Protecting Crypto Exchanges From Costly Hacks - Yevheniia Broshevan | ATC #574

Dive into the thrilling story of the largest crypto hack in history with Around The Coin podcast host Stephen Sargeant and special guest Yev Broshevan, CEO of Hacken Blockchain Security & Compliance, and a voice in the crypto space since 2014. Scaled Hacken from a small Ukrainian startup to a global team of 140+, securing 1,000+ projects, including prominent names like Binance, OKX, and Bybit, among many others. Certified Ethical Hacker. Named to Forbes "30 Under 30" in 2024 and a judge on Apple TV’s “Killer Whales”. Wtech Advisor, Blockchain4Her Ambassador, and passionate advocate for women in Web3 and STEM. Master’s Degree in Cybersecurity. Stanford Executive Program alumna.

Host: Stephen Sargeant

Guests: Yev Broshevan


Episode Transcript

Stephen: Bybit was the biggest crypto hack we've ever seen, and today we have Yev Broshevan. She is the CEO of Hacken, and she's gonna tell us a little bit about what happened with the Bybit hack, how cybersecurity and crypto is expanding, how she started this small startup in Ukraine and built it to over 140 people, and they just celebrated their eighth birthday with what is gonna be the future of cybersecurity: pen testing, audits.

They now have cast to invest compliance. This is a crazy episode. She tells us all the early conversations that were happening in crypto in 2014 and what projects made it and some that didn't make it. If you're building anything in crypto, whether that's payments, stablecoin infrastructure, running an exchange, or anything that involves custody or key management, this is gonna be the best episode for you to listen to.

We cover a lot in this episode and she just has concise answers, invigorating conversation, and I know you're gonna love it. If you do, reach out to me and Yev and ask us some more questions and we'll help you out. Talk soon.

Stephen: This is your host, Stephen Sargeant of the Around The Coin podcast. We are extremely lucky today 'cause, hot off the press, Hacken is expanding. Hacken is one of the biggest cybersecurity companies in crypto. We have Yev, the now CEO of Hacken. Yev, tell us a little bit about yourself. We're gonna touch on your background and then get really into the cybersecurity perspective of what's going on in crypto, that's seeing us pla with a lot of exploits and vulnerabilities.

Yev: Hey, happy to join.

Stephen: I'm curious. Like, you started out, it looked like you were going the path of aerospace, and we've had a couple, you know, astronaut-type professionals here, aerospace professionals that have gone into crypto, which is an interesting transition. When you went to National Aerospace University, what were your career aspirations at the time? What did you think you were gonna end up doing?

Yev: It is funny enough that I studied cybersecurity in National Aerospace University. So literally it was one of the few universities that were starting cybersecurity departments back then, in 2012. So all my career I was in cybersecurity and still here, just changing a bit the angles, but it was really interesting to study not only the main expertise, like basic computer science, then cybersecurity, and then I was studying how each part of the plane is called. And I was drawing this in my classes and learning about physics and thermodynamics and stuff like that. So it was kind of complex, but now I can see that I'm spending in the airport probably a third of the year. So really it was the inspiration from the university, because I remember that on our territory we had a lot of different airplanes and different parts of the airplane.

So I was always surrounded by that. And now I just changed it from the old stuff to real-time flights.

Stephen: I love that you're on the tarmac and in the hangar going through the mechanics of all the different parts of the airplane. When did you first hear about crypto? 'Cause, you know, computer science, cybersecurity background, you come from, you know, Ukraine, which is a very technically forward country. When did you first hear about crypto and what were your initial thoughts about crypto?

Yev: Yeah. Funny enough, I first learned about crypto at university from my professor, who told me about Bitcoin back in 2014. We were discussing mining on the computers that we had. And back then, for a lot of people from the cybersecurity sphere, crypto is for cryptography, and they're kind of, you know, angry when they say crypto is for cryptocurrencies.

But back then I learned about Bitcoin and, later that year, I visited the first lecture about Bitcoin in iv, by Pablo Craft in Cohi. He was just back from San Francisco, really inspired about all this Bitcoin decentralized systems, and was sharing this with the local students at the university. And I visited one of his lectures and got really inspired about that, and that's how I got my first crypto job and started working in this direction with him.

Stephen: That's crazy. 2014. You've seen probably a lot of projects, you've probably heard a lot of people pontificate and talk about crypto. Are there any projects back then that you were extremely bullish on that haven't quite worked out the way you thought they would over the last decade? Like, I know we were supposed to bank all the underbanked or unbanked people. That hasn't exactly happened since I've been in the industry. Were there any projects that really surprised you, that blew up, that you're like, "Hmm, I didn't really know about that project"? And then vice versa: you thought it was gonna change the world and it kind of fizzled out, or the concept kind of fizzled out.

Yev: You know, my first job was doing security research for different crypto exchanges and then secure messengers. I don't remember any of them that survived till this time, but there were a lot of concepts around that. But honestly, if you look back then, for me it's about surviving in this market, and the companies that we started to work with back then were like Stellar and Ripple. And they're still here, still on the top charts. So that's definitely the guys who've been here for a long time. And obviously Bitcoin, because I remember in 2015 we did quite a few lectures in Ukraine for students about what Bitcoin is, what the centralized system is, and how it works.

And as a practice, we sent to all of them a bit of Bitcoin. I don't remember what it was, under one K for sure. And I remember in 2017, because my phone number was in all these lectures, people called me and said, "I remember you sent me Bitcoins. Can you help me recover my wallet? How can I get access back?" It was like, I dunno, $10 back then. But in 2017 it was definitely more. So that's the technology and the stories that really make me interested, because we see the progress and how people were not interested back then in 2015 and how they got their interest back in 2017.

