The Breakdown - How Crypto Is Fighting Back Against North Korea | The Breakdown
Episode Date: April 28, 2026
North Korea has had IT workers embedded in DeFi protocols since DeFi Summer — and they're pretty good devs. Nick Bax, blockchain investigator and SEAL 911 incident responder, joins us to break down how crypto crime has evolved from SIM swaps to nation-state social engineering. We unpack the Monero inflation bug, Arbitrum's 9/12 multisig gold standard, how DPRK workers now use facilitators to rent real identities, and what it actually takes to break into onchain investigation. Enjoy!
TIMESTAMPS: (00:00) Introduction (02:01) DeFi is Under Attack (03:11) Contagion Onchain (04:40) Nexo Ad (05:16) Nick Bax Interview (06:40) Incident Response Triage (08:43) Preemptive Due Diligence (10:20) From SIM Swaps To Remote Access (13:45) Multisig Best Practices (14:37) AI Speeds Up Attacks (15:36) Nexo Ad (17:14) Decentralization Tradeoffs (19:17) Monero Bug Hard Fork (20:05) Trusting Multisig Guardians (21:05) Two Of Five Risks (22:00) DeFi Decentralization Debate (23:41) Proactive Threat Hunting (25:25) DPRK Worker Red Flags (27:32) Security Teams And Intel (30:21) Thorchain And Laundering (33:26) Whack A Mole Reality (35:31) Becoming Onchain Investigator (37:06) Closing Thoughts
FOLLOW GUEST › Nick Bax — https://x.com/bax1337
FOLLOW THE SHOW › David — https://x.com/dcanellis › The Breakdown — https://x.com/TheBreakdownBW
SPONSORS › NEXO Nexo is the premier digital wealth platform. Receive interest on your crypto, borrow against it without selling, and trade a range of assets. Now available in the U.S. with 30 days of exclusive privileges. Get started at http://nexo.com/breakdown
Get top market insights and the latest in crypto news. Subscribe to the Blockworks Daily Newsletter: https://blockworks.co/newsletter/
DISCLAIMER As always, remember this podcast is for informational purposes only, and any views expressed by anyone on the show are solely their opinions, not financial advice.
Transcript
Somewhere between 10 and 25% of everything we look at is North Koreans.
That's the really scary thing that came up in Drift is like they had real people with real resumes that worked at real tech companies and got the developers to download malware.
Every time we find a company and we ask them about them, we're like, hey, do you know these guys? They're like, yeah, they're pretty good devs.
And then you like sort of show them the red flags for DPRK IT workers and they're like, oh, shit.
You ask them about where they live.
You know, you're like, oh, you're in Houston.
What's a good restaurant in Houston?
and they say, oh, there are no good restaurants here. It's like, come on, man.
This episode is brought to you by Nexo. Step into a new era of digital wealth. Earn interest on your digital assets, borrow against them without selling and trade all in one platform. Get started at nexo.com slash breakdown.
Nothing said on The Breakdown is a recommendation to buy or sell securities or tokens. This podcast is for informational purposes only and any views expressed by anyone on the show are opinions, not financial advice. Host and guests may hold positions in the companies, funds or projects discussed.
Crypto is really going through it.
On one hand, we have traditional finance finally starting to operate on chain.
Hyperliquid is also gaining steam, and it's now quickly becoming a primary and central venue
for weekend price discovery, particularly through oil perps.
So on the surface, crypto seems to be evolving past its perception as some degenerate internet casino.
What's grown into a weird mess of blockchains, protocols, exchanges, bridges and tokens
actually has morphed into its own legitimate tech stack that has the world's biggest institutions
practically one-shot it over the potential benefits of a tokenized financial system.
We're just at the beginning of the tokenization of all assets, from real estate to equities, to bonds. So we look at that as the next wave of opportunity for BlackRock.
But the crypto-native vision of an on-chain environment filled with DeFi opportunities to earn yield, to activate capital and trustlessly hedge all sorts of different risks, is actively under attack. Can DeFi survive? Let's see if we can figure it out.
I'm your host David Canellis, and this is The Breakdown.
Let's get to it.
Over the last few weeks alone, we've heard of a new cluster of incidents across DeFi and adjacent crypto infrastructure, including major hits on protocols like Drift, Silo, Aether, Hyperbridge, Raya, Zerion, and then Kelp DAO, which at roughly $292 million was reported as the largest exploit of the year so far.
