A
Everyone, I'm Kane Warwick and welcome to Uneasy Money. Because what happens on chain never stays on chain. Before we start, nothing you hear on Uneasy Money is financial advice. We're just three builders talking about what's happening on chain and we want you to always do your own research before aping in. You can find all our disclosures at unchainedcrypto.com uneasy money. And before we begin, here is a word from the sponsors that make the show possible.
B
The Energy Network is an intelligent to balance supply and demand. Energy dollar is the native token of the network from one of Europe's fastest growing energy startups. Follow Use energy on X to find out more. Multichain Advisors is an emerging technology growth firm that has helped create 50+ billion dollars in enterprise value for 80+ clients over the past four years. They're the partner to help navigate markets, build real traction today at multichainadv.com
A
All right, I'm here with my co-host Taylor Monahan, security expert, and Luca Netz, dog enjoyer. We are. Yeah, we've got some wild stuff to talk about today. I think the first thing that we need to jump straight into basically is the Drift Protocol hack. It's sitting at 250 million plus right now. Is that right, Tay?
C
Yeah. Yep. It's a lot of money.
A
It's a lot of money. So. So Tay and I were talking about this before we started and I was like, it's not really a postmortem yet. It's like an active mortem or like a something. So. So we don't know that much, I guess, about exactly what has, has happened here. So just probably leading with, like, there's a lot of speculation, a lot of uncertainty, because this is like a couple hours old. So we will do our best to unpack it. But yeah, again, this is all like somewhat, somewhat in flight. Hacks usually this big.
D
The guys just usually just take a 10% white hat fee. I mean, like, I don't know how you move $250 million into a.
A
Well, unfortunately we, we think that this is probably. I think it's DPRK, right? Okay. Is that where we're at?
C
Ah, it's two hours old. I'm not, I can't attribute publicly like this. I will say, I'll say this. I. The second I saw the second stuff I made a lot of calls to get the full set of indicators for recent DPRK stuff to see if we could get more insight. I think especially relevant and like the, the thing that's top of mind is obviously the Axios attack happened yesterday. That was DPRK, and that was specifically DPRK, who is very crypto motivated. That entire supply chain attack, the goal was to steal crypto. So the timing feels sus. It feels like that would be very. Like, that makes sense. But a lot of times with these things, it's, it's a bit more complex. And just because, like, you find one easy narrative doesn't mean that that is, like, the answer.
A
What's going on? So, sorry, just, just to clarify for, for people at home, so that, so that we're clear about this, the reason why the, the fact that the Axios hack yesterday, so there was a supply chain attack yesterday, which was some DPRK guys who usually are like Zoom-focused guys, and they have leveled up a little bit into other stuff, which, like, these guys are not the most sophisticated people. For what it's worth, like, as someone who is, has, you know, has a pen pal in one of these groups, they. Yeah. Like, they're not the brightest bulbs in the bulb factory, put it that way. And, and there's something weird about them being like, ah, we now are supply chain attackers. So they were able to compromise this like, huge dependency in, in like a bunch of stuff. Right. And we don't yet know how that happened exactly. Yet.
C
We, it's, it's. We've talked about it on the show. It's the Zoom calls. Well, now. Now. Yeah, now more often it's. It's a teams, it's a Microsoft Teams call, but it's exactly the same. So it's the exact same flow that we usually see in crypto.
A
So the scary thing about that's the
C
question is like, how the hell.
A
How would they get the Axios people?
C
Maintainer. Yeah.
A
So I mean, the, the. I think there's two things that are petrifying about that, right? You have to imagine as like an open source maintainer, that you are so much more susceptible. I mean, we've seen this, you know, we saw this with like Steve Yegge and some of the guys who were building these open source things. When crypto people, like even just like normal people, not, not DPRK hackers, when crypto people turned their attention onto them, they were woefully unprepared for that completely. They're just not used to the kind of adversarial world where like, people are like bashing your door down to try and steal your. And like steal your domain names and, and handles and all of that stuff. Right? So, you know, and these are smart dudes who, who were like completely sideswiped by this. Right? So you have to imagine someone who has been like meticulously maintaining this like core dependency for years is just not used to, you know, people trying to break into them. I mean, like, of course, on some level, of course, on some level, you know, these are, these are people that understand the, the kind of, I would say immediate security concerns of you are a major dependency of all of this downstream software. So I'm sure they have very good security practices when it comes to deployments and review, like all of the like common core things you would have to do. My guess is, maybe I'm wrong, but my guess is they're probably not as prepared for someone hitting them up on wherever they communicate with each other and pretending to be a VC or something. And you know, they've compromised someone's Telegram account or they've compromised someone's email or whatever and they're like, hey, let's have a chat. I love what you're doing. And they're like, oh, cool. Yeah, like Zoom calls are fine.
