A (4:18)

Yeah, I think like what really struck me was they met these people in person multiple times at different crypto conferences. And they were technically, or I'm quoting the Drift blog post about it, but it said they were technically fluent, had verifiable professional backgrounds and were familiar with how Drift operated. They also deposited $1 million of their own capital. They onboarded a vault onto Drift which required them filling out a forum with their strategy. I mean this was so detailed. And the fact that the LinkedIn profile or whatever it was that the professional backgrounds, you know, like they just, Drift described it as that they were fully Constructed identities including employment histories, public facing credentials and professional networks. So I was just like, oh my God. It's like they created this little Potemkin village that, you know, like we're saying that the Drift month hack was six months in the making, but for that back history to all those people, it could have been what, a year, year and a half? I don't know. I mean even years, like multiple years. Amanda, what about you? What details struck stuck out at you?

B (5:30)

I don't know. I remember reading this and thinking I feel like not enough people watched Homeland. And like, and I, and I say that half jokingly only because about a year or two ago, me and Alex o' Neill wrote an article sounding the alarm on digitally enabled sanctions evasion. And the point that we were trying to make is that this is, to Michael's point, very rapidly becoming nation state sponsored level activity. And I think people don't realize the ramifications of that. I remember when I was at Chainalysis in 2020, I did this like risk training, trying to tell everyone at the company, all of you in this industry have like a risk surface that's not because of something you necessarily do, that's because of who wants to talk to you, who wants to get access to you, and who wants to get access to that this company has. And I would defer to Michael on this because he probably knows better, but I worry about the number of companies in the crypto sector that don't think at that level, that don't train at that level, that they don't think of this necessarily as financial services. People moving millions, sometimes billions of dollars, are still kind of a little lax about the security of what they're doing. And that's a terrifying thing. And it's not to say that I expect Everybody to check IDs at conferences or we don't want to get like insane about it. And there were some things here that probably were going to take a lot more investigation. But I think overall anybody who's looking at security in this industry wishes that a lot more companies, even some of the major ones, would take this a lot more seriously, given how much money they are moving on a daily basis. And I just don't think they realize who's out there trying to get it right. I think they tend to think about pig butchering. Maybe sometimes they're thinking about organized crime, maybe sometimes they're thinking about really organized crime. But they're rarely ever thinking about the operations of a country's military like North Korea or Russia, and they're not thinking about the resources, the time, the energy, the planning that nation state actors put into this. And that is, I think, a massive security problem.

A (7:27)

And I'm sorry. So I've always just thought it was pretty much North Korea. But what are the other nation state actors that are trying to do this type of attack?

B (7:35)

I don't know if anyone's as sophisticated as North Korea here. I'll defer to Michael. I think Russia, like, does. I don't think they're.

A (7:42)

That.

B (7:42)

I don't want to insult them, but I don't know that they're at the hacking level. That DPRK is a. I think they all have kind of. They are all developing their own methods and tools. Right. So like Russia has Grantex. They've had other things, like in terms of how they want to take money, launder and see their way in the space. Michael, I'll defer to you. I don't, I don't. I think North Korea is kind of like a pretty good, well respected hacker in the nation state space. I don't know if anyone's done like a ranking of them, but I think it's a little naive to think that nation states that are adverse aren't actively doing this on some level.

C (8:17)

Yeah, I think North Korea definitely stands out as a particularly prolific actor in the crypto space. Like, just based on what a lot of security professionals out there have been able to trace back to them. I mean, yes, there are other, like, hackers that operate in like, Chinese and Russian and other jurisdictions, and the level of involvement or direct relationship between those countries, actual intelligence operations and cyber warfare divisions in terms of how connected they are versus them being loosely affiliated. It varies a lot. There are definitely just criminal organizations that operate out of Russia that aren't being prosecuted and are kind of being, let's say, tolerated in that jurisdiction as long as they're targeting Western operators. But I think with dprk, it does seem to be like, this is literally a source of revenue for that country. Like a significant portion of the revenue funding the North Korean state. And especially like things like the nuclear program do appear to be coming from stolen funds from growth, cryptocurrency and other, like, sophisticated operations that they're running.

A (9:14)

Okay, so, you know, one other thing about, like, just the fact that this, you know, clearly is something where these people were meeting others, you know, not only drift, but other crypto teams at these conferences. You know, somebody tweeted at me, you know, why didn't they name these people? And I wonder what you thought of that choice because presumably they did meet other teams. So it might be helpful for the other teams to know their identities, possibly.

C (9:46)

I'm not familiar with exactly what the Drift team is like, sharing maybe privately with security professionals. I do think that, like, oh, I can't speculate necessarily in their decision there. But, you know, I do hope that, like, and this has definitely happened in past incidents where Seal911, who's been very involved in working with Drift on this incident, has been, like, privately sharing, like, profiles of, like, known bad actors. This is something they've been doing ever since DPRK started to more actively try to infiltrate crypto teams through hiring and other things. So I leave to them on, like, you know, what is being done behind the scenes. I hope something is. But I could speculate at least to say that if they haven't revealed the details of those names, it's because it's better not to post it publicly until they've decided and talked to maybe on a private level what is going on, as well as knowing. We don't necessarily know how involved the individuals they're meeting at the conference and the proxies were. Were they aware, were they not? We don't know. I think what we were just working off of what we have in the Drift report so far. So definitely, I think it's just because this is an ongoing investigation that we still need to get to the bottom of in terms of, like, who exactly was involved and where exactly these exploits occurred. But we're getting more of the picture as time goes on.

A (10:54)

And so going back to this thing about how they had professional identities that appeared to have been, you know, I don't even know what to make of it. Is it that these are working crypto professionals who agreed to be hired by dprk, or is it that they're actors and that these were, you know, fake identities that were crafted over time? Like, who do you think these people were, you know, in relation to DPRK and to the crypto industry?

C (11:25)

I think we have to entertain the possibility that all of these, like, factors are possible in terms of attack vectors. It could be a team that was, like, unaware of, like, the DPRK links. Maybe they thought they were part of something criminal, but very different. Maybe they were fully aware. Maybe they had very little awareness and they were operating at the direction of someone that they didn't realize had ill intent. I think maybe the takeaway here is, like, we don't know. In the case of Drift, we'll hopefully learn more, but I do think that for a lot of teams that are out there, they should consider the fact that all of these things are possible. Which kind of comes down to the security lesson here, which is, regardless of who you're interacting with, whether they're trusted individual or not, trusted individuals can be compromised in the sense of their machines, the things that they send people, their communication channels. So when it comes to your own security, like, it has to be a very tight, like, possibly even air gap system that you're using for highly sensitive signing operations on admin multisigs, like the Drift protocols multisig, that was compromised here because there's just so many potential ways that someone could get in and fully compromise it, and it could be a friend that doesn't even know they've been compromised.

