210: In this episode of Sales Bluebird, Andrew speaks with Victor Fang, the founder of Anchain, a Web3 security company. Victor shares his background in data science and discusses the challenges of working with Web3's decentralized model.
Anchain is a finalist in next week's RSA Conference Innovation Sandbox competition.
Anchain's machine learning and AI technology have found a market position with regulators, law enforcement, and the private sector. The company has targeted four markets, each with different security requirements, and has developed a framework to help with counterparty risk in web3 transactions.
Andrew and Victor also discuss the lack of workers in the Web3 cybersecurity market, the growing concern of cryptocurrency hacks, and the potential for Web3 security solutions.
[00:05:48] "Music and Math: The CEO's Unplugged Escape"
[00:07:33] "Blockchain Security Startup Traces Hackers with Smart Contracts"
[00:12:50] "AI-powered Security Solutions for Government and Crypto"
[00:16:16] Revolutionizing Web3 Security with New Framework
[00:21:09] "Barriers to Entry and Security Issues in Cryptocurrency Security"
[00:23:26] "New Framework Developed to Secure Cryptocurrency Transactions"
[00:25:49] "Improvising Security Solutions in Rapidly Shaping Market"
[00:27:53] "Blockchain Security Training Fills Critical Job Gap"
Victor Fang on LinkedIn
Andrew Monaghan [00:00:00]:
Anchain. AI has been selected as a finalist for next week's RSA Innovation Sandbox Competition. They do something that I know very little about in an area with very few competitors, and that's Web3 blockchain security. Their CEO, Victor Fang, came onto the podcast to talk about what the problems that they solve are, who they do it for, how they do it, and the the market in which they operate. Don't go away. Welcome to the Sales Bluebird podcast, where we help cybersecurity startups grow sales faster. I am your host, Andrew Monaghan. Our guest today is Victor Fang, co founder and CEO at Anchain AI. Victor. Welcome to Sales Bluebird.
Victor Fang [00:00:53]:
Thank you, Andrew. Thanks for having me here. Yeah.
Andrew Monaghan [00:00:56]:
Victor, welcome to the podcast. I'm looking forward to our conversation. Two reasons. One is you are a finalist or Anne Shane is in the RSA Innovation Sandbox Competition next week. We're recording this the week before RSA, so I'm always interested to hear what the innovation is and the exciting things that you have going on. And then secondly, even though Web Three has been talked about for a while, this is the first time I've talked to someone who's doing officially security. That Web3 Company. Or Web3 Security, as it were. So I'm keen to understand the use cases and what it is you're doing. So we'll dig into that in a minute. A quick break to say that this episode is sponsored by It Harvest. With over 3200 vendors in cybersecurity, it is hard to keep track of all the latest developments, as well as research and analyze categories and subcategories within cybersecurity, which is where the It Harvest cybersecurity platform comes in. Want to know which subcategories in cloud security are growing the fastest? You'll get it in a few clicks. Want to know and track everything about your main competitors and keep up with their hiring and news? Simple search to be done. Want to know the top 20 fastest growing companies based out of Israel?
Victor Fang [00:02:18]:
Andrew Monaghan [00:02:18]:
Just a couple of clicks to get that. It Harvest is the first and only research platform dedicated to cybersecurity and it's run by Richard Steenan, who has done it all in cybersecurity from the VP of Research at Gartner, a CMO at a cybersecurity vendor, a lecturer on cybersecurity, advisor to startups, advisory board member at Startups, and a main board member as well. The whole lot. Find out more by going to Salesbluebird.com Research. That's salesbluebird.com research. Now back to the episode. All right, so when I look at your LinkedIn resume, Victor, there's a lot going on there, so let me try and pick out a couple of things. I think the common thread through most of it is the idea that your background and your thing that you're doing is all run data science and there's various companies that you've worked for over the years where that's been a role that you have. I see Amazon on there. I see Dell EMC, you're part of the founding team at Pivotal, part of the founding team at Awake Security, and then you spent some time at Mandian, all in roles like that. You've also had various advisory roles and involved in various groups as well, kind of alongside your main work. And then fast forward to July 2018 is when you founded Anchain. Two things that I want to draw out of this that I felt were fascinating. One is that you said that your time in Amazon, that you were the person or you led the team that created the web gift card format or portal that we all use right now. Is that correct?
