Welcome to Future of Finance, where Fortune asks prominent people at major companies about their jobs, how their firm fits into the crypto ecosystem, and what it all means for how we use money.
Over a more-than-two-decade career, Nick Percoco has helped companies build out their cybersecurity practices as hackers have gotten more creative. As chief security officer at Kraken since 2018, Percoco has helped formalize its security program, and he now oversees security, IT, and fraud at the crypto exchange.
Fortune recently caught up with Percoco to talk more about why Kraken often improves security by turning to friendly hacks and why Americans are particularly susceptible to exploits from bad actors.
(This interview has been edited for length and clarity.)
How did you first get into crypto, and how did you end up at Kraken?
I had a forensic lab [SpiderLabs, which Percoco founded, is now part of Trustwave] that had lots of GPUs in it that were used for password cracking. And so we would be doing forensics, we would get encrypted files, or we would get password files that we would have to decrypt, or we would attempt to decrypt—try to find the weak passwords in environments—but they mostly sat idle. Around 2011, 2012, some of the folks in our forensics lab started talking about Bitcoin, like, “Hey, we can mine some Bitcoins using these GPUs.” They asked if they could do it, and at that time, Bitcoin was worth almost nothing, and I’m like, “Yeah, sure. Let’s play around with it.” And then everybody would create wallets, and we sent Bitcoin between each other, and it was just sort of like exploring the future of money at that point in time.
It wasn’t really for any sort of investment or any sort of long-term strategy. It was like, “This is really cool. It’s this permissionless technology where you can send money on the internet and not have to go through anybody, like one wallet to another on this blockchain.” Today, it’s interesting for people to just learn about that technology, but a decade ago, it was even more like science fiction. So I got very interested in that, but didn’t really go very deep as far as, like, becoming a Bitcoiner. I didn’t say, “I’m going to mine hundreds of Bitcoin or thousands of Bitcoin.” I didn’t go down that path.
I was in the security community and the hacker community—there’s a little bit of overlap between the crypto community and the security community—so I primarily stayed in that world. After doing some security startup stuff—then Trustwave got sold to Singapore Telecom (Singtel), I worked at Rapid7, helped them go public, another cybersecurity company—I decided I’m gonna take a break. I went and joined an AI company, and was running security for them for a couple of years. A mutual friend of mine and Dave Ripley, who’s our CEO at Kraken, connected us. Basically, Kraken was looking for someone to come in and formalize their security program, mature it, grow it, expand it, and I started chatting with Dave—at the time he was our COO—and then got introduced to [former CEO and founder] Jesse [Powell] and others at the company, and then in fall of 2018 joined as Kraken’s full-time chief security officer. Today I run security, IT, and fraud here.
What’s the day-to-day of a chief security officer like?
I organize this in sort of like a stack, with the least technical things at the top and the most technical things at the bottom. At the very top of that stack, I have folks that I work with that essentially sit in a world that we call security strategy. We’re constantly thinking about, “Where do we need to go as a security program? What do we see? What trends are we seeing? What are the things that we’re learning from?”
The next layer is basically our information security governance group—policies and procedures, regulatory requirements around security, external audits, vendor due diligence and security audits, and then also client due diligence.
The next layer is the security operations function within the company. That is the Blue Team, which is monitoring, detection, and response to security events, whether they’re internal or external to our company. That is a 24/7/365, many-person group within the company. It’s very critical for us. When something happens we need to know within seconds, not like three weeks later. We know within seconds when something happens within or outside the company that relates to us.
We also have a Red Team, which is essentially a team of hackers that I’ve recruited from my background that hacks us on a regular basis, from the outside, from the inside, social engineering—any sort of attack vector is completely fair game, because criminals don’t have any rules. They will try every single possible angle they can.
We also have an application security team that essentially goes through every line of code, whether it’s in our mobile apps or on our websites. Every single line of code gets scrutinized with every single change—every dependency that we may be pulling into that code base is scrutinized. We constantly are detecting potential vulnerabilities, real vulnerabilities, fielding bug-bounty reports, and it’s a constant cycle of identification and fixing within this world.
How does Kraken support customers affected by a scam?