B (12:31)

I also hope that some companies will take this as a lesson to, like, really think about who they let into their spaces and access to their potential customers. I don't know if you've heard of the booth babes phenomenon, but I remember, like, my first Bitcoin Miami conference talking with somebody for about five or six minutes in a booth before realizing that they had been hired for the day. And that booth babes are actually a terrifyingly frequent thing. And these are just companies that will literally hire attractive women for the day to man their booth, to, like, bring a predominantly male audience into the booth booth. And to Michael's point, you really need to ask yourself, who are you allowing access to prospective customers at a conference? Who are you allowing to be in your booth representing your space? What information are they allowed to collect? Like, I just think some companies are a little lax with their security protocols, and they don't necessarily think about every single one of these places being an attack vector. And it's like, you know, who does think about that is dprk, right? And so you may think having an attractive woman lure men into your booth seems like a really great idea, but what conversations are they collecting? What PII are they collecting? What are your protocols for assessing that? Or do you just care about dragging people in and you're not thinking about that? But those are the kind of practices that, God willing, folks like Michael and the security industry will start getting an industry to rethink because every single attack vector surface really needs to be reconsidered.

A (13:56)

Okay, so basically, like, in their little postmortem, when they describe the people that, you know, these, like, hackers basically met with, they were all these always described as Drift contributors. And I remember thinking that phrasing is interesting. Like, I Didn't know why it was phrased that way other than simply the fact that like, sometimes in a more decentralized space, you know, you don't really have a title for somebody. So. But you are saying that potentially it could even be somebody who didn't work on Drift, but only was hired for just the purposes of that conference.

B (14:40)

Yeah, I'm, I think, Michael, I don't want to put words in your mouth, but I feel like all of this is coming in. We don't know. You get facts like, like this is why in law enforcement investigations were very, very careful. Everything's a possibility. You have to investigate everything. You have to kind of like rule things out based on the evidence that comes in. And, and like so much in crypto comes in so fast. Sometimes it's real, sometimes it's not, and you really have to filter through. I would not make any assumptions that these people were necessarily, quote, dprk. Right. You could create an identity, give it to somebody. Right. It's kind of like the victims in Pig Butchering that go on both sides. Right. You have human traffic victims who are then creating victims in the scams. And a lot of people didn't know that for a long time. And so they just assumed that, that the person on the other line was a scammer. They didn't necessarily know that that person was also being basically sometimes physically beaten to commit that. So you just, you just don't know what situation these people were in. Were they willing, were they lied to, to say certain things, were they told they would be actors? Like, I, I don't believe anyone knows that yet. And that's what the investigation will likely have to detect.

C (15:47)

And I could speak to like, maybe the broader, like, issue of like, these kind of like contributors that can come into projects. And you know, these are, many crypto projects operate kind of with an open source framework, can come in and they can contribute. And what has been noticed over the last year or two is that like, this is one, certainly a vector for DPRK to get more involved in a way to build trust with teams. And two, what I think is like, particularly concerning is that these are actually very good developers. They're very good at actually laying in wait, being disciplined, not like doing something silly like trying to introduce a backdoor on day one or even like shortly in like, they're usually more interested in gathering intelligence on operational security. They're not necessarily going to try to insert some sort of a backdoor, a vulnerability into the code base itself, because that can be easily Noticed, and it's a very quick way to be effectively burned. But instead for these teams to be gathering intel on the people they work with, on the operational security of the system, and the people operating sensitive functions like admin keys and reporting that back to a team that they can leverage that information to create a more sophisticated attack. And I think that's what people need to be really considering is like, when it comes to your operational security, like, what details could someone, through open source intelligence gathering or even from close association with a team, learn your vulnerabilities, even if you're not publishing details about, you know, your operational security? Like, assume that people are going to be able to learn it over time and that you need to prepare for them to target your weakest links and for you to harden that as quickly as possible. Especially if you, like, start out as a small project, you have a small amount of money, but then you grow, you become a very, you know, a large attack vector. Once you get past 50, 100 million, you're absolutely on the DPRK chopping block. They're, they're going to be noticed eventually. You need to be prepared to have, like, an operational security practice that's going to scale at that. And I don't think we necessarily have an explicit, you know, we don't have a practice in the industry. Like, some teams absolutely do this well or do it as well as could be done. And some teams, I think, do struggle to graduate to that as their team grows because they don't have someone like, very much in their face that's either a dedicated security professional on their team or even a community that is necessarily aware of this and demanding the transparency around security practices to advocate for. Okay, this is the time when we have to uplevel security. It unfortunately sometimes happens reactively as opposed to proactively.

A (18:00)

Okay. And then I just want to ask about one other thing, which is, you know, it felt like starting from Friday after TRM and Elliptic published some, some blog posts saying that they felt that the digital fingerprints of this hack indicated that it was dprk. But, and so everybody's been talking about that, but both of you have been kind of hedging. So, like, what probability would you give to that? And like, like, basically, I wrote my whole script presuming that is dprk. And then now that you're saying this, I'm like, wait, so what, what percentage, you know, confidence do you have that

C (18:33)

it is, I would say, 80% and 90%. Like, I would say I'm, I'm, I'M holding back on that. Just to say, like, we haven't confirmed it. Mandy gets ongoing, but, like, this is, like, almost certainly dprk. Even if it's.

A (18:46)

When you say we haven't confirmed it, like, would it be that you would need to hear from them that they take ownership of it? Like, what would you consider confirmation?

C (18:55)

Specifically Mandia, Just because I think they're, like, a trusted security source in the industry. They're. They've known to link to tprk. So, like, at this time, we haven't gotten confirmation from them. But, like, a lot of other security professionals have given, like, very high confidence, if not outright confirmation, that, in their view, this was dprk. So I think it's a safe assumption to make, but, you know, investigation ongoing.

A (19:14)

Okay, okay. And just for the live stream viewers, we did have to record this, like, just a few hours before we're going to live stream it. So who knows what will happen in the. In the gap between that? But anyway, okay, so then, so let's talk about, you know, what TRM and Elliptic said, because in light of the fact that they believe it was North Korea, this just blew my mind. Drift wrote in their postmortem, it is important to note that the individuals who appeared in person were not North Korean nationals. So, you know, for me, you know, I've said it multiple times on the show. I literally have ancestors from North Korea. Like, you know, the whole shebang in terms of what you could imagine about how we ended up here. Um, so. So, like, you know, most, like, the vast majority of people in North Korea are literally not allowed to leave the country. They are not allowed to consume any information from outside of the country. So how would North Korea hire non North Koreans if they are indeed hiring non North Koreans? Like, what nationalities do they tend to hire? And the people who agree to be hired by North Korea, do they know that they are being hired by North Korea and that the reason, like, the purpose of their mission is to steal people's money so that the North Korean dictatorship can buy nuclear weapons? I need to understand this backstory.

