Unchained Podcast Summary
Episode: How ‘Booth Babes’ Can Result in Huge Hacks Like Drift’s
Host: Laura Shin
Guests: Amanda Wick (Verify VASP), Michael Llewellyn (Turnkey)
Date: April 6, 2026
Episode Overview
This episode of Unchained unpacks the inside story behind the Drift protocol hack, a sophisticated attack likely carried out by nation-state actors using in-person social engineering at crypto conferences. The discussion also covers the subsequent backlash against Circle over its failure to promptly freeze the stolen USDC, and the broader implications for crypto security culture, regulatory gaps and operational best practices.
Key Discussion Points & Insights
1. Anatomy of the Drift Hack: A New Breed of Threat (01:12 – 12:31)
- Long-Term Social Engineering: The Drift team revealed their attack was the result of a six-month+ intelligence operation. Attackers met Drift contributors in person at multiple crypto conferences, built rapport, and demonstrated deep technical fluency and legitimate-appearing professional backgrounds ([03:55]).
- High-Quality Fakes: These “professionals” had constructed backstories backed by LinkedIn profiles and verifiable credentials. They even deposited $1M of personal capital to gain trust ([04:18]).
- Attack Execution: Attackers got engineers to clone malicious repos, exploited vulnerabilities (notably in VS Code), and collected signatures on wallet multisigs in advance. The attack was staged using Solana’s durable nonces, and the attackers’ rehearsals were detected via onchain analytics.
“This was a long term, at least six month intelligence operation. [...] Involved in person crypto professionals interacting with the Drift team. [...] This is serious and, you know, one month to the day from the Bybit hack, it feels like the intensity of attacks on crypto is, is increasing, not decreasing.”
(Michael, 03:21)
- Existential Threat: Both guests stress that this attack exposes glaring industry-wide vulnerabilities. Drift is unlikely to be the only target, and the sophistication here, comparable to nation-state operations, raises the risk profile for all crypto projects ([04:18], [05:30], [12:31]).
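As an added defender-side illustration of the durable-nonce staging mentioned under Attack Execution (example code written for this summary, not code from Drift, Turnkey or anyone on the episode), the following Python script flags parsed Solana transactions in which a monitored admin or multisig signer either participates in a durable-nonce transaction or is set as the authority of a newly initialized nonce account. It assumes the record shape of Solana's getTransaction RPC with jsonParsed encoding; the three transactions, the public keys and the monitored key set are constructed placeholders.

```python
"""Flag durable-nonce activity involving monitored admin keys.

Added example, not code from Drift, Turnkey or the podcast. Input records
follow the shape returned by Solana's getTransaction RPC with jsonParsed
encoding; all keys and transactions below are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Iterable

SYSTEM_PROGRAM = "11111111111111111111111111111111"
# Parsed instruction types emitted when a nonce account is created or
# reassigned; both precede any durable-nonce signing.
NONCE_SETUP_TYPES = {"initializeNonce", "authorizeNonce"}


@dataclass
class Finding:
    signature: str
    reason: str
    keys: list = field(default_factory=list)


def uses_durable_nonce(message: dict) -> bool:
    """A durable-nonce transaction must start with system advanceNonce."""
    ixs = message.get("instructions", [])
    if not ixs:
        return False
    parsed = ixs[0].get("parsed") or {}
    return ixs[0].get("programId") == SYSTEM_PROGRAM and parsed.get("type") == "advanceNonce"


def signer_keys(message: dict) -> set:
    """Public keys that signed the transaction."""
    return {k["pubkey"] for k in message.get("accountKeys", []) if k.get("signer")}


def analyze(tx: dict, monitored: set) -> list:
    """Findings for one parsed transaction against a set of monitored admin keys."""
    message = tx["transaction"]["message"]
    sig = tx["transaction"]["signatures"][0]
    findings = []
    hits = signer_keys(message) & monitored
    if hits and uses_durable_nonce(message):
        nonce_account = message["instructions"][0]["parsed"]["info"].get("nonceAccount")
        findings.append(Finding(
            sig,
            "durable-nonce transaction signed by monitored key; signature may predate submission",
            sorted(hits) + [nonce_account],
        ))
    for ix in message.get("instructions", []):
        parsed = ix.get("parsed") or {}
        if ix.get("programId") != SYSTEM_PROGRAM or parsed.get("type") not in NONCE_SETUP_TYPES:
            continue
        info = parsed.get("info", {})
        if info.get("nonceAuthority") in monitored:
            findings.append(Finding(
                sig,
                f"{parsed['type']}: nonce account bound to a monitored authority",
                [info["nonceAuthority"], info.get("nonceAccount")],
            ))
    return findings


def scan(txs: Iterable[dict], monitored: set) -> list:
    """Run analyze() over a batch of transactions, oldest first."""
    out = []
    for tx in txs:
        out.extend(analyze(tx, monitored))
    return out


# --- constructed sample data (placeholder keys, not real accounts) ---
ADMIN = "AdminSignerPlaceholder111111111111111111111"
NONCE = "NonceAccountPlaceholder11111111111111111111"
MONITORED = {ADMIN}


def _tx(sig, keys, instructions):
    acct = [{"pubkey": k, "signer": s, "writable": True} for k, s in keys]
    return {"transaction": {"signatures": [sig],
                            "message": {"accountKeys": acct, "instructions": instructions}}}


def _sys(kind, info):
    return {"program": "system", "programId": SYSTEM_PROGRAM,
            "parsed": {"type": kind, "info": info}}


SAMPLE_TXS = [
    # Ordinary transfer signed by the admin: no finding expected.
    _tx("sig-transfer", [(ADMIN, True), ("RecipientPlaceholder", False)],
        [_sys("transfer", {"source": ADMIN, "destination": "RecipientPlaceholder", "lamports": 1000})]),
    # A nonce account is initialized with the admin as its authority: setup precursor.
    _tx("sig-nonce-init", [("PayerPlaceholder", True), (NONCE, False)],
        [_sys("initializeNonce", {"nonceAccount": NONCE, "nonceAuthority": ADMIN})]),
    # Admin signs a transaction that begins with advanceNonce: the durable-nonce pattern.
    _tx("sig-durable", [(ADMIN, True), (NONCE, False)],
        [_sys("advanceNonce", {"nonceAccount": NONCE, "nonceAuthority": ADMIN}),
         {"programId": "MultisigProgramPlaceholder", "accounts": [ADMIN], "data": "opaque"}]),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_TXS, MONITORED):
        print(f.signature, "->", f.reason, f.keys)
```

The rule the script relies on is a documented property of durable nonces: such a transaction must begin with the system program's advanceNonce instruction and carries the nonce value in place of a recent blockhash, so it never expires the way a normal transaction does. That is exactly why a signature collected in advance is dangerous, and why admin or multisig keys should only ever sign such a transaction inside a deliberate, reviewed operational procedure; an alert on nonce-account setup for those keys gives the team a chance to ask questions before any signature is collected.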
2. Nation-State Actors and Their Motives (07:27 – 12:31)
- Predominance of North Korea (DPRK): Most sophisticated crypto hacks trace back to North Korea. Russia and China also host hacking groups, but DPRK stands out for the state-directed, revenue-generating nature of its attacks ([08:17]).
“With DPRK, it does seem to be like, this is literally a source of revenue for that country. Like a significant portion funding the North Korean state, especially the nuclear program.”
(Michael, 08:17)
- Use of Intermediaries: Attackers are not direct North Korean nationals; they often use proxies—either unwitting, criminally-complicit, or fully aware intermediaries from other countries ([19:14], [20:58]).
- Booth Babes as a Vector: The “booth babe” phenomenon—companies hiring attractive women to lure attendees at conferences—was highlighted as a security risk, creating new social engineering vectors ([12:31]).
“Booth babes are a terrifyingly frequent thing. [...] Who are you allowing to be in your booth representing your space? What information are they allowed to collect?”
(Amanda, 12:31)
3. Security, Trust, and ‘Decentralization’ Myths (13:56 – 18:00)
- Decentralization Is Not a Defense: Human factors—conference booths, contributors, or semi-centralized admin keys—all constitute potential single points of failure ([14:40], [27:34]).
- Operational Security Weakness: Attackers target people, operational habits and endpoint security, not just smart contracts. Ongoing vigilance and strict controls are emphasized ([15:47], [26:11]).
4. Attribution & Caution on Blaming North Korea (18:00 – 20:46)
- Evidence Confidence: Most in the security community assign 80–90%+ likelihood to DPRK being behind the attack (Michael, [18:33]). Yet, final confirmation awaits industry-standard forensics; over-attribution without certainty is cautioned ([18:55]).
- Sophistication of Subgroups: The hack was attributed to UNC4736 (AppleJeus/Citrine Sleet), one of several semi-competitive, “franchise” state-sponsored hacker groups under the North Korean umbrella ([31:56]).
5. The Circle Controversy: Should They Have Frozen the Funds? (32:43 – 58:34)
- Circle’s Policy Criticized: Despite having onchain freezing powers, Circle did not act quickly to freeze $232M USDC as the hacker was bridging funds, leading to widespread outrage ([34:22]).
“Why do you think Circle, and I'm not going to mince my words here, chose to let North Korea get away with stealing money to fund its nuclear weapons program? I find that crazy. Personally.” (Laura, 34:22)
- Circle’s Restraint Explained:
  - Circle’s corporate/legal policy is to only freeze after court or law enforcement authorization, prioritizing a “minimal compliance” approach ([37:14], [39:03]).
  - This mirrors legacy finance, but is outpaced by blockchain’s speed. Law enforcement is often more frustrated than impressed with Circle’s compliance ([39:03]).
- Moral and Market Gaps: There is no financial or regulatory downside for Circle to act slowly; customers and regulators haven’t penalized them ([45:41]). Amanda summarizes:
“If my regulator isn’t complaining and my customers aren’t leaving, what’s the downside?”
(Amanda, 45:41)
- Contrast With Tether: Tether is lauded for working closely (and quickly) with security firms and law enforcement to freeze illicit funds. They operate under El Salvador jurisdiction and act on a risk-based, moral/common sense model rather than strict legalism ([51:33], [53:36], [56:37]).
“If you freeze, you can always unfreeze, but if you don’t freeze and then the money makes its way over to Ethereum and Solana, game over.”
(citing Taylor Monahan, 53:02)
6. Legal, Regulatory & Industry Suggestions (59:17 – 67:52)
- Need for Safe Harbor Laws: Amanda proposes a ‘BSA-like safe harbor’ enabling crypto companies to freeze suspected stolen assets on a good faith, evidentiary basis, rather than waiting for law enforcement ([59:31]).
- Best Security Practices for Teams:
  - Endpoint security: isolated devices for admin signing ([63:11]).
  - Least privilege: don’t give developers sweeping access ([63:11]).
  - Regular external risk audits—not just code, but all operational practices ([64:42], [65:51]).
  - Proactive credential rotation and reviewing past interactions for signs of compromise ([65:51]).
  - Use dedicated help, like Seal 911, for suspected compromise ([65:51]).
- Operational Reality: There’s a call for ongoing, adversarial “red teaming” and not relying on audits as panaceas ([65:21]).
- Industry Must Graduate: Security maturity should scale with funds at risk. Don’t wait for catastrophe—be proactive.
Notable Quotes & Timestamps
- “You may think having an attractive woman lure men into your booth seems like a really great idea, but what conversations are they collecting? What PII are they collecting?”
(Amanda, 12:31)
- “This seems like something that other teams are likely being targeted with like at this moment... we have to consider who else might be compromised.”
(Michael, 03:21)
- “With DPRK... this is literally a source of revenue for that country. Like a significant portion funding the North Korean state, especially the nuclear program.”
(Michael, 08:17)
- “If you freeze, you can always unfreeze, but if you don’t freeze and then the money makes its way over to Ethereum and Solana, like, game over...”
(Taylor Monahan via Laura, 53:02)
- “If my regulator isn’t complaining and my customers aren’t leaving... what’s the downside?”
(Amanda, 45:41)
- “Crypto is different and the systems are not adapting fast enough to tech that is moving faster.”
(Amanda, 47:44)
- “Hopefully this is one that really ingrains itself into people that need to be more paranoid and have better operational security.”
(Michael, 67:32)
Segment Timestamps
- [01:12] – Drift hack postmortem & incident timeline
- [03:21] – Nature of the social engineering attack
- [07:27] – Nation-state actors in crypto hacks
- [12:31] – Booth babes and social risks at conferences
- [18:00] – Attributing hacks and DPRK’s methods
- [32:43] – Circle’s freezing policy and community backlash
- [51:33] – Industry contrast: Tether’s practices vs. Circle’s
- [59:31] – Proposals for legal reform
- [63:11] – Security best practices for teams
- [65:51] – Limits of audits and ongoing vigilance
Key Lessons & Action Items
- No Vector is Too Small: Any physical or social touchpoint, especially at conferences, is a potential threat vector. Be wary of who represents your brand and what info is collected.
- Proactive Security: Treat all contributor or vendor interactions as potential risks; harden operational procedures, rotate credentials, conduct regular audits (internal and external).
- Advocate for Regulatory Evolution: Industry should push for clear legal frameworks for freezing and asset recovery matching blockchain’s pace.
- Demand Accountability: Users, teams and regulators need to demand timelier, more accountable responses from centralized issuers to prevent future large-scale losses.
For more resources on DeFi security, hacks, or to get help:
- Follow Michael Llewellyn (Twitter: @luellenmichael)
- Connect with Amanda Wick (LinkedIn: Amanda Wick)
- Review and contribute to Seal 911 best-practices
- If compromised, contact Seal 911 for crisis assistance
