How North Korea’s 6-Month Secret Spy Program Is Making the Crypto Community Rethink Security

When Drift revealed the details behind its $270 million exploit, the most disturbing part wasn’t the scale of the loss — it was how it happened.

According to the team behind the protocol, the attack was not a contract flaw or a clever piece of code manipulation. It was a six-month campaign that involved false identities, face-to-face meetings across several countries and carefully cultivated trust. The attackers, allegedly from North Korea, didn’t just find a vulnerability in the system. They became part of it.

This new threat is now forcing a broader reckoning across decentralized finance.

For years, the industry treated security as a technical problem, something that could be solved with audits, formal verification, and better code. But the Drift incident suggests something far more complex: that the real vulnerabilities may lie entirely outside the code base.

Alexander Urbelis, Chief Information Security Officer (CISO) at ENS Labs, argues that the industry’s framing of such incidents is already outdated.

“We need to stop calling these ‘hacks’ and start calling them what they are: intelligence operations,” Urbelis told CoinDesk. “The people who showed up to conferences, who met Drift contributors in person across multiple countries, who put up a million dollars of their own money to build credibility: that’s craftsmanship. That’s the kind of thing you’d expect from a case manager, not a hacker.”

If that characterization holds, then Drift represents a new playbook: one where attackers behave less like opportunistic hackers and more like patient operators who integrate themselves socially before moving up the chain.

“North Korea is no longer scanning for vulnerable contracts. They are scanning for vulnerable people… It’s not hacking. It’s running agents,” Urbelis added.

The tactic itself is not entirely new.

Investigations in recent years have shown that North Korean operatives are infiltrating crypto companies by posing as developers, passing job interviews and even securing roles under false identities. But the Drift incident suggests these efforts have escalated — from gaining access through hiring pipelines to running months-long, in-person rapport-building operations before executing an attack.

‘Achilles’ heel’

That shift is what has many security leaders most concerned. Even the most rigorously audited protocol can still fail if a contributor is compromised.

David Schwed, Chief Operating Officer of SVRN and a former CISO at both Robinhood and Galaxy, sees the Drift case as a wake-up call.

“Protocols need to understand what they’re up against. These are not simple exploits. These are well-planned, months-long operations with dedicated resources, fabricated identities and a deliberate human element,” Schwed told CoinDesk. “The human element is the Achilles’ heel of many organizations.”

Many DeFi teams remain small, fast and built on trust. But when a handful of individuals control critical access, compromising one can be enough.

Schwed argues that the response needs to be updated accordingly. “The answer is a well-reinforced security program that protects not only the technology, but the people and the process… Security must be fundamental to the project and the team.”

Some protocols are already being adjusted. At Jupiter, one of Solana’s largest DeFi platforms, the baseline of audits and formal verifications remains, but executives argue that is no longer sufficient.

“It’s clear that securing code via multiple independent audits, open sourcing and formal verification is just table games. The surface area for attacks has significantly expanded,” said COO Kash Dhanda.

The broader surface now includes management, contributors and operational security. Jupiter has expanded its use of multisigs and timelocks while investing in detection systems and in-house training.

“Given that flesh is more vulnerable than code, we are also updating opsec training and monitoring for key team members,” Dhanda said.

Even then, he added, “there is no end state for security,” and complacency remains the biggest risk.

For protocols like dYdX, the Drift event reinforces a reality that cannot be completely engineered away.

“It is an unfortunate fact that crypto projects are increasingly being targeted by state-sponsored bad actors… developers must take precautions to prevent and mitigate the impact of social engineering compromises, but users should also be aware that given the increasing sophistication of bad actors, the risk of such compromises cannot be completely eliminated,” said David Gogel, Lab COO.

The evolving threat model also shifts the responsibility onto the users themselves.

“Users active in DeFi should take the time to understand the technical architecture of protocols or smart contracts that hold their funds, and should include the role and nature of any multisig for software upgrades in their risk assessments, and the possibility that these could be maliciously compromised,” Gogel added.

‘Threat model’

For some founders, the Drift exploit underscores a more uncomfortable conclusion: that trust itself has become a vulnerability.

“The Drift exploit was not a code vulnerability. It was a six-month intelligence operation that exploited trust between people,” said Lucas Bruder, CEO of Jito Labs.

In practice, this means designing systems that allow for compromise – not just failure.

“Smart contract revisions are board games. The real attack surface is your team, your multisig signers, and every device they touch.”

That mindset is becoming central to how DeFi approaches security. SVRN’s Schwed says it starts by asking not just how a protocol works, but how it can fail.

“Start with a threat model. Ask yourself, how can I be exploited? If one of the project owners is compromised, what is the blast radius in that scenario?”
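The blast-radius question Schwed poses, together with the multisigs and timelocks Jupiter describes earlier, can be made concrete with a small model. The example below is added here and is not code from the article or from any of the protocols named in it; the key layouts, holder and device names are constructed, and the "compromise event" abstraction (one person or one device falls, and every key it touches goes with it) is an assumption chosen to illustrate why a nominal 3-of-5 threshold can be weaker than it looks when keys share people or machines.

```python
from itertools import combinations

# Constructed example data (not from the article): five keys on an upgrade multisig.
# Two deliberate weaknesses: alice holds two keys, and bob and carol both sign
# from the same shared VM, so the nominal 3-of-5 needs fewer than 3 compromises.
WEAK_KEYS = {
    "k1": {"holder": "alice", "device": "alice-yubikey"},
    "k2": {"holder": "bob",   "device": "shared-signer-vm"},
    "k3": {"holder": "carol", "device": "shared-signer-vm"},
    "k4": {"holder": "dave",  "device": "dave-laptop"},
    "k5": {"holder": "alice", "device": "alice-laptop"},
}

# Hardened layout (also constructed): one key per person, one dedicated device per key.
HARDENED_KEYS = {
    f"k{i}": {"holder": h, "device": f"{h}-hw-wallet"}
    for i, h in enumerate(["alice", "bob", "carol", "dave", "erin"], start=1)
}


def compromise_events(keys):
    """Each distinct person and each distinct device is one thing an attacker
    would have to compromise; compromising it yields every key it touches."""
    events = {}
    for kid, meta in keys.items():
        events.setdefault(f"holder:{meta['holder']}", set()).add(kid)
        events.setdefault(f"device:{meta['device']}", set()).add(kid)
    return events


def min_compromise_events(keys, threshold):
    """Smallest set of compromise events that controls >= threshold keys.
    Brute force is fine: signer sets are tiny. Returns (count, events, keys)."""
    events = compromise_events(keys)
    names = sorted(events)
    for r in range(1, len(names) + 1):
        for combo in combinations(names, r):
            controlled = set().union(*(events[n] for n in combo))
            if len(controlled) >= threshold:
                return r, list(combo), controlled
    raise ValueError("threshold exceeds number of keys")


def assess(keys, threshold, timelock_hours=0, cancel_threshold=1):
    """Blast-radius summary for 'if a contributor is compromised, what happens?'

    effective_threshold: independent compromises actually needed, which is the
    number that matters, not the nominal k in k-of-n.
    honest_can_veto: a timelock only helps if enough uncompromised keys remain
    to cancel the queued action before the delay expires.
    """
    count, path, controlled = min_compromise_events(keys, threshold)
    honest = set(keys) - controlled
    veto_possible = len(honest) >= cancel_threshold
    return {
        "nominal_threshold": threshold,
        "effective_threshold": count,
        "cheapest_path": path,
        "honest_can_veto": timelock_hours > 0 and veto_possible,
        "detection_window_hours": timelock_hours if veto_possible else 0,
    }


if __name__ == "__main__":
    for label, keys in (("weak", WEAK_KEYS), ("hardened", HARDENED_KEYS)):
        print(label, assess(keys, threshold=3, timelock_hours=48))
```

Running it shows the weak layout falls to two compromise events (the shared signer VM plus one of alice's devices) despite its 3-of-5 threshold, while the hardened layout genuinely requires three independent compromises; the 48-hour timelock only counts as a detection window when at least one honest key can still cancel.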

In that sense, the Drift exploit may be remembered less for the funds lost than for what it revealed — that the biggest risks in DeFi may no longer reside in the code, but in the people who run it.

Read more: How North Korea infiltrated the crypto industry