B (20:46)

I mean, I'm. I'm already surprised that somebody. And maybe this is just my own naivete, that somebody thinks they can tell the difference between a North Korean and a South Korean on site. Like, I didn't. I didn't know that was actually.

A (20:55)

I think that's like. Like, we looked at them.

B (20:58)

They didn't look North Korean. I'm like, I don't know that that's a thing. But even if you just Assume the Korean part. It's a wildly naive view, Right. Like I could tell you as a former federal prosecutor that if I was going to hire somebody, it would be white Brad, Tad or Chad, crypto bro, to run around these conferences not looking like anything, right? Like you want to hire the people that you, that make people feel the most comfortable, that look the most innocuous, like maybe attractive women. Like you see this all the time on LinkedIn, right? Like a lot of the like photoshopped profiles that aren't legitimate people, they get, I mean, let's be honest, they're able to get connection requests accepted because of like what the photo looks like. People don't even look at the job title. Like if you're a malign actor, whether you're a nation state or whether you're a criminal, you just play to human weaknesses, right. And biases and preconceived notions. So what these folks probably look like when they release their picture is probably whatever worked at that conference, right. Maybe it's, maybe it's a local, maybe it's white visitors from the west, who knows? But the bigger point is the building the backstory and then putting somebody in who's comfortably able to kind of talk the talk and play that role. And I just think that people need to understand that's, that's just how criminals work. Whether you're a nation state actor or organized crime, the, the idea that there's like a criminal look or that you're going to be able to visually identify somebody who's, who's got bad intentions. That's a wildly naive viewpoint that is, is capitalized on by every criminal. Terrorists, money launderers, organized crime, nation state actors. Do not think you're going to spot a malign actor who's to going, coming at you. I think that's why to Michael's point earlier, you need to have all these other tools to be able to look at all the other signs, to be able to do the due diligence, to be able to do the things to go past beyond like does the person look legit? Or speak legitimately about the industry.

C (22:59)

Yeah. And speaking more to like how intermediaries have been used like this does, I don't think we've heard of something this sophisticated before in terms of like this level of engagement with a protocol at conferences. Multiple touch points. But like there's absolutely precedent for this. I mean there are many like what are called laptop mules or you know, people that will stand in for, for North Korean hackers that are Interviewing at companies that, you know, are, are US Nationals or otherwise, you know, don't look North Korean or Korean at all. And then like, you know, still even setting up, you know, physical hardware, like setting up a laptop that the company shipped them, and then like following instructions to give access to North Korean hackers or other hackers. So, like, there's absolute precedent for using intermediaries. I think what this shows is that, you know, this can get to the sophistication level of like, representing an incredibly, a credible company that understands, like deep things in crypto that can, you know, say and do all the right things to build up confidence so that like, at some point when they send you something and you know, there's a slight risk of, oh, if I clone this and run this on my computer, maybe there's a compromise. But like, I know Joe, I've seen him at multiple conferences, he's bought me drinks, he knows our product, he's supporting us is probably fine. And the absence of very strict endpoint protection procedures on many company laptops today in the crypto space is one of the reasons that, you know, this is a vector that often works because there's no, you know, like, formal enforcement of like, okay, you can't do this with your laptop. Maybe there's a policy someone wrote, but usually not any sort of endpoint protection systems that actually lock down computers to the point where they can't, you know, download random software onto them. It's entirely up to the developers or the operators themselves to follow best practices and, you know, if they've even been educated on those best practices. And I think this is what we're learning is like, you know, that's a big responsibility for anyone that has an admin key. And ideally there are like, endpoint protection software running that can enforce these requirements and that there's even an enforcement of keeping, you know, your common laptop that you might use to clone a random repo or playing around with new ideas or, you know, know, new software is entirely separate from the device that you're using to actually operationally sign highly sensitive actions. Having completely separate devices as well as having very sophisticated key management and signing policies that gate a lot of this, like, this is a lot of the work that I've done at Turnkey and other places is like helping teams design like, very sophisticated like, or maybe not that sophisticated. Just basic, least privileged concepts of like, don't give any privileged access to a developer that doesn't have multiple checks and balances involved. And unfortunately a lot of multisigs on blockchains today are kind of like just set up as, like, yes, there's a signing threshold, but if that signing threshold is breached, there are no additional safeguards, no time locks or other things. There can be in some cases, but a lot of teams will often find that there's a barrier to operational efficiency there. There are ways to split out that power more. I could get into that. But in general, what we're learning is that, like, there needs to be a very sophisticated thought process through how can a developer be compromised, how can we protect the developer, and how can we protect the permissions that developer has access to so that even if they're compromised, it's not a point of failure?

B (26:08)

And just to follow. Oh, go ahead.

A (26:10)

No, go ahead.

B (26:11)

I was just gonna say. I guess the prosecutor in me also wants to just tag on, like, the most basic thing about instructions for employees on just being aware of risk. Right. Because how many of us have gone to a conference and then somebody afterwards, yes, maybe we go out for drinks. But systematically keeps in touch over six months. Like, there are patterns of human behavior that you can make your employees a little more alert to. To say, like, you might be the most charming person in the world, but there is just also the reality of looking at and being a little bit more suspicious of people who systematically seek you out, keep in touch with you. Right. Like, you just want people to be a little bit more alert and cognizant of their interactions with people as a. As a risk factor. And I think even that very basic training doesn't get done at far too many crypto companies.

A (26:58)

Yeah. I mean, I like, to me, the only reason that doesn't work in this situation is because since it's defi, they're literally trying to onboard people into the ecosystem. So it's a little bit different than, like, if you're, you know, just working at a company. Like, does that make sense? Like, you're trying to grow your community, so when you have people that are interested in what you're doing, you're going to, you know, want to respond to their interest in you.

C (27:23)

The overlap, overlap between, like, very effective and aggressive business development and someone trying to infiltrate your organizations for malicious purposes is very tight. So sometimes it's difficult to tell the difference.

B (27:34)

Yeah. And also, like, I love when people say, it's defi, and Michael and I were joking with those. It's like, but is anything in crypto actually decentralized anymore? Like, no offense, but if there's a group of people at your booth at a Conference. It's not that decentralized, is it? If I can identify who's representing you at a conference because you're paying somebody to represent you. Right? Like, this is. This is kind of like the existential joke of saying defi and then having a booth at a conference with humans that are identifiable to your project. Because whatever part is, quote, decentralized, those humans weren't. Whether they were like, whatever role they played, like, that's why. That's where I'm getting at that you need to think about every single, Every single piece that you hold out to the world that says this is the part that represents us, or this is a person that might have access or control, they become a risk vector. Because to your point, if it's all decentralized and nobody knows who it was and then there's an identity that's attached to it, those people become a risk factor just by. By the nature of. It's suddenly a lot more centralized than it was before.

