Revelations about the $270 million attack on the Drift protocol have drawn attention not just because of the sheer scale of the loss, but also because of the unconventional methods used. According to the team’s statements, the breach did not stem from a vulnerability in the smart contracts or from any technical exploit. Instead, attackers spent nearly six months building trust through face-to-face meetings around the world under fake identities, gradually embedding themselves within the project’s team and network.
Social engineering through intelligence tactics
It has been alleged that North Korean operatives were behind the attack. Unlike typical cybercriminals who hunt for code-based weaknesses, these individuals are reported to have acted as if they were genuine members of the community. This incident highlights a growing vulnerability in the decentralized finance (DeFi) space, which has largely focused its safeguards on technical audits, code reviews, and penetration testing, while leaving itself exposed to more nuanced threats rooted in social dynamics. Alexander Urbelis, head of information security at ENS Labs, argues that such incidents should not simply be labeled as “hacks,” since they have taken on the scale of covert intelligence operations.
Urbelis emphasized that those responsible for the Drift protocol breach did not resemble traditional hackers. Rather, by engaging with Drift contributors at international conferences and investing significant sums of money to earn trust, they operated much like professional field agents. The shift is clear: the Drift incident is less about stumbling on a technical flaw and more about patient infiltration and manipulation of social circles, revealing a new playbook for targeted attacks.
“North Korea is no longer targeting unprotected contracts, but unprotected people. This is not about finding flaws in systems, but about espionage,” Urbelis said.
Recent investigations have already documented cases of North Korean groups posing as software developers to infiltrate crypto firms, successfully passing interviews and joining teams while masking their true identities. The Drift case, however, shows that these efforts have become even more coordinated, evolving into carefully orchestrated, long-term campaigns.
Trust emerges as the sector’s weakest link
Modern DeFi projects often depend on close, trust-based relationships within small, dynamic teams. When critical permissions and access are concentrated in the hands of one or a few individuals, even a single breach achieved through social engineering can jeopardize the entire system. David Schwed, Director of Operations at SVRN and a former security leader at Robinhood and Galaxy, views the Drift breach as a wake-up call for the industry.
“Today’s threats are no longer limited to exploiting simple vulnerabilities; they now involve authentic identities, long-term planning, and a deliberate human element. Teams must treat not only technology, but process and personnel, as fundamental components of security,” Schwed commented.
As a result, platforms are beginning to reassess and upgrade their security practices. The Solana-based DeFi platform Jupiter, for example, continues with code reviews and open-source development, but increasingly prioritizes governance and operational security beyond software. Controls such as multi-signature wallets and timelocks are being expanded, while teams are investing in internal security training and advanced monitoring strategies.
Kash Dhanda, Chief Operating Officer at Jupiter, emphasized that while multiple layers of review and validation are now basic requirements, the real battleground has shifted to governance, community engagement, and the risk of human error. Dhanda noted that operational security training and oversight for key personnel have become more robust, but he also cautions that security must be seen as an ongoing process—never a job that is simply finished or perfected.
David Gogel, COO of dYdX Labs, echoed this sentiment, stressing that events like Drift prove technical precautions alone are insufficient. Gogel highlighted that DeFi users themselves also have a role to play: they need to understand system architecture, multi-signature controls, and the potential for human-sourced vulnerabilities.
Lucas Bruder, CEO of Jito Labs, observed that the core weakness exploited in the Drift attack was not embedded in code, but in the realm of interpersonal trust. According to Bruder, the principal area of exposure remains with team member access and the security of their devices. The sector must ask not only how a system functions, but how quickly a single point of compromise could lead to a total breakdown of defenses.
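The point Bruder, Schwed and the Jupiter team are making (a single compromised person should not be a single point of compromise) is what multi-signature approval and timelocks are meant to enforce. The following is an added example that models those two controls in plain Python; it is not Drift's, Jupiter's or any Solana program's code, and every name in it (Gate, Proposal, the signer names, the 3600-second delay) is invented for illustration. It runs four scenarios: one key and no delay, a lone compromised signer against a 2-of-3 threshold, an attacker who does reach the threshold but is vetoed by the remaining signer during the delay window, and a legitimate change that executes only once the delay has elapsed.

```python
"""Threshold approval plus a mandatory delay before a privileged action runs.

Added illustration of the controls discussed in the article (multi-signature
wallets and timelocks); not code from Drift, Jupiter or any Solana program.
All names, signer identities and the 3600-second delay are invented. Time is
an integer clock passed in explicitly so the behaviour is deterministic.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Proposal:
    action: str
    approvals: set = field(default_factory=set)
    ready_at: Optional[int] = None   # clock value at which the timelock expires
    cancelled: bool = False
    executed: bool = False


class Gate:
    """M-of-N approval, then a fixed delay during which any signer may veto."""

    def __init__(self, signers, threshold, delay):
        if not 1 <= threshold <= len(signers):
            raise ValueError("threshold must be between 1 and the number of signers")
        if delay < 0:
            raise ValueError("delay must be non-negative")
        self.signers = frozenset(signers)
        self.threshold = threshold
        self.delay = delay
        self.proposals = []

    def _require_signer(self, signer):
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not an authorized signer")

    def propose(self, signer, action, now):
        """Create a proposal; the proposer counts as the first approval."""
        self._require_signer(signer)
        self.proposals.append(Proposal(action))
        pid = len(self.proposals) - 1
        self.approve(signer, pid, now)
        return pid

    def approve(self, signer, pid, now):
        self._require_signer(signer)
        p = self.proposals[pid]
        if p.cancelled or p.executed:
            return False
        p.approvals.add(signer)
        # The timelock starts only once the threshold is first reached.
        if p.ready_at is None and len(p.approvals) >= self.threshold:
            p.ready_at = now + self.delay
        return True

    def cancel(self, signer, pid):
        """Any single legitimate signer can veto a proposal that has not run."""
        self._require_signer(signer)
        p = self.proposals[pid]
        if p.executed:
            return False
        p.cancelled = True
        return True

    def execute(self, pid, now):
        """True only if the threshold was met, the delay elapsed and no veto."""
        p = self.proposals[pid]
        if p.cancelled or p.executed or p.ready_at is None or now < p.ready_at:
            return False
        p.executed = True
        return True


def run_scenarios():
    """Constructed scenarios; returns a dict of action outcomes (executed or not)."""
    results = {}

    # 1. One person holds the only key and the attacker controls their device.
    g = Gate({"alice"}, threshold=1, delay=0)
    pid = g.propose("alice", "drain treasury", now=0)
    results["single_key_no_delay"] = g.execute(pid, now=0)           # executes

    # 2. 2-of-3 with a one-hour delay; only alice is compromised.
    g = Gate({"alice", "bob", "carol"}, threshold=2, delay=3600)
    pid = g.propose("alice", "drain treasury", now=0)
    try:
        g.approve("mallory", pid, now=1)                             # outsider
        results["outsider_rejected"] = False
    except PermissionError:
        results["outsider_rejected"] = True
    results["lone_compromised_signer"] = g.execute(pid, now=10_000)  # never ready

    # 3. Attacker reaches the threshold (alice + bob) but carol vetoes in the window.
    g = Gate({"alice", "bob", "carol"}, threshold=2, delay=3600)
    pid = g.propose("alice", "drain treasury", now=0)
    g.approve("bob", pid, now=5)
    g.cancel("carol", pid)
    results["threshold_met_but_vetoed"] = g.execute(pid, now=5000)

    # 4. Legitimate change: ready at 5 + 3600 = 3605, not a second earlier.
    g = Gate({"alice", "bob", "carol"}, threshold=2, delay=3600)
    pid = g.propose("alice", "rotate oracle key", now=0)
    g.approve("bob", pid, now=5)
    results["legitimate_before_delay"] = g.execute(pid, now=3604)
    results["legitimate_after_delay"] = g.execute(pid, now=3605)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {'executed' if outcome else 'blocked'}")
```

The delay is started when the threshold is reached rather than at proposal time, so an attacker cannot pre-age a proposal and then collect the last approval for instant execution; and cancellation deliberately needs only one legitimate signer, because the control exists precisely for the case where the others have been socially engineered.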