When the details of the 270 million dollar attack on the Drift protocol were announced, the incident stood out not only for the magnitude of the loss but also for the unusual attack method. According to the team, the attack was not caused by a vulnerability in the smart contracts or by technical manipulation. Instead, the attackers built trust and established themselves within the system by making face-to-face contacts around the world under fake identities over a period of approximately six months.
Social engineering with intelligence tactics
While it was claimed that people of North Korean origin were behind the attack, it was stated that these people acted as part of the community rather than merely looking for technical vulnerabilities. The DeFi market, where investigations have in recent years been limited to technical verification, code auditing and vulnerability testing, has once again shown with this incident that it is also exposed to social attacks that technical measures do not cover. Alexander Urbelis, Information Security Manager at ENS Labs, underlined that such attacks should not be called “hacks”: they have reached the level of intelligence operations.
Urbelis emphasized that people who attend conferences, meet with Drift contributors in different countries, and gain trust by investing a significant amount of money into the system act like professional field agents rather than classic hackers. From this perspective, the Drift incident shows that it was not hackers looking for technical vulnerabilities but people who patiently infiltrated the project’s social environment who set out a new road map.
“North Korea is no longer targeting vulnerable contracts, but vulnerable people. This is not finding vulnerabilities in the system, this is spying.”
In recent investigations, examples have been recorded of North Korean groups infiltrating crypto companies with fake developer identities, passing interviews and joining the team while hiding their real identity. The Drift case indicates that this approach has been transformed into more organized and longer-term operations.
Trust has become the weakest link
In today’s DeFi projects, small, dynamic teams working on the basis of personal trust can lead to critical access being concentrated in the hands of a single person. Compromising even one project member through social engineering can leave the entire system exposed. David Schwed, Director of Operations at SVRN, who previously managed security at Robinhood and Galaxy, sees the Drift case as a serious warning to the industry.
“The threats encountered are no longer limited to simple vulnerability exploitation; unique identities, long-term planning and a conscious human factor come into play. Teams should consider not only technology, but also process and people as basic security elements.”
Some platforms have started to update their security approaches. While code auditing and open source work continue on the Solana-based DeFi platform Jupiter, the focus has moved to governance and operational security beyond the code itself. As tools such as multisig wallets and time locks become widespread, investments are also being made in in-team security training and new monitoring methods.
Jupiter Chief Operating Officer Kash Dhanda notes that multiple audits and verification are now essential, but that the real attack surface has shifted to governance, the community and human error. Dhanda reported that operational security training within the team and monitoring processes for key people have been strengthened. However, he points out that security can never be treated as a process that is completed and reaches a final result.
dYdX Labs Operations Director David Gogel also stated that the incident shows we are faced with a reality that cannot be overcome with purely technical measures. Gogel stated that DeFi users also have a responsibility; he emphasized that they need to consider the structure of the system, its multisig access and potential human-induced vulnerabilities.
Jito Labs CEO Lucas Bruder stated that the Drift attack essentially exploited a trust vulnerability rooted in human relations rather than code. According to Bruder, the real attack surface centers on team members’ access and the devices they use. He stated that the industry should ask not only how the system works, but also how the entire system could become vulnerable at some point.