Unchained - How ‘Booth Babes’ Can Result in Huge Hacks Like Drift’s
Episode Date: April 6, 2026
The $285 million hack of Drift began in person at a conference … and unfolded like a spy novel. Multiple in-person meetings, $1 million deposited, professional histories and reputations. It was a long con based on what Pyongyang does best: setting up Potemkin villages. Amanda Wick, Head of Americas at VerifyVASP, and Michael Lewellen, Head of Solutions Engineering at Turnkey, discuss how it happened and why it has every crypto project reviewing all their relationships. Plus: they cover the seemingly inexplicable reasons Circle didn't act in the six hours when the stablecoin issuer could have frozen the hackers' funds.
Transcript
Hey everyone, welcome to Unchained, your no-hype resource for all things crypto.
I'm your host, Laura Shin.
Thanks for joining this live stream.
Before we get started, a quick reminder: nothing you hear on Unchained is investment advice.
This show is for informational and entertainment purposes only, and my guest tonight may hold
assets discussed in the show.
For more disclosures, visit unchainedcrypto.com.
Bitcoin changed how money works.
Citrea changes how Bitcoin scales.
With a trust-minimized BTC and a native stablecoin, CTUSD,
Citrea enables Bitcoin capital markets with lending, privacy, Bitcoin yield, and more.
Get started at citrea.xyz/unchained.
EtherFi is giving Unchained listeners 15% cash back on food and ride apps,
and that's on top of the 3% you get on everything else.
Your bank is charging you to use your own money.
I switched.
Go to ether.fi/unchained to claim your discount.
Today's topic is the Hollywood thriller backstory to the Drift hack and the backlash against Circle.
Here to discuss are Amanda Wick, head of Americas at VerifyVASP, and Michael Lewellen,
head of solutions engineering at Turnkey. Welcome Amanda and Michael.
Good to be here. Hi, thanks for having us.
When we originally booked this podcast, we thought we were going to focus on how Circle handled the Drift hack,
But over the weekend, when Drift gave its postmortem on how the attack was actually six months in the making, we realized we needed to cover that huge story as well.
So let's start with that.
For listeners who weren't on crypto Twitter this Easter weekend, Michael, do you want to catch people up to speed on what exactly Drift said about how they got compromised?
Yeah, I'd love to.
It definitely took up a lot of my Sunday, and the Sunday of many other
security professionals in the space that have been commenting on it.
I mean, the short version, like, we knew this was
probably a sophisticated attacker when the hack happened.
I was actually having dinner with some security professionals at EthCC in
Cannes, France when this all went down.
So I've been hearing the play-by-play since.
But then Sunday, I think what we learned was, you know,
lots of speculation that this was going to be a sophisticated attacker,
possibly DPRK-linked.
We haven't confirmed that, but it feels very likely.
And what it looks like, based on what the Drift team reported, is that this was a long-term, at least six-month intelligence operation.
And what's really wild about this is that it involved in-person professionals, or crypto professionals, ostensibly interacting with the Drift team, building their confidence, interacting with them, showing competence and understanding of their protocol as a legitimate actor that might be wanting to do an integration with their protocol.
And through that, it seems like they were able to convince certain engineers to install or clone certain repositories on their systems, taking advantage of known vulnerabilities in VS Code and other things.
And then it was very likely they were then able to get signatures on these admin wallets, including this two-of-five multisig that specifically was the vector for the attack.
But they were able to essentially get those signatures weeks in advance of the actual attack.
and that was using durable nonces or something on it,
but basically just a signed transaction ready to go at a moment's notice
when the attack was ready to be launched.
And it does seem like they were rehearsing this based on some on-chain analytics as well.
So overall, what we've learned is that we knew this was likely sophisticated,
but it was sophisticated to the degree of a nation-state actor using proxies,
using in-person communications from people that didn't appear to be North Korean,
even though this seems likely that that was the attacker.
So in short, it means that, like, okay, we have nation state level attackers and very sophisticated in-person intelligence operations,
targeting crypto companies like Drift.
And the feedback that we're getting from the community of like other security professionals is basically,
okay, this seems like something that other teams are likely being targeted with like at this moment.
It's very likely like drift is not the only one.
And we have to consider like who else might be maybe not compromised,
but at least being targeted and needs to increase the level of protections they have.
That's, like, the big takeaway: realizing, like, this is serious, and, uh, you know, one month to the day
from the Bybit hack, it feels like the intensity of attacks on crypto is increasing, not decreasing.
Yeah, I think, like, what really struck me was they met these people in person multiple times at
different crypto conferences and they were technically, or I'm quoting the Drift blog post
about it, which said they were technically fluent, had verifiable professional backgrounds, and were familiar with how
Drift operated. They also deposited $1 million of their own capital. They, you know, onboarded
a vault onto Drift, which required them filling out a form with their strategy.
I mean, this was so detailed. And the fact that the LinkedIn profile, or whatever it was,
the professional backgrounds, you know, like they just, Drift described it as that they were
fully constructed identities, including employment history,
public profiles and credentials, and professional networks.
So I was just like, oh my God, it's like they created this little Potemkin village that,
you know, like we're saying that the Drift hack was six months in the making.
But for that back history to all those people, it could have been, what, a year,
a year and a half, I don't know.
I mean, even years, like multiple years.
Amanda, what about you?
What details stuck out at you?
I don't know.
I remember reading this and thinking, I feel like not enough people watched Homeland.
And, like, I say that half jokingly only because about a year or two ago, Alex O'Neill and I wrote an article sounding the alarm on digitally enabled sanctions evasion. And the point that we were trying to make is that this is, to Michael's point, very rapidly becoming nation-state-sponsored-level activity. And I think people don't realize the ramifications of that. I remember when I was at Chainalysis in 2020, I did this, like, risk training trying to tell everyone at the
company, all of you in this industry have, like, a risk surface. That's not because of something
you necessarily do. That's because of who wants to talk to you, who wants to get access to you,
and who wants to get the access that this company has. And I would defer to Michael on this because he
probably knows better, but I worry about the number of companies in the crypto sector that don't
think at that level, that don't train at that level, that they don't think of this necessarily
as financial services. People moving millions, sometimes billions of dollars are still kind of a little
relaxed about the security of what they're doing. And that's a terrifying thing. And it's not to say that
I expect everybody to check IDs at conferences, right? We don't want to get like insane about it.
And there were some things here that probably were going to take a lot more investigation.
But I think overall, anybody who's looking at security in this industry wishes that a lot more
companies, even some of the major ones, would take this a lot more seriously given how much
money they are moving on a daily basis. And I just don't think they realize,
who's out there trying to get it, right?
I think they tend to think about pig butchering.
Maybe sometimes they're thinking about organized crime.
Maybe sometimes they're thinking about really organized crime.
But they're rarely ever thinking about the operations of a country's military like
North Korea or Russia.
And they're not thinking about the resources, the time, the energy, the planning that nation
state actors put into this.
And that is, I think, a massive security problem.
And I'm sorry.
So I've always just thought it was pretty much North Korea.
but what are the other nation state actors that are trying to do this type of attack?
I don't know if anyone's as sophisticated as North Korea here.
I'll defer to Michael.
I think Russia like does, I don't think they're that.
I don't want to insult them, but I don't know that they're at the hacking level that
DPRK is.
I think they all have kind of, they are all developing their own methods and tools, right?
So like Russia has Garantex.