Victor Fang [00:04:06]:
I was one of the many engineers there, yeah. But I didn't hold the first version of that. It's called a web activated car. I think it is probably the one that you can get now. But back then, it was not that technology back then. It's probably like you're writing a database and they hook it up. Was not web. But that first version we built together is actually Web app activated. It sounds pretty cool, right? It's called WAC web Activated Card.
Andrew Monaghan [00:04:37]:
So when I get my gift card and I type in that code, am I typing that into what you've worked on back in the day? Is that the idea?
Victor Fang [00:04:44]:
I mean, this is like more than ten years ago now, but back then, I think there was a process of, okay, there was different way of selling the credit card. I mean, the gift card. So back then was hardwired, and they distributed, but Web activator is like, okay, you know those houses hanging on the shelf now, right before you scan it? Now they have zero value, but back then, there is value. You see the difference? Yeah. Okay. Back then, if you robbed that supermarket with the gift card, you're actually getting money. You actually got the money, but now they have that web activated car. So you did you scan it? And that's where we're in the database, we flagged, hey, this thing is ready to go.
Andrew Monaghan [00:05:31]:
That's awesome. And the other thing I noticed on your resume here on LinkedIn, you play music, and as a math, physics, data science, or guy, you combine the arts with the science side.
Victor Fang [00:05:48]:
Yes. And to me, music is I would say music and algorithm, they are the same thing. Music and mathematics. They're the same thing to me, actually. They're very structured when you really understand it. Although people may say, oh, music is so personal and sentimentals and all that. Right. But there was a music structure. My favorite music is actually like jazz. There's an entire series about it, and it's very mathematical if you really learn the series and all that. So, yeah, jazz. Actually, this is one of the CEO. Being a CEO and co founder is definitely a very stressful job. So I'm glad that music is with me. So sometimes you just have to unplug yourself. And music to me is actually unplugged myself from the stress and all that. I will play music, I will play piano, I will play electric guitars and all that. It's a very good way to socialize also, right?
Andrew Monaghan [00:06:54]:
Yeah, I love that. So we now got a situation where you need to decompress by being by the lake in your cabin in the woods and playing guitar as well. Then you got the perfect combo right there.
Victor Fang [00:07:07]:
Yeah. Piano. Yeah, sure. And better have a band.
Andrew Monaghan [00:07:15]:
Not on your own.
Victor Fang [00:07:16]:
Andrew Monaghan [00:07:18]:
Well, Victor, let's talk about Anchain. So back in July 2018, you co founded Anchain. Take us back to that moment. What was going on? What led you to the realization this is something you're going to devote your life to for a few years?
Victor Fang [00:07:33]:
Yeah, so, I mean, before that I was running the DS and all that at Mandiant. Right. So one of the tasks at Mandiant was actually tracing the WannaCry ransomware hackers. Right. They're using bitcoin. So, I mean, when we look at into the transactions and now that the money flow, bitcoin flow, I quickly realized that this is actually more than just for ransomware. Tracing this is a more fundamental problem. And then I happened to then I spent a little bit more time onto the smart contract, the ethereum that back then you just came out. Right. So I look at it, got pretty deep into the EVMs and smart contract authority, and then I feel like, wow, this is going to be probably going to be the layer that will become the software layer on top of the blockchain. Right. To me, back then, ten years ago, people in Silicon Valley keep saying, hey, software is eating the world, and stuff like that. To me, back then, 2018 is like, smart contract is going to eat the world. Right. Which is true right now, if you think about today, you talk about this cool stuff in web three, it's all about NFT D five stable coin. Guess what? They're all returning smart contract. There's very few people are building the layer one blockchain. There are people building that, but it's very hard to build those. Right, but then it's much easier to develop the smart contract software that is operating on top of the blockchain. Yeah. And then we started a company in the summer. Right. And then 2018, I think it's much easier to raise funding. And then also I have already zero entrepreneur, so I have my friends in the VC wall in Silicon Valley and then they say, well, one thing was actually we have a brunch together with the VC, with friends. Right. And I didn't even like thinking about pitching. I'm living very comfortably in Mandy and it's a great company to work for and there's a lot of cool stuff happening there. But then my VC friend look at the stuff, we kind of have some random conversation and they say, oh, Victor, you can be a unicorn in this web story of blockchain security. There's not that many people are doing that. I mean, back then, I mean, Chennas is still a very tiny little startup, right. And it's a very big problem that we are seeing. Tracing cryptocurrency and smart contract constantly got hack and all that, right? Yeah. And then we raised a little bit, like a couple of million dollars in the summer, and we start building the company, building the product. That's how we got started.