C (28:43)

Well, and I'll separate and say, like, there's a big difference between like a team representing a project on like a BD or like, development level, and then like people that have operational control of like a project in defi. Like, you can have both. They can be somewhat separate. Like, I myself have served on multi, multi sig. Security councils that have very selective powers for the purpose of, like, stepping in for a security incident or other things like that. And the biggest consideration is, like, how distributed is it, Is it all one team on this multisig, Is it multiple teams? And then of course, like, you know, is there strong operational security for each one of those members? Is there a very high signing threshold for the most sensitive things? Like, those are the most important. And yeah, like, you know, if you're, if you're a big company, definitely, you know, making sure that you're, you're careful. If you have sensitive operations and personnel tied to those operations, like, you're, you're thinking about that from a travel policy perspective, from a geopolitical perspective, from, like, all these things, depending on how many funds are at risk and what the controls are.

A (29:39)

All right, so in a moment, we're going to talk a little bit more about the group that is potentially behind this hack. But first we're going to take a quick word from the sponsors who make the show possible. Bitcoin changed how money works. Citraya changes how Bitcoin scales. Citraya uses Bitcoin as both the settlement and data availability layer. As Bitcoin's application layer. Citraya enables the first trust minimized Bitcoin BTC on a fully programmable platform and a native stablecoin for Bitcoin. Satraya offers Bitcoin capital markets with lending privacy payments, Bitcoin yield trading and predictions. Citraya expands Bitcoin's utility without sacrificing its security. Citraya Mainnet is live get started at Citra XYZ slash Unchained. Etherfy is giving Unchained listeners 15% cash back on rideshares, groceries and restaurants right now, which honestly is kind of wild for a card like this. On top of that, I'm getting 3% cash back on every single transaction using my actual crypto. No conversion fees, no nonsense. My bank never once did that. And it goes beyond just spending. You can borrow against your holdings at 4% or less, which is super useful if you don't want to sell your assets. You can also earn on all major assets up to 8% APY just by holding and moving money is just easy. No hidden transfer fees, no friction. It just works globally. If you want to check it out, go to Ether Fi Unchained to claim your offer. That's Ether Fi Unchained. Back to my conversation with Amanda and Michael. So I know we were kind of debating whether or not it really is North Korea, but I did see that they did name a specific North Korean state affiliated group called UNC 4736. Quite. That's quite the name. It's also called Apple Juice or Citrine Sleet. So who is this group and how does this group differ from the other state affiliated group, North Korean hacking groups?

C (31:56)

Honestly not. I, I would. And I'm, I'm not an expert on that particular group. But like, I am very aware of like the fact that like North Korea doesn't operate just Lazarus, which is kind of what people like associate with dprk. Like they operate multiple groups. It's kind of like a franchise operation. Like they're all operating generally under like the North Korean state umbrella. Much tighter than probably like other like China and, and Russia operate hacking groups. But generally speaking, like, yeah, these are small, like usually independent teams that are still like fairly centrally operated but are given leeway and in some sense compete against one another to bring in the most revenue and to be the most effective is from what we can tell, these are usually very competitive groups with one another in terms of who can essentially bring home the most bacon for the Supreme Leader.

A (32:43)

Wow. Okay. Wow. That's. I'm just, I'm just not going to comment on what I think of living a life like that. But okay. Anyway, so, all right, let's now talk about the other big issue that came up, which is crypto. People were super mad at Circle. So, you know, I, I do want to get into what it is that Drift could have done differently. I mean, we touched on a little bit like in terms of the separate devices and stuff. But let's just talk about the Circle situation. Because Circle sat on its hands while $232 million was being bridged across the cross chain transfer protocol, CCTP to Solana and Ethereum, where of course, because those are way more decentralized than Circle, at that point, it's game over for reining those funds in. Right. So it's so interesting, like it sort of feel, you know, it's like one thing for Zach XPT to publish a blog post and put Circle on blast. But even I noticed TRM in his blog post wrote, quote, the confidence of the hackers was staggering. Each bridging transaction moved hundreds of thousands or more often millions in usdc, far outstripping the speed and aggressiveness of even the bybit laundering of 2025. So, you know, I am curious, why do you think Circle, and I'm not going to mince my words here, chose to let North Korea get away with stealing money to fund its nuclear weapons program? I find that crazy. Personally,

B (34:22)

Michael and I have strong thoughts. If you want to go first, Michael, I will happily collect myself.

C (34:31)

I'll speak to like, the fact that this is not necessarily news to anyone who's been like, dealing with hacked incidents in the past, like, you know, still 911, again, very involved in Drift, has been involved with Bybit and other hacks. And you know, they, along with other groups they work with, like Zero Shadow, these are all experts in forensic analysis. They can identify usually these hacks within minutes, if not hours. Like just saying, oh yeah, we definitely know that these are the funds that have been stolen. We know that they need to be frozen. But like, actually getting stablecoin issuers to freeze rapidly has always been a known issue. But specifically Circle has always taken a long time. Their general approach has been we'll wait for a court order or like very official law enforcement involvement before they ever move. And unfortunately, because these hacks are very rapid, we see that the hackers are aware that freezing could happen, but if they know that there's a large window for that. And in Circle, this has basically been established by their policies and their actions that they will take a long Time to free freeze. You have like a pretty wide window to operate in. And the best part about operating on USDC as an attacker is, you know, you know, they're going to take a while. But they also have one high liquidity. They're one of the, you know, most traded stable coins along with tether. But they also have this native bridge which means that you can move USDC through, you know, two different chains where you know, you have more liquidity or different ways to wash the money. So I mean honestly, as an attacker, it's a great tool. I mean we, we actually saw in this case that some security professionals based on the on chain forensics saw that the attackers went out of their way to avoid using usdt. They specifically stuck to usdc. They said that this is going to be, you know, something that they feel is available for a large window of time to move the money. And yeah, and then it's hard to say that from an operational perspective there isn't anything circle could have done. They have the freezing powers on chain. They've always had it. They have control of the bridge architecture. You know, this is just like simply a policy of saying like this is not something they want to go out and do do. And you know, that hesitancy is probably both from a, you know, what do they have to do versus what should they do, but also the fact that, you know, they don't want to be seen as someone freezing maybe, you know, too much. They don't want to be seen as someone that has to take on the liability of freezing funds. There's a incident a few weeks ago that we could maybe speak to on that. But yeah, I, I think unfortunately this is an established behavior and it has created a lot of frustration with security professionals in the space that can identify the attackers quickly. They, they do report them directly to issuers like stablecoin or like usdc. And, and the movement is just very slow. There's just like a stated policy if we're not going to move quickly on this until we have law enforcement or a court order to give like maybe some legal cover over why they would make that freeze action happen as opposed to speculating on what is very actionable intel. But maybe not like has like let's say a legal cover for, for initiating action.