They've had other things like in terms of how they want to take money, launder, and see
their way in the space.
Michael, I'll defer to you. I don't, I don't, I think North Korea is kind of like a pretty good, well-respected hacker in the nation-state space. I don't know if anyone's done like a ranking of them, but I think it's a little naive to think that nation states that are adversarial aren't actively doing this on some level. Yeah, I think North Korea definitely stands out as a particularly prolific actor in the crypto space, like just based on what a lot of security professionals out there have been able to trace back to them. I mean, yes, there are other,
like, hackers that operate in, like, Chinese and Russian and other jurisdictions, and like the level of
involvement or direct, like, relationship between those countries' actual intelligence operations
and cyber, you know, warfare divisions, in terms of, like, how connected they are versus them being
loosely affiliated, it varies a lot. There are definitely just criminal organizations that operate out
of Russia that aren't being prosecuted and are kind of being, let's say, tolerated in that jurisdiction
as long as they're targeting Western operators. But I think with DPRK it does seem to be like,
like, this is literally a source of revenue for that country. Like, a significant portion of the revenue funding the North Korean state, and especially, like, things like the nuclear program, do appear to be coming from stolen funds from growth, cryptocurrency, and other, like, sophisticated operations that they're running.
Okay. So, you know, one other thing about, like, just the fact that this, you know, clearly is something where these people were meeting others, you know, not
only Drift, but other crypto teams at these conferences, you know, somebody tweeted at me,
you know, why didn't they name these people? And I wonder what you thought of that choice,
because presumably they did meet other teams. So it might be helpful for the other teams to know
their identities. Possibly. I am not familiar with exactly what the Drift team is like sharing
maybe privately with security professionals. I do think that like, oh, I can't speculate
necessarily in their decision there. But, you know, I do hope that like, and this was definitely
happened in past incidents where SEAL 911, who's been very involved in working with Drift
in this incident, has been, like, privately sharing, like, profiles of, like, known bad actors.
This is something they've been doing ever since DPRK started to more actively try to infiltrate
crypto teams through hiring and other things.
So I leave to them on, like, you know, what is being done behind the scenes.
I hope something is.
But I could speculate at least to say that if they haven't revealed the details of those names,
it's because it's better not to post it publicly until they've decided and talked to maybe on a private
level, you know, what is going on, as well as knowing, like, we don't necessarily know
how involved the, like, individuals they were meeting at the conference and the proxies were,
were they aware, were they not?
We don't know.
I think we're just working off of what we have in the Drift report so far.
So definitely, I think it's just because this is an ongoing investigation that we still
need to get to the bottom of in terms of, like, who exactly was involved and where exactly
these exploits occurred.
But we're getting more of the picture as time goes on.
And so going back to this thing about how they had professional
identities that appeared to have been, you know, I don't even know what to make of it.
Is it that these are working crypto professionals who agreed to be hired by DPRK?
Or is it that they're actors and that these were, you know, fake identities that were crafted
over time?
Like, who do you think these people were, you know, in relation to DPRK and to the crypto industry?
I think we have to entertain the possibility that all of these things,
like, factors are possible in terms of attack vectors.
It could be a team that was like unaware of like the DPRK links.
Maybe they thought they were part of something criminal but very different.
Maybe they were fully aware.
Maybe they had very little awareness and they were operating at the direction of someone
that they didn't realize had ill intent.
I think, like, maybe the takeaway here is, like, we don't know in the case of Drift.
We'll hopefully learn more.
But I do think that like for a lot of teams that are out there,
they should consider the fact that all of these things are possible,
which kind of comes down to the security lesson here, which is regardless of who you're interacting with,
whether they're trusted individual or not.
Trusted individuals can be compromised in the sense of their machines, the things that they send people, their communication channels.
So when it comes to your own security, like, it has to be a very tight, like, possibly even air-gapped system that you're using for highly sensitive signing operations on admin
multisigs, like the Drift protocol's multisig that was compromised here, because there's just so many potential ways that someone could get in and fully compromise it.
And it could be a friend that doesn't even know they've been compromised.
I also hope that some companies will take this as a lesson to like really think about
who they let into their spaces and access to their potential customers.
I don't know if you've heard of the booth babes phenomenon, but I remember like my first Bitcoin
Miami conference talking with somebody for about five or six minutes in a booth before
realizing that they had been hired for the day and that booth babes are actually a
terrifyingly frequent thing.
And these are just companies that will literally hire attractive women for the day to man their booth to bring a predominantly male audience into the booth.
And to Michael's point, you really need to ask yourself, who are you allowing access to prospective customers at a conference?
Who are you allowing to be in your booth representing your space?
What information are they allowed to collect?
Like, I just think some companies are a little lax with their security protocols.
And they don't necessarily think about every single one of these places being an attack vector.
And it's like, you know, who does think about that is DPRK, right?
And so you may think having an attractive woman lure men into your booth seems like a really
great idea, but what conversations are they collecting?
What PII are they collecting?
What are your protocols for assessing that?
Or do you just care about dragging people in and you're not thinking about that?
But those are the kind of practices that God willing, folks like Michael and the security
industry will start getting an industry to rethink because every single attack vector surface
really needs to be reconsidered.
Okay, so basically, like, in their little postmortem, when they describe the people that, you know, these, like, hackers basically met with, they were always described as Drift contributors.
And I remember thinking that phrasing is interesting.
Like, I didn't know why it was phrased that way other than simply the fact that, like, sometimes in a more decentralized space, you know, you don't really
have a title for somebody. So, but you're saying that potentially it could even be somebody who
didn't work on Drift, but only was hired for just the purposes of that conference.
Yeah, I'm, I think, Michael, I don't want to put words in your mouth, but I feel like all of this
is coming in. We don't know. You get facts. Like, like, this is like law enforcement investigations.
We're very, very careful. Everything's a possibility. You have to investigate everything. You have to
kind of, like, rule things out based on the evidence that comes in. And, like, so much in crypto comes in
so fast. Sometimes it's real. Sometimes it's not. And you really have to filter through. I would not
make any assumptions that these people were necessarily, quote, DPRK, right? You could create an identity,
give it to somebody, right? It's kind of like the victims in pig butchering that go on both sides, right?
You have human trafficking victims who are then creating victims in the scams. And a lot of people didn't know that for a
long time. And so they just assumed that the person on the other line was a scammer. They didn't
necessarily know that that person was also being basically, sometimes physically beaten to commit
that. So you just don't know what situation these people were in. Were they willing, were they
lied to to say certain things? Were they told they would be actors? Like, I don't believe anyone
knows that yet. And that's what the investigation will likely have to detect. And I could speak to like
maybe the broader issue of like these kind of like contributors that can come into projects.
And, you know, many crypto projects operate kind of with an open source framework that anyone can come in and contribute to.
And what has been noticed over the last year or two is that like this is one, certainly a vector for DPRK to get more involved in a way to build trust with teams.
And two, what I think is like particularly like concerning is that these are actually very good developers.
Like, they're very good at actually lying in wait and being disciplined, not, like, doing something silly like trying to introduce a backdoor, you know, on day one,
or even, like, shortly in. Like, they're usually more interested in gathering intelligence on operational
security. They're not necessarily going to try to insert some sort of a backdoor or vulnerability
into the code base itself because that can be easily noticed and it's a very quick way to be,
you know, effectively burned. But instead for these teams to be gathering intel on the people
they work with, on the operational security of the system and the people operating sensitive
functions like admin keys and reporting that back to a team that they can leverage that information
to create a more sophisticated attack.
