reasons that you joined? And he says, well, you know, I don't want my kids to look back and ask what I did.

And I'm like, I built a, you know, an an exotic asset business. And that's what I spent five years of my life, seven years, 10 years of my life, doing as meaningful as that. That can be, I want to contribute to something great. I want to do something great. I want them to look back with pride. And that's what people at Immunefi want to do. That's what we all want to do. And if, if we. For now, that puts me, you know, squarely in the driver's seat. But if there came an opportunity where someone came over and said, look, I believe in your vision. I think you can do a great job and I can help you do it better. I would seriously consider that the mission takes priority over all things.

Stephen: I love it. Does your priorities and like marketing change now that like, Hey, you have a platform, you know, it's a little bit different than the Bug Bounty program, I'm assuming. Or because you, you know, you have so much experience of like growing protocols and organizations in crypto. This is kind of your forte anyway, so this is a lot that you're contributing, but I know that must be tough balancing that and being the CEO and, you know, managing people,

Mitchell: It is extremely tough. It's a bad lifestyle. I wouldn't necessarily recommend it to most people. There are, you know, other better things to do with life,

Stephen: to make money, as I

Mitchell: right.

Easier ways to make money. But it was a worthy thing to do. It look. The real transition there, I here speaking as an operator, hopefully the other operators in the audience. The transition is moving from being a kind of one product or a very kind of focused product with a very focused brand to being a multi-product company and how you make that shift. We were already a platform, but being a platform with many different products and it is a completely different marketing beast.

So how do you arrange that? How do you brand that? How do you message that to people? That takes a lot of work. That is taking a lot of work. It's not done. It's not gonna be done for another year or two, and we fully settle into it. And the key thing for those of you who are thinking about it, the key thing for us who are doing it now, this is just a laser focused, right?

Laser focused. On the value proposition to the customer and what that means and how we solve their problems. Because if we can demonstrate that and make that very clear in our marketing, in our copy, in our pitches, in our conversations, and in our daily interactions, just every touch point possible, the customer's gonna understand, and you will succeed in that shift in marketing strategy and approach, but infusing it, right, infusing this new message and value proposition into so many touch points.

Like that's the challenge because that is a massive operational shift that takes place across nearly the entire stack of your customer facing operations. A big cultural problem, a big branding problem. But that's, that's just how it has to go. Make it or break it.

Stephen: hasn't changed, right? You're still offering, you know, a, a way to improve somebody's Web3 security. So at

Mitchell: That's right.

Stephen: could also use the new Magnus tool. Is that a good assumption to make?

Mitchell: Every Immunefi customer will be a Magnus customer. Full stop. Right? Everything that we've designed has been designed to serve these core needs that our customers are already experiencing. So you could really think of the shift from Immunefi as you know, the major bug bounty platform in the world to Immunefi Magnus as the leading security platform.

As a growing up, we're still doing the same thing. We're still the same person, but we're doing it in a bigger, more mature, more impactful way.

Stephen: I think a question that people listening to this might have is like, does that mean that you don't need the bug bounties anymore? I think that would be a question if I'm like listening to this from far, I'm like, oh, okay. It seems like Magnus is gonna do everything.

Mitchell: Okay.

Stephen: need bug bounties or is like the bug bounties part of Magnus overall solution?

Mitchell: Your, your latter point is exactly right. So, bug bounties are one of the key and critical layers of Swiss cheese,

but at the end of the day, there's just one layer and we want a whole stack of them to ensure that no hack can ever get through.

So Bug Bounty is the leading one, but all the others, they all designed to fit and connect and to communicate between one another, and that creates new value that we think will ultimately make the world a much safer place.

Stephen: Bug bounty is the, the cheese with the, the smallest amount of holes, the smallest size holes. Is there anything else you're building or on the roadmap? I'm assuming Magnus is taking up all your time in 2025. Is there anything else you're thinking about or your team's focused on?

Mitchell: Magnus is taking up all my time. Magnus is actually, you know, the foundation for something that we think we're not just targeting, you know, getting down to the sub 1% levels of hacks, we're actually targeting the sub 0.1% of its hacks to sub 1%. Okay. That'll take us to like a world of five, you know, to $10 trillion on chain value over the next five or 10 years.