And of course, it's not like there weren't any DeFi exploits before this year, because there have always been these types of incidents. What's changing is that the threat model is clearly moving up the stack.
A few years ago, DeFi was considered risky because smart contracts could have catastrophic bugs. Then there were flash loan attacks and other quote-unquote highly profitable trading strategies involving price oracles that could result in major losses. But the most recent wave of attacks on DeFi is much more threatening.
Recent events have emphasized that phishing, compromised credentials and other operational failures are driving a large share of losses alongside traditional exploits. So even if the code gets better, that does not mean that the system is secure.
On top of the smart contract hacks, now developer teams have to think about access control, key management, wallet compromise, social engineering, misconfiguration, validation assumptions, cross-chain dependencies, front ends, team operational security, internal permissions, liquidity routing. The list is effectively endless.
Now, there is truth to the saying that sometimes the hardest things are the ones most worth doing, and building a resilient DeFi ecosystem is incredibly difficult, especially one that prioritizes composability, the idea that everything plugs into everything. But composability is also what makes DeFi exploits so brutal. There is usually contagion to some degree, so the attacks are never really contained to just one protocol. It hits liquidity, it hits trust, it forces other protocols to react. Reporting around the Kelp exploit, for example, tied it almost immediately to broader stress across DeFi liquidity and a major drawdown in RV deposits, dropping from over $45.5 billion to under $34 billion in four days.
With all of this in mind, DeFi is clearly under attack, most prominently by North Korean-linked hacking crews like Lazarus. At the same time, it's worth making it clear that what's happening in crypto and DeFi right now is a preview of what happens when traditional finance becomes more composable, more internet native and more open, and we know that traditional finance is moving in this direction. So the matter at hand is not whether DeFi can ever be perfectly safe. It can't. No meaningful financial system is. The real issue is whether it can become secure enough to support real stayer without losing the qualities that made it worth building in the first place.
In order to do that though, we might need to start re-examining how we define big topics like decentralization, permissionlessness and trust, especially in light of Arbitrum's clawback of $71 million in crypto stolen in the Kelp DAO attack. I recently caught up with crypto analytics and forensics specialist Nick Bax to discuss all this and more, and here's what we spoke about.
Step into a new era of digital wealth with Nexo, the premier digital assets wealth platform. Earn interest on your digital assets, borrow against them without selling, trade a wide range of cryptocurrencies, all in one place. Nexo is now available again in the US with an evolved product suite tailored to today's market. For a limited time, new US clients can unlock 30 days of exclusive Wealth Club Premier benefits, including enhanced interest rates, reduced borrowing costs, and up to 0.5% crypto cashback on trades. Get started today at nexo.com slash breakdown. As always, investments in blockchain technology involve risk. Terms and conditions apply. Do your own research.
This week I have crypto investigator Nick Bax with us today. Thank you for joining us, man.
Thanks for having me on.
Great, great to talk to you, David.
Cool. So yeah, to give the audience a little bit of background on what you've been up to, at least this week, I understand that you're close to the metal in terms of the Arbitrum situation with the Kelp DAO attack. Maybe you could give a brief rundown of, you know, what you're really doing day to day in the crypto space.
Yeah. So I'm a blockchain investigator. I do everything from, you know, developing analytics methods, that's how I really got into it, to the fun part, which is applying them. So, you know, I look at every type of crypto crime, everything from wrench attacks, which have been going up a lot in the past year or so, to pig butchering, to, of course, I don't know, somewhere between 10 and 25% of everything we look at is North Koreans. So I look at everything. Some of it I do, you know, in my private practice, a lot of it I do at SEAL 911 as an incident responder. Yeah, just do what has to be done.
I have some questions about all this, about like the split between individual attacks and these attacks on protocols, a little bit later. But, you know, I'm sure that a lot of the stuff that happened with SEAL 911 and the Arbitrum situation is confidential. But I'm wondering if you could give a rundown of what that looked like as it was happening. Was it something where Arbitrum reached out to you, or was SEAL 911 proactive about the situation?
