BlockSec CEO Zhou Yajin unveils Web3 security: Private Key protection, transaction risks, and authorization mechanisms
The Guardian of the Encryption World - Interview Record with BlockSec CEO Zhou Yajin
Host: Alex, Research Partner at Mint Ventures
Guest: Zhou Yajin, CEO of blockchain security company BlockSec
Recording time: 2025.3.28
BlockSec's service scope and target customers
Alex: In this episode, we are going to talk about a topic that is closely related to everyone, which is the security of the encryption world. Before we encounter real risks, we often think that we will not become victims of security incidents in the news. How to build a firewall for our assets and invest in a safe environment is a mandatory topic before we start our encryption journey. In this episode's podcast, we have invited Zhou Yajin from BlockSec to discuss the topic of encryption security with us. Please, Teacher Zhou, say hello to us.
Zhou Yajin: Hello everyone, I am Zhou Yajin, currently the CEO at BlockSec. I am also a researcher in cyberspace security at Zhejiang University. It’s a pleasure to meet you all.
Alex: Okay, let's get into today's main topic. I believe many listeners may not be very familiar with security companies and services in the blockchain space. Teacher Zhou, could you please introduce BlockSec to us? What kind of services do you provide, and what kind of people or institutions become your clients?
Zhou Yajin: Okay, BlockSec is a Web3 security company that was established in 2021. When it comes to Web3 security, the first thing that might come to mind is security audits. In fact, BlockSec's scope of business is not limited to security audits; we also offer a range of other security products and services. Specifically, our services can be divided into three major areas. The first area we call security for on-chain protocols. On-chain protocols refer to smart contracts deployed on the blockchain for activities such as DeFi, NFTs, or other operations. How can we ensure the security of these contracts? BlockSec provides security auditing services and security monitoring products. The second area we focus on is asset security. Asset security concerns the assets that users hold, whether in their contract wallets or invested in on-chain protocols; ensuring the security of these user assets is also one of BlockSec's service areas. The third area is compliance and regulation. We have noticed that an increasing number of traditional financial institutions are entering the crypto industry. Recently, we have seen news that traditional banks in the United States are issuing stablecoin assets on-chain, and cryptocurrencies are entering the cross-border payment industry. The entry of these traditional financial institutions into the industry has posed a challenge for regulators, as regulatory bodies are unsure how to regulate, while these institutions are also uncertain about how to comply. Therefore, we are also helping regulatory agencies to oversee these players entering the crypto industry, or assisting traditional institutions entering the crypto industry with compliance. This is the scope of our business.
Our clients cover a wide range. What everyone can think of are projects that do decentralized finance on the chain or other services, such as platforms that provide lending on the chain and platforms for decentralized trading. These project parties are our clients. We can help them conduct security audits from a security perspective before deploying their smart contracts on the chain, reviewing whether their developed smart contracts have security vulnerabilities. If there are security vulnerabilities, they need to be fixed in a timely manner. Additionally, once their protocols are deployed on the chain, we will have a 7×24 hour monitoring platform to monitor the security risks of their protocols. If any security risks occur, our platform can promptly notify the protocol and automatically block risks and attacks. Therefore, developers and project parties who deploy smart contracts on the chain are a typical category of our clients. The second typical category of clients is asset holders, possibly some high-net-worth clients who have assets in contract wallets or who invest in some protocols on the chain. Our services and products can help them better monitor the security of the protocols they are investing in. Just like the front and back of a coin, from the perspective of the protocol project parties, we can help them improve the security of their protocols. From the perspective of high-net-worth clients investing in their protocols, we can help them monitor the security of the protocols they invest in. Once a protocol they invest in has security risks, such as being attacked, they need to be able to withdraw their funds immediately. The third category of clients is the regulatory and compliance ones I just mentioned. This category mainly includes regulatory agencies, such as the Hong Kong Securities and Futures Commission, which is also our client, and some overseas law enforcement agencies that need to investigate digital currency crimes. They need to use our tools and platforms to facilitate evidence extraction, fund tracing, and other investigative activities. This basically summarizes our overall business and the scope of our clients.
Three suggestions on encryption security
Alex: Understood, just now Teacher Zhou talked about customer types, what their needs are, and a general situation of the industry. So the second question may be more related to individual investors, especially since many of our audience are newcomers to Web3 who are learning and trying to invest. If you have a friend who has just entered the encryption investment field and knows that you provide encryption security services, what three pieces of advice would you give him about encryption security?
