Is Your Crypto Safe From Hackers? - Dyma Budorin | ATC #609

Join host Stephen Sargeant on this special edition of the Around The Coin podcast as he sits down with Dyma Budorin, CEO of Core3 and co-founder/executive chairman of Web3 cybersecurity firm Hacken, which basically means when something gets hacked in Web3, he’s one of the people everyone suddenly remembers to call.

He’s helped secure leading exchanges and infrastructure used by millions of users and watched closely by regulators, turning scary security reports into simple scores that even non‑crypto people can understand.

Today he’s here to talk about how not to lose your funds, your users, or your reputation in Web3… ideally all three at once.

Host: Stephen Sargeant

Guest: Dyma Budorin

 


Episode Transcript

Stephen: This is the Around The Coin podcast. This is a special edition with a capital S.

We have Dyma Budorin, who is the CEO at Core3 and Hay Group. He's also the co-founder and executive chairman of Hacken, one of the biggest Web3 cybersecurity companies. He talks a lot about Core3 and how he's bringing transparency and due diligence to the crypto space, whether it's a crypto exchange or DeFi protocol.

You can get this Moody's type analytics on how safe and how much cybersecurity, the biggest crypto exchange to the most unknown DeFi protocol has.

He's done a huge amount of work with Hacken over the last eight years, building out this entire group of Web3 cybersecurity services, audits and bug bounties, and now he has become kind of a whistleblower as he has posted some interesting insights to wreck news about Sumsub, some of the gaps he sees in the infrastructure, their potential relationship to the Russian government or Russian entities.

This is a really interesting episode. I'm here to play devil's advocate and talk through some of the allegations that were made and findings that were found. I think this is one of the interesting episodes.

This isn't gonna be a flashy gotcha type of podcast. We really want to dig deep into the mindset that went behind his work, and I think this one is gonna be really interesting for the industry as this story unfolds. This is your host, Stephen Sargeant, the Around The Coin podcast. This is an interesting episode. We have Dyma, he's a CEO of Core3. Most of you know him as the co-founder of Hacken, uh, Dyma. Why don't you, you've been in the industry cybersecurity for almost 18 years. I'm curious why you decided to focus on Web3 to begin with and what got you into the path of like Web3 cybersecurity.

Dyma: Well, but that, that was an incident. Hey. Hey everybody. Um, yeah, that was, um, a funny incident to be honest. Uh, I've been, uh, working at that moment of time for Ukrainian government and Gil Cybersecurity Center there. And, um, there was, I was already like in love with crypto. Uh, it was summer 2017 and there was a patient competition in Kyiv and um, like there was the prize pool of 100 Bitcoins.

And if you win, um, then you got like, like there is three places, three, three Bitcoins. And we went with my team with the idea of, uh, taking nice bug bounty and, uh, we got the three, three Bitcoins. And um, and yeah, but then, uh, we found out that, uh, in order to get them, we need to make an ICO. So we made an ICO back in 2017, left our jobs and started Hacken.

So that's, that's the story.

Stephen: I'm sure those 33 Bitcoins look pretty good right now.

Dyma: No. No. They all gone. They all gone very long time ago.

Stephen: Don't tell us that we need to talk. We need to have one interview where we say, the person just says, yeah, I got them all. They're all right here sitting with me. Like every story is that they're gone. Uh, I think the, you guys probably get media training, like always say that your Bitcoin, they're gone, so you're not targeted.

I'm, I'm curious though, like you built, you just celebrated eight years at Hacken, uh, which is a huge accomplishment. You just talked about bug bounties. We've had unify CEO on the podcast. How has cybersecurity, it seemed, I know we're having this conversation probably will be posted three weeks after we saw some of the two huge, you know, we saw Drift protocol go down and another dial go down.

How come we're not getting better at Web3 cybersecurity over the last eight years? Or are we getting better? And the illicit actors are just getting more sophisticated.

Dyma: No, actually we are getting better yet. So our smart contracts are getting better. Uh, what we, and what we are struggling to fix right now is operational security, like supply chain security. And this is the, the biggest problem right now. And, um. And, um, yeah. Um, the, the hackers, it's always cat and mouse game, you know, uh, the hackers when they, uh, see that is became, it's becoming very hard, difficult to hack smart contracts.

Then they start to attack different, uh, through different s. Yeah. And, um, yeah. Um, so the stack is there, uh, what needs to be done is there. It is just, uh, the projects are either a little bit lazy or saving money on security or they, uh, or it's too hard to rebuild, uh, the initial setup, which was done in the wrong way.

So, so yeah, that's, that's the main reasons.

Stephen: What are you helping companies with at Hacken? Because it looks like a lot of these companies are getting audits. But there's still, you know, ex, there's still exploits. Is there, you know, two layers? Is it the like Web3 layer protocol that they're doing? The smart contract audits, that's what hack helping with the, with.

But then they're sophisticated, you know, social engineering on the other side. That leads to, you know, these huge drains. Like where's this happening on the Web3 or the web two, social media, social engineering infrastructure. Where are these hacks you think are happening?