Stephen: That's hilarious. The original host of the Around The Coin podcast had the same experience. He was giving 70 people $20, and then obviously they lost the passwords, the seed phrases, and he was helping recover. So that seems like a very common story for early adopters in crypto. Probably a lot more calls now, I'm assuming, but we all know they didn't make it past 2017 without trying to sell for a car or a watch.

Yev: You know, in 2015 we were organizing conferences here in Ukraine, gathering all the different cryptographers and developers back then, in Odessa. And one of the guys who visited the conference, he had the challenge to live without credit cards for a year and pay for everything, everywhere, in Bitcoin.

And it was really interesting how he tried to get his way here in Ukraine. And I was paying for his breakfast and he sent me Bitcoins. And I never sold that Bitcoin since.

Stephen: That's amazing.

Yev: It was like a really expensive breakfast, if we calculate to current rates.

Stephen: So, some expensive eggs Benedict.

Yev: Kind of.

Stephen: You focused so much of your career on cybersecurity and ethical hacking. You've saved probably billions of dollars' worth of exploits and vulnerabilities for companies all throughout the blockchain. What has improved over the last decade when it comes to cybersecurity, and, you know, what are we still not really doing well in crypto?

I would love to know the dichotomy of things that are like, "Hey, we're really getting this down," and people that read your report and, you know, Chainalysis reports are like, $4 billion in one year of exploits. Like, why aren't we doing better?

Yev: So starting from 2017, our initial idea was to launch a bug bounty platform, which we did, called HackenProof. And I remember, because I was the person who was trying to convince the first clients to use bug bounty, and for sure it was ahead of its time. People didn't even understand why they needed to invest in security and, like, general security audits, penetration testing.

But then when we were talking about bug bounties, I was like, "Oh my God, why are you guys even doing this?" So I remember the first bugs were that wild. As you know, from all the KYC documents that you submit to crypto exchanges, you could easily get IDORs and get all these pictures that you're sending to them.

So this was definitely basic Web2 vulnerabilities, nothing to do with crypto, just basic Web2 stuff. So we started helping companies since probably November, December 2017. And obviously it all started with different phishing campaigns, like stealing Twitters, Telegrams, fake websites and all this kind of stuff.

And then, I've seen that because I was working in traditional Web2 security and had seen all these basics. Nothing super special about crypto. Then we saw more sophisticated attacks, probably around 2018, more with the smart contract vulnerabilities and this kind of stuff.

And people started to think, "Probably I should invest a bit into security before actually launching ICOs." And that's how we started all the service line, because we didn't plan to do a service business in the beginning. And some of the friends just reached out and said, "Hey guys, I know you're in cybersecurity. Could you please help us?" Because we all saw all these attacks in 2017, especially October, December, with phishing campaigns, stealing Twitters and Telegrams just before the ICO. So that was kind of the situation back then. Of course, over the years we got better. We got better definitely in smart contract audits. Now people understand why they need bug bounties, and now, in the other stage, understanding why we need on-chain monitoring. So I would say that through all these eight years we went through stages of understanding: "It's needed. Okay, I need to invest in it." And now we're getting to the next layer.

But I still believe we have a lot of stuff to learn from Web2 security, where it's been like courageous, and we, I mean, I think that we are super novel and very, you know, smart, but at the end of the day we're not doing the basics that we should do, looking at traditional finance security or traditional tech markets.

So we're still halfway to go, but what I really like is to be in this market ahead of time, when people still don't understand why you need this, and building the solutions that would be used in a couple of years. We got through this with the bug bounties, with the smart contract audits and with all the other services that we launched along the way, because I think we launched layer-one audits around 2020.

So not that long ago, and before it was more of a black box in the market. And the same is happening now with the on-chain monitoring solutions. It's only been booming for the last couple of years, but if you look at Web2 practices, it's just normal monitoring stuff that we should have done before.

Stephen: Are you shocked by the amount of companies, protocols, projects that aren't implementing a preventative way of cybersecurity? We're seeing a lot of, "Hey, we got hacked. Now we'll offer you a bounty to give us the money back," or "we'll offer you a job because you're such a great hacker." Are you surprised that we are still very reactive in the industry and not as preventative as we could be?

Yev: I am not surprised by anything in this industry anymore. I've been here too long, but it makes me sad that with all these hacks on the market, with all the efforts that different companies make to protect users and funds, we're still not investing in this. And we can see this a lot from the communication in bug bounties, for example, when companies don't care about the vulnerabilities, but it's a real problem and real issues that can be done by these vulnerabilities.

I mean, security. Security is.

Stephen: Right. I don't like to think of it as expensive. I'd like to think of it as an investment, right? Like, you invest on the front end so you don't have to worry and be paranoid on the back end. And I think more companies need to think about that. I'm curious, is it surprising that maybe the consumers, like, they're sending crypto to these DeFi protocols, they're getting hacked, some of them are shutting down, some of them are repaying customers, but are you surprised that consumers aren't a little bit more diligent about who they're investing their crypto with and demanding that, "Hey, if we're gonna go with this protocol, it has to have these security measures, it has to go through this security audit, this smart contract audit, this pen testing"? Or do you feel like we're still in the age where people are just throwing crypto at the highest-yield project?

Yev: How can people think about security when you can see all these returns on their investments? It's crazy, right? If you see 5% more, you just definitely go there, like, security, whatever. But honestly, I think that we lost quite a lot of trust in this market with a lot of situations that happened over the years. And it's our responsibility right now to restore this trust from regular users.

Having situations like uptakes or something like that, all these people who are saying, "Ah, it's just another pyramid," they're saying, "Oh, you see, I told you so." It's up to us now to show that the products we build and the technology are secure enough for the mass adoption that we are all dreaming about.