But like the real game, if we wanna accelerate even further is can we basically eliminate hacks as a category, especially whether code related in the first place and we think we can take it another notch down. That's something, oh, I wanna talk about that in 2026. It's gonna be a long road to there. Magnus is the core and the foundation of that. But we'll save that for the future.

Stephen: And that means that that means you have to come back for part two. Do you think that opens up the, you know, the floodgates for TradFi because they're still kind of on, I think if there was one question you asked TradFi is like, Hey, how come you're not all in? It's like there's that still that little nuance of us losing all of our customers funds because

Mitchell: Right.

Stephen: you know, and then us offering back money to a hacker to get the portion back.

Do you think that's the one thing that is still missing to open up mainstream adoption of cryptocurrency?

Mitchell: Well, we, we are already moving on mainstream adoption,

so we've kind of won the early battle of mainstream adoption. But when we're talking about truly large financial markets, right? When you have, you know, 10, $20 trillion on chain, and here I'm talking about, you know, beyond Bitcoin, excluding Bitcoin from that calculus entirely, just thinking of a world where crypto is overwhelmingly the largest financial market in the world, okay, that's the win condition and that requires exactly what you said. So when we're looking at like, how do we get down to in minus 0.1%, right? The 0.1 to 0.001%, in terms of hack value per year, it's precisely to facilitate that massive TradFi movement of wealth of 10, 20, $30 trillion.

Stephen: I love that. And DefiLlama might go out the, you know, they always keep those ranking of all the hacks and what caused it. So you're hoping to

Mitchell: It will come

Stephen: section of their website, hopefully down for good. Mitchell, this has been amazing. Curious though, you're, you're touching so many things. You've been, you know, decentralized social media, or at least blockchain based social media or, you know, working with companies that was early on blockchain and AI convergence.

What are some of, like, you, your nerdy, nerdy friends are heavy into tech. What are they playing with? And it doesn't even have to be technical. It might be, you know, like not, you know, new ozempic or, you know, going out to the forest and doing mushrooms. What's that thing that people are doing that you're like, people are gonna think this is strange, but 10 years from now you're gonna be like sitting there microdosing acid and being like, oh, this makes so much sense now.

Mitchell: Sure. So, a weird thing that I do that I think is gonna blow up over the next 10 or 15 years is hyperbaric oxygen treatments. So for context, that's like, you enter a highly pressurized chamber and then you breathe purified oxygen, and the result is a dramatic increase in oxygen uptake, which has all sorts of interesting effects in the body. Generally positive. It is not without its dangers, without its risks. So, you know, buyer beware and do your own research, but it is a pretty phenomenal thing, and I can see a world in a best case scenario, right, where the world goes on a better path than it is today. I can see a world where hyperbaric oxygen therapy is widely available in every major cosmopolitan city at a reasonable price.

And I think that would do absolute wonders for health outcomes and by extension for, for people's whole quality of life. So that's one thing.

Stephen: I, hold on. Before you go out, like how often would you do that? Is that something you do once to a month? Is it a weekly thing? Like I'm, I'm so into these type of trends, so I'm really interested about this.

Mitchell: Well, I'm pretty hardcore, so I've got multiple hundreds of hours of hyperbaric therapy under my belt, and I could do it several times a week or whenever I need a boost, but that's unusual. Like I have my own chamber and almost nobody has their own. So, that type of frequency can work. Alternatively for most people, they would just aim to do it for, say, 50, 60, 70 sessions to go and deal with a particular health problem over the span of a few months, up to three or four times per week.

Stephen: And what's the worry? You said that the, you know, it doesn't come without side effects. What's the worry while you're in the chamber? Something could happen, or is this general that hasn't been around long enough to know if there's any deeper side effects?

Mitchell: Well, it's been around for a long time. So for example, it was much more popular in the old Soviet Union where they used it to prepare cosmonauts for going to space. 'cause the simulated pressure was very helpful for that effect. But the, it's pretty safe. But the challenge with it is there are always unexpected contraindications. You are effectively flooding your body with oxygen. And that has, you know, serious risks if you're not aware of what they are. So you need to make sure it's safe for that particular person.