Andrew Monaghan [00:10:20]:
But, Victor, before we go any further, let's get to know Mitt Bore about you. I've got a list of questions here. If you give me three numbers between one and 35, I'll read out the corresponding question. Oh, 1717 is what was your best subject in school? In high school?
Victor Fang [00:10:43]:
Andrew Monaghan [00:10:45]:
Victor Fang [00:10:46]:
Andrew Monaghan [00:10:47]:
I'm surprised. I thought it'd be given your background. It might be math.
Victor Fang [00:10:51]:
Math is too abstract, and I like math. I'm good at math also, but physics has a real world sense. You always feel like you're solving a real world problem, create impact. But math is, like, very abstract and all that. I like math, too, but top one is definitely physics.
Andrew Monaghan [00:11:09]:
Actually, though you say it like that. I get what you're saying for sure. It's a lot of abstractness in math we learn in high school. My eldest daughter is 16, and she's in a math class, and I look at what she's working on, and my eyes go cross side, so I'm glad she's doing it, not me.
Victor Fang [00:11:27]:
Yeah. And I need to pick two more numbers, correct?
Andrew Monaghan [00:11:30]:
Yeah, two more numbers.
Victor Fang [00:11:32]:
Okay, let's do seven.
Andrew Monaghan [00:11:33]:
Seven. What is your favorite summer pastime?
Victor Fang [00:11:37]:
Oh, summer pastime. Do you mean summer vacation or what.
Andrew Monaghan [00:11:41]:
A summer hobby or thing you do in the summer that you do more in the summer than any other time of the year?
Victor Fang [00:11:47]:
I see. I mean, swimming in a lake.
Andrew Monaghan [00:11:52]:
Victor Fang [00:11:53]:
Andrew Monaghan [00:11:54]:
Get back to nature. All right, one last question between one and 35.
Victor Fang [00:11:58]:
Let's go 25.
Andrew Monaghan [00:12:00]:
25 is sweet. At the Four Seasons or Cabin in the woods.
Victor Fang [00:12:06]:
Well, wow, that's a tough one. I mean cabin in the woods. So I need to unplug. I've been traveling like crazy recently. Unplug a little bit. Cabbing the wood.
Andrew Monaghan [00:12:20]:
What you need to do is find that lake you can swim in that's. Got a cabin right by it. And there you have both together, right?
Victor Fang [00:12:26]:
Yeah, I already have some candy there, actually. Yeah, like Lake Tahoe and all that. Awesome. Yeah, it's fun.
Andrew Monaghan [00:12:38]:
Who are your customers? I'm trying to piece all this together in my mind because it's not an area I'm not familiar with. Who actually buys stuff from you and how do they use that to actually solve some real problems?
Victor Fang [00:12:50]:
Great question. So four sectors. Four sectors. One is the government. Government, including the regulators, like the SEC, and also, I mean, the law enforcement side of it like including IIS and finxins and all that. So the second sector is the layer one blockchain, including solana algorithm ripple, those great layer one blockchain. Right. The third category is the crypto exchanges or crypto businesses. And then the fourth category is the enterprise and traditional finance. So there's four categories. We develop the same AI power kind of the security technology, but every sector will need slightly different kind of solution. And under the hook it's the same technology. So for example, the regulator, they're going to use our smart contract analytic tool to look at the source code to find out inconsistencies in the code filing and all that. Right? And then law enforcement using our AI auto tracing to trace down the bad guys, to kind of paint a picture of the risk score, the attribution of the wallet. Each wallet is just like IP address. You have to put the entire context around it. Right? So contextualize it. So by then on the private sector it's slightly different. So that's why we feel super exciting in the private sector also. I mean the preventative side of it, right? So for example, we have the API, real time risk scoring API that you can just cook it in. And then whenever you about to make a transaction with this counterparty, a wallet, you send another cryptocurrency to another wallet, you can call our API and we will tell you. Is that safe to go or not? The biggest problem right now is actually the anti money laundry. My team just got back from the Tokyo from the Fata FATF conference, right? So it's a conference for the hosted for the global regulators. All the important regulators are in the same room as us. And we are one of the three company private web, three security company invited. On that table. There's only 40 seats, right? Square. They have two seats on the table. So, I mean, to teach you the private sector, actually they need to be compliant with all these rules. There are some serious regulations out there. The anti money laundering rule out there and then the counterterrorist financing. You do not want to fund those bad guys. And crypto, I mean, every wallet address looks exactly the same. They randomly look straight. Right. But with machine learning and AI, we can kind of attribute a lot deeper and then also a lot faster. Yeah. So that cover our offering to the private sector and the public sector.