And I see a lot of projects that deal with B2C specifically. They are doing their best to build security measures for users that are kind of mandatory and prevent the majority of hacks. Look at any solar crypto exchange: they have all these trading codes, 2FAs, backups, anti-phishing codes, a lot of stuff to protect users.

Because if you look at a regular user, they are definitely storing their money on centralized crypto exchanges. And that's why the key point of failure might be. And you know, in crypto it's different. It's like, your keys, your crypto; not your keys, not your crypto. Right? And this shift is very hard for regular users to understand, because we're kind of stuck with this bank mindset where you can call support and they fix your problem.

But in crypto it's not like that. So also, I think it's about the awareness of the users and changing their mindset, like how the system is different. Why are you getting this more yield? What is the difference in the technology itself? I understand that in the ideal case users should not care about that, but we're still early for this.

So I think that's where we need to also have users that think about this.

Stephen: Right. Like, in the traditional world we'll put our credit card in any website, we don't care, 'cause we know we can call the credit card company and say, "Hey, that wasn't me," and it's wiped off of our bill. In crypto there's no one to call. You might be able to do a tweet that gets some traction, but that's not gonna help you recover your cryptocurrency.

Especially when, you know, the DeFi protocol is tweeting out that they want to give a job to the person that has these customers' money in order to get a percentage back. Is there a security standard within the industry for crypto businesses when it comes to security? Now, I know you're part of one of my favorite organizations, the CryptoCurrency Certification Consortium, C4. You guys have the Cryptocurrency Security Standard, but it's more of a best practices. I know you were steering that committee; it's more of a best practice. Is there an actual standard, or when companies are like, "Hey, we wanna start a blockchain payments company or a DeFi protocol," is there a checklist that they can go through to say, "Hey, we're at least trying our best to follow the minimum required to protect our users' funds"?

Yev: Definitely, standards in the industry is a big topic. So through the years we've been part of different groups, starting from the Enterprise Ethereum Alliance and their EthTrust group for smart contract vulnerabilities. Then another group, also within the Enterprise Ethereum Alliance, called DRAMA, for DeFi risks. And definitely CCSS for the majority, like key management and building the systems around this. I still think that it's not enough. There are different groups working in this direction. If we look at the recent White House documents, they mention that standards are something vital for this industry that needs to be taken into account.

And I was really surprised to see security auditors as an important part of this ecosystem. And it really makes me happy, because finally it's something that we've been working on for long years, there on the government level and kind of required, because, like you mentioned about security, right?

So you do it in a couple of cases. First, you're hacked and it's already kind of too late. Second, someone is demanding this from you: it's either exchanges, launchpads, VCs, and now regulators. And the third case, you are really security conscious, which happens not that often, honestly, but still it's getting better year over year. So we definitely need more standards. And one of the good mixes of everything that you can do, especially for crypto exchanges: you can go to CoinMarketCap or Coin and they have their trust score, and there are a lot of different criteria that you can go through to be compliant or get maximum trust from the users.

So, if we look at cybersecurity there, because we are part of this project and providing them data by one of our initiatives, it's more about regular penetration testing, it's about bug bounty, it's about the insurance fund, it's about having CCSS and some other stuff that's required for crypto exchanges, you know, to get the maximum users and maximum trust that they can get.

But we are still far, and contributing to standards is important. Not a lot of people like to do it because it's not really, you know, that, I don't know.

Stephen: I could say it's not fun or sexy. Cybersecurity is not fun. It's not sexy, and it feels like, you know, it's like paying the insurance in blackjack: you're putting money into something that may never happen or may never affect you, so why not just save that money and pay it on the back end?

Right. Just like compliance, right? Companies are not focused on compliance until they get the penalty. Then they're like, "Well, the penalty is the cost of doing business, we'll pay the penalty, but we already stole like 20% market share from not being maybe the most compliant exchange."

Yev: But now it's important, right? You cannot operate a crypto business right now without being compliant, getting a license, especially in some jurisdictions. So we are getting there.

Stephen: Yeah, jurisdictional arbitrage is almost completely eliminated, especially with the EU MiCA. We have, you know, Dubai, Canada, Singapore, Hong Kong. There are very few jurisdictions where you can operate like this and still be able to maintain market share. I want to jump into Hacken. The company's done a great job branding itself over the last few years, especially as being one of the leaders in crypto security.

But for those that don't follow cybersecurity, for the reasons we just mentioned, can you explain what your core offering is and, you know, the clients maybe that you serve?

Yev: Definitely. So Hacken is a blockchain security and compliance partner for everything born on blockchain and connected to blockchain. So we work with different crypto exchanges, wallets, L1s, L2s, and what we started doing as well is working with different regulators, banks, and traditional businesses implementing digital assets and blockchain-related technologies in their operations.

And that's the most interesting for me, because I can see now that, you know, from that kind of sandbox in 2014, now we're having the majority of businesses operating and experimenting with blockchain. That's a really big journey through these more than 10 years. But now you see the reality of it, not just, you know, a group of nerds talking about cryptography and decentralized systems.

So, just for the offering, you wanna comment?

Stephen: Sorry. Go.

Yev: You wanna comment something on that?

Stephen: Oh no, I was curious when you say regulators, I'm like, oh, okay. All those crypto businesses, L1s, L2s, all of that makes sense. Payment service providers, stablecoin issuers. What is your position, what is your partnership when it comes to regulators? I think I saw the ADGM, which is based out of Abu Dhabi. What's your relationship there? And they're very forward thinking when it comes to digital assets and regulation, because we're seeing more and more regulators, more and more public sector getting involved in digital assets, especially with the explosion and momentum in the US. If it's a regulator listening to this conversation, how could they partner with a company like Hacken, and what's their biggest benefit? Is it the security of the reporting entities to them, or is it security over their own infrastructure where they're implementing stablecoin payments, CBDC, et cetera?

