In the enterprise, fraud and cybersecurity are often stove-piped, run as different teams with different tools, even though cybercriminals are increasingly vertically integrated and digitally sophisticated in their malice. They use bots to push child pornography and AI-generated profiles into target networks; they swamp software with alerts that drain stretched resources and let other intrusions go undetected; they use breached passwords and social engineering to take over accounts. The money they steal along the way is eye-watering.
A PwC survey of 1,200+ executives this year found that they had lost $42 billion to fraud. That is pocket change compared to the trillions the UN believes are stolen annually, in a form of crime for which only a negligible number of perpetrators will ever be prosecuted. (Losses due to payment fraud alone may exceed $343 billion between 2023 and 2027.)
Alisdair Faulkner has been at the coal face of this problem for a long time. ThreatMetrix, the company he co-founded and then ran product development for, grew into a $100m ARR player in the fraud detection industry, protecting one billion accounts across four billion devices for the world's largest banks and brands, before being acquired by LexisNexis for some $830 million in 2018.
As he puts it bluntly: “At large enterprises you typically have one organisation responsible for trying to protect [against] automated attacks, like attempts to guess passwords. Then, on the other side, you have fraud prevention [checking] people trying to buy stuff… the problem is that the layers are disconnected; but fraud and [cybercrime] have adapted, and most organisations’ ability to adapt with it is non-existent.”
The Australian entrepreneur is now back with a new startup called Darwinium, which aims to merge fraud and security systems by building detailed digital footprints of customers across applications, the browser and beyond, while pushing much of the compute needed to do so back onto attackers themselves: initial checks and analysis run in the browser, and the next layer runs at the Content Delivery Network (CDN) edge.
That has been made possible in large part by an engine built from the ground up in Rust and compiled to WebAssembly, an open standard for running sandboxed binary programs in browsers (and, increasingly, on servers) at near-native speed.
Darwinium this month raised $10 million in a Series A funding round from VC firms Airtree and Blackbird.
Faulkner believes that Darwinium can integrate cybersecurity and fraud detection tooling (reducing cost) and help customers, whether in banking, gaming, ecommerce or beyond, tackle “a tsunami of digital robots probing for weaknesses in our infrastructure, applications, financial systems and identities”. Rather than merely flagging anomalies, the idea is to use those digital footprints to build digital signatures, and even identities, from automation markers, biometrics, devices, locations, digital content and user profiles, all running at the edge.
We’re making Darwinium The Stack’s latest “One to Watch” – a startup selected every month (when we find one we like) that The Stack believes has the potential to become an important part of the enterprise IT stack.
What is Darwinium?
Darwinium aims to build a complete “signature” for every digital interaction.
The cloud-native Darwinium (large customers may be able to deploy it in their own Kubernetes cluster, company collateral suggests) works by integrating with customer-facing applications across each of their delivery channels: web, API, Android and iOS apps, and the CDN (edge network). It uses the worker model, the Web Workers-style edge runtimes adopted by all major content delivery and cloud infrastructure providers including Cloudflare, AWS, Akamai and Fastly, to process traffic in a way that can execute customer-supplied code safely at packet scale.
Using WebAssembly and Web Workers lets it pull in third-party business and threat intelligence, machine learning and API orchestration at low latency, with that code confined to the WebAssembly sandbox rather than given the run of the host. (Mary Branscombe has a useful piece on the wonders of WebAssembly here. As she notes: “Think of it as a small, fast, efficient and very secure, stack-based virtual machine that doesn’t care what CPU or OS it runs on, that’s designed to execute portable bytecode — compiled from code originally written in C, C++, Rust, Python or Ruby — at near-native speed. WebAssembly doesn’t only run in the browser: It started on the client, but is proving very useful on the server.”)
Speaking to The Stack, Faulkner emphasises that existing fraud detection orchestration engines have real issues: “Depending on the use case, you call out to different services. For onboarding, maybe a document check, or a KYC service; when someone's logging in, maybe an API call to a known compromised password list... it's basically orchestrating the various different APIs. Now, the problem with orchestration engines as they exist today is that they become the bottleneck, because the vendor has to update APIs when those APIs update.
“But with the way Darwinium’s architected, it's effectively a risk Operating System that customers can develop on themselves natively. We can actually run untrusted code on Darwinium and run it safely. That means that customers can build their own integrations and their own orchestrations… they can also run other fraud models from other [sometimes untrusted] systems in our environment securely; that’s the true game change.”
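What “running untrusted code safely” rests on, as an added illustration that is not Darwinium’s code (the host-side logic below is an assumption about how any WebAssembly host can be written, not a description of Darwinium’s runtime): a WebAssembly module can only reach the outside world through imports the host chooses to supply, so the host can enumerate every capability a guest asks for before it runs a single instruction and refuse anything off its allow-list. The two modules are hand-assembled minimal binaries; the WAT text each corresponds to is given in the comments.

```javascript
// Added example (not Darwinium's code): capability gating for an untrusted
// WebAssembly guest. Runs in Node or any browser; no imports needed.

// (module (func (export "add") (param i32 i32) (result i32)
//           local.get 0 local.get 1 i32.add))
const PURE_ADD = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,                   // magic + version
  0x01, 0x07, 0x01, 0x60, 0x02, 0x7f, 0x7f, 0x01, 0x7f,             // type: (i32,i32)->i32
  0x03, 0x02, 0x01, 0x00,                                           // one function of type 0
  0x07, 0x07, 0x01, 0x03, 0x61, 0x64, 0x64, 0x00, 0x00,             // export "add" = func 0
  0x0a, 0x09, 0x01, 0x07, 0x00, 0x20, 0x00, 0x20, 0x01, 0x6a, 0x0b, // local.get 0/1; i32.add
]);

// (module (import "env" "log" (func (param i32)))
//         (func (export "run") i32.const 42 call 0))
const NEEDS_LOG = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,
  0x01, 0x08, 0x02, 0x60, 0x01, 0x7f, 0x00, 0x60, 0x00, 0x00,       // types: (i32)->(), ()->()
  0x02, 0x0b, 0x01, 0x03, 0x65, 0x6e, 0x76, 0x03, 0x6c, 0x6f, 0x67, 0x00, 0x00, // import env.log
  0x03, 0x02, 0x01, 0x01,                                           // one function of type 1
  0x07, 0x07, 0x01, 0x03, 0x72, 0x75, 0x6e, 0x00, 0x01,             // export "run" = func 1
  0x0a, 0x08, 0x01, 0x06, 0x00, 0x41, 0x2a, 0x10, 0x00, 0x0b,       // i32.const 42; call 0
]);

// Enumerate every capability the guest asks for, before running any of it.
function requiredImports(bytes) {
  const mod = new WebAssembly.Module(bytes);
  return WebAssembly.Module.imports(mod).map(i => `${i.module}.${i.name}`);
}

// Instantiate only if every requested import is one the host offers.
// Returns { ok, instance, denied } so the caller can log what was refused.
function instantiateGuest(bytes, hostImports) {
  const mod = new WebAssembly.Module(bytes);
  const offered = new Set();
  for (const [m, fields] of Object.entries(hostImports)) {
    for (const f of Object.keys(fields)) offered.add(`${m}.${f}`);
  }
  const denied = WebAssembly.Module.imports(mod)
    .map(i => `${i.module}.${i.name}`)
    .filter(name => !offered.has(name));
  if (denied.length > 0) return { ok: false, instance: null, denied };
  return { ok: true, instance: new WebAssembly.Instance(mod, hostImports), denied: [] };
}

// Walk-through: a pure guest runs with nothing; a guest that wants env.log
// is refused until the host explicitly hands that capability over.
function demo() {
  const add = instantiateGuest(PURE_ADD, {}).instance.exports.add;
  const refused = instantiateGuest(NEEDS_LOG, {});
  const seen = [];
  const granted = instantiateGuest(NEEDS_LOG, { env: { log: v => seen.push(v) } });
  granted.instance.exports.run();
  return { sum: add(2, 3), refusedDenied: refused.denied, logged: seen };
}
```

Without the gate, instantiating NEEDS_LOG with an empty import object would throw a WebAssembly.LinkError, which is the same property expressed as a crash rather than a policy decision. The sandbox bounds memory and control flow, not CPU time or cache side channels, so a multi-tenant host still needs execution limits and per-tenant isolation on top of this allow-list.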
As Faulkner puts it: “This technology [WebAssembly] enables our decision engine to be portable across essentially any environment. [That’s important because] let's say that you're trying to screen for images…
“For example you have an ecommerce marketplace and people upload a profile – or you’re a bank that needs to match a selfie image against the driver's licence. What we're seeing here is a big asymmetric challenge. We've seen in some banks, that what's happened is crime gangs will upload the selfie images, and you can tell they all look the same. They're not even trying to fool the authentication method, they're just trying to drain your fraud budget, knowing that you have no way of processing this image. When you do a call off to a Jumio or LexisNexis, that's going to cost you a buck every time. A similar type of problem is image analysis”, he adds.
“Organisations also have problems where members can send [illegal] images to each other, or with marketing automation companies sending emails on other companies' behalf [that get full of] crypto spam.
“But because Darwinium can run in a browser, or on your edge within your CDN, you can do image recognition in the browser, prior to someone even uploading it. If someone's trying to attack you, you use their compute to do the first level of image analysis (we have a similarity matching engine that works across devices, images, texts, names, addresses, that can be matched in real time) – then the next level analysis can happen at the CDN layer.”
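The kind of first-level check that can run in the uploader’s browser, as an added example: this is not Darwinium’s similarity engine but a standard difference hash (dHash), and the 9×8 input size, the 10-bit threshold and the synthetic test patterns are assumptions of the example. A near-duplicate selfie is dropped before the upload ever reaches a paid vendor call.

```javascript
// Added example (not Darwinium's engine): dHash near-duplicate screening.
// Input is the 9x8 RGBA buffer a browser would produce with
//   ctx.drawImage(img, 0, 0, 9, 8); ctx.getImageData(0, 0, 9, 8).data
const W = 9, H = 8;

// Rec.601 luma; alpha ignored.
function toGray(rgba) {
  const gray = new Array(W * H);
  for (let i = 0; i < W * H; i++) {
    const r = rgba[4 * i], g = rgba[4 * i + 1], b = rgba[4 * i + 2];
    gray[i] = Math.round(0.299 * r + 0.587 * g + 0.114 * b);
  }
  return gray;
}

// 64-bit dHash as a BigInt: bit = 1 when a pixel is darker than its right
// neighbour. Relative comparisons survive brightness shifts and mild noise.
function dHash(rgba) {
  const gray = toGray(rgba);
  let hash = 0n;
  for (let y = 0; y < H; y++) {
    for (let x = 0; x < W - 1; x++) {
      const bit = gray[y * W + x] < gray[y * W + x + 1] ? 1n : 0n;
      hash = (hash << 1n) | bit;
    }
  }
  return hash;
}

function hamming(a, b) {
  let d = a ^ b, n = 0;
  while (d > 0n) { n += Number(d & 1n); d >>= 1n; }
  return n;
}

// Gate: reject an upload whose hash is within `threshold` bits of one seen
// recently; everything else proceeds to the (paid) vendor check.
function screenUpload(rgba, recentHashes, threshold = 10) {
  const h = dHash(rgba);
  const match = recentHashes.find(r => hamming(r, h) <= threshold);
  return match === undefined
    ? { action: "send_to_vendor", hash: h }
    : { action: "reject_near_duplicate", hash: h, distance: hamming(match, h) };
}

// --- Constructed inputs: synthetic 9x8 patterns standing in for selfies ---
function synthImage(fn) {
  const rgba = new Uint8ClampedArray(W * H * 4);
  for (let y = 0; y < H; y++) for (let x = 0; x < W; x++) {
    const v = fn(x, y), i = 4 * (y * W + x);
    rgba[i] = rgba[i + 1] = rgba[i + 2] = v; rgba[i + 3] = 255;
  }
  return rgba;
}
// Deterministic +/-2 noise (MINSTD LCG) so the example is reproducible.
function lcgNoise(seed) {
  let s = seed;
  return () => { s = (s * 48271) % 2147483647; return (s % 5) - 2; };
}
const noise = lcgNoise(7);
const selfieA      = synthImage((x, y) => 30 + 17 * ((7 * x + 3 * y) % 9));
const selfieBright = synthImage((x, y) => 50 + 17 * ((7 * x + 3 * y) % 9));            // +20 brightness
const selfieNoisy  = synthImage((x, y) => 30 + 17 * ((7 * x + 3 * y) % 9) + noise());  // +/-2 noise
const selfieOther  = synthImage((x, y) => 30 + 17 * ((5 * x + 4 * y) % 9));            // different pattern
```

Re-submitting the same face brightened or with sensor noise yields the same 64-bit hash, while a different pattern lands tens of bits away, so a threshold around 10 bits separates the two with room to tune. Two caveats a practitioner will want: dHash is defeated by crops, rotations and deliberate perturbation, so it is a cost filter rather than an authentication step; and the attacker controls the browser running it, so the same comparison has to be repeated at the CDN layer, as the quote above describes, before anything is trusted.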
Faulkner is keen to emphasise that Darwinium’s data and risk decision platform can “cater to almost any use case with custom code and models” to enhance risk decisions. The idea is to build “risk-defined networks” that extend AI beyond the device, with SDKs plugging directly into gateways, servers and access points to allow accurate classification down at the packet level for fine-grained control. All PII, regulated data and device information is processed within the enterprise environment before being analysed by Darwinium, the company notes, saying this will “close down a large source of angst for data leakage and supply chain risk compared to how data is shared with third-party fraud and identity intelligence solutions on the market today.”
He believes that the platform could also strip out a lot of customer friction.
“A lot of false positives happen precisely because security and fraud are disconnected. For example, security at the front end is trying to protect against automated attacks. The problem is that those automated attacks are typically looking at things like ‘what device is it coming from? What networks? Is it high velocity?’ but this doesn’t have any business context. It doesn’t capture if you’re a VIP or Gold customer, and that you should be given priority: it has no idea, it just sees you as any other device. The fact that you’re connecting from a hotel probably means systems will trigger a CAPTCHA or potentially block you, because security sees one perspective, fraud sees a different perspective, and none of them communicate with each other. If they were integrated your fraud solution would be telling your bot detection solution that ‘yes, this is unusual; they're coming from a different location; yes, this hotel network does generate a lot of bots; but we also know they responded to a campaign six months [ago]; they normally use that device and those credentials and nothing else seems askew.’”
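The hotel scenario in that quote, worked through as an added example that is not Darwinium’s decision engine: the same login request is scored first by a stand-alone bot-detection rule set and then by one that also sees the fraud team’s customer context. The signal names, weights and thresholds are assumptions of the example.

```javascript
// Added example, not Darwinium's code: one login request, two rule sets.

// Signals the bot-detection layer sees on its own: device, network, velocity.
//   networkBotShare  - share of recent traffic from this network (e.g. a hotel
//                      NAT) that was classified as automated
//   velocityPerMin   - login attempts against this account in the last minute
//   deviceSeenBefore - this device fingerprint has hit the site before
function botScore(req) {
  let score = 0;
  if (req.networkBotShare > 0.2) score += 40;
  if (req.velocityPerMin > 10) score += 50;
  if (req.velocityPerMin > 100) score += 50;
  if (!req.deviceSeenBefore) score += 25;
  return score;
}

function verdict(score) {
  return score >= 100 ? "block" : score >= 40 ? "challenge" : "allow";
}

// Security-only view: business context is invisible here, so the hotel
// network alone is enough to throw a CAPTCHA at a good customer.
function standaloneDecision(req) {
  return verdict(botScore(req));
}

// Fraud-side context the bot layer never had: who the customer is, which
// devices and credentials they normally use, and prior engagement.
function integratedDecision(req, ctx) {
  const score = botScore(req);
  if (score >= 100) return "block";   // credential-stuffing velocity stays blocked
  const familiar = ctx.knownDevices.includes(req.deviceId) && req.credentialsMatchUsual;
  const engaged = ctx.daysSinceCampaignResponse !== null && ctx.daysSinceCampaignResponse <= 365;
  // A familiar device-and-credential pair on an unusual network is a
  // travelling customer, not a bot; a known-good customer gets headroom
  // before any challenge is raised.
  if (familiar && (engaged || ctx.tier === "gold")) return "allow";
  return verdict(score);
}

// Constructed scenarios (illustrative values, not real telemetry).
const goldCustomer = {
  tier: "gold",
  knownDevices: ["dev-7f3a"],
  daysSinceCampaignResponse: 180,
};
// Usual device and credentials, from a hotel network that emits a lot of bots.
const hotelLogin = {
  deviceId: "dev-7f3a", deviceSeenBefore: true, credentialsMatchUsual: true,
  networkBotShare: 0.35, velocityPerMin: 1,
};
// Same network, device the customer has never used: context does not vouch for it.
const unknownDeviceLogin = { ...hotelLogin, deviceId: "dev-0000", deviceSeenBefore: false };
// Same network at stuffing velocity: neither rule set lets this through.
const stuffingLogin = { ...unknownDeviceLogin, velocityPerMin: 250 };
```

The point is not the particular weights but that the second function has inputs the first cannot obtain from packets alone. In practice the signal should flow both ways, with the bot layer's velocity and network reputation feeding the fraud model as well, so that a familiar device seen from an unfamiliar network at stuffing rates is still stopped.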
Slow-moving large companies of the sort Darwinium is going after will take some persuading, and a lot of lifting the hood and checking the mechanics: do you have to manually configure a ton of SDKs? How robust is the security itself? Darwinium has brought in a strong executive team, many with extensive experience from LexisNexis, which may reassure prospects at that first step.
Configuration meanwhile can be as quick as 15 minutes, Faulkner claims, adding: “For web-based and API interactions the system automatically performs profiling with no additional overhead needed... For mobile apps we provide SDKs that provide additional profiling enrichment. Integrating these involves a small code change on the customer’s side. Otherwise, Darwinium can easily ingest your existing fraud and threat intelligence signals. In 15 minutes, you can be safely monitoring with a 'fail open' approach that leverages your existing CDN investments by simply configuring Darwinium with your existing CDN account credentials.”