Dyma: So yeah, the social, like social engineering is so, is a method. Yeah. How to, uh, uh, get into the system that is not, um, properly designed like you should think about like, cybersecurity, uh, as the Swiss cheese, you know? So, uh, you have the slices with the holes and you put them like one after another, and in the end, hopefully there is no hole in the, in all cheese slices. So, um, so yeah, like the, uh, everything starts with the key management, uh, set up. Yeah. Like, um, it's, it was an interesting take from, uh, Hayden from Uniswap. Yeah. That we need to start, um, not calling decentralized exchanges and DeFi, DeFi if they have central, uh, point of failure.

And they are not using properly multi-sigs and all the, all the, uh, transaction simulations. So, so there are a lot of layers. Yeah. And the audits is usually, is the one that, it is the only one that became the industry standards so far. Yeah. And it took, it took, it took some time to even became, and in terms of the, you know, even private keys management, um, there is only one standard CCSS that, uh, is properly explaining what the project needs to do in order to set the safe environment. And only maybe like 15 companies did the standard, all other ones and traditional ones. They are doing this old school ISO, SOC 2 certification. But they don't account to crypto risks at all?

No, not at all. But in many cases. So, um, so the gap is, is big. Yeah. Another thing is, uh, operational security. Yeah. Uh, companies are not doing, uh, proper. Uh, proper job in this domain. Yeah. Like imagine, uh, all, all these founders with their personal laptops, with their personal, um, phones, uh, holding the keys, signing the transactions with MetaMask from the phone.

This is a common thing in crypto, unfortunately. And, uh, they have all the corporate, um, corporate Slack, uh, I don't know, some Jira installed on the phones and. This is, uh, this is just a bad, very bad practice and we are all experiencing, uh, the, the consequences of this bad practice. So, so this is actually why we're building Core3, to be honest.

This is the Core3 is, uh, uh, that the platform, which highlights all the bad practices on which we can see from the public data and where we encourage and give the methodology. Like what you need to do, where, where your, uh, prob potential problematic area where you need to fix them. Yeah. And um, and also for the good projects to just to, uh, submit, uh, some information that we didn't find and to shine as the project who is doing the right job for security and

Stephen: Is this. Do you see this in like traditional terms? I guess this is very similar to like Moody's, you know, judging determination of an asset and the value of the asset and how strong the asset is. Is this a very similar concept? Because I remember back in the day there used to be like an ICO tracker where you, they used to give a rating based on if you could determine the team. You remember that? I can't remember what it was called, but I remember there was

Dyma: I saw bench. I saw bench with last one I saw, uh, rating as well. The guy signed in jail, by the way.

Stephen: So, so maybe not the best business model, but.

Dyma: yeah, yeah, yeah, yeah. We completely see it in the different, uh, like in order to explain Core3, I usually use the, the whoop, uh, example. Yes. So, um, the first time when the guy, um, uh, gave me a, as a present, whoop.

I like, okay, whatever, not a fitness tracker, who cares? I will try to use it. And I was, uh, wearing it. And then after one month, uh, he told me, dude, you are six years older. Your whoop age is six years older than your actual age. And I was like, what the hell? What is wrong with you? It's like, I, I'm doing some sports.

I'm not the, not the bad guy. And then, um, yeah, I, I, I like. Kind of took it off and didn't care. Then, uh, I met, uh, some other friends and they were like showing off, oh, look at my whoop age. I'm like three years younger than my actual age. Oh, I'm four years. I was like, Hmm. And this guys actually look better than when I saw them, uh, previously.

And then I went back to my whoop, uh, thing, started to analyze what I'm not doing correct. And slowly, slowly I started to fix the things, like started to go to the gym. First time in my life, I started to run in the morning, you know, um, fix my sleeping, uh, routine, uh, started boxing classes and, um, yeah, I'm feeling better my whoop age.

I'm just 0.8 years older than I am, but I'm on the way to, to lower it down, so, so this is exactly what, what Core3 does? Yes. So we are. Gathering as much data for the industry for every project as we can. And, uh, we are, uh, first of all, we are asking to provide a small data so that our data, uh, data sets are more accurate and we give, uh, the, the methodology and the scores on how the projects can improve.

So, uh, the whole idea is to make our industry better. You know, um, more mature. Yeah. Because, um, even, like, even if you look at this from the other perspectives, uh, Moody's, uh, uh, Standard & Poor's, Fitch, they all are used uh, to, um, validate the investment decisions of the funds. Yeah. Of the institutional funds.

Um, and, uh, and then crypto institutional funds are not entering because they don't understand the risks. There is no party who can validate those decisions or at, there are some, but they don't have public dashboards. Um, so yeah, we decided like, let's do it. The industry needed, uh, it'll have a positive impact.

We have experience already. Yeah, because, um, we had the, uh, cryptocurrency exchange rankings from 2018, which. It's integrated into CoinGecko Trust Score, and that's, that's all, like, that had an impact on the industry. The exchanges started to do a better job in terms of security and, uh, yeah, we've, uh, we, I see that this is, uh, being, uh, right now in the industry, I see that my, uh, personal, um, experience and knowledge will be better used in this product.