Yev: You see, security can be applied to any of these ecosystem players. So starting from regulators, what we help them with is to first monitor all the licenses and the security of these licensees, and what's happening in the ecosystem and whether they're breaking any cybersecurity requirements that need to be done.

Or also, from another side, we help companies who want to get a license to put in place all the cybersecurity requirements that are needed. For example, if we look at the ADGM or DORA, or, for example, Bermuda requirements, you can see the cybersecurity part where they require having regular penetration tests, smart contract audits, on-chain monitoring, an incident response plan, having a CISO or virtual CISO.

So there are a lot of requirements related to security operations, because if we look at any business, cybersecurity is one of the top risks for business, especially when everything is online and with all the digital assets. Now it's not only about the centralized system where we can just push the red button, right?

It's about everything going on-chain. And there is, in the majority of cases, no red button. So making this right and making it compliant in order to prevent future risks and, you know, breaking the trust of regulators of the regulated zones is the key here. So you can comment more on the compliance side from your perspective, how you see cybersecurity.

Stephen: I feel like it's hand in hand. I think the EU has it right with DORA. It's like, "Hey, crypto exchanges, if you want to use this service provider, there are certain requirements for using a service provider," and that's gonna change the industry. Not so much for maybe the crypto exchange, but these technology service providers are realizing, "Hey, we have to have better cybersecurity."

We have to be more compliant, otherwise we don't get any customers. And I think the biggest way you impact things like cybersecurity and compliance is at the revenue stage, right? If you can't land the biggest customers 'cause you're not following a certain level of rules. And you can't, you know, the consumers aren't pushing that kind of agenda.

It's a great way for regulators to say, "Hey, we're not telling you who to use, but we're telling you the requirements in order to use them." What are your thoughts about DORA, and has that really changed the framework of your business model and helped boost, you know, the message to other exchanges and companies?

Yev: Yeah, I mean, we started doing this probably at the beginning of last year, and I can see that only somewhere now it's getting momentum, you know, and getting more popular, and companies are actually taking care of that.

One of our clients is Bybit. We did the penetration testing for them, for them to get a license in Austria for MiCA.

And this is one of the examples, and we helped a lot more companies in this part of the requirements for getting a license, in penetration testing; it's called TLPT, threat-led penetration testing, and way more. So I see that this is, you know, for us as the cybersecurity company, definitely great, because someone pushes them to do cybersecurity.

Not us saying, "Ah, guys, probably you should do penetration testing, at least review your code of the protocol before launching it." So this is kind of a third-party push, and there are real implications if you don't do this properly.

Stephen: Are you seeing regulation like DORA emerge in other places? Usually a lot of countries around the world focus on what the UK and Europe are doing, kind of copy their blueprint, and especially what's happening in the US. Do you see other conversations like DORA around the world?

Yev: So, as you mentioned, we work in the UAE market and with ADGM, Andvar and some other guys who have cybersecurity requirements in their requirement list for exchanges and any crypto businesses. This year I also visited Bermuda and BVI, trying to learn what their requirements are when it comes to cybersecurity for virtual assets, digital assets, and whoever. I don't know why we don't have one name for this, but still, in every

Stephen: why cast and bass

Yev: Yes, exactly. Yeah,

Stephen: you.

Yev: Exactly. Exactly. So I see that in some way there is a cybersecurity part in these requirements. Somewhere it's more advanced, somewhere it's less, but still, they're thinking about that, which is great. And compared to 2017, when it was just completely, "do whatever you want and raise money for anonymous projects," now we're definitely getting more mature as an industry and as businesses.

Stephen: Well, 2021 was a very NFTV, do-what-you-want, launch-anything kind of year. And now, you know, people would argue 2025 has the same kind of perspective when it comes to meme coins. What are your thoughts on things like meme coins, where people can launch them within five minutes?

Cybersecurity is definitely not an issue. What are your thoughts on how we can better protect ourselves as consumers? Is it the platform's responsibility, like, you know, Fun, fun pump, all these different ways of making NFTs? Whose responsibility is it to ensure that there's cybersecurity in such an emerging and trending token, like a meme coin?

Yev: For me, it's like my playground, right? For experiments and different kinds of use cases. And of course, it's in the interest of the platforms to make the projects secure, because at the end of the day it impacts their reputation, right? So having them do as much as possible to launch secure projects is the key.

And then of course, it's the responsibility of the guys doing this.

Stephen: You know, you mentioned bug bounties. We had a unified CEO on the podcast, very similar models around bug bounty. From an outsider looking in, I would think bug bounties are competing with your actual business of cybersecurity and smart contract audits. Does this go hand in hand? Do companies choose one or the other? Are bug bounties more of a last resort after you've done all this testing?

Yev: So for, for us, from the very

beginning it was, being a security partner of the companies and helping them not with the small piece of security, but more looking at the system holistically and, building defense in depths for them. So like usually, you know, the best practices is, having proper security development lifecycle.

Then, having the like internal audits, external audits where, Hacken as the auditors came in place. Then having the external, like crowdsourced audits and bug bounties. So this is the Oun platform. I can prove that we have. Then having the, on chain monitoring and then having insurance. So this is kind of the like, stages that companies should do to minimize the risks of being hacked and for us, It's more about helping, customers holistically. So we definitely help them with all the penetration testing of the infrastructure, smart contract audits, protocol audits, cryptography, audits. And then when we done everything internally, we passed this to hacking proof team to organize the either public or private, program and, attract.