A (37:14)

I mean to my mind it's literally like they built like a Tesla and they're like, oh, we're going to use the laws from back when we did horse and buggy and we're going to apply that in this situ like like, am I wrong? Like, that sort of feels like what they're doing.

B (37:29)

Well, I think in fairness, because I want to try to be fair, even though I think Michael makes some really good points, but in fairness, there, there is a gap here in the law in the sense that, like, how financial services companies are required or regulated to act isn't necessarily always like a black and white rule. Right. And whereas traditional financial services has a safe harbor for like filing suspicious, suspicious activity reports, crypto arguably doesn't have the same thing. Like, there is a gap. Having said that, though, they are a registered money service business that are supposed to have a AMLC CFT program here in the United States. And I would actually go a step further than what Michael said, because Michael said security professionals have been frustrated. But I will tell you, from speaking to a lot of law enforcement, particularly global law enforcement, they are actually just as, if not more frustrated with circle because law enforcement will go to CIRCLE with an action, with evidence and say here, and sometimes they will even come with a seizure warrant. And if it's foreign law enforcement, CIRCLE will say, well, give us an mlat, a mutual Legal assistance treaty, which could take years. And so what you see with CIRCLE to your point is, and I think Michael said this, it's more a living, breathing embodiment of what it feels like only doing what we're absolutely legally required to do and not doing anything more to prevent victimization on our platform.

A (39:03)

Right.

B (39:03)

And just to give you an example, like I, when I was seizing assets from banks, we once had a guy who, while his house was being searched, was in the bank trying to get his funds out. I called the bank, asked them to freeze the funds. I said, look, I'm just telling you there's exigent circumstances. I could get you an order in a couple of days. But the guy's literally in there trying to get his money out as we're executing a search warrant that had a finding of probable cause of criminal activity on his home and the bank was willing to freeze it. And I think the thing that people are, even legal professionals, I think are very upset with CIRCLE because they are basically taking a path of minimal. What's the least that we legally could do? Because once they saw this, their AML CFT professionals could have said, hey, we have a active laundering or we have an active transmission of illicit funds. It's like saying that if your bank was being robbed and you were watching people move the money out and, and they were unarmed and there was very little risk of doing anything that you would say, well, we just decided to let the funds walk out, and then we had to call law enforcement, file a report to do anything about it. You would think that's ridiculous, especially if you had a hired security guard in the lobby. And I think that's the frustration that people have with Circle is that, you know, you have the ability to freeze this. You have the. To at least pause. Right. And they have terms and conditions. There are all kinds of things that CIRCLE has. Right. If you're stopping this flow of illicit funds, you really think your regulator is going to be upset with over freezing when it's a really provable everybody giving you the evidence and you've determined this, you think your criminal customer is going to civilly sue you? You think DPRK is going to come into court and say, hey, you artificially froze my money? Like, there's just some arguments that sometimes issuers and exchanges make that is like a BS justification for not freezing. And that is particularly dissatisfying in cases where maybe in the 12 minutes, and Michael, correct me if I'm wrong, I think the initial activity was 12 minutes, but in the six hours during business hours of bridging, when the world is exploding and telling you the robbers are in your lobby and showing you and you do nothing, at that point you become performative compliance and window dressing compliance and. And people really start to question your willingness to work with law enforcement if, when you can, you choose not to. And that's, I think, what people were truly upset about.

A (41:33)

Yeah, I mean, for me, like, you know, you mentioned it, their own terms give them the right to blacklist addresses, to freeze usdc. And it's just like, like, honestly. Because also I was reading some of the commentary about this and CoinDesk ran this article, and this is not to criticize the per. So I won't name this person who was quoted saying this, but they. They said in the qu. I think people are framing this too simplistically as Circle should have frozen. This wasn't a clean hack. It was more of a market slash oracle exploit, which puts it in a gray zone. And I just was like, I don't even. I don't. This person may not be a lawyer, but like, do you, you know, and this is not to criticize lawyers, Amanda. But. But I'm sure you know the type where it's like this kind of lawyerly thing where you get so, like, fixed on, you know, just these stupid, stupid details that just completely miss the ball and like, the purpose of the law and like, to my mind should reflect, like, what the common sense thinking is about what a just outcome should be. And like, clearly Circle missed it by a mile. And like everybody who's all up in their heads about, oh, well, maybe it should be, you know, like. No, no, it's like, it's just clearly everyday random people had $285 million of their money stolen and it was stolen by a dictatorship that is using it to buy nuclear weapons. Like, I imagine if you ask 99.9999% of people on the planet, like, who should get those funds, they would not say that DPRK should get those funds. So it's super inexplicable for Circle, which, you know, I respect the company. There are clearly lots of smart people there, like people that I'm friends with, I would say. And they're choosing something that I just find asinine, actually.

B (43:16)

Oh, yeah, go ahead, Michael.

C (43:19)

Sorry. Yeah, I've got so much to say on that because somebody feels, I mean one, like, as a comparison point, I think there's lots of improvements to be done on how stablecoins and other issuers freeze funds. But we have seen Tether and others be at least a little bit more proactive, a little bit more willing to work with attack security professionals pointing out attacks, freezing them faster. I think this can still be expedited massively across the industry and we could get a lot better at it. But it's clear that according to the bar set by other issuers, Circle is one of the slowest, which is kind of wild when they're also considered to be like the most compliant or at least they're marketed as the most compliant. Like, that's a big contradiction. And then in addition to that, like, like, speaking as someone who's worked on DEFI protocols, like, I've done a lot of work on Compound as well as others when I was at OpenZeppelin. And like the view in DEFI is like, you know, there's a lot of trust placed on usdc. Like, you know, DEFI itself might be somewhat decentralized, but when USDC itself is on your platform, you put a lot of trust in CIRCLE to not upgrade their contracts or blacklist your protocol specifically. Like any defi protocol today, if Circle like fat fingered the wrong button or maybe misread or, you know, a civil court order told them to, they could just blacklist all protocol. There's a lot of trust put in Circle to not, to not disrupt operations at DEFI protocols with this freezing function. And it kind of feels like the reciprocal, the appropriate, like way to sort of reciprocate that trust is to go out of your way to protect user funds. When these hacks occur and when defi protocols are clearly broken, security professionals that are highly trusted are clearly telling you the money should be frozen and to react to that. And if the issue today is a lack of resources, a lack of them having to do their own personal due diligence before trusting an external source, then invest in that, Build a security operations center. That's only job is to leverage this power effectively and turn it into an asset. Turn it into like you use usdc. Because if you know you're going to get hacked, you're going to actually have a team that might be able to look out for you and recover those funds in the appropriate circumstances. But right now it's the opposite. It's, it's, you know, I actually, you know, have very little confidence that any USDC could be recovered in a hack. In any case, I don't at this point it is just, you know, the same as Ether or Bitcoin or others, except for the fact freezing could occur. It just doesn't when I need it.