Stephen: And what kind of information is this taking everything from proof of reserve to like. AML/KYC programs to like what kind of security audits they have done. Is it like, like combinating, all of that information, compiling all

Dyma: Yeah. No longer. We're also like digging into the GitHub repo. Uh, we are, um, looking onto supply chain, looking into economic supply, uh, uh, concentrations. Um, also even checking the social medias. Yeah. Uh, are they faking their numbers or not faking? Yeah. Because, uh, you know, like a lot of teams are using bots to look better.

This is a clear indication that the, that the team cannot be, uh, trusted with your life savings.

Stephen: And do you think you would've been able to identify something like FTX, let's just say FTX was on your platform like today, do you think you would've been able to like see that there was some gaps based on the data that they didn't or didn't provide? What do you think FTX's ranking would've been before they went under, based on the methodology that you're doing right now?

Dyma: Sure. Uh, well actually I was involved, uh, quite a lot in FTX case, uh, back that days 'cause we were starting to stream about proof of reserves way longer. Um, and my, my end goal, like my big goal was the Core3 is to collect, uh, all the cold and hot wallets of the most of the exchanges for each tokens.

Yeah.

For each tokens, uh, what this will allow us to do, yeah. If we have all these data sets. So first of all, we will see, um, who is broker and who is exchange, because we have only maybe 20 exchanges. All the rest are brokers. Yeah. They, you deposit your money to this ex broker. They say here, you got trading, you have very liquid pairs, but in fact they're sending your money to more liquid exchange and they just do middle uh, trading.

So, uh, this will allow us to have this, this, uh, this separation. This is very needed in my opinion. We still like call in some exchanges exchange, but they are absolutely not. And second, what this will allow us to do. You, we will be, uh, we will clearly identify the wash trading. Sorry. So you will see, uh, you'll be able to compare the cold and hot wallet amount. Yeah.

Which basically represent all the balances of the users at this exchange and compare it to volume and the order books. And once you do it, then, uh, uh, you'll be clearly see the wash trade and where the, the balances do not reflect, uh, the volumes that, uh, skyrocketed. So, uh, this is, uh, if, if we are able to collect and have a very good, uh, accurate data sets for that, it'll have a massive impact on the industry.

Stephen: Do you think with all the regulation coming in, everything that happened in Canada, you know, with the wash trading incident and the, the legalities around that, do you think there's a lot of exchanges still doing wash trading today?

Dyma: Yes, absolutely. Again, exchanges or brokers. Yeah. For sure. It's like, uh, let's say, um, you cannot, uh, so they're not doing it by themselves. They, uh, close the eyes for some accounts that are doing that. Why they do it, uh, because they, uh, the more volume, the more commissions they earn. So, um, they don't care. So, of course, uh, of course there is wash trading.

Stephen: You've been in the industry for 20 years. Have you seen a societal shift? Like we see people put money into DeFi, no audits. They don't care that all of a sudden now a hacker hacks it and they're like crying on Twitter about their lost funds. Do you think by creating Core3 people are gonna be more particular, especially institutions where they put their money, they're gonna make sure like, Hey, they've went through a lot of the security requirements.

I'll, I feel more comfortable investing in a double A versus something that's teetering on a D when it comes to security.

Dyma: Look, I, first of all, I think we don't have other choice. Yeah. Uh, the, like, even now you see that, uh, even the biggest protocols have a background right now, like Harvard today. Um, if, uh, we don't, uh, like the, the risk infrastructure, the public risk infrastructure is the must, uh, thing to have in the industry.

We don't want to be the only one. Yeah. We want, uh, other companies to create public risk dashboards. We want people to talk about the risks. And, uh, and compare projects with projects. Yeah. So that it triggers projects to do a better job. Yeah. You know, like we don't want to talk anymore. Like, ah, do you have a smart contract of your token?

Uh, e seats venue. But in fact he has the huge protocol, uh, audit. So, so yeah, it's about the accountability of the projects and transparency once you're accountable. Um, then you are becoming a better project. So that's Without it, without it. Look, uh, we, we gonna drain and fall. Yeah. And all the retail will just trade meme coins.

Uh, follow the insider insiders from the Washington DC and I don't know what else they do. And, uh, and uh, uh, leverage trading on Hyperliquid with 100x. Which is the, which is very bad industry to be in, and this is not what we wanted.

Stephen: You're very close to a lot of these hacks that are happening. How? Like I think there's a perception right now that, hey, if I get hacked, if I'm part of, you know, if I've invested, you know, tokens into Drift protocol and I get hacked, TE's gonna come in and save the day and collaborate, and people are gonna always come help me.

How true is that? Like how many hacks have you seen where the actual protocol has to shut down because there's no way to recover the funds to the victims,

Dyma: Come on. It's like, I think it's, uh, the, this trend that you're saying is, is just like, start, starting to be a trend. Yeah. Uh, like the re like yesterday or today it was, uh, rum who, who basically took the stolen money from uh, North Koreans, um, back to the protocol. This is something that never happened, uh, before, after the, uh, almost 10 years ago.