Ethical hackers and researchers from all over the world to test the systems after us. And usually the best practice is to have not one auditor, but the, like, couple of auditors with different, you know, perspectives and, backgrounds. Because in the end of the day, we are like all human and we all make mistakes.

And the most important is to have this diverse background mindset, tools and like the way people work. For example, in our team we have around 30 nationalities and, for like, audits, we combine different auditors, different teams doing, doing different cross checks and quality checks. And then we pass all this to bound.

And of course there is cases when we miss something. And in this case it's really important to. Catch the bug first before it goes live. And you know, some cyber criminals uses this, weak spot to attack the project. So for us, the responsibility is to do as much as possible to minimize the risks and diversify the, like the, that background and mindset that, people, have who audits the code.

So definitely it's about the layers, not the substitution, because it's totally different. If you look at the traditional, like traditional web market and the players like Hacker one and background, who's been operating for a lot of years in the market, this is the part of the like. The general security practices and, also having stuff like vulnerability disclosure policies on your website is important.

And in some governments and in some countries, this is part of the process that they have for their systems. And I remember now is exactly the time of Black Hat and DEF CON in Las Vegas, the security conferences that have been going for years. And I remember around like seven years ago, I was in one of the live hacking events where there were, I don't remember how many, like fifty, a hundred hackers were trying to hack the Navy systems in the US and they were interacting with all these security researchers and, like, government to find the spots.

So no system is perfect and you should do as much as possible to minimize the risks and diversify the set of eyes that are looking at your code.

Stephen: You're now the CEO of Hacken. You are the CEO of HackenProof. What is it like, because the cybersecurity, as you just mentioned, the cybersecurity industry is so collaborative. How do you view competition? How do you feel growing your business, you know, as well as working with your competitors and, you know, probably being on SEAL teams with your competitors?

How is that dichotomy of like, hey, we're trying to grow Hacken to be the best business possible, but we're also kind of working with some of our other competitors just to make sure the industry itself is safer so that, you know, we can protect consumers?

Yev: I like to do math here. So if we look at the Web3 security market and auditors and solo auditors, of course now it's getting better, but how many of them do we have? Do you have any guess?

Stephen: I don't know. I don't like how, you know, everyone does a little bit different. Like there's so many different, Hypernative. I know you all do a little bit something different, but there's so many companies, especially coming out of Israel, it's like they have an assembly line of CSO type companies coming out where they fund them, get them customers, they raise a bunch of money, and they just kind of send them back through the conveyor line.

Yev: Honestly, I don't think it's enough because, I mean, it's like 20, 30 probably specifically in this niche. And how many companies do we have? Like, no. How many projects on CoinMarketCap? No, let's not count all of them who take security probably not that seriously, but we have a lot and we're still not enough in terms of cybersecurity specialists, like in general in the world, and in our small niche in Web3.

So, for me it's more about the competition, because if you look at these crazy, like, ICO times when the lines could be like two months, forget audits, like, it was crazy. It's not like this anymore for the majority of the providers, but there are quite a few that have long lines. So for me it's more about the competition and making sure that the industry will all work together, secure, not losing trust, and we are all contributing from different angles, which is important.

And you mentioned different companies that are doing different parts of security. If we look at cybersecurity as the whole, we have so many different domains that we need specialists in. Like starting from different cryptography, for like user protection, for physical security, which is also getting more popular in crypto, for on-chain monitoring, code analysis, like, and forensics and way, way more.

So we're still not enough and there are a lot of opportunities, with the industry getting more mature. So hopefully we'll see more and more companies rising in the sphere and, you know, doing a great job.

Stephen: I love that you're coming at it from a creative lens. Like, can we create more companies to help out the industry, versus competing with all these companies? Because I think many of you are, you know, you've been in the industry for a long time. You've sat on panels, you've probably worked together on different projects.

You probably see, like, this is not really competition when we're still not able to service the amount of crypto companies, which is only gonna broaden as, you know, everyone wants to be obviously a stablecoin company, probably in the US now. I don't think we could leave this conversation without talking about Bybit.

You mentioned it before, you had a full investigation breakdown on the website that people should go check out the blog 'cause it's very interesting. Can you give us a high level, what happened? What are steps to avoid this in the future? And you know, maybe even just the community reaction to it. And did you see that collaborative nature of, you know, all the companies, whether it was crypto recovery companies, you know, cybersecurity companies.

Maybe walk us through that.

Yev: I think Bybit was the case where we finally saw how the industry advanced in collaboration and helping each other. It was not the case a couple of years ago. So what happened was the malicious interface that was related to signing the transactions while they're doing DeFi, like their regular hot and cold checks, wallet checks.

So that was an attack on the, kind of, it was like a really sophisticated attack and involved, like, the groups that we all know about. So it's definitely about, it's not about the smart contract vulnerability, right? It's more on the operational security, on the, like, key management and access controls.

So definitely something that we've been learning through all these years about the key management, and the private key leakage is one of the top attacks that are happening right now, especially with the guys from North Korea being responsible for a lot of this. And, like, what you can do: you can definitely secure your infrastructure, make sure that you have multisig, you are operating properly all the process of providing access and revoking access and having all this in place, as well as protecting the endpoints like computers, mobile phones and everything, and making sure that users are aware of this kind of attack.

Because at the end of the day, you can protect your smart contract. But when you don't have people who understand what can happen, and they are clicking and downloading something, like, it doesn't matter, as they say, you are only as strong as your weakest link. And the weakest link is usually people.

So we definitely need to invest in multiple fronts in cybersecurity, starting from people, education, operational security practices, and then going into application security like all the smart contract and protocol attacks.

