
How North Korea's 6-month-long secret espionage program has crypto community rethinking security

The $270M Drift exploit revealed a six-month North Korean social engineering operation involving fake identities and in-person meetings, forcing the DeFi industry to rethink security beyond code audits to include human and operational risks.

When Drift disclosed the details behind its $270 million exploit, the most unsettling part wasn’t the scale of the loss — it was how it happened. According to the team behind the protocol, the attack wasn’t a smart contract bug or a clever piece of code. It was a six-month campaign involving fake identities, in-person meetings across multiple countries and carefully cultivated trust. The attackers, allegedly linked to North Korean intelligence, spent half a year embedding themselves in the protocol’s ecosystem before finally striking.

This new threat is now forcing a broader reckoning across decentralized finance. For years, the industry has treated security as a technical problem, something that could be solved with better code. But the Drift incident suggests something far more complex: that the real vulnerabilities may lie outside the codebase altogether.

Alexander Urbelis, chief information security officer (CISO) at ENS Labs, argues the framing itself is evolving. If that characterization holds, then Drift represents a new playbook: one where attackers behave less like hackers and more like intelligence operatives.

The tactics themselves aren’t entirely new. Investigations in recent years have shown North Korean operatives infiltrating crypto firms by posing as developers, passing job interviews and even contributing to open-source projects for months before executing a theft.

'The Achilles' heel'

That shift is what has many security leaders most concerned. Even the most rigorously audited protocols remain vulnerable to social engineering and internal threats. David Schwed, chief operating officer of SVRN and a former CISO at both Robinhood and Galaxy, sees this as the industry’s 'Achilles' heel.'

Many DeFi teams remain small, fast-moving and built on trust. But when a handful of individuals control the keys to hundreds of millions of dollars, that trust becomes a massive liability. Schwed argues that the response needs to be updated.

Some protocols are already adjusting. At Jupiter, one of Solana’s largest DeFi platforms, the baseline for security is shifting toward 'holistic protocol health.' That broader surface now includes governance, contributors and operational security. Jupiter has expanded its internal security team and implemented more rigorous background checks for key contributors. Even then, he added, “there is no end-state for security” and complacency remains the biggest risk.

For protocols like dYdX, the Drift incident reinforces a reality that can’t be engineered away entirely. That evolving threat model is also shifting responsibility toward users themselves. “Users who are active in DeFi should take the time to understand the technical architecture of protocols and the operational security of the teams behind them,” a spokesperson for dYdX said.

'Threat model'

For some founders, the Drift exploit underscores a more uncomfortable conclusion: that trust itself is a bug. In practice, that means designing systems that assume compromise — not just bugs.

That mindset is becoming central to how DeFi approaches security. Schwed of SVRN says it starts with redefining the threat model. In that sense, the Drift exploit may be remembered less for the funds lost than for what it revealed about the limits of technical security in a decentralized world.