And I think that's what people need to be really considering.
When it comes to your operational security,
what details could someone, through open source intelligence gathering
or even from close associations with the team,
learn about your vulnerabilities?
Even if you're not publishing details about your operational security,
assume that people are going to be able to learn it over time
and that you need to prepare for them to target your weakest links
and for you to harden that as quickly as possible,
especially if you start out as a small project,
you have a small amount of money, but then you grow and you become a very, you know, a large attack vector.
Once you get past 50, 100 million, you're absolutely on the DPRK chopping block.
They're going to be noticed eventually.
You need to be prepared to have like an operational security practice that's going to scale with that.
And I don't think we necessarily have an explicit, you know, we don't have a practice in the industry.
Like some teams absolutely do this well or do it as well as it could be done.
And some teams, I think, do struggle to graduate to that as their team grows because they don't have someone very much in their face.
That's either a dedicated security professional on their
team or even a community that is, like, necessarily aware of this and demanding the transparency
around security practices to advocate for, okay, this is the time when we have to up-level security.
And unfortunately sometimes happens reactively as opposed to proactively.
Okay. And then I just want to ask about one other thing, which is, you know, it like it felt
like starting from Friday after TRM and Elliptic published some blog posts saying that
they felt that the digital fingerprints of this hack indicated that it was DPRK, and it was DPRK.
But and so everybody's been talking about that, but both of you have been kind of hedging.
So like what probability would you give to that?
And like, like basically I wrote my whole script, presuming that is DPRK.
And then now that you're saying this, I'm like, wait, so what, what percentage, you know, confidence you have that it is?
I'd say it's 80%, 90%.
Like, I would say I'm holding back on that just to say, like, we haven't confirmed it.
Mandiant's ongoing.
But, like, this is, like, almost certainly DPRK.
Even if it's not 8%.
When you say we haven't confirmed it, like, would it be that you would need to hear from them that they take ownership of it?
Like, what would you consider confirmation?
Specifically, Mandiant, just because I think they're, like, a trusted security source in the industry.
They've been known to link to DPRK.
So like at this time, we haven't gotten confirmation from them.
But like a lot of other security professionals have given like very high confidence, if not outright confirmation that in their view, this was DPRK.
So I think it's a safe assumption to make.
But, you know, investigation ongoing.
Okay.
Okay.
And just for the live stream viewers, we did have to record this like just a few hours before we're going to live stream it.
So who knows what will happen in the gap between that.
But anyway, okay.
So then, so let's talk about, you know, what TRM and Elliptic said.
Because in light of the fact that they believe it was North Korea, this just blew my mind.
Drift wrote in their postmortem:
It is important to note that the individuals who appeared in person were not North Korean nationals.
So, you know, for me, you know, I've said it multiple times on the show, I literally have ancestors from North Korea. Like, you know, the whole shebang in terms of what you could imagine about how we ended up here. So, like, you know, most, like the vast majority of people in North Korea are literally not allowed to leave the country. They are not allowed to consume any information from outside of the country. So how would North Korea hire
non-North Koreans, if they are indeed hiring non-North Koreans? Like, what nationalities do they tend to hire?
And the people who agree to be hired by North Korea, do they know that they are being hired by
North Korea and that the reason, like the purpose of their mission is to steal people's money
so that the North Korean dictatorship can buy nuclear weapons?
I need to understand this backstory.
I mean, I'm already surprised that somebody, and maybe this is just my own naivete, that somebody thinks they can tell the difference between a North Korean and a South Korean on sight.
Like, I didn't know that was actually.
I don't think that's.
Like we looked at them.
They didn't look North Korea.
I'm like, I don't know that that's a thing.
But even if you just assume the Korean part, it's a wildly naive view, right?
Like, I could tell you as a former federal prosecutor that if I was going to hire somebody, it would be white Brad, Tad, or Chad, crypto bro, to run around these conferences, not looking
like anything, right? Like, you want to hire the people that you, that make people feel the most
comfortable, that look the most innocuous, like, maybe attractive women. Like, you see this all the
time on LinkedIn, right? Like, a lot of the, like, Photoshopped profiles that aren't legitimate people,
they get, I mean, let's be honest, they're able to get connection requests accepted because of,
like, what the photo looks like. People don't even look at the job title. Like, if you're a malign actor,
whether you're a nation state or whether you're a criminal, you just play to human
weaknesses, right, and biases and preconceived notions. So what these folks probably look like when
they released their picture is probably whatever worked at that conference, right? Maybe it's a local,
maybe it's, you know, white visitors from the West. Who knows? But like, the bigger point is the
building the backstory and then putting somebody in who's comfortably able to kind of talk the talk
and play that role. And I just think that people need to understand, like, that's, that's,
that's just how criminals work, whether you're a nation-state actor or organized crime.
The idea that there's like a criminal look or that you're going to be able to visually identify somebody who's got bad intentions, that's a wildly naive viewpoint that is capitalized on by every criminal, terrorists, money launderers, organized crime, nation state actors.
Do not think you're going to spot a malign actor who's coming at you.
I think that's why, to Michael's point earlier, you need to have all these other tools to be able to look at all the other signs, to be able to do the due diligence, to be able to do the things to go past beyond like, does the person look legit or speak legitimately about the industry.
Yeah. And speaking more to like how intermediaries have been used, like this does, I don't think we've heard of something this sophisticated before in terms of like this level of engagement with a protocol at conferences, multiple touch points. But like there's absolutely precedent for this.
I mean, there are many, like, what are called laptop mules, or, you know, people that will stand in for North Korean hackers that are interviewing with companies, that, you know, are U.S. nationals or otherwise, you know, don't look North Korean or Korean at all.
And then, like, you know, still, even setting up, you know, physical hardware, like, setting up a laptop that the company shipped them and then, like, following instructions to give access to North Korean hackers or other hackers.
So, like, there's absolutely precedent for using intermediaries.
I think what this shows is that, you know, this can get to the sophistication level of, like, representing a credible company that understands, like, deep things in crypto.
They can, you know, say and do all the right things to build up confidence so that, like, at some point when they send you something.
And you know there's a slight risk of, oh, if I clone this and run this on my computer, maybe there's a compromise.
But like, I know Joe, I've seen him at multiple conferences.
He's bought me drinks.
He knows our product.
He's supporting us.
It's probably fine.
And the absence of very strict endpoint protection procedures on many company laptops today in the crypto space is one of the reasons that, you know, this is a vector that often works, because there's no, you know, like, formal enforcement of, like, okay, you can't do this with your laptop.
Maybe there's a policy someone wrote, but usually not any sort of endpoint protection systems that actually lock down computers to the point where they can't, you know, download random software onto them.
It's entirely up to the developers or the operators themselves to follow best practices.
And if they've even been educated on those best practices.
And I think this is what we're learning is like, you know, that's a big responsibility for anyone that has an admin key.
And ideally, there are like endpoint protection software running that can enforce these requirements.
And that there's even an enforcement of keeping, you know, your common laptop that you might use to clone a random repo or play around with new ideas or, you know, new software entirely separate from the device that you're using to actually,
operationally, sign highly sensitive actions, having completely separate devices,
as well as having very sophisticated key management
and signing policies that gate a lot of this.