Zhou Yajin: This question is very good. My friends often ask me for security advice as they also want to enter this industry, but they have heard that many people seem to encounter some risks. We used to have a joking saying: if you enter the Crypto circle and haven't been phished or scammed, you won't become a seasoned player in this field. Of course, this is a joke, but you can indeed find that there are many risks in this industry. If I were to give three pieces of advice, the first one that everyone would definitely think of is about private key protection. In the Crypto field, how to prove you own these funds is actually by using the private key you possess to prove your ownership of the account. The private key is a string of numbers, and it is not linked to your personal identity in any way. Once this string of numbers is lost or leaked, others can have the same control over your funds as you do. This is very different from our real world. In the real world, if your bank password is leaked, you can call the bank to freeze your account, and others cannot withdraw money. However, in the Crypto world, if your private key is leaked, the person who has your private key can transfer your funds from your account without restrictions. Generally speaking, there are several ways to protect your private key, such as using a hardware wallet, a contract wallet, or a mobile app to protect the private key. Each method has its own advantages and disadvantages. Based on my own experience and the overall experience of some security friends around us, the basic principle is to take the mnemonic phrase of the private key, write it down, and put it in a safe, whether this safe is in your own home or in the bank. Store it well and do not touch it; basically, you won't need it. Then use a relatively trustworthy device, whether it's a hardware wallet or a phone, to store your private key. This phone must be a dedicated device; do not engage in any other operational activities, just use it to manage your digital assets. This is the first piece of advice. The second piece of advice is to always have a sense of security and risk awareness when trading on-chain. Essentially, just remember one thing: there is no such thing as a free lunch. We find that when trading on-chain, users face significant phishing risks. Many well-known KOLs and OGs in the crypto circle have encountered phishing attacks and lost a lot of funds. If an unknown website asks you to connect your wallet to receive so-called airdrop rewards, you need to be very careful and always have a safety awareness. The third piece of advice is that you need to have a basic understanding of encryption assets. Basic knowledge refers to the concept of authorization in encryption assets. This is different from traditional finance. For example, if you own a type of digital asset, USDT or USDC, through on-chain signatures you can authorize the asset to a contract or other users to use it. Such authorization only requires you to sign a bunch of incomprehensible things through your wallet. Therefore, when signing wallet signatures, if you do not understand or are deceived into signing an authorization transaction, others can use all your digital assets. So you need to have some basic understanding of authorization so that you won't mistakenly sign such transactions when signing wallet signatures. In summary, the basic advice is: first, protect your private key and provide some actionable methods; second, always be cautious during on-chain transactions, be aware of security, and avoid phishing; third, have a basic understanding of the Crypto authorization mechanism so that you won't mistakenly sign some authorization transactions.
Alex: I actually have quite a few high-net-worth friends around me, and they are also OGs or veterans in the industry. Logically speaking, they have some level of the security awareness you mentioned, but every year I hear about some wealthy individuals getting robbed. There’s a saying in the industry that if a professional hacker has set their sights on you and knows that your wallet has funds, if they use all available resources, it’s often very difficult to escape. Do you think there’s some truth to this? Is it really like that?
Zhou Yajin: Your question is excellent. In fact, security issues, especially those related to encryption security, are essentially an unbalanced confrontation. If your wallet contains a significant amount of assets, you can easily become a target for directed attacks. Once you become a target for others, they will use a lot of resources, whether it is social engineering resources, technical resources, or other resources, to design targeted attack methods based on your daily behavior patterns, lifestyle habits, etc. In this situation, it cannot be said to be a hundred percent, but the difficulty of your defense is very high, because others are using a lot of resources against you, while you only have yourself. Therefore, it is a very asymmetric confrontation. Under such circumstances, I think the basic principle is that there is a saying among us Chinese: 'wealth should not be revealed,' meaning you should not publicly disclose the assets you possess and avoid leaking the relationship between your personal offline identity and your on-chain asset identity. The second point is that even if you are a high-net-worth user, who may have already been leaked by others, you need to isolate your assets as much as possible. This means that the assets you regularly operate with should be in a dedicated wallet that contains at most 100,000 yuan, so that if someone targets you, they can only deceive you out of this 100,000 yuan at most. Your other substantial assets should be placed in a wallet that you generally do not need to access. If you need to use these assets, you should seek help from security experts to review a better operational process and standards, which can help avoid significant risks.
The three security incidents that left the deepest impression
Alex: Understood, this suggestion is indeed very important. Could you share with us the three most impressive security incidents you've encountered since you started your career? They could be experiences you've personally gone through, or those of friends around you, or some observations you've made.
Zhou Yajin: I can share with you some security incidents that we have personally dealt with and left a deep impression on me. The first example I remember is in mid-February 2023, when a protocol on the blockchain was attacked. It is a platform that combines lending with other functions. This protocol had a security vulnerability, and hackers exploited this vulnerability, approximately