Well, yeah, I can't really talk about who did what or who talked to who. But, you know, the way SEAL 911 works is someone reaches out to us. They say, help, all my money's gone. And then we say, can you tell us more? And sometimes, you know, they got phished for $1,500, or sometimes $200-something million got stolen from a smart contract. And then we do triage. So then triage, you know, it's the same as an EMT coming to an emergency scene. It's like, you know, stop the bleeding, which the Kelp DAO team did a great job at. They actually did manage to freeze some funds when the North Koreans were trying to steal more, right? And then it's, you know, okay, we've stopped the bleeding. What can we do to fix this? You know, you need to know who did it. You need to understand exactly what happened, where the money's at right now, and is there anything we can do to fix this. And this is every single incident that we respond to, either at SEAL 911 or in, you know, non-SEAL incidents.
Yeah, and SEAL 911, man, the team is full of the best people I've ever worked with. I've studied and worked at some prestigious institutions, and they were always talking about imposter syndrome, but I never felt it until I got to SEAL 911. It's just we have subject matter experts for everything that could possibly have to do with crypto. So, you know, people do their part. We figure out what the best parts are. And yeah, you know, things get done.
Yeah. How big is the team?
It's about 30 people.
Yeah. Yeah, yeah, nice one. And yeah, I'm wondering, because I mean, I understand every protocol is different, and, I mean, every chain is different, every protocol is different and every app is also different. I'm just wondering, is there any element to this of, like, before incidents happen, that you would kind of investigate how the protocols are actually structured? So you kind of have an understanding of what tools are available to, you know, protocol insiders or DAOs and stuff like that to actually mitigate some of these situations? Or is it really when an incident happens that that kind of information gets pieced together?
Uh, yeah, you know, I have a significant amount of money in DeFi. I kind of know what levers the various teams have. Yeah, I do a lot of due diligence before I park. I don't have that much money, but I would be very upset if it got rugged, so I do a lot of due diligence in what I park my money in. Now, that being said, I could not, I did not foresee the contagion that could happen because of an issue with one project, you know, like it cascaded. It really was contagion that nobody, you know, hindsight is 20/20, but I didn't foresee it. I don't really know a lot of people who did. But yeah, yeah, we're crypto users first. And almost all of us got into this because, you know, we got rugged ourselves, and nobody else is going to fix it. So you have to, right?
Yeah, yeah.
And I suppose it's a good time to ask, because I'm just wondering if security in crypto is getting better or worse. And I think it's like a function of where the attack is. Like, I know the North Koreans are their own kind of cohort and their own army effectively. And then it's up to like the individual attackers and what they're targeting. But it's like, for the longest time, it was like SIM swaps were a big deal, and so individual investors were getting targeted a lot. And then, yeah, you've brought up wrench attacks, and there's a lot happening in France and across other parts of northern Europe too. But, you know, it just seems that, like, how much of that is still happening compared to the size of the protocols that are being attacked? Because it just seems like in DeFi in particular there is a big wave of attention from hackers targeting teams specifically, so like social engineering and stuff like that. Like, is the SIM swap era over, or is it really just a mess of everything?
Yeah. SIM swaps lasted for years, right? They started up in 2015. I got SIM swapped in 2017. They were still happening frequently until the end of 2019. And then finally the telcos made some improvements. It's pretty rare these days. You occasionally hear about SIM swaps.
Yeah.
But somehow that problem solved itself. And I don't know the exact answer for why that went away. I think a lot of companies stopped using SMS two-factor. It took way longer than it should have. So, you know, the industry does respond to security issues, and it's gotten a lot better. You know, SIM swapping lasted for years. And a lot of other problems, you know, got fixed pretty fast. So ClickFix was a big issue on Macs where, you know, attackers were telling people to copy and paste something into their terminal. And of course, it wrecks you. So now the new macOS actually warns you and prevents you from doing that, which is fantastic.
Right.
And it happened a lot faster than SIM swapping was fixed. So, you know, but attackers are innovative and they know it works. And especially the North Koreans are really good at getting remote access to your computer, and crypto projects haven't been doing a fantastic job at defending against that. There's all of these centralized issues, right? You know, two of five, three of five multi-sigs. And let's say, you know, they have a 20% success rate of getting someone to download a payload and getting remote access to their computer. And you have, you know, five targets. You're going to get one of them. And then you just have to figure out, you know, keep putting shots on goal, and as an attacker eventually you'll get that two of five multi-sig that you need, and that's, it's scary. It happens a lot.