Stephen: You mentioned access controls, we read over it. You have probably the, and I don't wanna shed light or, you know, dim the light of maybe some of your other Web3 security reports, but you probably have the best one in the industry that I know that people talk about. And the number one threat you put in that report in Web3 today is an access control exploit.

Can you kind of explain a little bit, give us the basics of what that is and why Web3 companies have to start taking this a little bit more seriously?

Yev: Literally it's about, like, who holds the keys, and that holds all the crypto you have, and how you, you know, how you sign transactions, how you make any operations there, and where you store the keys, right? So we have different methods how you can do it. Definitely you can just store it, like, on your computer. You can have hardware devices, and so there are a lot of different ways how you can operate this. And the most important here is having multisig and not a single point of failure, making sure that all the people involved in the signing are secure. So for me, it's complex, you know, for me cybersecurity is kind of art, because you need to think creatively and think out of the box.

That's why I like hackers and this hacker mindset, because you need to think, like, what can go wrong and how can I trick the system? I really liked, I had a call yesterday with HR and we were talking about passing the tests for, like, getting into Hacken. So we have different types of tests and they were presenting the system that kind of, like, makes screenshots, tracks your IP, like your camera and blah, blah, blah, blah.

And they were like, okay, how can we trick this system? That was, like, the discussion over all the leads. Like, what can go wrong here? And the hacker, like, hacker mindset is different. That's why, while building the system, you need to make the full, like, threat landscape and understand for each asset what kind of threats you have and how you minimize all the threats with the actions that you do.

Same comes to operation management, key management, educating people, indicating the, like, person responsible for signing this. And also I think what comes, like, more and more often, unfortunately these days, is the physical security issues. And having, like, physical, like cold wallets with you at the conference.

This might not be the smartest move you can do, because I remember this conference in Colombia, it was DeFi Con, right? A couple of years ago, when they said, please don't wear your branded t-shirts, no crypto signs on you that you have some money. And they came here, you know, for the crypto conference.

So general, you know, paranoia and being cautious is important. Not, you know, it's not only in the digital world, it's also in the physical world these days.

Stephen: Are you worried, as you're better protecting the digital world? We're seeing a lot more kidnappings. We saw some in New York, in Canada, you know, one of our friends here, Dean Skurka, well, it's now Robinhood, but was with WonderFi at the time. Are you seeing that pick up more, as like cyber criminals are like, hey, we're not getting that kind of traction that we once were?

Let's just go back to, you know, kidnapping people and stealing their tokens. We're seeing, I forgot what it's called in Europe, where they kind of, like, set you up at a restaurant and tell you you have to send funds and then, like, there are cameras all over the place looking to access. I forgot the name of it. It's not a ripoff.

Yev: Uh, there is piggybacking, shoulder, shoulder, what is that? When you're, like, kind of looking on the

Stephen: Yeah, like a rip scam. I remember the word, it was rip scam. Are you seeing more physical, like lately, kidnapping? And crypto has always been there, but like even the Ledger, the Ledger founder and their wife, like, are you seeing more cases like this? Because now it's a little bit more difficult to digitally remove crypto from these victims.

Yev: I believe it's different groups that are operating in the physical and digital world. So for sure it's not related, but we see more such cases and I think we should be, like, more cautious, because, you know, everyone knows that crypto has something fancy and you can get a lot of money there and all these, like, rich kids and blah blah blah. And a lot of people sharing all this in the air, like social media. So I think we should be more cautious and definitely think about this as well, especially going to all these crypto conferences where we are all there together and people know who is who. And there are a lot of bad actors, of course.

Stephen: Awesome. We don't have any sound effects on this show, but we wanted to say, like, happy, happy birthday, 'cause Hacken just turned eight years old. And as a birthday present to the industry, you're now unveiling a new suite of service offerings, including CASP and VASP compliance, AI security, proof of reserve audits.

Can you talk about some of these new services and what prompted you to bring them to the market?

Yev: Yeah, definitely. So, at Hacken, we've always been looking at the industry and seeing, like, how we can help customers in different layers. So for the proof of reserves, we started to do it, like, right after FTX happened. And we already help a lot of crypto exchanges to prove their solvency and showing it live on our website so you can easily check it. We do this for compliance. We briefly discussed this, that for getting a license in different jurisdictions, you need to go through cybersecurity checkmarks, including different penetration testing, having proper incident response, on-chain monitoring, back balances, and a lot of stuff that we help companies with.

So actually it's kind of our, like, traditional service suite, but more towards the compliance and with the proper wording and the exact requirements from regulators and different jurisdictions. And another one is the AI security, which brings us more and more new threats coming. It's not that popular yet, I would say, but we're slowly but steadily getting there, with all the, like, tricking LLMs, prompt injections and stuff like this. So even, like, OWASP Top 10 now has the LLM security checklist where you can go and look at all the possible vulnerabilities. And there we can see from time to time more cases about, like, data leakage or manipulating the models or hallucination and getting more threats out of that. And we see how corporates are kind of firewalling the requests from different copilots and how they're trying to control it, not to leak any corporate information. So this is an area where we'll see more and more products and threats. So I'm, like, particularly really excited about this one.

Stephen: Are you seeing, like, any AI horror stories that you're like, oh man, this has, like, led you to branch out some of these security packages? Especially AI feels like crypto in 2015. It's new, it's flashy. Everyone's making money. It's even worse, 'cause like people are actually making a lot of money now and people are just throwing all of their information, all of their company data into these LLMs to try and figure out the best competitive advantage.

We saw Sam Altman say, hey, like, you're not protected here from, like, a privilege perspective. And if we get, you know, subpoenaed by the government, we're turning over all the information that you've uploaded to ChatGPT. What are your thoughts? Have you heard any bad stories? And, like, why are customers using this AI security that you're offering?

