Profile / Web3 Security
Fernando Reyes
The founder building an immune system for Ethereum - and the operator hackers least want to hear is looking for them.
FDR on the Flywheel podcast. The caption read: "I'll find you."
The founder building an immune system for Ethereum - and the operator hackers least want to hear is looking for them.
Drosera is the genus name for the sundew - a carnivorous plant that sits still until something lands on it, then closes. Fernando Reyes named his company after it on purpose.
Reyes, who signs everything as FDR, is the founder and CEO of Drosera Network, a decentralized incident response protocol for Ethereum. The pitch is biological: most security in crypto is a wall you hope holds. Drosera is an antibody that activates the moment a protocol shows signs of being attacked. The mechanism is called a Trap - a customizable Solidity smart contract that watches on-chain data and fires an emergency response when something looks wrong. Protocols deposit funds into Traps, independent operators run the Drosera client, and the network reacts faster than any human committee could vote. In February 2025 the company closed a $4.75M round led by Greenfield Capital, with Anagram, Paper Ventures, Arrington Capital, UDHC and Pulsar joining. By then more than twenty-five protocols had already committed to the testnet, among them Ion Protocol, EtherFi and Gravita. Then mainnet went live. The immune system was no longer a metaphor.
Traditional monitoring tells you the building is on fire. Drosera is closer to a sprinkler that arms itself, watches for smoke, and douses a single room - automatically, on-chain, with no one waiting for a multisig to wake up.
A protocol writes a Trap - a Solidity contract encoding its own security parameters. →
It deposits funds into the Trap, creating an incentive for operators to watch it. →
Independent operators run the Drosera client, monitoring on-chain data for risk. →
On a detected breach, the response fires automatically - the antibody closes.
Exposed an Advanced Persistent Threat tied to North Korea's Lazarus Group operating in the Russian Far East, using blockchain forensics and OSINT.
A London-based effort run in collaboration with British authorities.
Tracked a developer behind fraudulent tokens through OSINT and GitHub forensics.
Before Drosera traps the exploit, Groom Lake hunts the people behind it. Reyes founded the firm and staffed it with former US military and intelligence personnel skilled in offensive security, forensic investigation and what he openly calls psychological warfare. The team can be on the ground almost anywhere on earth within a day.
The name is a tell. Groom Lake is the codename for the airfield the world knows as Area 51 - a place that officially does not exist. The firm's product line reads the same way: REAPER, a real-time threat feed for whales and VIPs, sits alongside Drosera in the catalog.
The resume is unusually literal about where the instincts came from. Reyes did not pivot into security from product - he carried military doctrine into DeFi and never put it down.
Served with the Army's Cyber Protection Brigade - Linux systems analysis, threat hunting and cyber threat emulation for the Department of Defense.
Provided security advisory services and mentored technical teams on secure development.
Led secure deployment for DeFi products and built hybrid Web2/Web3 monitoring to surface exploits early.
Stands up a Web3 security firm modeled on military rapid-response units.
Greenfield Capital leads; 25+ protocols already on testnet.
Traps ship to production. Ethereum's immune system comes online.
It is a nickname, not a press release. And it is the kind that follows you whether you want it or not.
The phrase comes from the way Reyes runs incidents. In interviews he describes a typical Groom Lake response measured not in weeks but in hours. "48 hours is long for us," he has said. "Normally it's 24." The goal is to move faster than the launderer - to trace, freeze and recover before stolen funds disappear into mixers and bridges. When it works, the public sees a quiet headline about an arrest. What it does not see is the OSINT, the blockchain forensics and the exchange coordination that got there first.
His threat model is blunt. "When you look at the typical perpetrator," he has said, "it comes down to either an insider threat or a nation-state actor." That framing explains a lot about Drosera. If the people attacking DeFi are organized, patient and state-backed, then a security model built on hope and a pause button is not a security model at all. You need something that reacts at machine speed and does not need permission. You need an immune system.
The two companies are really one idea seen from two sides. Groom Lake is the human reflex - operators, intelligence tradecraft, a team that shows up. Drosera is the automated reflex - code that watches the chain and closes the trap without a human in the loop. One finds the attacker after the fact. The other tries to make the attack pointless in the first place. Both borrow the same doctrine Reyes learned in uniform: layered defense, least privilege, rapid response, and the assumption that a determined adversary is already inside.
He is also practical about the boring stuff that actually saves people. Use an authenticator app, not SMS. Assume least privilege everywhere. Have an incident plan before you need one. For all the talk of psychological warfare and shock and awe, the everyday advice is the kind any good security officer would give - which is the point. The theatrics get the headlines; the fundamentals do the work.
There is a reason the immune-system analogy keeps coming back. An immune system does not negotiate, does not wait for a vote, and does not care whether the threat is famous. It recognizes a pattern and responds. Drosera is an attempt to give that reflex to software that, until now, has mostly relied on humans noticing in time. The history of DeFi is a long list of people not noticing in time - more than 3,700 protocols have been exploited, billions of dollars gone in transactions that cleared in seconds. A pause button is only as fast as the person whose finger is on it, and attackers count on that lag. Reyes is trying to delete the lag.
"48 hours is long for us, normally it's 24."
On Groom Lake response time"When you look at the typical perpetrator, it comes down to either an insider threat or a nation-state actor."
On who actually attacks DeFi"This funding will enable us to scale and push the boundaries of what's possible in protocol security."
On the road aheadMost crypto security gets sold the way insurance does - after something has already gone wrong, to people who wish they had bought it sooner. Audits happen once and go stale the moment the code changes. Bug bounties depend on a friendly hacker finding the hole before an unfriendly one does. Both are useful. Neither is awake at 3am when an oracle gets manipulated and a lending market drains in a single block.
Drosera's wager is that response belongs in the protocol itself, as a standing piece of infrastructure that every serious application runs by default - the same way they run a price oracle or a relayer. A Trap is not a report you read. It is a live contract with its own funds, its own watchers, and its own trigger. The "hidden security intents" framing matters here: a protocol can define how it wants to defend itself without broadcasting the exact tripwire to the very attackers studying it. You cannot easily route around a defense you cannot see.
That the round was led by Greenfield Capital - with Anagram, Paper Ventures, Arrington Capital, UDHC and Pulsar following, plus a roster of angels - says the thesis has buyers. So does the testnet list. When EtherFi, Ion Protocol and Gravita sign up before there is a mainnet, they are not buying a logo. They are betting that the next exploit is a matter of when, and that a reflex beats a regret.