A Man Steps Out of the Shadows, a Network Rises, Subnet 60 – Bitsec

By: @CryptoZPunisher

On October 8th, I sent the first signal to the community. I believe the charter speaks for itself.

It was a public recognition of work that, in my view, deserved to be evaluated at its true value.

I also won’t forget the interest shown by Const (@const_reborn), whose words carried particular weight. His recognition of this subnet was not insignificant; it served as an early validation that something important was being built. SN60 is a subnet banger, and some understood that very early on.

What stands out today is the quality of the communication that has since been put in place by John (@yubrew). He took the time to lift his head from the handlebars, something rare among subnet owners, and made a deliberate effort to explain, share, and educate. As of today, he is one of the very few subnet founders engaging in clear, consistent, and effective communication.

In this article, I share the link to his very first video, as well as to his YouTube channel, which many of you will undoubtedly begin following. I also couldn’t not share the full transcription of that video.

With the humility I’ve always known him for, John now allows himself to highlight the breadth of his skills and experience. A strong individual is stepping out of the shadows, and it’s not just Bitsec that will benefit, but the entire network.

Transcription:

Hi, my name is John. I’m the founder of Bitsec. We launched V2 last week, and I wanted to make a video to walk through my background, the inspiration behind Bitsec, why we chose to build on Bittensor, our long-term vision, what we’ve accomplished so far, our plans for V2, and why you should consider joining the project as a miner or as an investor. I’d also like to thank everyone who has followed, supported, and contributed to Bitsec up to this point.

My journey has been quite an interesting one, and I want to cover a few key topics: my engineering background, my views on AI, and why I decided to focus on this security problem. If I had to characterize myself, I’d say I’m someone who can quickly understand complex systems, identify structural weaknesses across different systems, and build practical solutions rapidly.

I’ve had quite a few notable accomplishments, but I’ll focus on three for now.

First, I have a strong background in probability and pattern recognition. A lesser-known proof of this is that I’m banned from playing blackjack in every casino in the United States. That experience deeply shaped how I evaluate risk, think about nonlinear payoffs, and approach opportunities. Being able to analyze an old game like blackjack, find an exploit, and execute it is very much the mindset of a security-oriented person.

My second experience was joining Law360 as engineer number two. Law360 is a legal news platform, essentially Bloomberg for lawyers. When I joined, the company had around 70 employees. Over four years, we scaled revenue from $30 million to over $140 million. By the end, the engineering team had grown from two people to five.

Law360’s main competitor was Bloomberg Law, a much better-funded company with around 50 engineers compared to our two to five. Yet we completely outperformed them: market penetration, adoption by the top 100 law firms, features, business outcomes, across the board. The key takeaway was this: with a small team, if you hire the right people, incentivize them properly, and empower them to make decisions, while maintaining continuous feedback, you can turn low communication overhead and high independence into a massive advantage. That’s an experience I want to bring to Bitsec: keeping the team small, efficient, and enabling each person to achieve far more than raw headcount would suggest.

My third major experience took place in the Cosmos ecosystem. I taught myself Rust and built some of the most critical infrastructure in Cosmos. Hundreds of thousands of users relied on my smart contracts and systems, which were highly performant. Feedback often highlighted how smooth our launches were, something that’s fairly rare in blockchain.

However, there was one defining moment: our team deployed a smart contract that contained a critical vulnerability, costing us $200,000. The team covered the loss, but for a startup that had just raised a seed round, $200,000 is a huge amount. A few months later, when ChatGPT was released, I tried to see whether I could recreate that same exploit. I managed to do it over a single weekend. I realized that if we’d had that tool just a few months earlier, we could have saved $200,000.

And that wasn’t the only issue. Audits are expensive and can delay launches by three to six months. When you’re trying to move fast and serve your users, it’s extremely difficult to follow every security procedure perfectly. And even when you do, you can still get hacked, as recent incidents have shown (Balancer was hacked again recently). This highlights just how broken security still is today.

That led me to look for an alternative. If we can improve the reliability of AI, we can systematically and scalably identify vulnerabilities. That’s what pushed me toward AI-based security auditing.

As AI continues to evolve, it’s transforming software development. When AI-generated code becomes ten times more prevalent than it is today, maybe not this year or next, but soon, how will we secure it? We’ll need solutions that can secure code as it’s being written.

AI code generation is already mainstream: Cursor, Claude, OpenAI Codex, Gemini, Devin, and even our own Bittensor subnet, number 62. If any of these solutions truly succeed, they introduce a second-order problem that many people haven’t fully recognized yet: security. There are some players in this space, like XBOW in automated penetration testing, which recently ranked number one on HackerOne, but there’s still no clear leader in either Web2 or blockchain. Audits are often driven more by marketing than by performance, and developers know that audits don’t guarantee protection from hacks.

That’s where Bitsec comes in.

Returning to Bittensor and Bitsec V1: I built an AI audit tool and quickly realized there was no objective benchmark to compare solutions. V1 was designed to create a performance leaderboard. V1 was successful as a proof of concept. We found many vulnerabilities, some after exploits occurred (like Bittensor’s PyPI exploit), and some before they were exploited. For example, on the Fish subnet (SN51), we identified GPU-based attacks. After sharing the report, a miner exploited a vulnerability described in our document in under two hours.

Another example is the Cetus protocol on Sui, which was hacked for $250 million. We identified the vulnerability after the hack, but if the protocol had been audited beforehand, it could have resulted in a multi-million-dollar bug bounty. What’s particularly interesting is that Sui uses the Move programming language, which is entirely outside the training sample, demonstrating strong generalization by the AI.

The conclusion of V1 was clear: yes, we can find exploits.

With V2, launched last week, we completely re-architected the system around a Ridges-style approach. Miners submit agents that are evaluated against a smart contract audit benchmark built from real-world audit challenges. These benchmarks are critical because they act as a proxy for quality. If agents perform well, they can then participate in real audits and paid bug bounties.

Ultimately, the final product will be a GitHub workflow: you submit a repository or a pull request, Bitsec agents analyze the code, and a report is generated. The customers will be developers, often not security experts, or even non-developers who “vibe-coded” a project. Rigorous benchmarking is what allows them to trust the tool.

Long term, our goal is to secure all code, not just blockchain code. For Q1 next year, our priority is to reach state-of-the-art (SOTA) performance with our agents, then build the product, the GitHub workflow, and actively participate in audit challenges.

The current team consists of myself, one extremely talented developer, and one marketing lead. We’ll likely hire a COO to manage the increasing operational workload.

From an investment perspective: the cybersecurity market is worth $200 billion, with $1.5 billion attributed to blockchain security in 2025, yet $2.5 billion was hacked in that same year. Our revenue model has two pillars: paid services (the GitHub workflow) and earnings from audits and bug bounties.

We are fully bootstrapped, no equity fundraising and no OTC deals. All value created accrues directly to the alpha token, benefiting miners and investors alike. The capital structure is clean and simple.

Bitsec isn’t just a security project, it’s an ecosystem. Thanks to Bittensor’s incentive mechanisms, this model can extend to other security domains: Web2 vulnerabilities, pentesting, model jailbreaking, and more.

In short, this is the right market at the right time. Our team is solid, our approach is defensible, and the need is obvious: if AI generates ten times more code, and a large portion contains vulnerabilities, then that code must be secured.

Thanks again for your support. Feel free to ask questions on Discord or Twitter, and check out the articles on the Bitsec AI X account. See you soon.

Links:

Website: bitsec.ai

X account John Yu (Founder): @yubrew

Yuma Group: @YumaGroup

Taostats: taostats.io/subnets/60/chart