Many ways clients end up getting harmed are through things like phishing sites, or impersonations, or scam sites. Clients can wander outside of our ecosystem and interact with these at any given time, so we have folks dedicated to doing takedowns—on average, we’re taking down three to four websites, social media accounts, and other scam sites per day.
What are some examples of common crypto scams?
Many times, the scams are rather low tech. They’re more social engineering than what people would say are hacks. What typically happens in these cases is that somebody befriends them that they feel like they can trust and starts telling them to do things that they don’t quite understand—and then their funds get stolen. That thing may be like, “Oh, there’s going to be some airdrop, and we’re registering people’s wallets in order to get all of the tokens, so you need to go into your wallets and give us the seed phrases that are in there. And then we’re going to register you, and then you’re guaranteed to get $10,000 worth of tokens for this airdrop.” Then people do it, and like 10 minutes later the wallet is empty and they get kicked off the Discord.
Other really low-tech scams are literally just investment scams—people see an investment site that looks somewhat legit, end up sending funds to this company, which in turn steals their funds.
Can you talk about a time when you all tracked down an exploit or a series of exploits and what that process looked like?
Here’s an example: We had a client that had a problem with their account. They claimed that they were talking to our support group. They said that someone logged into their account and had sent the funds from their account. During that conversation with our support staff, they mentioned a mobile app that they were using, and how they were describing the mobile app just didn’t line up with our mobile experience.
And so the support person asked for them to send some screenshots of the mobile app. Sure enough, it was not our mobile app. It had the same name, and it had our logo in it, but it was not our mobile app. It was just a very rudimentary Kraken app. We then asked where they downloaded the app from and it turned out that they were using a store where you can basically sideload applications. It was not, like, Google Play or the App Store. There were a bunch of crypto apps there.
How does cybersecurity in the U.S. differ from abroad?
Criminal groups tend to target U.S. citizens more. The main reason why is that in the U.S., there’s far more ability for a criminal group to get identifiable information about their victims. In the U.S., you have this concept of data aggregators, that for a fee can let you find out basically anything you want about any individual. You can find out all their past addresses, their family members, their email addresses, their phone numbers, everything. Outside of the U.S. that’s a little more difficult because of some of the privacy laws that exist outside the U.S.
As a criminal, if I want to target people that are active in the crypto space, I might find them on social media. Maybe they’re very active on crypto Twitter. I may be able to do some research and identify who they are, but if they’re outside the U.S. that might be difficult. In fact, as a criminal, I may find an individual and I don’t necessarily have to target them—I might target a family member that lives in the same house, who may not be as security savvy. Once I’m on that family member’s computer, I’m now on the same network as the person that I want to go after.
How is AI going to affect cybersecurity?
AI is giving those Blue Teams the ability to scale much more. For example, you can train an AI model to detect potentially malicious activity in vastly larger datasets. With traditional tools, it’s more static rules that you typically have to apply. With AI, those rules don’t have to be so static; it can be more like human logic—like you get a human looking at a log file and maybe able to determine whether something looks suspicious versus just a simple rule set. The rule set might miss it, the human could detect it, but only at a certain pace. You can’t feed a billion logs an hour to a human, but you can feed a billion logs an hour to an AI. That’s where I think it’s helping on the defender side.
On the attacker side, AI is also helping. Things like deepfakes for video calls, deepfakes for voice changing—from a scammer perspective, it could make it more believable to the victims. In fact, our Red Team did this. They took all of my videos that I’ve ever done, or a selection of them, and they fed them into an AI. They created my voice to call various employees and ask them to do things and to see if the employees would actually do it because it sounded exactly like me. It sounded a little uncanny when I heard it—it made me sort of, like, cringe because it’s like my voice but not quite.
What does this all mean for the future of finance?
I think the future of finance is a world where it doesn’t matter who you are or where you live, you have the freedom to transact with whoever you need to, in your world, in a permissionless way. That’s the promise of crypto. That’s what we’re here for, to allow people to do that. A lot of people are disadvantaged on the planet where they can’t do those types of things with traditional financial systems, and so the promise of crypto is to allow people to do that.