Like, this is a lot of the work that I've done at Turnkey in other places is,
helping teams design, like, very sophisticated, like, or maybe not that sophisticated,
just basic least-privilege concepts of, like, don't give any privileged access to a developer
that doesn't have multiple checks and balances involved.
And unfortunately, a lot of multisigs on blockchains today are kind of, like,
like just set up as like, yes, there's a signing threshold,
but if that signing threshold is breached,
there are no additional safeguards, no timelocks or other things.
There can be in some cases,
but a lot of teams will often find that there's a barrier to operational efficiency there.
There are ways to split out that power more.
I could get into that.
But in general, what we're learning is that like there needs to be a very sophisticated thought process
through how can a developer be compromised,
how can we protect the developer,
and how can we protect the permissions that developer has access to
so that even if they're compromised, it's not a point of failure.
Yeah.
And just to follow, oh, go ahead.
No, go ahead.
I was just going to say, I guess the prosecutor in me also wants to just tag on, like,
the most basic thing about instructions for employees on just being aware of risk, right?
Because how many of us have gone to a conference and then somebody afterwards, yes, maybe we go out for drinks,
but systematically keeps in touch over six months.
Like, there are patterns of human behavior that you can make your employees a little more alert to.
to say, like, you might be the most charming person in the world.
But there is just also the reality of looking at and being a little bit more suspicious
of people who systematically seek you out, keep in touch with you, right?
Like, you just want people to be a little bit more alert and cognizant of their interactions
with people as a risk factor.
And I think even that very basic training doesn't get done at far too many crypto companies.
Yeah, I mean, like, to me, the only reason that doesn't work in this situation is because
since it's DeFi, they're literally trying to onboard people into the ecosystem.
So it's a little bit different than like if you're, you know, just working at a company.
Like, does that make sense?
Like you're trying to grow your community.
So when you have people that are interested in what you're doing, you're going to, you know,
want to respond to their interest in you.
The overlap between like very effective and aggressive business development and someone
trying to infiltrate your organizations for malicious purposes is very tight.
So it's sometimes difficult to tell the difference.
Yeah, and also, like, I love when people say it's DeFi, and Michael and I were joking about this.
It's like, but is anything in crypto actually decentralized anymore?
Like, no offense, but if there's a group of people at your booth at a conference,
it's not that decentralized is it if I can identify who's representing you at a conference
because you're paying somebody to represent you, right?
Like, this is kind of like the existential joke of saying DeFi and then having a booth
at a conference with humans that are identifiable to your project.
Because whatever part is, quote, decentralized, those humans weren't.
Whether they were, like, whatever role they played, like, that's why, that's where I'm getting
at that you need to think about every single, every single piece that you hold out to the world
that says, this is the part that represents us, or this is a person that might have access or
control.
They become a risk vector.
Because to your point, if it's all decentralized,
and nobody knows who it was, and then there's an identity that's attached to it,
those people become a risk vector, just by the nature of it's suddenly a lot more centralized
than it was before.
And I'll separate and say, like, there's a big difference between, like, a team representing
a project on, like, a BD or, like, development level,
and then, like, people that have operational control of, like, a project in DeFi.
Like, you can have both.
They can be somewhat separate.
Like, I myself have served on multisig security councils that have very selective powers
for the purpose of, like, stepping in for a security incident or other things like that.
And the biggest consideration is, like, how distributed is it?
Is it all one team on this multisig?
Is it multiple teams?
And then, of course, like, you know, is there strong operational security for each one of those members?
Is there a very high signing threshold for the most sensitive things?
Like, those are the most important.
And yeah, like, you know, if you're a big company, definitely, you know, making sure that you're careful.
If you have sensitive operations and personnel tied to those operations, like you're,
you're thinking about that from a travel policy perspective, from a geopolitical perspective,
from like all these things depending on how many funds are at risk and what the controls are.
All right. So in a moment, we're going to talk a little bit more about the group that is potentially behind this hack.
But first we're going to take a quick word from the sponsors who make this show possible.
Bitcoin changed how money works. Citrea changes how Bitcoin scales.
Citrea uses Bitcoin as both the settlement and data availability layer.
As Bitcoin's application layer, Citrea enables the first trust-minimized BTC on a fully programmable platform
and a native stablecoin for Bitcoin, CTUSD.
Citrea offers Bitcoin capital markets with lending, privacy, payments, Bitcoin yield, trading,
and predictions.
Citrea expands Bitcoin's utility without sacrificing its security.
Citrea Mainnet is live. Get started at citrea.xyz slash unchained.
EtherFi is giving Unchained listeners 15% cash back on ride shares, groceries, and restaurants right now,
which honestly is kind of wild for a card like this.
On top of that, I'm getting 3% cash back on every single transaction using my actual crypto.
No conversion fees, no nonsense.
My bank never once did that.
And it goes beyond just spending.
You can borrow against your holdings at 4% or less, which is super useful if you don't want to sell your assets.
You can also earn on all major assets, up to 8% APY, just by holding.
And moving money is just easy. No hidden transfer fees, no friction. It just works globally.
If you want to check it out, go to ether.fi slash unchained to claim your offer.
That's ether.fi slash unchained. Back to my conversation with Amanda and Michael.
So I know we were kind of debating whether or not it really is North Korea, but I did see that they did name a specific North Korean state-affiliated group called UNC4736. That's quite the name. It's also called AppleJeus or Citrine Sleet. So who is this group, and how does this group differ from the other state-affiliated North Korean hacking groups?
Honestly, I'm not an expert on that particular group, but I am very aware of
the fact that, like, North Korea doesn't operate just Lazarus, which is kind of what people
associate with DPRK. Like, they operate multiple groups.
It's kind of like a franchise operation.
Like, they're all operating generally under, like, the North Korean state umbrella, much tighter
than, probably, how China and Russia operate hacking groups.
But generally speaking, like, yeah, these are small, usually independent teams that are still, like, fairly centrally operated, but are, you know, given leeway and in some sense compete against one another to bring in the most revenue and to be the most effective.
Like, that's from what we can tell.
These are usually very competitive groups with one another in terms of, like, who can essentially bring home the most bacon for the Supreme Leader.
Wow. Okay. Wow.
That's... I'm just not going to comment on what I think of living a life like that, but okay.
Anyway, so, all right, let's now talk about the other big issue that came up, which is crypto people
were super mad at Circle. So, you know, I do want to get into what it is that Drift could have done
differently. I mean, we touched on it a little bit, like in terms of the separate devices and stuff.
But let's just talk about the Circle situation, because Circle sat
on its hands while, you know, $232 million was being bridged across the Cross-Chain Transfer
Protocol, CCTP, to Solana and Ethereum, where, of course, because those are way
more decentralized than Circle, you know, at that point, it's sort of like game over for, you know,
reining those funds in, right? So it's so interesting. Like, it sort of feels, you know, it's like
one thing for ZachXBT to publish a blog post and put Circle on blast. But even, even,
even I noticed, TRM, in its blog post, wrote, quote,
the confidence of the hackers was staggering.
Each bridging transaction moved hundreds of thousands or more,
often millions in USDC,
far outstripping the speed and aggressiveness of even the Bybit laundering of 2025.
So, you know, I am curious, why do you think Circle,
and I'm not going to mince my words here,
chose to let North Korea get away with stealing money to fund its nuclear
weapons program? I find that crazy, personally.
