**Laura Shin** (0:00)
Hey everyone, welcome to Unchained, your no-hype resource for all things crypto. I'm your host, Laura Shin. Thanks for joining this live stream. Before we get started, a quick reminder, nothing you hear on Unchained is investment advice. This show is for informational and entertainment purposes only, and my guest tonight may hold assets discussed in the show. For more disclosures, visit unchainedcrypto.com. Bitcoin changed how money works. Citraya changes how Bitcoin scales. With a trust-minimized BTC and a native stablecoin, CTUSD, Citraya enables Bitcoin capital markets with lending, privacy, Bitcoin yield and more. Get started at citraya.xyz slash unchained. EtherFi is giving unchained listeners 15% cash back on food and ride apps, and that's on top of the 3% you get on everything else. Your bank is charging you to use your own money.
I switched. Go to ether.fi slash unchained to claim your discount. Today's topic is the Hollywood thriller backstory to the Drift Hack and the backlash against Circle. Here to discuss are Amanda Wick, head of Americas at VerifyVASP, and Michael Lewellen, head of solutions engineering at Turnkey. Welcome Amanda and Michael.
**Michael Lewellen** (1:10)
Good to be here.
**Amanda Wick** (1:10)
Hi, thanks for having us.
**Laura Shin** (1:12)
When we originally booked this podcast, we thought we were going to focus on how Circle handled the Drift hack, but over the weekend, when Drift gave its postmortem on how the attack was actually six months in the making, we realized we needed to cover that huge story as well. So let's start with that. For listeners who weren't on crypto Twitter this Easter weekend, Michael, do you want to catch people up to speed on what exactly Drift said about how they got compromised?
**Michael Lewellen** (1:43)
Yeah, I'd love to. It definitely took up a lot of my Sunday and the Sunday of many other security professionals in the space that have been commenting on it. I mean, the short version, like we knew this was likely a sophisticated attacker when the hack happened. I was actually having dinner with some security professionals at ECC in Con France when this all went down. So I've been hearing the play by play since. But then Sunday, I think what we learned was, you know, lots of speculation that this was going to be a sophisticated attacker, possibly DPRK-linked. We haven't confirmed that, but it feels very likely. And what it looks like, based on what the Drift team reported, is that this was a long-term, at least six-month intelligence operation. And what's really wild about this is it involved in-person professionals or crypto professionals, ostensibly, interacting with the Drift team, building their confidence, interacting with them, showing competence and understanding of their protocol as a legitimate actor that might be wanting to do an integration with their protocol. And through that, it seems like they were able to convince certain engineers to install or clone certain repositories on their systems, take advantage of known vulnerabilities in VS Code and other things. And then it was very likely they were then able to get signatures on these admin wallets, including this 2-of-5 multisig that specifically was the vector for the attack. But they were able to essentially get those signatures weeks in advance of the actual attack.
And that was using durable nonces, something on Solana. But basically just a signed transaction ready to go at a moment's notice when the attack was ready to be launched. And it does seem like they were rehearsing this based on some on-chain analytics as well. So overall, what we've learned is that we knew this was likely sophisticated, but it was sophisticated to the degree of a nation-state actor using proxies, using in-person communications from people that didn't appear to be North Korean, even though it seems likely that that was the attacker. So in short, it means that, okay, we have nation-state level attackers and very sophisticated in-person intelligence operations targeting crypto companies like Drift. And the feedback that we're getting from the community of other security professionals is basically, okay, this seems like something that other teams are likely being targeted with at this moment. It's very likely that Drift is not the only one. And we have to consider who else might be maybe not compromised, but at least being targeted and needs to increase the level of protections they have. So I think that's like the big takeaway is realizing like this is serious. And, you know, one month to the day from the Bybit hack, it feels like the intensity of attacks on crypto is increasing, not decreasing.
**Laura Shin** (4:18)
Yeah, I think like what really struck me was they met these people in person multiple times at different crypto conferences. And they were technically, or I'm quoting the Drift blog post about it, but it said they were technically fluent, had verifiable professional backgrounds, and were familiar with how Drift operated. They also deposited $1 million of their own capital. They, you know, onboarded a vault onto Drift, which required them filling out a form with their strategy. I mean, this was so detailed. And the fact that the LinkedIn profile, or whatever it was that the professional backgrounds, you know, like, they did, just, Drift described it as, that they were fully constructed identities, including employment histories, public-facing credentials and professional networks. So I was just like, oh my God, it's like they created this little Potemkin village that, you know, like we're saying that the Drift hack was six months in the making, but for that back history to all those people, it could have been, what, a year, a year and a half. I don't know. I mean, even years, like multiple years. Amanda, what about you? What details struck, stuck out at you?