Andrew Monaghan [00:15:54]:
Yeah, let's take the private sector one example then. I just want to understand that a bit more. So if I'm in an enterprise, I've got to do anti money laundering things, I got to follow the regulations, make sure I'm doing all the due diligence that I can. What exactly am I looking for in the transactions that is beyond just like KYC and things like that.
Victor Fang [00:16:16]:
Yeah, this is a great point. Right? I mean, KYC right now is required by the BSA, the Bank Secrecy Act and all that, right. But it's more like a steady kind of requirement, right? So when you open a bank account or crypto exchange account, you give away all your passports for all the driver's license, right. So they prove that Andrew is eligible to open account here. Right. But then the transaction side is where most of the problem came from. Let's say there's a website out there and using you want to donate Bitcoin or pay a payment in cryptocurrency. A lot of people are now doing stable coins for these cross border transactions and all that. So every wallet address looks like it's actually set. It's that random stream looking, right. So our tool can give you more visibility into what you are dealing with. This is called the counterparty risk. Okay. And this is more fall into the transaction risk. So our technology can tell you a lot more insights about the counterparty you're dealing with. Is that exchange? Is that just a regular unhosted wallet? Right, or is a guy from North Korea or some sanctioned countries? Right. And then when you're dealing with those, you want to be extremely careful. You need to know what you're doing, right? Yeah. So I think this is one of the technology we enable the customer. And also I think that although the private sector, I think this Isa conference, we have this web three sock framework being selected by the Isa, right? It's going beyond that, right? Going beyond. Basically, Webstery Soft is a security operation center for Webstery digital assets. So basically anybody that touch cryptocurrency or digital asset will get value from our platform. We're focusing on the operation side of it. So basically the five steps are the NISS framework, right? They identify, detect, protect, and then what? Respond and recover. Right. So we kind of have a systematic approach out there. So the biggest problem is, last year we find out it's $4 billion of asset being hacked in web three, and it took them at the NTTD the meantime to detect is seven days. It's mind blowing. Seven days to realize you are hacked and 32 days to remediate MTTR. 32 days. And the average hack size is $200 million. Okay? Those are the real number that come up from our research. It's mind blowing. And compared to the cybersecurity world, it should be less than 5 hours. Okay. And you see this huge gap there. And that's because probably like, there's no systematic framework. People are oh, that people are saying that, wow, smart contract auditing is important, let's do smart contract auditing. That transaction screen is important, let's do that. But no, those are little point solutions. We need a more holistic framework here. If you go to the Isa conference, you see these 6000 companies, right? They're solving, and some of them are solving the more heuristic problems out there. Right. But it's very important to understand the workflow first. We need to come up with a systematic approach. And the challenge in this industry is the blockchains and smart contract. They are all decentralized. They are not running the AWS or GCP or your data center. They are literally that transaction being mined anywhere globally. As long as you can have the hash power to compute it, right? And literally that payment is borderless. Anybody can make a point that transaction. So all these different factors and the uniqueness about the Web Three is making it super challenging and we step in to try to come up with a systematic framework to let's solve. Let's come up with some metrics first, right? MTTD and MTDR. Can we do better than that? With our effort, we hope to cut down 30 days of MTTR all the way down to maybe seconds. It's possible, but you need to have that mindset there. And this is a lot of lesson I learned from my past experience and Mandians and Away securities and even Pivotal. Pivotal was running the Cybersecurity data science team. So we actually have turned a lot of the machine learning and the automatic AIS and all the into production. So it's possible. It's just like we happen to be the first one I consider super lucky to kind of tackle this untapped market.