Yeah. So, um, it's, it's very new thing and I think it's, and we have like in, uh, community, Ethereum security community, there were a lot of debates today about it. Um, I'm on the sites that if we can, um, if we can. Um, identified the very clear, uh, theft and, uh, and, and if there is a mechanism of trusted councils like this in Orbital, uh, I think, uh, it's okay to do, um, such reversal of the transaction.

Um, but of course there are a lot of other opinions that we should be complete permissionless and so on. Um, but I think if we have this tool, then we need to use it, but we should not use it for every, you know, like, uh, every case. Yeah. Uh, it should be very extraordinary and the council should decide, and the council should be trusted.

Stephen: What are your thoughts around, people say like, well, Mango Markets is a really great example. Like, Hey, I played within the game that was created, and you're probably seeing a lot, a lot of these protocols get technically hacked, but you're probably looking at their code like, well. They just, someone just came in and did exactly what the code said they could do.

How do you balance, like what is a hack versus somebody that's just playing within the parameters of the smart contract and they just happen to take the funds? Is it like as soon as you're playing outside of what the game should be like, how do you determine that? You seen so many different types of hacks.

Do you see where a lot of these hackers are

Dyma: It's, yeah, I think it's, uh, like, you obviously understand are you making harm or you are not making harm. Yeah. If you are making a harm, basically extracting the value of, uh, users that, and most probably it's, it's still a bug, not a feature. Yeah. Uh, then, uh, um. Then you are hacking the protocol. Yeah.

And so if you want to be a good guy, yeah. Uh, ask for 10%. There is no doubt the protocol will pay you 10% and everybody will be happy. You'll be a hero. So it's, I think, um, yeah, I think if you're smart enough, don't, uh, don't make harm to other people. Yeah. Uh, be a white hat.

Stephen: Does that bother you when you see certain protocols not put in the cybersecurity, not do the audits, and then they want to pay the bounty to, you know, to whoever takes the funds? Does that bother you where you're like, why did you guys just invest in,

Dyma: I was, I was, yeah, I was bothered about it so much. You know, like, like if you, uh, the, uh, we recently had the meeting with this, uh, founders of security firms in Web3, and we, we were debating how big is our market? What is the annual spend? Yeah. So, uh, our, um, we ended up for the amount, like 300 million.

Yeah. All the transaction monitoring called the ec, ec, like, uh, smart qui back balances. The, the total earn of the whole market of all the companies, uh, is around 300 million. Yeah, comparing it to 400, uh, 4 billion lost every year. It's like, it's nothing. Of course. Uh, so, so we, we already stopped being bothered about it.

Uh, so it's fine. Our, our security engineer, for example, uh, very talented guy, made uh, more than $1 million, um, in few months on our own bug bounty platform. We got from this, uh, engagement, I think 10 or 15 K. And he got more than 1 million. And he's like, okay, thank you guys. I'm, uh, and we'll have a sabbatical and it's fine, you know, but.

Stephen: It's this part of, you know, at the end of the day, you're securing, what is your goal with Core3? What are you hoping for? Is it just like finally institutions have a place that they can rely on for, Hey, am I making the proper investment? Especially with everything that happened after FTX. We, I'm in Canada.

We had our provincial, you know, there's, were provincial retirement plans ahead, invested in FTX. There's a lot of losses that were felt around the world 'cause we felt so safe in that. Is that your, you know, if you leave your legacy behind, is it gonna be Hacken? Is it gonna be Core3? How do you think about that?

Dyma: Thank you. Um, yeah, I think Core3 acts on a bit larger scale. Yeah. So, um, it has a potential to influence, uh, the market, uh, in the form to make it more accountable and transferable. And so, of course to bring institutional investors. So I think it's important. Uh, but at the same time, uh, you asked me what is your goal?

Um, and, uh, and I have an idea. So, but it's, so the goal is, uh, for sure to raise the transparency bar as, uh, much as possible. So probably the, you know, like what is the, how will you know that, uh, you succeeded? Yeah. That normal question the product managers is asking

Stephen: Coin G buys you when,

Dyma: No, no, no, no, no. When some of the broad, some of the shitty scammy projects, which who everybody thinks are okay and trustable, uh, they are busted and they go bankrupt and, uh, yeah.

And people get at least some money before they Yeah. So, uh, yeah.

Stephen: I'm curious, how do you make a revenue? Because obviously you have to be unbiased in the way you do this. I think CoinGecko people are saying you have to pay money to, you know, give them extra information so they can properly record. Like how do you make, uh, like what's the revenue structure or the business structure around the model like this that's doing good for the industry, but you also have to pay the developers, the engineers, the, the business development people going around and making sure that this is the standard in the industry as well.

Dyma: Sure, sure. Uh, right now, uh, like there will, there will be subscriptions, premium subscriptions with the alerts. Um, there'll be due diligence on demand, uh, for the, uh, investors. Uh, and there will be also the priority listings. Yeah. So once we get to the. To the track that, uh, we are, um, popular, uh, then, uh, we will charge a little bit more funds for, for not, for, not for, just for the projects here.

I see, to be honest, that our equipment industry is shifting a lot to RWAs and I think that's the yields, the off chain yields that are, um, that's available on chain. And that also requires a lot of risk, uh, assessment. This is, uh, something that will be, um, very popular. It's already, but still, we, even, even right now for yields, we still missing those risk infrastructure that checks not just technical part, but also the scalability, legal, financial, all this kind of stuff.

