DeFi Faces a New Threat: Exploiting People, Not Code
The recent $280 million exploit of the Drift Protocol signals a major shift in decentralized finance (DeFi) security. Threat actors are now moving beyond technical flaws to target human trust through social engineering. Investigations suggest this was a six-month intelligence operation by state-sponsored groups, likely from North Korea. This tactic, which involves building relationships and impersonating others to compromise individuals, means attackers are "scanning for vulnerable people" instead of just vulnerable code. This strategic change requires DeFi platforms to fundamentally update their security plans.
Sophisticated 'Intelligence Operations' Replace Hacking
Experts like Alexander Urbelis, CISO at ENS Labs, now classify these incidents as "intelligence operations" rather than simple "hacks." He points to the complex methods used, including in-person meetings at conferences and making significant capital deposits to gain trust, similar to espionage tactics. This means even protocols with thorough audits can be breached if key team members are compromised. David Schwed, COO of SVRN, stresses these are "well-planned, months-long operations with fabricated identities and a deliberate human element." He calls this the "Achilles' heel" for many fast-moving DeFi teams. The Drift exploit itself did not come from a smart contract bug, but likely from compromised control over legitimate Solana tools.
DeFi Must Adapt: Focusing on Human Security
DeFi protocols now realize that traditional security measures like audits and code checks are not enough. Kash Dhanda, COO of Jupiter, noted that attackers have "many more ways to target us," including governance and operational security. Jupiter has improved its use of multisigs and timelocks, and invested in training for key team members on operational security (OpSec), recognizing that "people are more vulnerable than code." David Gogel, COO of dYdX Labs, adds that while developers must guard against social engineering, attackers' growing skill means the risk can't be eliminated entirely. This puts more pressure on users to understand how protocols and multisig systems work.
Trust Becomes the New Vulnerability
Lucas Bruder, CEO of Jito Labs, believes "trust itself has become a vulnerability," turning a six-month deception into a costly exploit. This new mindset requires designing systems that "assume compromise." The real attack surface now includes not just smart contracts but also "your team, your key holders, and every device they use." Asking "how can I be exploited?" and assessing the "scope of impact" from compromised individuals are now crucial. DeFi's decentralized nature and transparency make it a ripe target for these evolving threats. While many focus on technical defenses like audits, it is vital to protect people through operational security, careful vetting of personnel, and secure key management. Groups like North Korea's UNC4736, known for previous exploits, show this is a strategic, long-term threat.