Michael and I have strong thoughts. If you want to go first, Michael, I will happily
collect myself. I'll speak to the fact that this is not necessarily news to anyone who's
been dealing with hack incidents in the past. Like, you know, SEAL 911, again,
very involved in Drift, has been involved with Bybit and other hacks. And, you know,
they, along with other groups they work with, like Zero Shadow, these are
all experts in forensic analysis.
They can identify usually these hacks within minutes, if not hours, like just saying,
oh, yeah, we definitely know that these are the funds that have been stolen.
We know that they need to be frozen.
But, like, actually getting stablecoin issuers to freeze rapidly has always been a known
issue.
But specifically, Circle has always taken a long time.
Their general approach has been, we'll wait for a court order or, like, very official
law enforcement involvement before they ever move.
And unfortunately, because these hacks are very rapid, we see that the hackers are aware
that freezing could happen. But if they know that there's a large window for that, and in
Circle's case this has basically been established by their policies and their actions that they will take
a long time to freeze, you have, like, a pretty wide window to operate in. And the best part about
operating in USDC as an attacker is, you know, they're going to take a while, but they also
have, one, high liquidity. They're one of the, you know, most traded stablecoins along with Tether.
But they also have this bridge, which means that you can move USDC through, you know,
to different chains where you know you have more liquidity or different ways to wash the money.
So, I mean, honestly, as an attacker, it's a great tool.
I mean, we actually saw in this case that some security professionals, based on the on-chain
forensics, saw that the attackers went out of their way to avoid using USDT.
They specifically stuck to USDC. They said that this is going to be,
you know, something that they feel is available for a large window of time to move the money.
And yeah, and then it's hard to say that from an operational perspective
there isn't anything Circle could have done. They have the freezing powers on chain.
They've always had it. They have control of the bridge architecture.
You know, this is just simply a policy of saying, like, this is not something they want to go out and do.
And, you know, that hesitancy is probably both from a, you know, what do they have to do versus what should they do,
but also the fact that, you know, they don't want to be seen as someone freezing maybe, you know, too much.
They don't want to be seen as someone that has to take on the liability of freezing funds.
There's an incident a few weeks ago that we could maybe speak to on that.
But yeah, I think unfortunately this is an established
behavior, and it has created a lot of frustration with security professionals in the space that
can identify the attackers quickly. They do report them directly to issuers like Circle for
USDC. And the movement is just very slow. There's just, like, a stated policy: we're not going to
move quickly on this until we have law enforcement or a court order to give, like, maybe some legal cover
over why they would make that freeze action happen, as opposed to acting on what is very
actionable intel but maybe doesn't have, let's say, legal cover for initiating action.
I mean, to my mind, it's literally like they built a, like a Tesla and they're like, oh, we're going to use the laws from back when we did horse and buggy and we're going to apply that in this situation.
Like, like, am I wrong?
Like that sort of feels like what they're doing.
Well, I think in fairness, because I want to try to be fair, even though I think Michael makes some really good points.
But in fairness, there is a gap here in the law in the sense that, like, how financial services companies
are required or regulated to act isn't necessarily always, like, a black and white rule, right?
And whereas traditional financial services has a safe harbor for, like, filing suspicious activity
reports, crypto arguably doesn't have the same thing. Like, there is a gap. Having said that,
though, they are a registered money services business that is supposed to have an AML/CFT program here in the
United States. And I would actually go a step further than what Michael said, because Michael said
security professionals have been frustrated, but I will tell you from speaking to a lot of law
enforcement, particularly global law enforcement, they are actually just as, if not more, frustrated
with Circle, because law enforcement will go to Circle with an action, with evidence, and say,
here, and sometimes they will even come with a seizure warrant. And if it's foreign law
enforcement, Circle will say, well, give us an MLAT, a mutual legal assistance treaty request, which could
take years. And so what you see with Circle, to your point, is, and I think Michael said this,
it's more a living, breathing embodiment of what it feels like only doing what we're absolutely
legally required to do and not doing anything more to prevent victimization on our platform,
right? And just to give you an example, like I, when I was seizing assets from banks,
we once had a guy who while his house was being searched was in the bank trying to get his funds out.
I called the bank, asked them to freeze the funds.
I said, look, I'm just telling you there's exigent circumstances.
I could get you an order in a couple of days.
But the guy's literally in there trying to get his money out as we're executing a search warrant
that had a finding of probable cause of criminal activity on his home.
And the bank was willing to freeze it.
And I think the thing that people are, even legal professionals, I think, are very,
very upset with Circle because they are basically taking a path of minimal, what's the least that we
legally could do. Because once they saw this, their AML CFT professionals could have said, hey, we have
a active laundering or we have an active transmission of illicit funds. It's like saying that if your
bank was being robbed and you were watching people move the money out and they were unarmed and there
was very little risk of doing anything that you would say, well, we just decided to let the funds walk
out and then we had to call law enforcement file a report to do anything about it, you would think
that's ridiculous, especially if you had a hired security guard in the lobby. And I think that's the
frustration that people have with Circle is that, you know, you have the ability to freeze this.
You have the, to at least pause, right? And they have terms and conditions. There are all kinds
of things that Circle has, right? If you're stopping this flow of illicit funds, you really think
your regulator is going to be upset with over freezing when it's a very, you know,
really provable, everybody giving you the evidence, you've determined this. You think your criminal
customer is going to civilly sue you. You think DPRK is going to come into court and say, hey, you
artificially froze my money. Like, there's just some arguments that sometimes issuers and exchanges
make that is like a BS justification for not freezing. And that is particularly dissatisfying in cases
where maybe in the 12 minutes, and Michael, correct me from wrong, I think the initial activity was
12 minutes, but in the six hours during business hours of bridging when the world is exploding
and telling you the robbers are in your lobby and showing you and you do nothing,
at that point, you become performative compliance and window dressing compliance.
And people really start to question your willingness to work with law enforcement.
If when you can, you choose not to.
And that's, I think, what people were truly upset about.
Yeah, I mean, for me, like, you know, you mentioned it. Their own terms give them the right to blacklist addresses, to freeze USDC. And it's just, like, honestly, because also I was reading some of the commentary about this, and CoinDesk ran this article. And this is not to criticize the person, so I won't name this person who was quoted saying this. But they said in the quote, I think people are framing this too statistically as Circle should have frozen. This wasn't a clean hack. It was more of a market slash oracle exploitation,
which puts it in a gray zone.
And I just was like, I don't even, I don't, this person may not be a lawyer.
But like to you, you know, and this is not to criticize lawyers, Amanda, but, but I'm sure you
know the type where it's like this kind of lawyerly thing where you get so like fixed on, you know,
just these stupid, stupid details that just completely miss the ball in like the purpose of the law.
And like, to my mind, the law should reflect like what the common sense thinking is about what a just outcome should be.
And like clearly circle missed it by a mile.
And like everybody who's all up in their heads about, oh, well, maybe it should be, you know, like, no, no.
It's like, it's just clearly everyday random people had $285 million of their money stolen.
And it was stolen by a dictatorship that is using it to buy nuclear weapons.
Like I imagine if you ask 99.999% of people on the planet, like who should get those funds?
they would not say that DPRK should get those funds.
So it's super inexplicable for Circle, which, you know, I respect the company.
They're clearly lots of smart people.
They're like people that I'm friends with, I would say.
And they're choosing something that I just find asinine, actually.
Oh, yeah.
Go ahead, Michael.
Sorry, yeah, I've got to say on that because.
