When Drift revealed the details of his $270 million exploit, the most disturbing thing wasn’t the scale of the loss, but rather how it happened.
According to the team behind the protocol, the attack was not a smart contract bug or clever code manipulation. It was a six-month campaign involving fake identities, in-person meetings in multiple countries, and carefully cultivated trust. The attackers, apparently from North Korea, did not simply discover a vulnerability in the system; they made themselves part of it.
This new kind of threat is now forcing a broader reassessment across decentralized finance.
For years, the industry treated security as a technical problem, something that could be solved through audits, formal verification, and better code. But the Drift incident suggests something much more complex: The real vulnerabilities might lie outside the codebase entirely.
Alexander Urbelis, Chief Information Security Officer (CISO) at ENS Labs, says the framework itself is already outdated.
“We need to stop calling these ‘hacks’ and start calling them what they are: intelligence operations,” Urbelis told CoinDesk. “The people who showed up at conferences, who met in person with Drift contributors in several countries, who put down a million dollars of their own money to build their credibility: that’s craft. That’s the kind of thing you’d expect from a file manager, not a hacker.”
If this characterization holds, then Drift represents a new playbook: a model in which attackers behave less like opportunistic hackers and more like patient operators who integrate socially before acting on-chain.
“North Korea is no longer looking for vulnerable contracts. It’s looking for vulnerable people… This is not hacking. This is agent operation,” Urbelis added.
The tactics themselves are not entirely new.
Investigations in recent years have shown that North Korean agents infiltrate crypto companies by posing as developers, interviewing for jobs and even obtaining positions under false identities. But the Drift incident suggests that these efforts have intensified — from gaining access through recruiting pipelines to conducting in-person relationship-building operations for months before executing an attack.
“Achilles heel”
This change is what many security leaders are most concerned about. Even the most rigorously audited protocol can fail if a contributor is compromised.
David Schwed, SVRN’s chief operating officer and former CISO at Robinhood and Galaxy, sees the Drift case as a wake-up call.
“Protocols need to understand what they’re up against. These are not simple exploits. These are well-planned operations that last for months with dedicated resources, fabricated identities, and a deliberate human element,” Schwed told CoinDesk. “This human element is the Achilles heel of many organizations.”
Many DeFi teams remain small, scale quickly, and rely on trust. But when a handful of individuals control critical access, compromising one may be enough.
Schwed argues that the industry’s response needs to change. “The answer is a well-enforced security program that protects not only the technology, but also the people and processes…Security must be fundamental to the project and the team.”
Some protocols are already adapting. At Jupiter, one of Solana’s largest DeFi platforms, the foundation of audits and formal verification remains, but executives say it’s no longer enough.
“Clearly, securing code through multiple independent audits, open source and formal verification is just table stakes. The attack surface has expanded significantly,” said COO Kash Dhanda.
This broader surface now includes governance, contributors and operational security. Jupiter has expanded its use of multisigs and timelocks while investing in detection systems and internal training.
“Since flesh is more vulnerable than code, we are also updating Opsec training and monitoring for key team members,” Dhanda said.
Even then, he added, “there is no end state when it comes to security” and complacency remains the biggest risk.
For protocols like dYdX, the Drift incident reinforces a risk that cannot be entirely eliminated.
“It is an unfortunate reality that crypto projects are increasingly being targeted by state-sponsored bad actors… Developers should take precautions to prevent and mitigate the impact of social engineering compromises, but users should also be aware that given the increasing sophistication of bad actors, the risk of such compromises cannot be completely eliminated,” said David Gogel, COO of dYdX Labs.
This evolving threat model also shifts responsibility to the users themselves.
“Users active in DeFi should take the time to understand the technical architecture of the protocols or smart contracts that hold their funds, and should consider in their risk assessment the role and nature of any multisigs for software upgrades and the possibility that these could be maliciously compromised,” added Gogel.
“Threat Model”
For some founders, the Drift exploit underscores a more uncomfortable conclusion: trust itself has become a vulnerability.
“The Drift exploit was not a code vulnerability. It was a six-month intelligence operation that exploited human-to-human trust,” said Lucas Bruder, CEO of Jito Labs.
In practice, this means designing systems that anticipate compromised people, not just bugs.
“Smart contract audits are table stakes. The real attack surface is your team, your multisig signers, and every device they touch.”
This mindset is becoming central to how DeFi approaches security. SVRN’s Schwed says it starts by asking not only how a protocol works, but also how it might fail.
“Start with a threat model. Ask yourself how can I be exploited? If one of the project owners is compromised, what is the scope of this scenario?”
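Schwed’s question, together with Jupiter’s reliance on multisigs and timelocks and Gogel’s advice to assess upgrade multisigs, can be made concrete by listing who holds which keys and asking what one compromised person unlocks. The following is an added illustration, not code from any protocol named in this article; the team members, roles, thresholds and timelock delays are constructed sample values.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass
class Control:
    """A privileged action guarded by an M-of-N multisig and a timelock (hours)."""
    name: str
    signers: frozenset
    threshold: int
    timelock_hours: int


@dataclass
class Protocol:
    controls: list

    def reachable(self, compromised):
        """Actions an attacker holding the keys of `compromised` people could
        queue, mapped to the timelock delay defenders have to notice and react."""
        comp = frozenset(compromised)
        return {c.name: c.timelock_hours
                for c in self.controls if len(c.signers & comp) >= c.threshold}

    def single_points_of_failure(self):
        """Controls one person can trigger alone: the scope Schwed's question targets."""
        return [c.name for c in self.controls if c.threshold <= 1]

    def max_blast_radius(self, k):
        """Worst case: union of actions reachable when any k people are compromised."""
        people = set().union(*(c.signers for c in self.controls))
        worst = set()
        for subset in combinations(sorted(people), k):
            worst |= set(self.reachable(subset))
        return sorted(worst)


# Constructed sample team: 'alice' is an ops lead who can pause alone (hypothetical).
SAMPLE = Protocol([
    Control("pause_markets", frozenset({"alice"}), 1, 0),
    Control("upgrade_program", frozenset({"alice", "bob", "carol", "dan"}), 3, 48),
    Control("withdraw_treasury", frozenset({"alice", "bob", "carol"}), 2, 24),
])

if __name__ == "__main__":
    print("single points of failure:", SAMPLE.single_points_of_failure())
    for k in (1, 2, 3):
        print(f"any {k} people compromised ->", SAMPLE.max_blast_radius(k))
```

The useful output is the gap between k=1 and k=3: a threshold and a timelock bound what a single compromised contributor can do and buy time for detection, which is the whole argument for not letting a handful of people hold critical access.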
In this sense, the Drift exploit may be remembered less for the lost funds than for what it revealed: that DeFi’s biggest risks may no longer lie in the code, but in the people who manage it.