A (45:38)

Yeah, but I think. Oh, go ahead. Sorry.

B (45:41)

I was just gonna say, Laura, you ask a really good question, which is, or at least the way I interpreted your question was like, how, how does this stand? Well, people allow it to. There's, there's no ramifications to Circle there. Right. Like, after these things happen, people don't say, okay, well then we're not gonna let our customers use USDC because if we get hacked, we're not gonna be able to get it back. Right. You don't see a market correlation to this bad activity translating to a decreased financial impact on Circles. So like, if I'm sitting at Circle and I'm watching this, I'm like, I don't care. Because if my regulator isn't complaining about it and my customers aren't leaving and I don't have a financial disincentive, nobody. What's the downside to Circle of behaving this way over the last few years? I mean, they've had less market share than Tether, but they've been banking on kind of like a regulatory capture strategy, lobbying to kind of like rectify that by saying they're the compliant ones in the United States. And to Michael's point, like, right. And then ironically turning around and helping law enforcement less than tether. Right. Which, that's a very strange dynamic. But to answer your question, until There's a financial incentive for them to not act this way or until they are legally told to act otherwise. Why wouldn't they operate in the way that makes them the most profit? They're an American company. That's the American way.

A (47:04)

Yeah. So one other thing that I just really need to bring into the fold in this discussion is just this makes it even more confounding. So Zach XPT pointed out that just a few days before he said so, he wrote, quote, days after, Sorry, he was saying that their inaction on the USDC from the Drift hack, he said that that was, quote, days after circle froze 16 plus business hot wallets incompetently. And like, it's just weird that they froze ones that they shouldn't have frozen. And then the one that they definitely, definitely should have frozen, they didn't. So, like, what do you make of that dichotomy?

B (47:44)

So let me jump in there only because, and this is no disrespect to Zach XBT at all, but there's a lack of understanding, I think, of how court orders work, particularly court orders under seal, right? Like if I serve a seizure warrant under seal to a financial institution and let's just use a bank, right. They're effectively an intermediary between me and the criminal whose funds I'm trying to seize. They really like the, the opportunity to challenge that is much, much smaller, particularly under under seal. It's unclear that Circle might have even had the affidavit that was this for the facts, right? Like they just basically get a seizure warrant that says freeze these addresses. So there was, there's a lot of assumptions made about the. When you get a seizure warrant, how much leeway do you have? And the answer is mostly none. Like the ability to challenge that. Or it was. It's even unclear that they had the factual basis with which to know. Right. They could have done an analysis on those addresses and said, oh, this is going to go badly because some of these are code, clearly a mistake. And then that becomes a problem for them as a company. How do they deal with that with their customers? Is it worth like the legal challenge? Right? Like, it, it becomes a bigger mess than you could possibly imagine. So like, I want to be fair to them that when when presented with a seizure order from a court, if it's a bad affidavit, it's bad tracing and it's a judge who doesn't know enough to have the ability to like read the, the tracing affidavit and know whether it was done well. Like any intermediary, even a bank, right? There were banks that had to answer seizure warrants that later the tracing is bad. And they're like, oh my gosh. But we don't really have the ability to say no to a court order. So, like, you have to be fair that in that instance their leeway is actually, believe it or not, less than their individual ability to do an investigation internally and say, hey, we need to freeze this. So I'm more sympathetic to them screwing up in response to a legally required court order that has probably bad tracing and that then requires them to freeze. And then a number of those got unfrozen as facts came out and as the entities that were frozen challenged them. But on this, where it's like you have the ability, you're seeing the bridging, you're seeing it in real time, it's six hours and you are supposed to have an AML CFT program and you are have all these controls put into place with tease it. That's where they have the ability to actually prevent it before it goes out. And that's ironically where they had the ability to do damage minimization as opposed to once there's a court order. In some ways, that's even riskier. So to Michael's point earlier about the need for like, public private partnerships, this is where issuers working with security professionals could prevent a lot of the funds from going out in the first place or prevent the damage from happening before you get all the way to the point where you're praying that a law enforcement officer gets the affidavit right. And some judge who barely understands how bank transfers work and is being asked to understand crypto tech is suddenly the one deciding whether these funds should be transferred. And don't get me wrong, I of course respect the rule of law and as a prosecutor, relied on it for nearly a decade. But crypto is different and the systems are not adapting fast enough to tech that is moving faster. And I think we would all love to see the industry just be a little bit more proactive at being better at what they have the capability of being better at.

A (51:13)

Okay, so let's just contrast this with what Tether does when these types of incidents happen. So, you know, as far as I understand, they are widely praised by the industry for their handling of these types of situations. So what do they do? And like, why do you think circles not just following their lead there?

C (51:33)

Yeah, I mean, the one thing that I'm most familiar with regarding like tether is I think, like, at Least having formal partnerships with some of the groups that are trying to like, freeze stolen money. So they work very closely with Zero Shadow and others in kind of like a co, like, you know, a formal coalition for fund freezing and recovery. They. They kind of curate the relationships with the professionals that are usually raising these even before it's Tether themselves might know about it and just build those relationships, build those relationships with law enforcement and generally just move faster. I mean, I still want to emphasize, I think across the industry, even with Tether their ways, this can still be done better. And I think having a little bit more legal cover as well as even legal requirements around you need to do this in certain circumstances would help with that. But they've definitely been more proactive. They've generally been willing to at least have the conversation, be willing to like set up some infrastructure ahead of time so that they're ready to move faster when groups like zero shadow and seal 911 reach out. And I think generally speaking, continuing to just lean in better, I think just even being willing to have the conversation as opposed to, I would say, being fairly sticking to the letter of the law in terms of what they have to do. Tether at least has been proactive and willing to go further. Could they go even further than what they've done today? Probably. I would honestly leave it to others that work more closely with them to say what that could look like. But definitely just compared to, again, I think their competition with UCC miles better.

A (53:02)

Yeah, I saw Taylor Monahan tweeted something about how if you freeze, you can always unfreeze, but if you don't freeze and then the money makes its way over to Ethereum and Solana, like, game over. Like you missed your window, you know, and now you let a dictatorship get $285 million worth of nuclear weapons. Like it's fucking retarded, frankly. So one other question though, I just was curious about this. I actually don't know this. So what legal jurisdiction is Tether under?