Andrew Monaghan [00:20:59]:
You mentioned being the first one and I get it difficult, but why are there so few other players trying to tackle this right now? It seems like there's just not many of you out there.
Victor Fang [00:21:09]:
No? Yeah, I mean, one is I don't think crypto is even a mainstream. Right. It's still very niche market, I would say. But one thing we know and then the second is the barrier to entry is super high. Look, to own a crypto wallet right now is not like starting an email in Google, right? You have to know what those different for example, how the wallet was created. You have to understand the cryptography of it. Otherwise if you share the private key out there, anybody can wire the funding. Right? The security and the Usability is pretty hot right now. Right? But hey, the cryptocurrency market, the entire website industry is a trillion dollar business now. It's a trillion dollar alternative asset and it's going to continue to grow. And then last year Excel $4 billion were hacked. It's a big problem. And some of them are involved into the Apt group back in the day at Mandy. And we already deal with those guys before. The North Korea Lazarus group is not new. It's just the same group of people. And no, now these guys are innovating into the exploiting the blockchain and Webstery because they figure out, hey, this is actually more lucrative and a lot faster than trying to hack into a bank to exfiltrate the data and then they have to try to sell it in dark webs and all that, right? But hey, if you hack into that, for example, the harmony and the roaming network, you're making $600 million from that roaming hack. They got their money, they hacked like $600 million in one night. And then that roaming team, it took them like a week to realize their hack. It took Harmony one day to realize their $100 million are gone. Slightly better than roaming, but still, it's a day to realize that you're hacked. Those are the big problem right now, that we aim to fix.
Andrew Monaghan [00:23:08]:
It's interesting you say that. I mean, I look at the ransomware as a big thing these days, but people are looking for $50,000. And you contrast that with you said the average was 200 million. Very lucrative. Compared to 100K rent somewhere attack, right?
Victor Fang [00:23:26]:
Yeah, exactly. It's because like the cryptocurrency, because it's borderless and so fast, right? You can run your smart contract or whatever infrastructure there, you set a wallet there and people will start chipping your money into that pool. And what if that pool has a hole only the hacker knows and boom, they can siphon the fund overnight and then they will start using those crazy technology like chain hoppings or cross chain bridge or like tornado cash to obfuscate the fund and then eventually they will sell it in some of the big exchanges like finance and corpses and all that, right? That's usually the flow. But the point here is the apt groups and all that, now they're seeing that, hey, this is actually much easier to make money out of this other than 6000 companies in, I say, right. A lot of them, I mean, they had all these big banks have like $100 million of budget, security budget every year. They ended up buying everything. That makes the hackers job a lot easier, a lot harder to penetrate into those parameters. Right, but then they realize that, hey, the layer one blockchains and all these B five protocol NFTs and all that has a lot of loopholes there and they're making a lot of money. I mean, the hackers apt groups like Lazarus group, they're quite successful monetize those. So it has to be fixed. So we come up with a framework. The Webstery sock. Yeah, let's see. I think we're very confident that this is going to finally have a more formal kind of approach towards it. We come up with some physics to the world.
Andrew Monaghan [00:25:19]:
So when you said the start victor that you're going after four groups for target markets, a little shiver went down my spine as I thought about a startup trying to figure out the go to market for four different groups of targets. How are you doing that? Is it centrally led and really you're doing a very big top downs approach or is it more about the cliff face trying to work on a BD side to get going in some of these markets?
Victor Fang [00:25:49]:
Great question. Right, and that's kind of resonate one of my hobby. I'm a musician, I play jazz. So as a startup founder, you got to improvise. But improvise doesn't mean random, okay. The structure you need to know, for example, if you're improvising in a band or like improvising jazz, you need to know where the key you're using, which scale you're using. Right? So it's the same thing here. So we're a technology company and we're solving a security problem that set the tone, right. But eventually I would be trying to fool you if I say I know all the answers in day one 2018, our first customers back then was one of the layer one blockchain that now I think they already disappeared. Right. This is how fast the industry is moving. Right. But then turns out that, well, hey, the same technology, the machine learning and AI product, I mean the technology we develop actually find its marketplace. I mean it's market position for example, the regulator and the law enforcement and then also the private sector and all that, right. But there's a certain pockets that we already identify in the space Bdwise, those different offering, right? They're the same exact under the hook. It's the same engine that we built. But there's a different form factors where you try to sell to different sectors. So there's a product marketing side of it, right. We learn a lot. We learn a lot. And I think there's a startup in this early and emerging market, rapidly shaping market. Right. You got to know how to improvise. Right. But in the core we are technology company, we're very laser focused on the security problem.