Stephen: One of the knocks on proof of reserves is like, well, we don't know their real life liabilities. Right? You can have this. Secure on Web3, but they may owe a bunch of loans. They might, even though we saw this with FTX, where they're leveraged on the other side. How do you balance like a proof of reserves?

Well, what's happening in their actual real world infrastructure, their debt, their, you know, equity, et cetera.

Dyma: You count. It is like this is the job of proper financial audits and unfortunately, all these big companies, like I'm not talking about Coinbase or Kraken, they are doing all, everything that they can. So not to, uh, have a consolidated financial audit anywhere in the world. Yeah. So they have, uh, US entity, UK entity, Singapore entity.

And,

Stephen: Right.

Dyma: and they are passing their financial audits, but the reality no one sees. So, um, so at the moment is, uh, is the problem that cannot be solved? Yeah. Um, like what we can do, we can continue continuously educate regulators like what I'm personally doing in Abu Dhabi, in Europe, um, in, uh, central America.

Now, now the team, uh, starts to talk with the US regulators as well. But um, but yeah, we're quite far away from, uh, from some really impactful regulation, unfortunately.

Stephen: You know I, it's funny because the Anthropic is supposed to take my job as a content creator marketer. They're gonna take your job, I hear, too, because they're ready to roll out this AI that can detect these bugs, and it's so powerful that they have to give it some time because hackers could use it to exploit all these, and they're more talking about web two, but I'm assuming they're referring to Web3 as well.

What are your thoughts about ai, you know, not needing, Hacken or any of these other security companies? Because they'll be able to write an AI code and just detect all the bugs out there.

Dyma: Yeah. First of all, I think that, um, um, the myth, yes, that everybody's talking about the, uh, cybersecurity AI from Anthropic. Uh, if it is that good that they are claiming because still no one sees it, maybe some, some people, then it's, uh, basically a weapon. Yeah. It's, um, a real world weapon that's cannot be, be publicly available.

Yes. So, um, so this is one thing. Second thing, yes, of course. Um, like AI also made some of the stuff, it's becoming better and better, uh, however. Like AI from what we see is good to find bugs. Yeah. Uh, but it's also good to miss them. Uh, so you still right now needs to, you need to follow methodology and to check everything that was done by, uh, ai if you didn't miss any, any procedure.

Um, but in the future here, uh, I'm pretty sure that there will be, um, changes in our industry. Yeah, we already see, especially in SaaS business, um, it's something really scary happening. Yeah. Like now the IT departments can build their own, um, like endpoint protection and firewalls without big, uh, complicated, uh, uh, paid annual subscription.

So the industry will change, of course. Uh, all we need to do to be adapt, uh, uh, to, uh, to adapt. Yeah. Be creative, positive thinking.

Stephen: I think creativeness has always, I, I'm curious, are you seeing a lot more pro, protocols use AI? If you're like seeing some of these, you know, post hack mortems or you know, even the companies are coming to you, are you seeing more people just taking the GitHub of some other protocol, dropping it into AI and trying to spin out their own protocol with maybe a different couple features?

Dyma: I think the a uh, the times of such protocols and types of such, uh, forks without the innovation, um, at least for now, they're gone. Yes. So no one is doing that. Yeah, because simply you, you cannot fundraise for that anymore. Like two, three years ago. You can easily fundraise for something like that.

But right now, no. Right now you need, you need some innovation. Um, and, uh, the, uh, teams that I'm speaking, for example, some of the like, I don't know. Um, this, they, MakerDAO, nowadays Sky. Yeah. They, they still didn't, they don't do any updates with the AI for their, uh, protocol. They, they write the code themselves.

They can run the checks and tests as additional layer, uh, with the AI. But yes, some, some of the most prestige protocols, they still kind of follow the, the old school approach, but of course, like, uh, a lot of, lot of teams are experimenting, including us with, uh, different data tools while developing something

Stephen: So the other day I was reading Direct News. I get my newsletter and I see this article Who vets the vets about Sumsub. And I saw that you were a contributor to this article and I really wanted to talk to you about like, Hey, what's going on here? Give us the lay of the land, because sometimes it's probably one of the most popular ID verification companies, especially if you're talking FinTech Web3.

I'm curious, what did you see? What prompted you to maybe dig a little bit open source and you know, what is your, what was your overall goal with contributing to something like this?

Dyma: Yeah. Yeah. So, uh, the goal is, is is still the same, like, make our industry better. Um, you know, I can, uh, it reminds me that, um, 2018, uh, again, it was about the wash trading. We were doing a big investigations about wash trading and big exchanges. In 2018, and we were, and we, uh, made the claim that CoinMarketCap is, uh, should be accountable for not checking the, uh, volumes, uh, through the APIs that the exchanges are given to them.

And, uh, that was the time when it was still not bin and toy. Uh, the founder, um, um, Brandon Chez, he found my Telegram. And he started to threaten me, like saying, Hey, I'm gonna sue you. You cannot use my, our name. Uh, and we ended, we had a good talk. Uh, we ended up that we need, like, we need to change something.

