
Careers in Cybersecurity: The HAPI Team on the Work of Cybersecurity Experts
The cryptocurrency industry faces incidents almost daily, through which attackers gain not only confidential data but also users’ funds. Protecting trading platforms and safeguarding assets, as well as tracking already stolen coins, are the tasks of cybersecurity experts.
In a fresh piece for the “Careers” series, ForkLog spoke with staff at the Ukrainian analytics firm HAPI about the specifics of ethical hacking and the coolest hackathons in the industry: COO Evgeniy Pshenichnykh, CCO Mark Letsyuk, and the CTO of the HAPI Labs department, Denis.
ForkLog: Denis, in your team you are the only security expert with experience outside the crypto market. Tell us, how did you end up in cybersecurity?
Denis: I chose this specialty by chance. It all started when I saw a computer at my grandmother’s workplace. The first personal PC — the ZX Spectrum — appeared when I was in 8th or 9th grade; I tried programming in Basic.
When it came time to go to university, I acted according to the situation: everyone was pursuing programming, and I chose information security, but I have no regrets. Because now I am a programmer, a sysadmin, and a jack-of-all-trades.
My professional path began in 2004 when I enrolled at Kharkiv National University of Radio Electronics in the specialty “Information Security with Restricted Access and Automation of its Processing.” When I mention the topic of my diploma, people get scared: “Using new scalar multiplication methods in the implementation of the Elliptic Curve Digital Signature Algorithm ECDSA.”
In 2009 I graduated. My first job was at the Lisichansk Refinery, where I was a second-category specialist in the information security department and was responsible for the security of the internal network. There I worked for four years.
Then I joined Glusco’s network of gas stations as Director of the IT department, but essentially all information security was also on me. And then Yuri suggested trying myself in crypto. That is how I ended up at HAPI in 2021.
ForkLog: Which specialists are in demand in the industry?
Denis: Cybersecurity is a very broad field. In demand are everyone from competent network system administrators to software testers.
Evgeniy: Pen testers, auditors of code and IT infrastructure, and specialists in cryptography.
ForkLog: What new specialties have appeared in cybersecurity at the intersection with blockchain and cryptocurrency?
Mark: First and foremost, smart-contract auditors, on-chain analysts and investigators. The latter respond rapidly to incidents and try to minimise losses for projects and users affected by hacks, by liaising with exchanges and colleagues from other cybersecurity firms, and coordinating with cyber police and similar authorities in other jurisdictions.
Evgeniy: Here we would also count automated roles — tracers who unwind transaction chains.
ForkLog: How in-demand are cybersecurity specialists? What is the entry threshold?
Denis: It was hard to study — of 90 people who joined the first year with me, only 30 graduated. Like in any profession, it’s hard to land your first job without experience.
Evgeniy: At HAPI we ran an experiment: we took three information-security students from NAU to bring them to at least middle level. Two left for various reasons, but one stayed. He moved into testing and now shows interest in auditing smart contracts.
I don’t think this market is closed to non-specialists. People with IT backgrounds and related fields can try this profession. The key is a willingness to learn, listen and adapt.
Mark: At the same time, a candidate for a role in a crypto-security company should at least understand how blockchain and cryptocurrency work and what the industry priorities are. Even an experienced professional without this knowledge will find it hard to fit into a dedicated team.
ForkLog: What skills and competencies are required from a newcomer?
Mark: A grasp of security in general and cryptography in particular. For software development, programming is essential. A mathematical mindset and analytical thinking are welcome. As narratives and trends shift quickly in crypto, one must continually learn new things.
Evgeniy: Essentially, blockchain is Big Data, so the ability to work with large volumes of information, interpret it correctly and verify it is a strong skill.
Denis: You also need a bit of laziness to be able to create scripts to automate workflows.
ForkLog: Should a candidate have white-hat hacking experience?
Mark: One of HAPI’s advisers, with whom the company’s story began, is a white-hat hacker. He remains anonymous and many in the team do not know him personally. Although the person has stepped back from day-to-day duties and our team is fully public, we still receive from him a number of narratives.
Evgeniy: This is where HAPI began. A security hackathon was announced, and this white-hat hacker won it. Ethical hacking is one of the ingredients of a good cybersecurity specialist. To fight someone, you need to understand how they think.
ForkLog: What courses can you recommend for entering the field and boosting qualifications?
Denis: One of the most respected and yet challenging certifications is Offensive Security Certified Professional. It takes about a month: you receive an 800-page textbook, video materials and a lab with several subnets and many machines. During the month you break them and accumulate points to gain access to the exam.
There are simpler courses, but without certificates, such as Hack The Box.
Mark: Cybrary’s advanced training. Also a series of lectures on Coursera about ethical hacking. In the crypto space, courses run by Chainalysis using their own terminal and databases also award a certificate on completion.
Evgeniy: There are also classic Cisco and Microsoft certifications, but they tend to be more narrowly focused.
ForkLog: What do the test tasks for applicants at HAPI consist of?
Mark: There are tasks on vulnerability analysis or testing; there have been tasks for investigators to untangle an incident of medium complexity.