Andrew Monaghan [00:27:40]:
One of the things you said was that you're getting the word out and trying to educate people on the risks out there in this whole world. What are you doing that's really working for you to try and evangelize that problem to people?
Victor Fang [00:27:53]:
It's a great question. In fact, in the past three, four years, we lecture at UC Berkeley. That's where we're affiliate with by the way, we came out from the Berkeley A blockchain accessorator back in 2019, right? Berkeley. We've been lecturing the Berkeley and then also harbor. Right. We realized it's not enough to lecture the academia and we actually just launched earlier this year the Entrance University. We turned some of those training into those course that everybody open to everybody. And I think that's our way of to kind of raise the awareness and then also provide some knowledge that how the experts in house engine are doing, are trying to that we can correct some of the problem using our technology. Right. And we open up our product for the students that take the course other than some of the competitors, they just keep their tool super secretive. But I think it's a technology we all need to learn. And then this is definitely, I think the cybersecurity job market that's short for like 600,000, right? But the cybersecurity market in general, there's a shortage on the tail end of 600,000. But in web three, I mean, in blockchain security. Oh my goodness. It's not even like, let's say, Andrew, you post a job opening there looking for a blockchain security guy, guess how many you will get? Probably close to zero. Right. I think it's our mission to kind of not it's very hard. I mean, if you try to hire this guy and the day one they can start working on the smart contract and all that. No, you're not going to find anyone. Right. So with our training programs and all that, yeah, hopefully we can help educate and bring more awareness and those problems are real. Like the apt groups now are getting into that and that's probably why I say conference. Also see the reference, the reverence of what we're doing there's a close link to what they like. For example, the incident response companies threaten company. The cybersecurity are already doing, like, for example, Lazarus Group. We know that for what? It's not new.
Andrew Monaghan [00:30:20]:
Well, Victor, it's fascinating hearing about this. A lot of this is new to me, so trying to understand it and learn about it has been a really useful exercise for me and hopefully for the audience too. Wish you every success and luck for next week. On Monday is the actual day of the innovation sandbox, and I guess you all get to present and then the panel will choose the winner. So I wish you good luck for that. If someone wants to get in touch, what's the best way to do that?
Victor Fang [00:30:48]:
So I'm on linking, right. So Victor found school my name. And also I'm on Twitter. And yeah, those two channels are probably the best way to reach out. Me to me.
Andrew Monaghan [00:30:59]:
Yeah, that's great. And I'll catch up with you next week at RSA. I'll make sure to find you out and we have a quick chat. And I wish you and the team every success for the rest of the year and into next year.
Victor Fang [00:31:10]:
Thank you so much for having me.
Andrew Monaghan [00:31:12]:
Well, Victor is very knowledgeable and passionate about working in the Web three space and solving these real pretty substantial problems that everyone's facing in that area. A bunch of takeaways, I'm sure, for you two for me today. One was going after four markets. At first glance it seems like a lot, but I don't think from what he was saying, they need to do big top down sales, lead, go to market motions in each of those areas, and there seems to be some overlap between them as well. So I wonder if the success they're going to have is going to be maybe more favored to one or two of them just naturally, or they're going to be able to do well in all four of those markets. And the second takeaway for me was how hard it must be to work in this area. As you said, there's not many people that had the knowledge and the skills and the experience to really understand it. And then develop products for it. And it's very complicated by the different players that are in there, the nature of what you're dealing with in terms of a decentralized model and things like that. So really tough to bring that into market, which probably helps in terms of making sure there aren't that many competitors in the space. I think even said there's a big barrier to entry. So I wish Victor and the Nchain team every success and luck for next week at the Sandbox competition is on Monday of next week. Record this on April 20, 2023. And I also wish them every success for 2023 and beyond.