Kevin Gosschalk wants to make cybercriminals give up their day jobs, so occasionally he hires them.
“Yes these people are doing the wrong thing, but they are a force of nature,” the 33-year-old says of the nefarious netizens he battles at his Arkose Labs, whose success has won him a place on the Financial Review Young Rich List, with an estimated wealth of $137 million.
Arkose’s software aims to identify fraudsters who are using bots and stolen credentials to hack into online accounts, then seeks to frustrate their progress enough to destroy their return on investment.
“Cybercriminals work longer hours than any security team does, they’re more entrepreneurial than most people who call themselves entrepreneurs. Their life is like ‘How do I get in and make money out of this?’, so we on the defence side need to be just as passionate,” Gosschalk says.
Founded in 2016, the California-headquartered business has attracted clients such as Microsoft and PayPal, which are also among the investors to have poured in $180 million and fuelled revenue growth of 1480 per cent in 2021-22.
That funding also helped Gosschalk this year audaciously create the role of “chief criminal officer” at Arkose, and fill it with Brett Johnson, one of the world’s most infamous cybercriminals. Johnson was dubbed “the original internet Godfather” by the US Secret Service in 2007, when he was on their most-wanted list as a leader of ShadowCrew, a precursor to today’s Darknet.
“It’s such a unique opportunity for us and our clients to be able to ask questions to somebody who’s been on the other side of the fence,” Gosschalk says of Johnson, who, after pioneering most modern forms of cybercrime, reformed as a security consultant last decade, after serving nearly eight years in prison.
“To disrupt a hacker you need to know their thinking and their business model, and Brett understands that like nobody else.”
Gosschalk’s path to founding and running a headline-grabbing Silicon Valley cybersecurity start-up has been circuitous.
While studying games design at the Queensland University of Technology, Gosschalk had specialised in computer vision – the field of artificial intelligence that aims to build machines that can process, analyse and interpret visual data like humans can.
He was employed by QUT for four years after completing his degree, first helping its biomedical institute develop an early detection system for diabetes by mapping images of patients’ eyes, then building an immersive “touch floor” game to help socialise adults with intellectual disabilities.
A gamer himself, Gosschalk was getting increasingly frustrated at how often his gaming accounts would be hacked, forcing him to reset his passwords, and at other gamers’ cheating by using performance-enhancing bots and scripts that a game’s administrator had not detected.
These bad actors are meant to be blocked by “CAPTCHAs”: those tests of image or pattern recognition that are supposed to determine whether a user is human or robot. However, as Gosschalk worked on a start-up that was trying to sell branded games on the pages where these CAPTCHAs appeared, he realised many of them didn’t work.
“The problem with character recognition tests, or those ones where you have to click which squares have a picture of traffic lights in them or whatever – these are valuable problems for a computer to be able to solve in all sorts of scenarios, so there are off-the-shelf bots available to hackers that can beat them,” Gosschalk says.
“In my career to that point, I’d been building computer vision software that could recognise motion and human behaviour, but the original thesis for Arkose was the reverse – it was to find a test that machines can’t do, and for which there’s no commercial value in building a bot for, outside of beating that particular CAPTCHA test itself.”
Gosschalk knew that understanding the movement of three-dimensional objects was one of the biggest challenges in computer vision. He built challenges that were easy for humans – such as rotating a 3D render of a piglet to an orientation specified by a 3D arrow in another panel – but which most bots find impossible.
With some funding from the Brisbane Angels syndicate, he struggled for months to get interest in Arkose’s solution from Australian clients.
“The size of the problem here is just not what it is in the US,” Gosschalk says.
The breakthrough came in 2017 when Kik, a then-popular instant messaging app from Canada, reached out to Arkose “in desperation” after a spate of its users’ accounts were hacked.
Using a suite of traffic classification tools – “we can tell if you’re coming from a cheap ISP in Russia,” Gosschalk says – Arkose was able to vastly reduce Kik’s rate of “false positives”, where a genuine user suffers the inconvenience of facing a CAPTCHA.
Then its CAPTCHA challenges, which compete against Google’s “reCAPTCHA” system, were able to siphon off most of the would-be fraudsters’ bots. Even if a human fraudster passes an Arkose CAPTCHA, they still won’t be let in if the rest of their “behavioural biometrics” are deemed suspicious enough – the use of a disposable domain in their email address, for instance.
“You raise the adversary’s cost and effort higher than their profit margin, and they stop,” Gosschalk says.
Arkose’s clients now include Roblox, Adobe, Dropbox and Snapchat, and its founder is hoping more big names will be attracted by last year’s introduction of a $1 million warranty for clients who still suffer a “credential stuffing” attack – one in which credentials obtained from a data breach on one service are used to attempt to log in to another unrelated service.
Gosschalk had no shortage of meeting requests on a visit back to Australia earlier this month, in the wake of the Optus data theft. Arkose could not have prevented the hack – its software is not involved in network security – but its policing of sign-ups and log-ins could reduce the fallout.
“Usually, adversaries have a spray-and-pray approach but here they have very clean, Australian-centric data on half the Australian population, so they know any Australian business is fair game,” he says. “The Australian banks’ breach rates are going to go up dramatically because of this.”
Gosschalk won’t disclose Arkose’s revenue or at what valuation its last funding round – a $US70 million Series C led by SoftBank and Wells Fargo in May 2021 – was struck. The Financial Review Rich List research team estimated Gosschalk’s paper wealth by relying on the valuations and founder dilution rates experienced by comparable software-as-a-service scale-ups.
Gosschalk does share that some of Arkose’s early investors, which include Brisbane Angels stalwart Richard Moore, have made more than 100 times their money.
Arkose’s success has also been good for employment in Brisbane. Thanks to the federal government’s research and development tax breaks, nearly half of Arkose’s 200 staff globally are based in an engineering hub in Gosschalk’s home town.