Unchained
Laura Shin
APR 6, 2026

How State-Sponsored Hackers Like DPRK Drain DeFi Protocols: Uneasy Money

Key Takeaways

  • DPRK hackers use social engineering to facilitate supply chain attacks - Attackers often pose as VCs on Zoom or Teams to trick developers into running malicious commands that compromise core software dependencies like Axios.

    The second I saw the stuff, I made a lot of calls to get the full set of indicators for recent DPRK stuff to see if we could get more insight. I think especially relevant and like the thing that's top of mind is obviously the Axios hack happened yesterday.

    Taylor Monahan
  • Session token theft renders hardware MFA ineffective - Once a developer's device is compromised, hackers steal active session tokens to impersonate them, bypassing 2FA and leaving no trail of 'unauthorized' logins.

    If your computer is completely compromised in the way that DPRK compromises computers, that token, they take that token and they reuse it. Now it doesn't matter that you have MFA. It doesn't matter at all.

    Taylor Monahan
  • Pinning dependencies is the best defense against malicious updates - To avoid silently pulling compromised code into a project, developers should avoid auto-updating packages and wait for new versions to be vetted by the community.

    The normal mechanism that they use to compromise people is they get one person on a Zoom call and they make that person run a command and that command then does all this malicious stuff and gives them like full access to the computer.

    Taylor Monahan
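The third takeaway (pin dependencies, do not auto-update, wait for new releases to be vetted) is a policy that can be checked mechanically. The following is an added example, not code from the Unchained episode or from any project it discusses: it audits a package.json-style manifest for specifiers that let a package manager silently pull a newer release, rewrites simple caret/tilde ranges to exact pins, and applies a "minimum release age" quarantine so a just-published version is flagged until it has had time to be reviewed. The manifest, version numbers and the version-to-publish-date map are all constructed for the example; in practice that map would be read from the npm registry's per-package `time` field, and the pinned manifest should be installed with a lockfile and `npm ci` so the resolved tree is reproducible.

```javascript
// Added example (not from the Unchained episode or any project it discusses).
// Audits a package.json-style manifest for dependency specifiers that float,
// pins caret/tilde ranges, and quarantines versions younger than minAgeDays.

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];
const MS_PER_DAY = 86400000;

// Exact semver: 1.2.3, optionally with prerelease/build metadata.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
// ^1.2.3 or ~1.2.3 wrapped around an exact version: can be pinned mechanically.
const SIMPLE_RANGE = /^[\^~](\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)$/;

// 'exact' (pinned), 'range' (caret/tilde, pinnable) or 'floating'
// (*, latest, >=x, git URLs, dist-tags: resolves to whatever is newest).
function classifySpec(spec) {
  if (EXACT.test(spec)) return { kind: 'exact', version: spec };
  const m = SIMPLE_RANGE.exec(spec);
  if (m) return { kind: 'range', version: m[1] };
  return { kind: 'floating', version: null };
}

// Days since `version` of `name` was published, or null if unknown.
function releaseAgeDays(name, version, publishTimes, nowMs) {
  const t = publishTimes[name] && publishTimes[name][version];
  return t ? (nowMs - Date.parse(t)) / MS_PER_DAY : null;
}

// One finding per dependency that floats, is a pinnable range, or resolves to
// a version younger than minAgeDays (or with no known publish time at all).
function auditManifest(manifest, publishTimes, nowMs, minAgeDays) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const c = classifySpec(spec);
      if (c.kind !== 'exact') {
        findings.push({ field, name, spec, kind: c.kind, pin: c.version });
      }
      if (c.version !== null) {
        const age = releaseAgeDays(name, c.version, publishTimes, nowMs);
        if (age === null || age < minAgeDays) {
          findings.push({ field, name, spec, kind: 'too-new', pin: c.version, ageDays: age });
        }
      }
    }
  }
  return findings;
}

// Copy of the manifest with caret/tilde ranges replaced by exact versions.
// Floating specifiers are left untouched: a human has to choose a version.
function pinManifest(manifest) {
  const out = JSON.parse(JSON.stringify(manifest));
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(out[field] || {})) {
      const c = classifySpec(spec);
      if (c.kind === 'range') out[field][name] = c.version;
    }
  }
  return out;
}

// Constructed sample input (package names, versions and dates are made up).
const SAMPLE_MANIFEST = {
  name: 'example-app',
  dependencies: { axios: '^1.2.3', express: '4.5.6', lodash: '*' },
  devDependencies: { jest: '~7.8.9', 'some-tool': 'latest' },
};
const SAMPLE_PUBLISH_TIMES = {
  axios: { '1.2.3': '2026-04-05T12:00:00Z' }, // published one day before SAMPLE_NOW
  express: { '4.5.6': '2025-06-01T00:00:00Z' },
  jest: { '7.8.9': '2025-11-20T00:00:00Z' },
};
const SAMPLE_NOW = Date.parse('2026-04-06T12:00:00Z');

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditManifest(SAMPLE_MANIFEST, SAMPLE_PUBLISH_TIMES, SAMPLE_NOW, 7)) {
    console.log(`${f.field}.${f.name} (${f.spec}): ${f.kind}` + (f.pin ? `, pin ${f.pin}` : ''));
  }
}
```

On the constructed manifest the audit reports `axios` twice (a caret range, and a version published one day ago that fails the seven-day quarantine), `lodash` and `some-tool` as floating, and `jest` as a pinnable tilde range; `express` is exact and old enough to pass. The release-age check is what implements "wait for new versions to be vetted": a pin alone stops silent upgrades, but a developer who pins to a release that is hours old gets no benefit from the community review window.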
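The second takeaway is that a stolen session token leaves no failed or "unauthorized" login behind: the login record shows MFA succeeding, and every later request carries a valid token. What a defender can still see is the token being used from a client that does not match the one that completed the login. The following is an added example, not code from the episode or from any service it discusses, that binds each session to the source IP and User-Agent observed at login and flags later uses that diverge. The event format and every value in the sample stream are constructed; the fingerprint is deliberately coarse and the usage note below says where it needs tuning.

```javascript
// Added example (not from the Unchained episode or any service it discusses).
// Detects session tokens replayed from a client other than the one that
// completed the MFA login. Event shape is an assumption for the example:
//   { ts, type: 'login',   user, session, ip, ua, mfa }
//   { ts, type: 'request', session, ip, ua, path }

// Coarse device fingerprint taken at login and compared on every later use.
function fingerprint(ev) {
  return { ip: ev.ip, ua: ev.ua };
}

// Returns one alert per request whose session has no observed login or whose
// client fingerprint differs from the one seen at issuance.
function detectSessionReplay(events) {
  const issued = new Map(); // session id -> { user, fp, mfa }
  const alerts = [];
  for (const ev of events) {
    if (ev.type === 'login') {
      issued.set(ev.session, { user: ev.user, fp: fingerprint(ev), mfa: ev.mfa });
      continue;
    }
    if (ev.type !== 'request') continue;
    const origin = issued.get(ev.session);
    if (!origin) {
      alerts.push({ ts: ev.ts, session: ev.session, severity: 'high',
                    reason: 'session used without an observed login', path: ev.path });
      continue;
    }
    const now = fingerprint(ev);
    const uaChanged = now.ua !== origin.fp.ua;
    const ipChanged = now.ip !== origin.fp.ip;
    if (!uaChanged && !ipChanged) continue;
    alerts.push({
      ts: ev.ts, session: ev.session, user: origin.user, path: ev.path,
      // A User-Agent change mid-session is rarely legitimate; an IP change
      // alone is common for mobile or VPN users, so it gets a lower severity.
      severity: uaChanged ? 'high' : 'medium',
      reason: uaChanged ? 'user-agent changed mid-session' : 'source IP changed mid-session',
      mfaAtLogin: origin.mfa, // true here: the login itself looked clean
    });
  }
  return alerts;
}

// Constructed sample stream (users, IPs, sessions and paths are made up).
const MAC_CHROME = 'Mozilla/5.0 (Macintosh) Chrome/124';
const X11_FIREFOX = 'Mozilla/5.0 (X11) Firefox/125';
const SAMPLE_EVENTS = [
  { ts: '2026-04-06T09:00:00Z', type: 'login', user: 'dev1', session: 'sess-A', ip: '203.0.113.10', ua: MAC_CHROME, mfa: true },
  { ts: '2026-04-06T09:05:00Z', type: 'request', session: 'sess-A', ip: '203.0.113.10', ua: MAC_CHROME, path: '/repo/settings' },
  // Same token, different network and a scripted client: the replay.
  { ts: '2026-04-06T09:40:00Z', type: 'request', session: 'sess-A', ip: '198.51.100.77', ua: 'python-requests/2.31', path: '/api/tokens' },
  { ts: '2026-04-06T10:00:00Z', type: 'login', user: 'dev2', session: 'sess-B', ip: '192.0.2.5', ua: X11_FIREFOX, mfa: true },
  // Same browser, neighbouring IP: plausibly a network change.
  { ts: '2026-04-06T10:30:00Z', type: 'request', session: 'sess-B', ip: '192.0.2.6', ua: X11_FIREFOX, path: '/dashboard' },
  // Token never issued in this log window.
  { ts: '2026-04-06T11:00:00Z', type: 'request', session: 'sess-Z', ip: '198.51.100.77', ua: 'python-requests/2.31', path: '/api/tokens' },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const a of detectSessionReplay(SAMPLE_EVENTS)) {
    console.log(`${a.ts} ${a.severity.toUpperCase()} ${a.session}: ${a.reason} (${a.path})`);
  }
}
```

On the sample stream this yields a high-severity alert for `sess-A` (the token issued to a Chrome-on-macOS login is reused by a scripted client from another network, with `mfaAtLogin: true` showing why a login-only review would miss it), a medium alert for `sess-B` (IP changed, browser did not), and a high alert for `sess-Z` (a token with no login in the window). In production the fingerprint should be richer than IP plus User-Agent (TLS fingerprint, ASN, or a device-bound credential where the platform supports one), session lifetime should be short, and sensitive actions such as creating API tokens should require fresh re-authentication rather than trusting the existing session.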

Episode Description

The Drift Protocol is down $285 million and Circle has the power to freeze the funds — but won’t. Kain, Taylor, and Luca explain why.

Thank you to our sponsors! Fuse: The Energy Network – Shift your energy use and earn rewards. MultiChain Advisors – The Growth & Capital Markets Partner You Need.

The Drift Protocol hack was still unfolding when Kain, Taylor, and Luca went live. Within hours of a suspected admin key compromise, over $285 million had been drained across Solana, with Circle sitting on the ability to freeze the stolen USDC — and choosing not to.

Taylor Monahan, who was already in an active incident response room, walked through exactly how DPRK malware operates silently on devices for months before striking, why standard antivirus software won’t catch it, and what the Axios supply chain attack revealed about the vulnerability of open source infrastructure.

Then the conversation shifted to the Claude Code source leak — what it actually reveals about how the most sophisticated agentic coding harness in the world was built, and why Kain thinks a new Anthropic model may be days away.

Hosts:

  • Kain Warwick, Founder of Infinex and Synthetix
  • Taylor Monahan, Security Expert
  • Luca Netz, CEO of Pudgy Penguins

Links:

  • Unchained: Drift Protocol Coverage — search unchainedcrypto.com for current coverage
  • Related: SEAL 911 — volunteer crypto incident response group
  • Drift Protocol
  • Axios npm package — supply chain attack vector discussed
  • CrowdStrike EDR — recommended endpoint detection tool
  • Claude Code — subject of source leak discussion