Somebody feels.
I mean, one, like, as a comparison point, like, you know, I think there's lots of improvements
to be done on like how.
stable coins and other issuers for freeze funds.
But like we have seen like Tether and others be at least a little bit more proactive,
a little bit more willing to work with attack like, you know,
security professionals pointing out attacks, freezing them faster.
I think this can still be expedited massively across the industry and we could get a lot
better at it.
But it's like it's clear that like according to like the bar set by other issuers, like
Circle is is one of the slowest, which is kind of wild when they're also considered to be like
the most compliant or at least they're marketed as the most compliant.
Like, that's a big contradiction. And then in addition to that, like, speaking as someone who's worked on
DeFi protocols, like, I've done a lot of work on Compound as well as others when I was at
OpenZeppelin. And like, the view in DeFi is, like, you know, there's a lot of trust placed on
USDC. Like, you know, DeFi itself might be somewhat decentralized, but when USDC itself is on
your platform, you put a lot of trust in Circle to not upgrade their contracts or blacklist your
protocol specifically. Like, any DeFi protocol today, if Circle, like, fat-fingered the wrong button or
maybe misread, or, you know, a civil court order told them to, they could just blacklist the whole protocol.
There's a lot of trust put in Circle to not disrupt operations of DeFi protocols with this freezing function.
And it kind of feels like the reciprocal, the appropriate, like, way to reciprocate that trust is to go out of your way to protect user funds when these hacks occur,
and when DeFi protocols are clearly broken and security professionals that are highly trusted are clearly telling you the money should be frozen,
to react to that. And if, you know, the issue today is a lack of resources, a lack of, like,
them having to do their own, like, you know, personal due diligence before trusting an external source, then invest in that.
Like, build a security operations center whose only job is to leverage that freezing power effectively and turn it into an asset, turn it into, like, a reason to use USDC.
Because if you know you're going to get hacked, you're going to actually have a team that might be able to look out for you and recover those funds in the appropriate circumstances.
But right now it's the opposite.
It's, you know, I actually, you know, have very little confidence that any USDC could be recovered in a hack in any case.
I don't. At this point it is just, you know, the same as ether or bitcoin or others, except for the fact that freezing could occur. It just doesn't when I need it. Yeah, well, I think... oh, go ahead. Sorry, I was just going to say, Laura, you ask a really good question, which is, or at least the way I interpreted your question was, like, how does this stand? Well, people allow it to. There's no ramifications to Circle there, right? Like, after these things happen, people don't say, okay, well, then we're not going to
let our customers use USDC, because if we get hacked, we're not going to be able to get it back,
right? You don't see a market correlation to this bad activity translating to a decreased financial
impact on Circle. So, like, if I'm sitting at Circle and I'm watching this, I'm like, I don't
care, because if my regulator isn't complaining about it and my customers aren't leaving and I don't
have a financial disincentive, what's the downside to Circle of behaving this way over the last
years? I mean, they've had less market share than Tether, but they've been banking on kind of, like,
a regulatory capture strategy, lobbying to kind of, like, rectify that by saying they're the compliant
ones in the United States. And to Michael's point, right? And then ironically turning around
and helping law enforcement less than Tether, right, which is a very strange dynamic.
But to answer your question, until there's a financial incentive for them to not act this way,
or until they are legally told to act otherwise, why wouldn't they?
They operate in the way that makes them the most profit. They're an American company. That's the
American way. Yeah. So one of the things that I just really need to bring into the fold in this
discussion is just, this makes it even more confounding. So ZachXBT pointed out that just a few
days before, he said, so he wrote, quote, days after, and he was saying that their inaction on
the USDC from the Drift hack, he said that that was, quote, days
after Circle froze 16 plus business hot wallets incompetently. And like, it's just weird that they froze
ones that they shouldn't have frozen. And then the one that they definitely, definitely should have
frozen, they didn't. So like, what do you make of that dichotomy? So let me jump in there only because,
and this is no disrespect to Zach XPT at all. But there's a lack of understanding, I think,
of how court orders work, particularly court orders under seal, right?
Like, if I serve a seizure warrant under seal to a financial institution, and let's just use a bank, right?
They're effectively an intermediary between me and the criminal whose funds I'm trying to seize.
They really, like, the opportunity to challenge that is much, much smaller, particularly under seal.
It's unclear that Circle might have even had the affidavit that was the basis for the facts, right?
Like, they just basically get a seizure warrant that says freeze these addresses.
So there was, there's a lot of assumptions made about the when you get a seizure warrant, how much
leeway do you have? And the answer is mostly none. Like the ability to challenge that or it was,
it's even unclear that they had the factual basis with which to know, right? They could have done an
analysis on those addresses and said, oh, this is going to go badly because some of these are
clearly a mistake. And then that becomes a problem for them as a company. How do they deal
with that with their customers, is it worth like the legal challenge, right? Like it, it becomes a bigger
mess than you can possibly imagine. So like, I want to be fair to them that when, when presented with a
seizure order from a court, if it's a bad affidavit, it's bad tracing and it's a judge who doesn't
know enough to have the ability to like read the tracing affidavit and know whether it was done well,
like any intermediary, even a bank, right? There were banks that had to answer seizure warrants that
later the tracing is bad and they're like, oh my gosh, but we don't really have.
the ability to say no to a court order. So like you have to be fair that in that instance,
their leeway is actually, believe it or not, less than their individual ability to do an investigation
internally and say, hey, we need to freeze this. So I'm more sympathetic to them screwing up
in response to a legally required court order that has probably bad tracing and that then
requires them to freeze. And then a number of those got unfrozen as facts came out and as the
entities that were frozen challenged them. But on this, where it's like you have the ability,
you're seeing the bridging, you're seeing it in real time. It's six hours, and you are supposed
to have an AML/CFT program and you have all these controls put into place with your T's and C's.
That's where they have the ability to actually prevent it before it goes out. And that's ironically
where they had the ability to do damage minimization as opposed to once there's a, a
court order, in some ways, that's even riskier. So to Michael's point earlier about the need for
public-private partnerships, this is where issuers working with security professionals could
prevent a lot of the funds from going out in the first place or prevent the damage from happening
before you get all the way to the point where you're praying that a law enforcement officer gets
the affidavit right and some judge who barely understands how bank transfers work and is being asked to
understand crypto tech is suddenly the one deciding whether these funds should be transferred. And don't
get me wrong. I, of course, respect the rule of law, and as a prosecutor, relied on it for nearly a
decade. But crypto is different. And the systems are not adapting fast enough to tech that is moving
faster. And I think we would all love to see the industry just be a little bit more proactive at
being better at what they have the capability of being better at. Okay. So let's just contrast this
with what Tether does when these types of incidents happen. So, you know, as far as I understand,
they are widely praised by the industry for their handling of these types of situations.
So what do they do?
And like, why do you think circles not just following their lead there?
Yeah.
I mean, the one thing that I'm most familiar with regarding, like, Tether is, I think, like,
at least having formal partnerships with some of the groups that are trying to, like, freeze stolen money.
So they work very closely with Zero Shadow and others in kind of, like, a formal coalition for fund freezing and recovery.
They kind of curate the relationships with the professionals that are usually raising these even before Tether themselves might, like, know about it.
And like, just build those relationships, build those relationships with law enforcement, and generally just move faster.
I mean, I still want to emphasize, like, I think across the industry, even with Tether, there are ways this can still be done better.