Yev: I would say something that we heard before was about AI fakes, and AI fakes on the calls and, like, different North Koreans using AI to go through interviews. That's more interesting, for sure, because we are kind of tricking the system and tweaking the, like, usual operation processes.

And I know that there are lots of solutions right now in the market that are trying to spot these AI fakes on the Zoom calls and trying to notify users about any suspicious activities there. As for, like, AI security services, it's kind of like red teaming of different agents. AI security is becoming more important when we have, we see all this agentic, agentic future, right, and sharing credentials and payments and, like, kind of, how it's called, like making them, like agents make some, like, important actions like paying for something, like trading now and making decisions.

So that's where we should test how it's implemented, what are the, like, risk levels we are okay with and where we should, you know, be more cautious and find a way to protect it.

Stephen: Very similar to smart contract audits and pen testing that you're doing, right? We're letting agents go on our behalf and book holidays. Hackers are just sitting there like, oh, this is perfect.

Yev: Yeah.

Stephen: I'm curious, you've mentioned, you know, ethical hacking and Black Hat conferences. You know, are there differences between, obviously there are differences between black hat, white hat, and everything in between.

Over the years, maybe the decade that you've been in the industry, have those lines started to become blurred as to, like, what's a black hat versus white hat? Who's bad, who's not bad? Or are they very distinct classifications still?

Yev: Yeah, it's interesting. So as I mentioned, for me, hacker is about the mindset. And of course now we have these, like, white hat hackers, black hat hackers, and grey hat hackers. Personally for me it's about your personal values and ethics that you follow. And if you look at the majority of security researchers that are public on all the bug bounty platforms participating in all the contests, it's about their, you know, public journey, their CV. So you will not risk this, the skill you have, no, you will not risk this in your career to get something bad. And from the other side, all these guys who are cyber criminals, they're not great in public, right? They're hiding, they're, like, being someone else. And these are two different types of people and it's about values. If you look at, like, the physical world, it's the same. There are people who can harm others and there are people who cannot, because, I mean, it's not about them at all. Right? So the same goes for white hats and black hats for me.

Stephen: You know, you mentioned your HR department having that kind of, like, hacking mindset. We've seen that North Korean employees, IT employees, is one of the biggest problems we've seen. Even, you know, non-North Korean people hold five, six jobs with VC backed companies without them knowing. What are your thoughts?

Are there any offerings that you have that better protect companies that are hiring employees? Is that something, maybe your HR department and you could be like, hey, we have this checklist, this is something that companies need to implement? Because we're literally hiring, you know, the same hackers that are gonna exploit our smart contract codes. They're the ones holding the keys, 'cause they're the ones developing a lot of this technology, especially because they have the expertise that these companies are rushing into the industry for, especially when it comes to AI needs.

Yev: Yeah. I believe the problem with HR security is big in this industry, because as you mentioned, we are, like, rushing to deliver the code. There are not enough specialists in this industry. So we are hiring globally and we don't even know these people. And we had quite a few hacks in this industry, I don't remember the names, where it was, like, really anonymous developers that hold all the keys.

Like, how can you, you know, trust this to someone you don't know, you don't have documents and, like, no traces, right? So for me it's about the companies building proper, like, recruitment processes and going through all the, like, background checks, KYC checks and doing, like, reference checks with the previous places of work.

So really taking care about this, because now we can see that we're, you know, we have, like, smart contract vulnerabilities, which is a big problem. We have access control issues. Now we have these HR security issues that we need to think about as well. If you are building, you know, a sustainable company, you want to scale, you definitely need to check the people you work with, because at the end of the day, it's all about people.

Stephen: What are your thoughts about the future of cybersecurity? You know, you've seen it evolve over the last 10 years. What does the future look like? Especially we're getting to the point where every company is gonna be a blockchain or digital asset company in some way. Just like every company has a social media presence, we're getting closer and closer to that for those companies to be competitive.

And, you know, every company is gonna be utilizing AI. Now, what does the future of cybersecurity look like in your perspective?

Yev: So my dream for this industry is that we have standards that are widely accepted by the industry players and governments, and we are kind of playing by the same, like, rules in terms of cybersecurity, and we are protecting the trust of this industry, finance and users. This is the first. The second, definitely, is about more collaboration.

So in the Bybit hack, we saw how competitors, they are competitors, were helping them. And how different security companies were helping them to freeze funds, to track them, to find the hackers, to operate these bounty programs. So this is kind of the collaboration we'd like to see more of in the industry, and helping each other.

'cause I believe our, like, kind of, crypto pond is not that big yet, and you probably, if you go to conferences, you see the same people over and over in different parts of the world. So for me it's about building the trust and cooperation in this circle. And also building the products that address the needs.

And we see that the Web3 security sphere is super dynamic and we need to keep the pace with both the, like, offensive and defensive side. And we need to build products that help us to automate a lot of work we do, and prevent as much as possible before it happens, not after, when we need to investigate it.

Stephen: I love that. It makes so much sense. You know, on a personal level, you co-founded this company, but for the first time, you're now the CEO and sitting in that CEO role of almost 150 employees. What is it like from your perspective, especially now as you're emerging into, you know, a stratosphere of new product offerings and new services?

Yev: It's a really new, exciting role to be in. And I'm trying to apply the same hacker mindset that I've been, like, following all over the years and trying to optimize the processes, you know, optimize the, like, people and structures that we have right now and make sure it works efficiently. I really love numbers and dashboards, so that's what I'm trying to get right now for the whole company as much as possible, and the different metrics.