I'm of the mind that a lot of this is avoidable, because I guess it comes from, yeah, the structure of the multi-sigs, okay, but then it still comes down to the individual person. So it's like, I mean, is that an org issue? Like, it's very hard to see how it isn't solvable, and it's more of a culture problem. I wonder how you see it.
Yeah, there's a lot of things that projects can do to at least make it harder for the attackers, right? So SEAL puts out all sorts of multi-signature frameworks that give a list of best practices. One of the really good ones is EDR. It's like endpoint detection on computers that, you know, control important things. And even then, all of the EDRs aren't equivalent. Some are better than others.
So there's little things that certainly help.
And every time we see an attack, we figure out what would have prevented this.
And sometimes we update the framework to include those.
But security is hard, man.
And there's a very big incentive and a lot of money being spent by the attackers invested into these attacks.
I'm just curious, and this is a little bit of a tangent, it's only because everyone always talks about AI, and like cybersecurity and AI. How do you view that? Like, you using that as a tool, is it actually helpful, or is it more of an attack vector? I'm just curious.
It's both, and I think in the long run it's going to help the defenders more than it's going to help the attackers, but right now it's helping the attackers a lot. It can automate a lot of stuff that you couldn't do before. On the flip side, it does help. You know, if you see an issue, it helps analyze it, it helps write the code or figure out how to fix the issue very quickly. So everything just happens faster. And that's scary when you're an incident responder and you have to stop the attacker, but it's also really helpful. So I know, I hope that the AI stuff plateaus soon. And then we can just focus on using it to make systems stronger and more robust, right? But right now, the attackers, you know, they just move faster. We're reacting to them.
Let's take a moment to talk about Nexo. Nexo delivers a premier digital assets wealth platform designed to help clients build, manage and preserve their wealth. Earn interest on your digital assets, access crypto-backed credit without selling your holdings, trade with advanced tools, all supported by 24/7 client care. Now back in the US, Nexo offers new clients 30 days of exclusive Wealth Club Premier access. That means enhanced interest rates, reduced borrowing costs, and up to 0.5% crypto cashback on trades, benefits typically reserved for Wealth Club members and private clients. Nexo is also expanding its global presence, becoming the official crypto partner of Tennis Australia, the organization behind the Australian Open, and the digital asset partner of the Audi Revolut Formula One team. If you're ready to approach digital assets with a more structured wealth strategy, visit nexo.com slash breakdown to get started. As always, investments in blockchain technology involve risk. Terms and conditions apply. Do your own research.
Yeah, and is that like, you would kind of push people more towards using their own offline models rather than the always-online ones?
Like, those AI data breaches scare the crap out of me, right? There was one at Lovable earlier this week that was really, really bad, right? And now they're saying it wasn't a data breach, which is insane. But yeah, like, if, you know, if Anthropic's data leaked, that would be really bad. Everybody's uploading keys to their AI all the time. It's hard to prevent. So yeah, I think in the long run, AI privacy has a long way to go.
Yeah, for sure. Cool. And maybe just bear with me with this kind of next thing I'm wondering about, because it's like you're damned if you do and you're damned if you don't with crypto and the blockchain space in general. Because like, okay, we have very decentralized protocols. You know, you can't just go and hack Ethereum. Like, that's very obvious. So, and also, though, a lot of layer ones aren't super efficient. So you have to go and use more centralized protocols, you know, layer twos and stuff like that, in order to do the most interesting stuff like trading and stuff like that. So, you know, you end up having this situation where you do have protocols that have some element of centralization to them. And that is exactly what makes it attractive to attackers. But at the same time, teams and protocols don't really want to admit that they do have these tools available to them, because that would admit that they are somewhat centralized. And then that also brings some amount of liability of investor protection, user protection, if they do have those controls. So I somehow feel like we're just kind of stuck at this point where it's like it can't be solved. Like, it does take an industry-wide culture of really admitting that we do have these tools available to us to defend in these situations, but nobody wants to admit that they do have these tools. I was just wondering, how do you think about all of that?
That's, that is a hot topic this month, huh?
Yeah.