Yeah. And we came, came up with the Data Accountability Transparency Alliance. It was 2018. And with the new rules for, uh, that exchanges have to, uh, follow, uh, if they want their volume to be accountable there. So. The order book metric was introduced, like the order book, you know, this, uh, plus two minus two, uh, uh, sites.

And, uh, and uh, the volume, uh, was also, uh, a new, uh, new methods to minimize the potential straight. Yeah, because still, like if you want to clearly eliminate the wash trading, it's, it's just requires a lot of, uh, computation power. So, yeah. Sorry for preamble, but this is to explain you who we are. Yeah, we're whistleblowers.

If we, and this is just one example, there would been many of them. It is just the recent one and very loud one. So, um, so yeah, I found out the information, uh, from some people that, uh, these guys, uh, have connections, uh, with the, um, Smart Engines company, which, um, which is, which is like absolutely like, uh, f Berg Kremlin Company.

Yes. It goes, is, uh, funded by the governments. It creates the tank recognition system, passports, uh, uh, recognition systems, and even register the patent for the. Drones, military drones, uh, face recognition like patents. It's crazy. So, uh, so yeah, uh, they told me, uh, I found out this information and started to search in the, in the English speaking internet, uh, for this connection is truth or not, and I didn't find much.

Yeah, only some things. And then I asked my perplexity, uh, I'm Perplexity Max. User. Love it. Uh, unfortunately they don't have the referral links anymore, but, um, yeah, it's, I, I so many

Stephen: just have to do that, like that cool video so they can post it on Instagram and add it as an ad.

Dyma: Yeah. Uh, I, I already, I converted so many users for them, so I, I did it like, okay. Search for the Russian internet. Yeah. Uh, I, I said Korean, Chinese, Russian and Iranian. Yeah. And he found so many articles that confirms the, that they used to work with them. They were very integrated into the tech. Basically, it was built by them.

The tech, the identification thing, uh, the Sumsub was claiming that, um, it was on premise, um, library, but, and, and that, uh, the Smart Engines didn't have any access to the data, but this is absolutely unverifiable claim. Yeah. There is no audits of that, uh, on-premise lab, uh, like library, if there were any, uh, uh, route to, uh, leak the data, uh, to mirror the data.

We don't know. There is no audit. There is no evidence. So this is just their words. Yeah. And I, uh, personally, like I used to work for Ukrainian government, I know if you start cooperating with someone like this, uh, it's simply not possible that you are like, okay guys, the war started. Bye-bye. We're moving to UK.

Simply not possible. And, you know, uh, and the, another claim of Sumsub is saying that we have, uh, sacrificed our lives and we moved away from, uh, Moscow and we moved our staff. Okay. Of course you did it. You didn't have any other choice. If you would be there still now, like there is no chance you would secure any contracts, so of course you did it.

But again, the, the major question, like are you using Sumsub? Where is the third party? What is no? Are you using Smart Engines? Where, where are the third party audits, uh, for that? Um, how we can verify like there's nothing

Stephen: What is your overall concern? Is that especially 'cause you're Ukrainian, is it that, you know, it's very tied to the Russian government? Government, the Russian, like I remember FaceApp. We were concerned about putting our faces on FaceApp because the company was Russian and they're gonna take all of our identity.

Is that the concern that Sumsub in some way could be tied to, you know, the Russian government and you're saying, well, they can't just leave if they were ever tied to them in some

Dyma: yeah. It's, yeah, exactly this. So I, I'm afraid I don't, I don't say that this is, I'm afraid that this roots, um, are, um, alluded. That's all our faces and all our passports. And all our smiles. Move your head, uh, right and left up and down. Uh, all these videos are on the servers of Kremlin. So, and if this is true, then like, uh, the, you know, where all the military technologies going like next, uh, huge innovation in the mill tech.

It's not just mill tech, uh, the batteries. Yeah, so the batteries will be 10 times lighter than they are right now. And when the batteries are 10 times lighter, you can do very microscopic drones like bees. Like that scary movie from the Black Mirror. It's not gonna be a movie anymore. And knowing all our face IDs, knowing all our biometrics is just a matter of execution.

From with this big, how you can kill anybody anywhere in the world. So that's it. That's so, that's the only reason why I whistle blow. 'cause I'm scared.

Stephen: And where's the gaps? I think some of the gaps in the article were around like who really owns, you know, Sumsub or the company rare text that like was associated with Sumsub who funded them, I think is a huge one. As a marketer, I realize Sumsub is, you know, very good at marketing. They have a lot of marketing potential that really great on content.

They talk about everything. This was the one thing I was like, Hey, they raised a series B. They didn't really talk about it out loud. They didn't verify the company. If I'm a VC company, corporate VC fund, and I invest in a company like Sumsub, I'm gonna talk about it. I want more people to want me to invest in their project.