And I think having, like, a little bit more legal cover, as well as, like, even legal requirements around you need to do this in certain circumstances, would help with that.
But they've definitely been more proactive.
They've generally been willing to at least have the conversation,
be willing to, like, set up some infrastructure ahead of time
so that they're ready to move faster when, like,
groups like Zero Shadow or SEAL 911 reach out.
And I think generally speaking, like, continuing to, like,
just lean in better.
Like, I think just even being willing to have the conversation,
as opposed to, like, I would say being fairly, like, you know,
sticking to the letter of the law in terms of what they have to do.
Like, Tether at least has been proactive and willing to go further.
Could they go even further than what they've done today? Probably.
I would honestly leave it to others that work more closely with them to say what that could look like.
But definitely, just compared to, again, I think their competition with USDC, miles better.
Yeah, I saw Taylor Monahan tweeted something about how if you freeze, you can always unfreeze.
But if you don't freeze and then the money makes its way over to Ethereum and Solana, like, game over.
Like, you missed your window, you know, and now you let a dictatorship get, what is it, $285 million worth of
nuclear weapons. Like, it's fucking retarded, frankly. Um, so one other question, though. I just was curious
about this. I actually don't know this. Um, so what legal jurisdiction is Tether under?
so that's actually also the answer to your previous question in the sense that i believe
tether global is located in el salvador or says that it's
Basically, I don't know if it's incorporated.
Basically, they acknowledge that their legal jurisdiction is El Salvador.
And so it's really unclear whether they're regulated or supervised in any way in El Salvador,
whether there is a regulator who examines them or monitors them.
They've created obviously Tether U.S., but that would be solely for, I believe, Tether U.S.,
customers or where there's a U.S. jurisdiction.
But for their global transactions, they are presumed to be based out of El Salvador.
And so historically, Circle's argument was always, well, hey, we're
a U.S.-based company that submits to and is regulated in the U.S.
We're a registered money services business, I believe, in 50 states.
And we follow, right, like, the Bank Secrecy Act and the AML/CFT obligations that come with it.
Tether, like they've always made a big deal of saying Tether is not regulated.
It's outside the U.S. jurisdiction.
To Michael's point, and this is just obviously like my personal view and more like a vibe.
But I think Tether operates more closely, Laura, to what you said earlier in the sense of like it's
own kind of like moral code and what should be done. And when someone comes to us and proves it and says
it's dirty, then I think that... now I have heard, Michael, correct me if I'm wrong, but I have heard that
they say, like, at least 50% of the funds in an address have to be dirty for them to do a freeze.
So like they've set this number that like essentially like if it's too small, they won't freeze it.
So if more than 50% is dirty. And that could be multiple victims. But I believe like they have to
basically say, hey, more than 50% of the funds are dirty. So they have their own standards for
kind of what they do. And I think that's because they're operating kind of on a, what do we have to do.
And also what should we do? And if somebody comes to us and gives us a legitimate explanation and says,
hey, this money is stolen and it belongs to a victim or 100 victims or 1,000 victims,
they're relatively good about that. It's an interesting dynamic to see where they are on like
facilitating sanctions evasion, because that's a
different thing, right? Like, law enforcement isn't necessarily coming to them and saying
Russia was able to buy this using USDT. Like, it's murkier grounds. Like, when you look at
where they're good versus where they're less good, like, I don't think it's like an easy one-to-one,
like tether's more compliant and circle isn't. There are certain things that tether does better because
it's making a risk-based analysis of like what's the risk of not doing this well? And then what's the
risk of doing this well. Do you know what I mean between between these like different categories?
But at least the vibe that I've gotten, especially from law enforcement is that when you go to
Tether and you say, here's our proof, here's our tracing, this is illicit, and it's more than 50%,
They are much, much faster and willing to work with folks to freeze because I don't think they want
the funds to disappear. Yeah. Like to my mind, what you're saying is basically they use common sense.
they're not like doing this bookish like let me look up this law that was written back in 1853 like
you know what I mean they're like literally just using their brains to figure out what to do like that's
what it sounds like to me I say this as a recovering lawyer you're not wrong sometimes lawyers are
the problem a lot of times lawyers are the problem and that's because we're bound by professional
obligations and laws and regs and in crypto especially areas where they have not caught up right like so
many regulators globally are so behind on this on saying what you should do. But like we as humans,
like the social contract, like the moral compasses that we've developed are faster along saying,
but you should be doing this. Like you have the ability with great power comes great responsibility.
Like, good Lord, just follow the law of Uncle Ben and you'd be fine. And we know that. But the problem is
is like the social contract that we humans have been like conditioned to believe the rule of laws in place
in crypto lags behind because so many regulators and lawmakers have not put into place the things
that the system needs. And that's why we get so frustrated because it's like you're sitting in
circle and maybe a lawyer is saying, well, we don't have to freeze this. But if I was the CEO
Circle and I had to sleep at night, I'd be making a different decision about whether to let those
funds go just because what do I have to live with as a human? And if there was a way that I could
get it justified and take the risk, I don't think DPRK is going to sue me. I think our regulator
is going to be okay with erring on the side of freezing as opposed to letting it go.
And even if they didn't know it was North Korea at the time that it was jumping,
Michael, it was certainly illicit enough that it was pretty clear somebody was, yeah.
I mean, it was like, it was pretty clear it was stolen and hacked.
It was clear that it was stolen and hacked.
And come on.
Yeah.
And I'll add one thing I haven't said yet, which is like there, there's a specific crime unit,
the T3 financial crime unit, that like,
Tether coordinates with Tron and TRM Labs and others on, that, like, in the Bybit hack a year ago, you know, did freeze nine million in stolen funds. So they did actually, they were able to recover some funds in a relatively comparable hack to this one in terms of the actor and the sophistication involved. And the lesson that was learned from that for attackers is use USDC instead of USDT, because Tether might freeze it through these programs that they've set up proactively to at least have a higher chance of recovery for users of Tether. And like there's just an obvious
contrast of Circle can be doing better.
But yeah, to Amanda's point, do they have to do better to satisfy regulators or their legal
obligations?
Okay.
So last two questions.
The first one is for Amanda specifically.
Amanda, if you were to craft a new law that would make sense for blockchain speed,
how would you structure it?
So obviously I'm biased in favor of preventing victimization.
And this might be going a little too far.
but I would try to create something equivalent to the BSA safe harbor for protocols and exchanges
to basically say if you have a reasonable good faith basis based on kind of like established
industry norms, right? And you tie it to these things that are basically provable points,
right? So is it a reasonable good faith basis? Is it based on, you know, a reasonable security
norms? So somebody like a Michael has to come in and say, did they do, what's the industry
standard at the time. Did they use best practices? Did they use analytics? Did they have, right? Like,
did they, do they just freeze when somebody says, trust me, it's dirty? That would be terrible, right?
But somebody presents a tracing point. They do the proofs to make sure that it's like a verifiable
security professional. Maybe there's a credentialing process. Like, you can imagine what we put into place.
But something needs to be put into place that basically says, because unfortunately right now,
too many exchanges, too many exchanges and issuers are going to do exactly this.
I've seen it 100, I've seen it so many times where basically an exchange says we had no choice
but to release the funds because X.
And I'm like, your terms of service say you could freeze funds indefinitely.
Why are you so willing to do that when it makes you money, but you're so unwilling to
recognize it when it's to protect a victim or victims or thousands of victims?