Okay, so everybody always wants to think or believe that blockchains are immutable, but the reality is, even Bitcoin has always relied on social consensus. Right. And I think it's great that Arbitrum is the center of attention right now, because I think they're actually one of the protocols that's really doing it right. Take a step back. Look at how Monero handles it, for example. So Monero is one of the most decentralized cryptocurrencies. They're, you know, very crypto-anarchist libertarian types. Right. And back in 2017, they actually found a CryptoNote inflation bug. And it allowed an attacker to create an essentially infinite amount of Monero. And they had to keep it secret for months. They had to somehow sneak the code into a hard fork. And if even a single person leaked it, it would have destroyed their entire network and every other network that used the CryptoNote code. So, you know, they managed to pull it off, which is amazing.
And then, you know, now you've got Arbitrum. They've got a 9 of 12 multi-sig. Every society has had people that we delegated secrets to. We, like, trust them. You know, like, I don't expect the FBI to be completely transparent about their ongoing investigations. And I sort of see that 9 of 12 multisig the same way, right? It's 12 very transparently elected people or companies that we trust. They're staking their reputations to not screw us around. And they do have to handle these really sensitive secrets, because there are things, you know, there are vulnerabilities that could destroy a network or cause, you know, some major issues to the integrity and loss of funds. So you do need to have these people, at least right now. And even going forward, I don't really know how you can ever fix that, right? Because we're talking about edge cases, things that nobody could have predicted. So I do think, you know, having nine or 12 people that you trust to secretly handle these issues is the right way to do it, at least for now.
Now, on the other hand, you have a two of five multi-sig that's only supposed to be able to change parameters, but it turns out if you change those parameters in just the right way, you can steal all the money from a protocol. That's really problematic. And that's something that auditors have to really shine a light at. The other problem is like those two of five signers, they're in the same building. They're sending each other emails with code all the time. If you hack one, you can pretend to be him and send code to the other, and he'll run it, and then you've hacked two, right? So, yeah, decentralization is a spectrum, and we really have to push towards, you know, at least the Arbitrum level. I have a lot of money in Arbitrum. I'm not worried at all about nine of 12 with those signers getting hacked and rugging my funds, right? But that's not the same for all other protocols.
Yeah, it's so difficult, Chris, you know, I mean, there's just so much shitposting, you know, and it's like people see the Arbitrum stuff and then they make jokes about DeFi and decentralized finance and stuff. And, you know, then my knee-jerk reaction to that is, I mean, this might be a little bit silly, but by default, DeFi is decentralized just because there are so many protocols. Like, there is such a wide array of different things going on, you know, from all parts of the world. So as a whole, it is decentralized finance. But there are still thresholds that apps and protocols operating within that space do need to meet in order to really have that title. You know, and I mean, do you see it getting better? Like, it's just so painful that it's like we have to have these big giant incidents for it to make sense. And like, Drift was a very different thing, because that was like a long-term social engineering thing, you know, at the business level. You know, and it's like, do you see it getting better? Because it just feels like a lot of these things are like recipes for copycats and all of that kind of thing.
I hope it gets better.
I think all we can do is shine a light at the, you know, practices that aren't the best.
And, you know, the market is putting a lot of pressure on people now,
especially, you know, you're not going to park a million bucks in a protocol.
if you know that two of their developers get hacked and then you lose all your money.
Right.
And I think people are finally starting to take those risks into account.
That's really what it takes.
And it's scary.
Like, I mean, I know you work closely with Tay, and then I read some of Tay's posts. And it's like, some of the things that she says, it's almost like there are sleeper cells in DeFi that have worked at all these protocols. Like maybe these are protocols left over from DeFi Summer, like a few years ago or something like that. You know, and it's like, does it take a proactive screening of protocols that do exist now, and what they're doing? Like, that seems like the next logical step, that you would kind of root out projects that do seem quite sketchy, or at least there's question marks over what their provenance is as an organization, I guess. Is that part of what SEAL is doing? Like, it's a very responder-like, a responsive unit, I guess. But I guess there's room to go out and really kind of proactively analyze what the protocols are.
Yeah, and we do a lot of that. So there's a group of people that I'm a part of that specifically tries to root out DPRK IT workers. Tanuki 42 is really big on that. And then there's a guy, Black Big Swan, who's also heading up those efforts. That's, it's very fun. There are IT workers that have been working in DeFi since DeFi Summer, and they're pretty good devs. Every time we find a company and we ask them about them, we're like, hey, do you know these guys? They're like, yeah, they're pretty good devs. And then you sort of show them the red flags for DPRK IT workers, and they're like, oh shit. It's pretty unusual that a company will be like, no, I trust that guy. As soon as you tell them, they're like, oh, yeah.