Why do you, like, where do you think the connection is? Is that there was some sort of Russian connection that they wanted to get rid of after the war, or it's high or the invasion had started? Like where do you think this. Where's the allegations here going? Just so I can better understand where are there's, or you just saying there's just way too many gaps

Dyma: there are way too many gaps. There are way too many gaps. Yeah. And, uh, the, the, the, the ownership thing. Yeah, absolutely. It's ridiculous. Can you find other successful more doubts? Some cyber successful company. They have integrated so many big clients, they're making millions, hundreds of millions. And, um, um, yeah, so ano, another thing is reusable token.

Yeah. This is also a very big, uh, doubt of a product. Yeah. The, the, the, the token that you can, um, like they have a centralized storage of all the identities and the, the company that, um, has a user who is doing KYC that Sumsub already did, it'll cost, uh, less expensive to them to verify if he was already Sumsub user.

So this is very, like, it's kinda not a very secure, uh, solution, uh, and create that creates very big marketing advantage, uh, for them. So, uh, it's, it is just another, another thing. Uh, so, um, so yeah, of course. If, uh, like, like, show us the investors, why, why not doing that? It's so obvious.

Stephen: But if I'm Sumsub, I'm like, Hey, you're really picking at straws. Like, okay, the company, UK Companies House, I. Reached out to me personally, reached out to a company I was expert, like, Hey, this is the allegation. What are your thoughts? And they're like, you know that, that that registry for like significant ownership is very mis, like a lot of people misunderstand it, and the person even said like, Hey, it's not like a capital failure, but as a RegTech company, they should have known better.

They should be complying with that a lot stronger. Um, and then, you know, it's been about four years. I'm surprised they haven't raised more money. And do you think that could be one of the issues where they're, they can't raise, or the, you know, if they raise more money, they'll have to expose who's on the cap table?

Like what are your thoughts around some potential other, uh, things that you're seeing?

Dyma: I think they will never raise and they will never allow any stranger in their cap table. Yeah.

Stephen: What do you think they could do to completely disarm that article? So they see it in Rekt News. Their PR company, their legal team, I'm assuming is probably a little bit more active than usual. What's one thing if you are a Sumsub customer, what's the, what's your priority? Knowing who invested in the company, knowing who had beneficial ownership during that time where there seems to be a gap, like checking out their actual, you know, their actual infrastructure, where the information's being housed.

Like what's the one thing that you would ask for if you're a company right now, uh, if you were a Sumsub customer.

Dyma: Um, I don't want look, uh, I would ask for the word. Yeah. Not for SOC 2 that they're trying to show. Look, we did SOC 2 now for the actual library. Um, this on-premise library and technical audits of, uh, that tech on the storage, where is stored, um, this type of things and the ownership. Like, look, this is, uh, this is post-Soviet Union like legal structure.

You can put, uh, anyone, like you can make these three guys, uh, the, like the UBOs. But in fact, they will have a trust, uh, signed somewhere that they don't, uh, that they already sold their, uh, uh, their shares and they're just nominees. So I think that the fact that they had this, um, problem, it's not that they, they were just lazy and no one was, uh, uh, pointing finger on that.

Um, but yeah, I think this is way easier to fix for them. Like just to say, Hey, the, the company was so successful. It was brilliant that the three brothers, they bought out the investors. Here you have the documents and uh, and did the company 100% owned by three brothers, which, which is not that difficult to meet up.

Stephen: Why do you think they had to separate themselves from Russia? Like I understand the Russian invasion, it doesn't look good on what Russia's doing, but Israel and Gaza is a situation. I don't see any of the Israeli and cybersecurity companies distancing themselves from Israel. Why is it so important that they had to distance themselves from Russia? In your opinion, obviously, or like what was the I, that's the one part I don't understand. Okay. Like Russia did a bad thing, but they're just a Russian based company. Russia isn't involved, their company isn't involved in sanctions per se.

Dyma: Look, first of all, that, that the connection was too strong with the Smart Engines. 'cause they basically were using the tech was the, the only solution that they were using. And second is that, uh, and soon, sooner or later, it'll be very, like, it would be much earlier that someone would start talking about it rather than right now me and Rekt News now.

But second is that, um, uh, um,

I think KYC data and biometrics is such a sensitive thing and, like, even like I, I made an example with drones, but imagine what else you can do with this data. Even if you have a small risk, one risk that's, uh, this is the like 1% that this is the, the real story. Yeah, that Smart Engines has all our KYC and faces.

Imagine what they can do with that. It's crazy with all the deep fakes, with all the, like, I don't know, it can be a, a massive, uh, nightmare. So, and it can be, uh, dropped at once. It can be one by one with increasing number of deep fakes in the, uh, in the whole, like worldwide. And people will not just understand what is happening, you know?

Until they connect the dots. So if there is even 1% that this is true, we need to eliminate this risk.

Stephen: And let's just say they gave that information. Let's just say they said who their shareholders of Revix was. They announced the corporate VC fund, they explained, you know, that was just a, a gap that seven months with a gap, here's the true ownership and, you know, and the breach. Right? I think the breach was a huge one where it was a significant breach, not very widely talked about.

Uh, what are your thoughts from a cybersecurity lens on that breach of what seems to be their ticketing or customer ticketing system?