B (53:36)

So that's actually also the answer to your previous question in the sense that I believe Tether Global is located in El Salvador or says that it's basically, I don't know if it's incorporated. Basically they acknowledge that their legal jurisdiction is El Salvador. And so it's really unclear whether they're regulated or supervised in any way in El Salvador, whether there is a regulator who examines them or monitors them. They've created obviously Tether Us, but that would be solely for, I believe, Tether Us like US customers or where There's a US Jurisdiction, but for their global transactions, they are presumed to be based out of El Salvador. And so historically Circle's argument was always, well, hey, we're a UAE, US based company that submits and we're regulated in the US we're registered money services business, I believe in 50 states. And we, and we follow, right, like the bank secrecy act and the AMLCFT obligations that come with it. Tether, like they've always made a big deal of saying Tether is not regulated, it's outside the US Jurisdiction, to Michael's point. And, and this is just obviously like my personal view and more like a vibe, but I think Tether operates more closely, Laura, to what you said earlier in the sense of like its own kind of like moral code and what should be done. And when someone comes to us and proves it and says it's dirty, then I think that. Now I have heard, Michael, correct me if I'm wrong, but I have heard that they say like, at least 50% of the funds in an address have to be dirty for them to do a freeze. So like they've set this number that like, essentially, like, if it's too small, they won't freeze it. So if more than 50% is dirty, and that could be multiple victims, but I believe, like, they have to basically say, hey, more than 50% of the funds are dirty. So they, they have their own standards for kind of what they do. And I think that's because they're operating kind of on a what do we have to do? And also what should we do? And if somebody comes to us and gives us a legitimate explanation and says, hey, this money is stolen and it belongs to a victim or 100 victims or a thousand victims, they're relatively good about that. It's an interesting dynamic to see where they are on like facilitating sanctions evasion, because that's a different thing, right? Like law enforcement isn't necessarily coming to them and saying Russia was able to buy this using usdt, like it's a, it's a murkier grounds. Like when you look at where they're good versus where they're less good. Like, I don't think it's like an easy one to one, like tether's more compliant and Circle isn't. There are certain things that Tether does better because it's making a risk based analysis of like, what's the risk of not doing this well? And then what's the risk of doing this well? Do you know what I mean? Between, between these, like different categories. But at least the vibe that I've gotten, especially from law enforcement, is that when you go to tether and you say, here's our proof. Here's our tracing, this is elicit, and it's more than 50%. They are much, much faster and willing to work with folks to freeze because I don't think they want the funds to disappear.

A (56:37)

Yeah, like, to my mind, what you're saying is basically, they use common sense. They're not, like, doing this bookish. Like, let me look up this law that was written back in 1853. Like, they're. You know what I mean? They're, like, literally just using their brains to figure out what to do. Like, that's what it sounds like to me.

B (56:54)

I say this as a recovering lawyer. You're not wrong. Sometimes lawyers are the problem. A lot of times, lawyers are the problem. And that's because we're bound by professional obligations and laws and regs. And in crypto, especially, areas where they have not caught up. Right. Like, so many regulators globally are so behind on this, on saying what you should do. But, like, we as humans, like the social contract, like, the moral compasses that we've developed are faster along, saying, but you should be doing this. Like, you. You have the ability. With great power comes great responsibility. Like, good Lord, just follow the law of Uncle Ben, and you'd be fine. And we know that. But the problem is, is, like, the social contract that we humans have been, like, conditioned to believe the rule of law is in place in crypto lags behind because so many regulators and lawmakers have not put into place the things that the system needs. And that's why we get so frustrated, because it's like you're sitting in Circle and maybe a lawyer is saying, well, we don't have to freeze this. But if I was the CEO of Circle and I had to sleep at night, I'd be making a different decision about whether to let those funds go. Just because what do I have to live with as a human? And if there was a way that I could get it justified and take the risk, I don't think DPRK is going to sue me. I think our regulator is going to be okay with erring on the side of freezing as opposed to letting it go. And even if they didn't know it was North Korea at the time that it was jumping Michael, it was certainly illicit enough that it was pretty clear somebody was. Yeah. I mean, yeah, it was like, it

A (58:28)

was pretty clear it was stolen.

B (58:30)

It was clear that it was Stolen and hacked and. Come on.

C (58:34)

Yeah. And I'll add one thing I haven't said yet, which is like, there's a specific crime unit, the T3 financial crime unit, that like Tether coordinates with Tron and TRM Labs and others on that, like in the Bybit hack a year ago, you know, did freeze 9 million in stolen funds. So they did actually. They were able to recover some funds and like a relatively comparable hack to this one in terms of the actor and the sophistication involved. And the lesson that was learned from that for attackers is use USDC instead of usdt, because Tether might freeze it through these programs that they've set up proactively to at least have a higher chance of recovery for users of Tether. And like, there's a. There's just an obvious contrast of Circle can be doing better. But yeah, to Amanda's point, do they have to do better to satisfy regulators or their legal obligations?

A (59:17)

Okay, so last two questions. The first one is for Amanda, specifically Amanda, if he were to craft a new law that would make sense for blockchain speed, how would you. How would you structure it?

B (59:31)

So obviously I'm biased in, in favor of preventing victimization, and this might be going a little too far, but I would try to create something equivalent to the BSA safe harbor for protocols and exchanges to basically say, if you have a reasonable good faith basis based on kind of like established industry norms, Right. And you tie it to these things that are basically provable points. Right? So is it a reasonable good faith basis? Is it based on, you know, reasonable security norms? So somebody like a Michael has to come in and say, did they do what? What's the industry standard at the time? Did they use best practices? Did they use analytics? Did they have. Right. Like, did they. Do they just freeze? When somebody says, trust me, it's dirty, that would be terrible. Right. But somebody presents a tracing point, they do the proofs to make sure that it's like a verifiable security professional. Maybe there's a credentialing process like you can imagine what we put into place. But something needs to be put into place that basically says. Because unfortunately right now too many exchanges, too many exchanges and issuers are going to do exactly this. I've seen it a hundred, I've seen it so many times where basically an exchange says, we had no choice but to release the funds because X. And I'm like, your terms of service say you could freeze funds indefinitely. Why are you so willing to do that when it makes you money, but you're so unwilling to recognize it when it's to protect a victim or victims or thousands of victims. So we have to basically create something that takes away sometimes the excuse that issuers and exchanges use to not freeze funds. But in fairness, they can only freeze those funds for so long. And there are some legal impediments on the seizure side that we need to fix, particularly in other countries that don't have the systems that the UK and the US do. So it's kind of a double edged sword. We need to make it slightly easier for them to freeze when they get information, possibly even from private actors and not law enforcement, which is a very, very touchy subject once you get into it. But we also really need to build up the asset recovery seizure practices that other governments don't have that the US and the UK do. So there's a lot that goes into it. But I, if I was one of the people drafting clarity and market structure right now, I would consider slipping in something that makes it easier for issuers and exchan exchanges to freeze these funds and protect victims of crime, whether it's from nation state actors or compounds in Southeast Asia or relatives that get access, whoever it is, we should just be a little bit better at protecting financial crime victims because right now the global financial crime war is very real. Like a lot of us remember the war on terror, we really need a war on financial crime at the same level because it is only going to get worse by nation state act factors.