What are some of those red flags?
Okay. So, and they've changed because the IT workers have gotten better over time. But, uh,
you, you know, sometimes they like push code from different GitHub accounts, which doesn't make any
sense. Like, everybody has one GitHub account. So you got a guy using two or three different
GitHub accounts and constantly getting, you know, new email addresses. Like, that's kind of weird.
And then you ask them about where they live.
You know, you're like, oh, you're in Houston?
What's a good restaurant in Houston?
And they say, oh, there are no good restaurants here.
It's like, come on, man.
And like you try and meet them in person.
And of course, they'll never show up.
They'll always make an excuse if you invite them to a company offsite or whatever.
Now, that being said, they've started using facilitators.
So it could be anybody in any country.
There's people who will go to meetings and pretend to be someone else.
So like you're literally talking to or they may rent your identity.
We've spoken to these facilitators who rented their social security number and sent copies of their birth certificate to North Koreans.
So the North Koreans could work for them.
They rent out their freelancer or their Fiverr accounts.
It's getting harder.
And that's the really scary thing that came up in Drift is like, they had real people with real resumes that worked at real tech companies, who were, you know, claiming to be biz dev or engineering at a company and, you know, got the developers to download malware. And that's terrifying. And like, it's really hard to defend against. These are people they met in person. So there's no social defense against that. Like, these are developers that I would have hired, right? They had good resumes. So that's where you really have to do the security. You have to assume that, you know, two multi-sig signers can get compromised.
Yeah, it just seems like the obvious thing is that every, at least every VC-funded company operating in crypto needs some kind of, I mean, maybe they already do, and maybe you have some insight there, like a dedicated team within the org that is purely hunting this stuff constantly. You have a few people on the payroll that that's just their whole thing, you know. Do you see any of that happening? Like, maybe it happens at crypto exchanges, and that happened because so many exchanges were being hacked in the past half decade. But are you seeing that trend at all?
So yeah, we've gotten a lot better, especially about information sharing between companies. So yeah, any company with, you know, five engineers will have one guy who's well versed in security, but they may not be, you know, it may be a guy who is a developer and he does security on the side. And, you know, he follows crypto Twitter, so he kind of knows the threats, but he may not know the exact details. So that's one of the things where SEAL 911 really helps bridge the gap. And that's also, there's the Dow Security Fund is trying to, you know, it's more efficient to have, being centralized is more efficient sometimes, right? So we're kind of, and having, you know, you don't necessarily need a dedicated security person at every company. You might want, you know, a network of people who can share intel. And that's one of the things that's unique to crypto, because all the DeFi companies kind of interact with each other, either, you know, on chain or actually in person with agreements. So they're all kind of one big company in a way. So you do need some joint security. So I think information sharing about the emerging threats is really, really important for that.
I'm wondering about the difference between your advice for individuals who might just have a bunch of money caught up in Aave or something like that, compared to protocols. Is it the same advice, really?
It depends, I mean, how rich you are, right? If you're below a million dollars, I think a hardware wallet is probably pretty good. If you're a bigger target, you need to, you know, there are services for high net worth individuals that help them improve their OPSEC. You really do need to think about all the different things that could arise. Security is hard. I mean, you know, the idea that I have like 12 words hidden in a safe deposit box somewhere that control most of my net worth is terrifying, right? And I know what I'm doing. Most people don't. It's really scary. And those are things that I think the industry is starting to fix, especially for individuals.
Makes a lot of sense. And we only have time for maybe a couple more, but I wonder about your take on Thorchain, because I mean, I think just the concept of developing mixers in particular feels kind of over because of everything that happened with Tornado Cash. I know Tornado still functions, but it just seems like at least the DPRK is focusing on laundering their funds through Thorchain. And then when I read the discourse about Thorchain, it's like, well, you know, its brand is that it's really decentralized, and they are really avoiding involvement at all in stopping a lot of this stuff. Like, is it as decentralized as they're claiming? Like, can they actually do something? Or is it just, you know, a function of the crypto space that if it's not going to be Thorchain, it's going to be another one, you know? So, you know, I wonder how you're feeling about it.
That's a tough question.
So up until I think February 2025, they did have admin keys that could basically have
shut down Thorchain and it was centralized.