If they're reasonably young and healthy, there shouldn't be any concerns. But if they're older or have diseases or historical illnesses, there may be things to manage there. And then the second thing in a constant danger is just you're dealing with a hyper pressurized chamber. And so, you know, you need to be very, very careful. For example, if you have a, you know, 99% oxygen in a tank, you're just flooding a say a metal tank. That way, if any light ha or not light, I should say, any spark catches, it'll immolate the whole tank. As in it'll all be incinerated, right? Because the oxygen will catch fire and you'll be inside it. So the, the technology needs to be very carefully handled and very sensitively treated. There are ways to de-risk that, there are solutions to that, but like I said, it's not without its risks. You have to be cautious.

Stephen: Very interesting. Mitchell, you're a very interesting person. There's no doubt why you are top 100 personality in blockchain. Does that award mean anything to you? Do you like, look at it and like, Hey, you know what, if it validates a lot of the hard work that you've put in? I know a lot of people like that's their LinkedIn profile, their LinkedIn feature, like that's what they'd have.

What does it mean to someone like you who's building on the mission? Is it a nice to have? Is it like a goal that you had earlier on in your career? That doesn't mean as much now. I'm always curious about those type of accomplishments.

Mitchell: Sure. I, I never really thought about, you know, becoming a, a, a particularly famous person or to have my work recognized in that way. So the thought really didn't occur to me before it happened. When it did happen, honestly, I was just very appreciative. It feels nice to be honored and to be respected. I put in, you know, endless amounts of grind and suffering. To go and build Immunefi and do the work that we did. I'm happy with that outcome, but I really do appreciate just people saying, you know, thank you for doing your good work. And I think the whole team feels the same way. So the award is a small thing. I think it's great. I mean, I think these, these little acts of, of kindness and respect are, are really, really, they're much more powerful than you would think, and it had a much, you know, more positive impact on my own life than I expected.

So I'm, I'm glad they give it, and I, I felt very honored by it.

Stephen: Mitchell, I could literally talk to you all day. This has been probably the longest conversation I've had on the, Around The Coin. It's been one of the best conversations I have. We have to do a part two 'cause there's just so much going on in the industry. I'm curious before we go, did you see the Solana commercial that's getting all the controversy?

Mitchell: No, but I, I saw the post Solana Ethereum hammer and sickle and swastika comparison, so I imagine it was pretty wild.

Stephen: I don't know. I never, first of all, I didn't even know Solana was like an American, like, I don't think of like Anheuser-Busch Solana when it comes to American patriotism, I think of more like, Hey, they're more like TikTok. TikTok. Aren't they owned by like Chinese? Like, I'm not quite sure. So that was fairly interesting.

But they like, were hardcore patriot. I'm like, okay, I don't think anyone's like, you know, running the flag up and down Solana's headquarters, but that could

Mitchell: Now I have to see it. You sold me. You sold me. I'm gonna go and search it right after this.

Stephen: go, go watch it. I thought it was like, it, it was weird because it wasn't overly fun. I think when you go with that kind of humor, you have to be overly funny. You have to be like, Andrew Schultz funny. Like it has to be an act. It was like, kind of like, trending on some topics. It felt more like. Hey, this is a commercial for Trump.

We're part of Trump. It felt more like the Mark Zuckerberg announcement of like getting rid of certain

Mitchell: It's the new era.

Stephen: Facebook. It felt

Mitchell: Mainstream adoption is here.

And they understand, right?

Stephen: It felt like they were trying to like, give their offering to Trump as being part of, you know, team Trump.

That's what it felt like. But I'm not big on politics. It just, it just didn't hit, I don't think. I wasn't overly offended by it, but I wasn't like, oh, this is so funny. I can't believe they went there either. So you guys send me a message when you watch it. Let me know what on. Mitchell Amador, CEO of Immunefi.

I'm excited, I'm like gassed up about me, obviously crypto compliance, blockchain investigations, background. I see the impact on hacks on the victims that also, you know, when those protocols go down, the victim's money, a lot of times, as you said, goes with it. So I'm pro Bitcoin hack and Crypto hacks under 0.001%.

I'd love to see that, you know, number pop up in the next Chainalysis or Immunefi report. So, great talking to you and where can people find you? Where are you interacting with the, the people that are gonna love this episode?

Mitchell: Sure. If anybody wants to follow my work ongoing, they can find me on X. And I'm @MitchellAmador, M-I-T-C-H-E-L-L-A-M-A-D-O-R. So follow me there and you'll see all the trouble that I get up to and try and keep everybody safe.

Stephen: Love it, Mitchell, thank you so much for the podcast.