Evgeniy: We also asked them to write a simple token smart contract, deploy it on a test version of a DEX, and then perform a Pump & Dump scheme. For us, it’s important that the candidate does not merely crank an address on the blockchain; they should identify who owns the address, which platform it’s associated with, and in which incidents it has appeared. Depending on how deeply the candidate immerses in the work, we assess their investigative skills and associative thinking — whether they can understand the attackers’ logic and model hacks.
ForkLog: What is the average salary for a specialist in this field?
Evgeniy: A novice trying to break into the field can realistically expect at least $500 at the start. Personally, through one handshake I know people who in cybersecurity can earn more than $100,000 per month. Usually, that is work for large corporations where the topic is crucial. Salaries there can reach astronomical levels.
In Ukraine, under the standard pricing model where an auditor analyzes smart contracts on the fly, income depends on the amount of work done. Investigators and on-chain analysts in Eastern Europe earn roughly $3,000–6,000 on average.
Mark: In the US market, the salaries are the highest by a factor of about three. For example, Chainalysis pays its analysts in the New York metro area $15,000 per month or more. And these are not the top tier, not the leads, but ordinary staff. The same salary could be earned in the San Francisco metro area.
In Seattle, Chicago, Austin or Miami $12,000 is the ceiling for a mid-level specialist.
ForkLog: Are you aware of cases where cybercriminals moved into cybersecurity?
Evgeniy: This is a very delicate topic. We often see reports of hackers who breach an exchange or a bridge but use it not to enrich themselves, but to draw developers’ attention to a vulnerability in code or infrastructure.
Mark: Yes, that’s the classic white-hat hacker story. On the other hand, if a protocol had no bug-bounty programs from the outset, the person may take a criminal step and later strike a deal to recover a larger portion of the sum in exchange for dropping the case.
After asset theft, hackers often cannot cash out because their address is flagged as high risk in AML services. The only way out is a mixer, but even there the money comes out not entirely clean. So spending it is difficult, even if the hack revealed nothing about them.
Take as an example the story of Ilya Lichtenstein and Heather Morgan, who hacked the Bitfinex exchange back in 2016. For many years the attackers hid, but once the bitcoins moved from their wallets, they were exposed.
The hacks most often occur in Bitcoin and Ethereum networks because those networks have the most liquidity. Yet their blockchains are completely transparent and easy to parse. As a result, there are frequent attempts by hackers to strike deals with the protocol teams.
Or the opposite story: Avraham Eisenberg, who was known publicly as a white-hat hacker, later turned out to have hacked the Mango Markets DeFi platform by manipulating the price of an oracle. He is now under US scrutiny.
ForkLog: Does your company practice Bug Bounty? How popular is this program among major tech firms?
Mark: HAPI does not have Bug Bounty in the classical sense. But there is a Scamfari platform, where anyone can report incidents or cases involving criminals in blockchain and crypto.
We are now discussing paying rewards to users who promptly notify us about an exclusive hack or exploit that the hacked protocol team does not yet know about. Such a mechanism would let us stay ahead.
In addition, there are bug-hunt quests from Layer3, Linea Voyage and others. HAPI, as an infrastructure partner, participated in testing the L2 protocol Linea from ConsenSys and the L2 protocol Aurora, which uses the NEAR blockchain and the EVM.
Today many platforms lure people with retrodrops to use their product on a new blockchain. The surge of users drastically raises network load and makes existing bugs obvious. In return, users receive airdrops comparable to good Bug Bounty payouts.
ForkLog: Have HAPI staff participated in any specialized hackathons?
Mark: We already mentioned the 2021 Hackathon from Hacken and international partners, where a member of our team hacked the event’s site. We later helped restore it. Back then HAPI received the Grand Prix and began a long collaboration with Hacken.
As our company grew, we took part in hackathons from Solana, NEAR, Not Another Virtual Hackathon (NAVH) by ConsenSys and Kyiv Tech Summit 2022, which Vitalik Buterin attended.
Now, occasionally we send colleagues to such events under a fictitious project to see how judges evaluate a new unknown brand on the market. It also lets us test fresh ideas.
Evgeniy: Given the workload, attending hackathons isn’t always possible. We now mainly view them as a hiring tool to scout potentially interesting people, teams and ideas we could integrate into our internal products.
HAPI even has plans to organise its own hackathon in the first quarter of 2024.
ForkLog: What do you foresee for the future of the cybersecurity expert profession?
Mark: Whoever controls information controls the world. Data protection — particularly in blockchain, where user assets are stored — will stay a pressing concern for a long time. The cybersecurity market is blooming, competition is fierce, but demand remains, especially from projects hacked on a near daily basis.
Evgeniy: I’ll offer an unpopular view: in the next five years this field will be highly automated and replaced by AI. Algorithms can already read data from images, decipher and interpret it. Even on Scamfari we’re moving toward software modules that analyse incoming information and verify its reliability, though humans used to do this.
The human factor will persist until a global neural network needs training.
Mark: Each AI algorithm requires a high-quality mentor, so demand for on-chain analysts will rise. I’m less skeptical, but I understand that everything is moving toward automation. Machines will take over the world, and Sarah Connor will be too old to save it.
Interviewed by Lena Jess.
Earlier in the “Careers” feature we wrote about how to find your first job in the crypto market, and spoke with professionals in the fields of on-chain analytics, blockchain jurisprudence, smart-contract programming and trading.