And they actually did use those admin keys to shut off the lending and I think maybe also
the trading.
I think they did remove those admin keys a little over a year ago.
So then the next question is, I believe they're run by 100 nodes.
Now, how many of those node operators are unique?
That's a tough question, right?
I don't have a very solid answer for that.
I can tell you it's not 100 separate individuals, right?
There's definitely some people running more than one node or very closely associated people running nodes.
It's more of like an ethical issue, right?
Like, what value are you creating if your biggest user by a lot is North Korea,
right? Like, yeah, you're making lots of money and you bought a helicopter. Good, good for you. But, like,
you're still a piece of shit, you know. I'll just say it. It's not, they're not creating value for
most users. And could they stop it? I think there's, you know, they know their system better than I do.
They could have stopped it when they had the admin key. They probably could still figure out how to at least
add a lot of friction for DPRK, but they don't want to.
Yeah.
Yeah, there is always a way.
Like it's, you know, I mean, a decentralized protocol is great, but there's, there's so
many layers, you know, that you can work through to actually kind of like, yeah, make life
more difficult.
And it's just so difficult because it's like, there'll always be something else as well.
So it does take a proactive approach to stuff that's happening.
And I suppose that that does just make everything more interesting because there is always
something to respond to, which I guess is, you know, it's good if you're in the, if you're in
the investigation business, I guess. Do you, do you feel like that, that it is just a constant,
like, whack-a-mole game or it's like, we are heading to some kind of equilibrium where it's like
these are the tools that exist and we just kind of need to operate within the space that has been
built? Yeah, I hope that we hit an equilibrium where all,
Only the secure protocols are left.
Yeah.
But no, it is whack-a-mole.
And I hate being reactive and it's getting harder to react, right?
You know, $71 million was a very big win.
And we don't get a lot of those.
Sure.
Now, now that being said, now that that cat is out of the bag,
I don't think DPRK is going to go and raid Arbitrum for liquidity anymore.
Right. And that's actually going to protect them in the long run. They're just not going to risk it.
So they do stay away from protocols that fight back. The Nia is another one that, like, they don't
really go there. And, you know, I think Tay may have scared them off. There's a few
other services that they don't use anymore because they've gotten burned. So the question is,
what can we do? And there's always something. And, yeah, I point at Circle. They're really easy
to point at because they're deliberately not doing anything.
Yeah, it's really tough, and I think it also
just goes back to, like, decentralization is a brand, and it's like, you can adopt that
brand even though the reality of the matter is that you don't really have a claim on that
brand. Also, it's like this kind of standoff between wanting to admit that you
do use these tools available to you to freeze, and, I mean, even clawback. It's
very different, and it's such, like, a flimsy thing to have to battle against,
this concept of decentralization as a brand. It's just super frustrating. But, and so, I mean,
I think we might end on, like, your advice for, like, people wanting to break into the
on-chain investigation game, because, if anything, the space needs more on-chain investigators
who really know their stuff and know the tools available and all of that. It's like, is it possible
to break into this without having a lot of funding yourself to, like, go and pay for Chainalysis
or something like that? Like, how, if you were, like, a 16-year-old kid wanting to do this, like, how would
you get into it? Yeah, I mean, Zach didn't have TRM for the first few years, right?
Arkham Intel is a very effective tool.
Tay uses Arkham all the time.
I, you know, like you said, Chainalysis is expensive.
But the way, there's two things you can do to get started.
One is follow every other investigation that you see on Twitter and just try and repeat the steps and see, you know, just master the skills.
And then the other is just start helping random people.
And that's hard.
And you have to be careful.
You don't want to give people bad advice, but there is no shortage of cases to look at.
That's how I got my start, right?
I was just helping random people who, you know, the police weren't going to help them because they didn't know.
So that's, there's no shortage of people to help.
And as long as you're careful about it, you know, I think about 10% of cases are solvable or actionable.
So just do it because you can.
Cool, man.
Cool.
Well, I think we might leave it there.
Thanks so much for joining us today, Nick.
And I hope to have you back on The Breakdown soon.
Hopefully, after not a catastrophic incident for this space,
but just back on under better circumstances.
Yeah, thanks for having me, David.
See ya.
That's about all the time we have for today.
Let me know how you're feeling about DeFi
and the North Korean hacking spree in the comments.
And we'll see you next time.