Dyma: Oh, there should be, uh, an audit of this, uh, of the smart engines, uh, uh, tech from 1722. There should be an audit of what they, they using now a very robust forensic audit. Uh, there should be audit of their infrastructure, um, and even probably some, um, um, like in depth regulatory requirement, uh, requests on all the people that were involved in.

But this is already a little bit too much. But like, just that sums up integration, 1722. And after that, uh, that will be more than enough. But look, it's, I, I wasn't, uh, I found out that I wasn't the first one who was asking it. Uh, so they, they just don't have answers.

Stephen: You're probably the richest one though. With your 33 Bitcoins, you're the only one that can't sue away. I'm curious though, isn't this what DORA in the EU is for? To analyze these IT service providers and make No, that's not what DORA's gonna do.

Dyma: No. DORA is very broad, like SOC 2 is focusing on some other risks. Yeah. They're not focusing on tech. They're not focusing on data leakages. Yeah. They're not doing the, like when you do SOC 2 attestation, you don't do, like, the security and forensic, uh, code review assessment of every component, of every, every critical component, unfortunately.

Yeah. So, yeah,

Stephen: What do you think the outcome of this is going to be? Do you think this is just a great catalyst to start asking more questions? Do you think customer, do you think lawsuits are gonna

Dyma: My main goal is some regulator or some, I don't know, uh, authority that gives a grant for Sumsub to operate on that territory, will pay attention and do a proper investigation on all these matters. That's all I want. If uh uh, there will be such investigation, they will say, uh, that we didn't find anything.

I would be more than happy to, I don't know, to excuse myself, whatever, do whatever, but, but I don't think it's gonna happen.

Stephen: And you know, I think you've seen enough protocols, enough exchanges to really. There's like the Swiss cheese analogy. There's holes in everybody's system. There's holes in everybody's infrastructure. Like Sumsub might be looking at you like, why are you picking on us? For everyone has holes here. Why aren't you looking other places? And are you looking other places? And are we gonna expect a lot more contributions to you to Rekt News?

Dyma: Look, uh, right now it's easier to write researches with the pl. Yes. So, yeah, uh, we have, we have some other topics that the crowd needs to know for sure.

Stephen: And what are you doing now?

Dyma: Not, it's not that we, we, we are Ukrainians who want to go after Russians. No, I think it's just a very important, uh, thing to know for all the, all the people who are using crypto.

Stephen: As we end the conversation, talk about, you know, the future. I know Yev is handling as a CEO, I believe, of Hacken. You have a ton of groups under Hacken and, uh, a ton of groups there. Uh, what's the future? Is it Core3? How do you balance all of this? You know, you have free time and instead of worrying about your, your new business, you're worrying about doing research with Perplexity to figure out the infrastructure of Sumsub.

Uh, how are you balancing your time and what would make 2026 successful for you?

Dyma: Uh, IPO for sure. Um, yes, so we, we were doing building the group for the last couple of years, so that's why I translated to kind of chairman of the group position and with one with the Core3 as the primary responsibility. We have service business with Yev. We have backbone supply from HackenProof.

Uh, and uh, also one sa that we are not disclosing yet that's also going to relate to AI security. And yeah, we, we are doing the group four companies. Uh, everybody has a CEO and, uh, going public, uh, is is the.

Stephen: Can you give any advice for any CEOs out there looking to do this? Seems like a huge, you've been working on this for so long. What's some advice you can give to some of the builders? You've seen bear markets bull markets a dozen times by now. What's some advice you can do or provide for the sustainability and longevity of your business?

Dyma: Look. Yeah. The, the, the bear markets is the hard part of, uh, what we do. Yes. Um, yeah. Stay honest with your team. Uh, even when it's the hard time like this, this is, um, this is the way to build long relationships. Yeah. If you need to cut people, um, show the, show the books, explain them the, uh, why you are doing that, um, offered, um, certain salary, uh, cuts.

Yeah. Uh, temporary or depending on the revenue and profits. Um, so yeah, the, the transparency, uh, is works not only with the public, uh, appearance of the company, but also inside the company.

Stephen: As we leave this conversation, where's the best place for people to find you? Obviously, we'll link the Rekt News article and the, you know, the website for Core3 and Hacken, but where's the best place for people to find you? I see you interacting with ZachXBT sometimes on Twitter. Where's the best place for people to find you?

Dyma: Twitter, Telegram, my surname. Telegram. Yeah.

Stephen: Awesome. Dyma, thank you so much for sharing these insights and I'm excited about Core3. I

Dyma: Thank so

Stephen: what the industry needed for the last 10 years, but it's at least now we have somewhere we can point to for some kind of validation of what a safe exchange looks like. Are you just doing crypto centralized exchanges? Are there other protocols there? Is there

Dyma: There are protocols. The initial is centralized exchanges protocols. Soon it's gonna be integration, uh, for staple points for L2s and, uh, from the two beats. And then, uh, uh, we're gonna focus only on RWA yields.

Stephen: I'm sure that's where a lot of the attention will be over the next year. I think we were both at ECCI was surprised to hear a lot of RWA regulation compliance conversations. It looks like everyone's trying to promote themselves to institutional dollars. Thanks so much, Dyma.

Dyma: Thank you. Thank you.