A (62:21)

All right, so Michael, the last question's for you. And we alluded to this earlier. Obviously there were a number of things, you know, and obviously like, you know, no shade to the Drift team, but clearly they could have done things differently. So you know, based on how the attack occurred, if you could give your sort of like best tips for defi teams or whether or not they're defi. Whatever you want to call them, crypto teams, you know, what would you say? And it's a two part question. And the second part is just because of this fact that, you know, these were individuals who approached the Drift team at conferences. There's probably a lot of teams already right now who are reviewing all kinds of interactions they've had. So if you want to just also add tips for them, you know, for like what they should look for and, and all that.

C (63:11)

Yeah, I mean, I think the first thing is to acknowledge, like this is a very sophisticated hack. And yeah, there were a lot of things that Drift could have done better, but I think it's Also important to call it. There's lots of crypto teams that I think are in a very similar position as Drift right now. And definitely a good time for all of them to reflect. I mean the first thing off is like endpoint security. Like anyone who is part of your team that is using device for signing, like that thing needs to be locked down. It needs to be either a separate, either have very strict endpoint protection or effectively just use a completely separate device for signing almost entirely. Obviously start to think very seriously about VS code extensions and other things that you're running on your computer, computer anything basically where you might bring in you're doing something as simple as opening an external email to downloading new code. All of these things are attack vectors. And I think if you're doing sensitive signing on an admin key, like one, you need to just be on a better device. Two, you need to use better key management. Like definitely not a key on the device itself. Ideally hardware wallet, you know, turnkey also offers something through an API that we support for fine grained policies. But generally speaking like you just need to be like, have a very clear defense in depth where there's multiple areas of failure that need to occur, ideally as many as like layers as possible while still having like enough operational flexibility to do your job. And that's always a balancing act. But like the more value you have at risk, the higher that threshold of, you know, effort needs to be. And you need to be willing to bite the bullet to say like, hey, we're going to make the team jump through the hoops because there's just way more value at risk as we grow. Just generally having that philosophy.

B (64:42)

Can I add one thing, Michael? Bless your heart, Independent risk audits. Everything you're saying, I love you so much and he's too nice to say this, but so many internal security people will say they're doing fine and the executive team will not get an outsider to verify that. And that is the death knell of so many places. This is not an attack on SISOs, but like you have to have an outside objective view come in like, because otherwise of course everything's okay internally by the people responsible for maintaining it. And that we see in financial services all the time.

C (65:18)

Operational security audits too, like contract code.

A (65:21)

But like yeah, the only thing that I've heard though is like sometimes the teams will, you know, say like well the audit should just cover this. And then the thing that it doesn't cover is the way they get hacked. So it's like the audit maybe Gives people a false sense of security. I'm not saying not to get audited. I'm just saying that I wouldn't assume that because the place has been audited that you can definitely trust that every piece of it was audited or even that the audit itself was quality.

C (65:51)

I think this is the biggest distinction I've worked in. A smart contract auditor opens up in four years and that's an absolutely crucial part. But we're not seeing, seeing these big attacks coming from smart contract exploits. We're seeing them come from operational security failures. And that's where like we Definitely, I mean, Sock 2 is like the baseline that I think teams should be getting at some point. But even going beyond that, like doing rolling audits, doing, you know, having persistent security professionals come in and target your team and act as the same attackers and figure out ways to find weaknesses in your system. Like at some point this is where resources have to be placed. And then, yeah, beyond that, just thinking through, okay, like if you are like, you know, looking at your system and thinking, how could we be potentially targeted the same way Drift is like, yeah, you need to be coming through your history. Who's been talking to you? What has your team downloaded? Anything that might be potentially compromised. Do a full wipe and reset. Rotate your credentials. If you can't rotate your credentials or your wallet keys, get a wallet set up that can rotate credentials easily and make that a recurring thing. And yeah, if you are like at risk, like reach out to security professionals to help harden yourself. There's lots of folks out there that do this work really well. If you're like really worried that you might be currently compromised like steel 911 has a hotline on Telegram you can reach out to and get immediate assistance from. They've been great. They've obviously helped adrift in a time of need. They helped others in the past. Donate to steal911 if you feel bad about taking up all that free time. But yeah, I think like the fact that that resource has been the lifesaver for a lot of teams that haven't yet invested in their own internal security, I think is a wake up call. Like Cylinder 1's great, but like people shouldn't have to rely on that for the security of a protocol that has hundreds of billions of dollars. There can definitely be some resources put into better endpoint security and just better security procedures in general. So hopefully this is a good lesson. And it's a year to the date, year and a month to the date. From Bybit where we've Once again been reminded the stakes. So hopefully this is one that really ingrains itself into people that need to be more paranoid and have better operational security.

A (67:52)

All right, you guys, this has been such a great conversation. Thank you both so much. Just especially well for both of you. Yeah, can you share where people can learn more about you and your work? Because hopefully nobody listening to this will ever need your help. But just in case, well, you can

C (68:10)

follow me on Luelle and Michael on Twitter. Just my first and last name in reverse. And sometimes I speak a lot on this for turnkey or in some or Seal, who does a lot of security initiatives and frameworks. So like, they also have a best practice guide that's also good to follow and I contribute to among many others in the space.

B (68:29)

I'm AmandaWick on LinkedIn. I think I'm. I used to be the only Amanda Wick, but fingers crossed. It's like crypto compliance expert. And I talk a lot about crypto compliance in this space. I also talk about other people you should follow in the space. So definitely find me on LinkedIn. I am on Twitter, but I'm terrible at it. So maybe I'll. I'll get to Michael's level someday. But thanks so much for having us. This was a really great conversation.

A (68:54)

All right, well, thanks everyone for tuning into the live stream. Next up, we have bits and bips where Ram Alawalia, Chris Perkins, and Austin Campbell will talk about the war in Iran and the various intersections it has with crypto and more about the Drift hack, which I think you will want to hear from Austin, who used to manage a stablecoin, and from Chris, who was in the military. So stick around after this short break.