When Drift revealed the details behind its $270 million exploit, the most disturbing part wasn't the magnitude of the loss, but how it happened.
According to the team behind the protocol, the attack was neither a smart contract bug nor clever code manipulation. It was a six-month campaign that included false identities, in-person meetings in several countries and carefully cultivated trust. The attackers, reportedly originating from North Korea, did not merely find a vulnerability in the system. They became part of it.
This new threat is now forcing a broader reckoning in decentralized finance.
For years, the industry has treated security as a technical problem, something that could be solved with audits, formal verification, and better code. But the Drift incident suggests something much more complex: that the true vulnerabilities may lie entirely outside the code base.
Alexander Urbelis, chief information security officer (CISO) at ENS Labs, maintains that the framing itself is already outdated.
“We need to stop calling these ‘hacks’ and start calling them what they are: intelligence operations,” Urbelis told CoinDesk. “People who attended conferences, who personally met Drift contributors in various countries, who put down a million dollars of their own money to build credibility – that’s craftsmanship. It’s the kind of thing you’d expect from a case officer, not a hacker.”
If that characterization holds, then Drift represents a new playbook: one in which attackers behave less like opportunistic hackers and more like patient operators who integrate socially before making a move up the chain.
“North Korea is no longer looking for vulnerable contracts. They are looking for vulnerable people… That’s not piracy. That’s executing agents,” Urbelis added.
The tactics themselves are not entirely new.
Investigations in recent years have shown that North Korean agents infiltrate cryptocurrency companies by posing as developers, passing job interviews and even landing positions under false identities. But the Drift incident suggests that those efforts have intensified, from gaining access through hiring pipelines to running in-person relationship-building operations that last months before an attack is carried out.
‘Achilles’ heel’
That change is what worries many security leaders most. Even the most rigorously audited protocol can fail if a contributor is compromised.
David Schwed, COO of SVRN and former CISO of Robinhood and Galaxy, sees the Drift case as a wake-up call.
“Protocols need to understand what they’re dealing with. These are not simple exploits. These are well-planned operations lasting months with dedicated resources, fabricated identities, and a deliberate human element,” Schwed told CoinDesk. “That human element is the Achilles’ heel of many organizations.”
Many DeFi teams remain small, fast-moving, and trust-based. But when a handful of people control critical access, compromising one may be enough.
Schwed maintains that the response needs to be updated accordingly. “The answer is a well-enforced security program that protects not only the technology, but also the people and the process… Security must be fundamental to the project and the team.”
Some protocols are already adapting. At Jupiter, one of Solana’s largest DeFi platforms, the foundation of formal audits and verification remains, but leaders say it is no longer sufficient.
“Clearly, protecting code through multiple independent audits, open sourcing and formal verification is just a matter of tableau. The attack surface has expanded substantially,” said COO Kash Dhanda.
That broader surface now includes governance, contributors and operational security. Jupiter has expanded its use of multisigs and timelocks while investing in detection systems and internal training.
“Since meat is more vulnerable than code, we are also updating opsec training and monitoring for key team members,” Dhanda said.
Even then, he added, “there is no end state for security” and complacency remains the biggest risk.
For protocols like dYdX, the Drift incident reinforces a risk that cannot be completely eliminated.
“It is an unfortunate fact that crypto projects are increasingly being targeted by state-sponsored bad actors…developers should take precautions to prevent and mitigate the impact of social engineering compromises, but users should also be aware that, given the increasing sophistication of bad actors, the risk of such compromises cannot be completely eliminated,” said David Gogel, COO of dYdX Labs.
That evolving threat model is also shifting responsibility to the users themselves.
“Users active in DeFi should take the time to understand the technical architecture of the protocols or smart contracts that hold their funds, and should factor in their risk assessments the role and nature of any multisig for software updates and the possibility that they could be maliciously compromised,” Gogel added.
‘Threat model’
For some founders, the Drift exploit underscores a more uncomfortable conclusion: that trust itself has become a vulnerability.
“The Drift exploit was not a code vulnerability. It was a six-month intelligence operation that leveraged trust between humans,” said Lucas Bruder, CEO of Jito Labs.
In practice, that means designing systems that assume compromise, not just bugs.
“Smart contract audits are up for grabs. The real attack surface is your computer, your multi-signature signers, and every device they touch.”
That mindset is becoming fundamental to how DeFi approaches security. SVRN’s Schwed says you start by asking not only how a protocol works, but also how it might fail.
“Start with a threat model. Ask yourself: how can I be exploited? If one of the project owners is compromised, what is the blast radius for that scenario?”
In that sense, the Drift exploit may be remembered less for the funds lost than for what it revealed: that the biggest risks in DeFi may no longer lie in the code, but in the people running it.