And also what is important for me is the people with whom I work and, like, developing these people and investing in their education and making sure that we're kind of a sustainable business and resilient business. I think resilience in cybersecurity is really the key. And we've, like, gone through all these cycles, all the, like, COVID, wars and everything, and resilience is definitely one of the key stuff that we have.

Stephen: Are you noticing a cultural, or at least, you know, technological shift? Maybe within your organization, maybe within the industry, we're seeing, you know, a lot of blockchain companies, like, they're reducing this DEI agenda. They're leveraging AI, meaning they're reducing their staff a lot and we're getting more into, like, the go fast and break things.

Kind of like the bro culture that we all know in traditional tech and in traditional crypto. As a woman in this space, do you see this shift away from diversity and, you know, people, back to like robots and math and solutions that incorporate the latest and greatest technology?

Yev: You know, I was reading an article yesterday and it really reminded me about the early days of blockchain. It was about AI, like, first, do you really need AI there? What problem does it solve and can you do it without AI? And it reminded me, like, of all the days about the same stuff, but with blockchain. And I don't think that, I think that people will have more creative work to do and controlling the automated processes and making sure it works properly, especially from a cybersecurity standpoint. I don't trust it and, like, we definitely need to verify it and control it. So people would still be the key for me, but just from a different angle.

And as for, like, diversity, I see we have more diverse environments right now and crypto is global, right? We have all these teams that are distributed all over the globe and it was, like, really hard to find the spot to have a call for the majority of the teams, like from the US to Asia. So diversity is definitely a big plus in this industry and, like, globalization. If we look at different types of businesses, it's not like this; crypto really has this charm of being that global and decentralized and diverse. That's why I also really like it.

Stephen: Any exciting announcements? I know you have, the whole announcement is, like, Hacken growing up, you're maturing now. You have all these different offerings. Is there anything, maybe one of those offerings, you're like, oh, you kind of pushed it internally, that's kind of like your baby that you really want to see come to market?

Yev: For me it's more about, like, where we apply this. So, we are the biggest auditor in Europe, in the European market. And now our next big step is the US market and scaling there, hiring there, making operations. And you will definitely hear more from us on this market. So that's what makes me more excited.

Stephen: Everyone's coming to North America, the US. My phone's ringing off the hook as a content creator. And, you know, working with some of the big companies, it's like, yeah, we just want, like, instant traction right now. It's been a busy summer.

Yev: It doesn't work. It doesn't work like this. Instant traction and instant

Stephen: That's what I tell them. You have to build. And that's why they come to our company, 'cause they're like, hey, you already have an audience. Can you just introduce us to your audience? It's like, well, you have to kind of build something here. I think people are confused, similar to probably, you probably see it now, too. Everyone wants to work in cybersecurity and get paid the big bucks. You're like, hey, it doesn't quite work like that. You have to get acclimated to the communities. What are some of your nerdy, and I say nerds because in crypto nerds is a sign and the term of endearment, what are some of your nerdy tech friends doing, playing with in their free time? Are we still on the cold plunges? Maybe, you know, mushroom medicines to help us alleviate our childhood drama.

What's, what are people playing with that you're like this is kind of nerdy and people will probably be doing this in the next five years?

Yev: You are just on the point, because cold plunges are my favorite thing to do.

And I got really interested in, like, biohacking. Last year I created my community of Web3 founders where we, like, discuss all the stuff regarding, like, faster recovery, you know, better sleep, more productivity and how to survive all these, like, international flights and crypto conferences.

So, definitely for me it's more about tracking my health with different devices, doing different, you know, like saunas and cold plunges for sure. It's my weekly routine, and experimenting with different supplements, like personalized supplements based on my DNA, and going through different, you know, stimulating my vagus nerve and calming me down.

But because, let's be honest, like, crypto and cybersecurity is a really stressful environment where you definitely need to recover faster and calm down faster, so.

Stephen: I was gonna say, you know, for eight years in crypto and cybersecurity, it looks like you're getting younger. I've known you, like, seen what you've been working on for, you know, quite a while now. Looks like you're getting younger, so maybe you can, you know, send us a one pager on what to do to look younger in crypto, even after founding a company that's probably up every day.

Every day there's some cybersecurity related event happening, so sleep is probably not something that you're known for. Yeah, this has been an enlightening conversation. I think everyone knows you for Hacken and all, you know, you do a ton of speaking engagements, but it's fun to get the personal side of entering into the CEO role and taking this company to, you know, what is gonna be another eight years of fruitfulness.

Where can people find you? What are the actual social media platforms that you might respond to? Even though I'm sure you're opsec heavy.

Yev: Yeah, definitely. We're still on X, follow us on Hacken Club and myself, and, yeah, Hacken. Or LinkedIn. I'm still checking it even though it's kind of full of AI-written messages, but I still do my best to go through all of them.

Stephen: You don't want to connect with like-minded professionals that have synergies and want to collaborate?

Yev: Of course. Especially those, like, longevity focused and conscious about their health and, like, building sustainable businesses and

Stephen: Love, I love it. I love the AI. The AI comments have me, like, unhinged right now. It's like, oh, thank you for summarizing my whole post and reading it back to me in a paragraph in the comments section. Yeah, this has been great. Thank you so much. I'm excited to see the offerings. I'm excited to go offline with you and talk about compliance and what you're seeing and what I've seen in the crypto industry.

'cause now I think cybersecurity and compliance, similar to how, like, compliance and fraud weren't in the same silos, they were being very, you know, separate. I think now all of these kinds of business units need to come together and have a conversation, because it's all falling under similar regulations around the world.

Yev, thank you so much for joining the Around The Coin podcast.

Yev: Thank you. It's been a pleasure.