So we have to basically create something that takes away sometimes the excuse that issuers
and exchanges use to not freeze funds.
But in fairness, they can only freeze those funds for so long.
And there are some legal impediments on the seizure side that we need to fix, particularly
in other countries that don't have the systems that the UK and the U.S. do.
So it's kind of a double-edged sword.
We need to make it slightly easier for them to freeze when they get information, possibly
even from private actors and not law enforcement, which is a very big,
very, very touchy subject once you get into it. But we also really need to build up the asset recovery
seizure practices that other governments don't have that the U.S. and the U.K. do. So there's a lot that
goes into it. But if I was one of the people drafting clarity and market structure right now, I would
consider slipping in something that makes it easier for issuers and exchanges to freeze these funds
and protect victims of crime, whether it's from nation-state actors or compounds in Southeast Asia
or relatives that get access, whoever it is, we should just be a little bit better at protecting
financial crime victims because right now the global financial crime war is very real. Like a lot of us
remember the war on terror. We really need a war on financial crime at the same level because it is
only going to get worse by nation state actors. All right. So Michael, the last question is for you,
and we alluded to this earlier. Obviously, there were a number of things, you know, and obviously like,
you know, no shade to the drift team, but clearly they could have done things differently.
So, you know, based on how the attack occurred, if you could give your sort of like best
tips for DeFi teams or, whether or not they're DeFi, whatever you want to call them,
crypto teams, you know, what would you say? And it's a two part question. And the second part
is just because of this fact that, you know, these were individuals who approached the Drift team
at conferences, there's probably a lot of teams already right now who are reviewing all kinds
of interactions they've had. So if you want to just also add tips for them, you know, for like what
they should look for and and all that. Yeah. I mean, I think the first thing is to acknowledge,
like, this is a very sophisticated hack. And yeah, there were a lot of things that Drift could have
done better. But I think it's also important to call out that there's lots of crypto teams that I think
are in a very similar position as Drift right now. And definitely a good time for all of them to reflect.
I mean, the first thing off is like endpoint security.
Like anyone who is part of your team that is using a device for signing,
like that thing needs to be locked down.
It needs to be either a separate,
either have very strict endpoint protection or effectively just use a completely separate device for signing almost entirely.
Obviously, start to think very seriously about VS Code, extensions and other things that you're running on your computer.
Anything basically where you might bring in,
you're doing something as simple as opening an external email to downloading new code.
All of these things are attack vectors.
And I think if you're doing sensitive signing on an admin key, like one, you need to just be in a better device.
Two, you need to use better key management.
Like, definitely not a key on the device itself.
Ideally, hardware wallet, you know, Turnkey also offers something through an API that we support for fine-grained policies.
But generally speaking, like, you just need to be, like, have a very clear defense in depth.
So there's multiple areas of failure that need to occur.
Ideally, as many as like layers as possible while still having like enough operational flexibility to do,
your job. And that's always a balancing act, but like the more value you have at risk,
the higher that threshold of, you know, effort needs to be and you need to be willing to bite
the bullet to say like, hey, we're going to make the team jump through more hoops because
there's just way more value at risk as we grow. Just generally having that philosophy.
Can I add one thing, Michael, bless your heart, independent risk audits.
Oh, yeah. Everything, everything you're saying, I love you so much and he's too nice to say this,
But so many internal security people will say they're doing fine.
And the executive team will not get an outsider to verify that.
And that is the death knell of so many places.
This is not an attack on CISOs, but like you have to have an outside objective view come in.
Like, because otherwise, of course everything's okay internally by the people responsible for maintaining it.
And that we see in financial services all the time.
Operational security audits too.
Like that's contract code.
Yeah, the only thing that I've heard, though, is like sometimes the teams will, you know, say like, well, the audit should just cover this. And then the thing that it doesn't cover is the way they get hacked. So it's like the audit maybe gives people a false sense of security. I'm not saying not to get audit. And I'm just saying that I wouldn't, I wouldn't assume that because the place has been audited, that you can definitely trust that, you know, every piece of it was audited or even that the audit itself was, you know, quality.
Yeah, and I think this is the biggest distinction.
Like, you know, I've worked at a smart contract auditor, OpenZeppelin, for four years.
And that's an absolutely crucial part.
But like, we're not seeing these biggest attacks coming from smart contract exploits.
We're seeing them come from operational security failures.
And that's where like we definitely.
I mean, SOC 2 is like the baseline that I think teams should be getting at some point,
but even going beyond that, like doing rolling audits, doing, you know,
having persistent security professionals come in and target your team and act as these same attackers
and figure out ways to find weaknesses in your system.
Like at some point, this is where resources have to be.
be placed. And then, yeah, beyond that, just thinking through, okay, like, if you are, like,
you know, looking at your system and thinking, how could we be potentially targeted the same way
Drift was? Like, yeah, you need to be combing through your history, who's been talking to you.
What has your team downloaded? Anything that might be potentially compromised, do a full wipe
and reset. Rotate your credentials. If you can't rotate your credentials or your wallet keys,
get a wallet set up that can rotate credentials easily and make that a recurring thing. And yeah,
if you are at risk, like, reach out to security professionals to help harden yourself.
There's lots of folks out there that do this work really well.
If you're, like, really worried that you might be currently compromised,
like SEAL 911 has a hotline on Telegram you can reach out to and get immediate assistance from.
They've been great.
They've obviously helped Drift in a time of need.
They helped others in the past.
Donate to SEAL 911 if you feel bad about taking up all that free time.
But, yeah, I think, like, the fact that that resource has been the lifesaver for a lot of teams
that haven't yet invested in their own internal security, I think is a wake-up call.
Like, SEAL 911 is great, but like, people shouldn't have to rely on that for the security of a protocol that has hundreds of billions of dollars.
There can definitely be some resources put into better endpoint security and just better security procedures in general.
So hopefully this is a good lesson.
And, you know, it's a year to the day, year and a month to the date from Bybit, where we were once again reminded of the stakes.
So hopefully this is one that really ingrains itself into people that need to be more paranoid.
and have better operational security.
All right, you guys, this has been such a great conversation.
Thank you both so much.
Just especially, well, for both of you, yeah, can you share where people can learn more about you and your work?
Because hopefully nobody listening to this will ever need your help, but just in case.
Well, you can follow me, Lewellen Michael, on Twitter, just my first and last name in reverse.
And sometimes I speak a lot on this for Turnkey,
or for SEAL, who does a lot of security initiatives and frameworks.
So like they also have a best practice guide that's also good to follow.
And I contribute to among many others in the space.
I'm at Amanda Wick on LinkedIn.
I think I'm, I used to be the only Amanda Wick, but fingers crossed.
It's like crypto compliance expert.
And I talk a lot about crypto compliance in this space.
I also talk about other people you should follow in this space.
So definitely find me on LinkedIn.
I am on Twitter, but I'm terrible at it.
So maybe I'll get to Michael's level.
someday. But thanks so much for having us. This is a really great conversation.
All right. Well, thanks everyone for tuning into the live stream. Next up, we have Bits and Bips,
where Ram Ahluwalia, Chris Perkins, and Austin Campbell will talk about the war in Iran and the various
intersections it has with crypto and more about the drift hack, which I think you will want to hear
from Austin, who used to manage a stablecoin and from Chris, who was in the military. So stick
around after this short break.
Thank you.