C
It is, it's very similar to crypto in the sense that you have individual people who are actually very smart, very talented, very capable, very computer knowledgeable. They are operating as like sort of loose organizations, these maintainers, like they often maybe work for a company, but they also do like, you know, open source software. It's, it's, there's a lot of overlaps with crypto and then obviously there's, there's, there's gaps that are created when you and all your friends and every individual is like very knowledgeable and secure and like tracks the security incident. It mostly happens because they all assume, and this happens in crypto too. But this is even more true in an environment where you're not totally like getting phished all the time. You assume like you put in all these, these guardrails and all these processes and all these procedures to ensure that like this has to go here and then this is checked here and you know, on and on and on. Every time something gets deployed, there's like a whole process. There's a root assumption though that the person like the core maintainers, right, which is usually, honestly usually it's one guy. You know, in this case, there were a few different people that probably had those like the admin rights or had the ability and knowledge to do this. They all assume that their computers, their keys, their everything are safe. Just like crypto wallet keys, right? You have keys that exist on your device that give you permission or access or authorization to push to GitHub, to run certain automations and like build pipelines and then to deploy. Sometimes these keys are literal keys, like SSH keys, like a private key. More often they're what we call like a session token or a short lived token. It's like you auth in for two weeks or two days or two hours or whatever. 
Either way, even if you have like 2FA, like hardware 2FA protecting your authorization into your GitHub account or into your npm account or whatever it is, when you authorize a token and save it to your computer, that token is basically what you use to access these things for however long it is, the next two hours, two days, two weeks. If your computer is completely compromised in the way that DPRK compromises computers, that token, they take that token and they reuse it. And so now it doesn't matter that you have MFA, it doesn't matter at all. They can just use that to basically literally be you. You won't see attempted logins, you won't see anything weird happening. Like they'll just go and they'll, they'll
A
do whatever they want. So correct me if I'm wrong, right? But like, you know, in crypto we have learned over time that after the fact something weird happens, right, after the fact. Like we've learned enough to know, oh, like we should probably lock this stuff down. Is it, is it, is it possible? Have you heard stories of like DPRK guys, the Zoom call guys, Microsoft Teams guys pulling something like this off, where like they have the whole thing and then the compromised person doesn't realize that they got owned? Or is it like so obvious that like weird shit starts happening or.
C
No. So when the, when you get off, or like you get on the call with them, when you get off the call with them, you sort of just write it off as like the call didn't work and like you experienced difficulties and like you're busy and you have another call to go to and you sort of forget about it. Then they'll sit there for like two weeks, three weeks, two months, they'll come back like six months later if you let them. You know what I mean? But people are, you don't immediately see anything happening. It's not like they're trying to log into your Google and you know, like you're not. There's nothing that happens until you literally wake up one morning in the future and like, things are just wrecked. And even then the notifications are other people telling you that you've been compromised. You don't have notifications yourself, like, any indication that you've been compromised.
D
Can you run Malwarebytes or something to detect this? Like, Tay, like, let's say I'm just paranoid and I'm like, shit, that I fucking Microsoft. How do I diagnose, like, my devices with this?
C
So, yeah, after the fact with Axios, so basically what they did, they compromised the developer. They pushed a malicious version of the code to the Axios package, which is a dependency in like a bazillion other packages, like all of them. And so then anyone who installed any of these packages or updated any of these packages or ran like updates or were working on any projects that had these packages in them, all those people were compromised. And so one way to think about it is the normal mechanism that they use to compromise people is they get one person on a Zoom call and they make that person run a command and that command then does all this malicious stuff and gives them like full access to the computer. With the supply chain attack, when they push that malicious code up, then I think it's like 100 million computers a week download this package, right? All of those people basically do the same thing, but it's automatic, it's silent and it's in the background. But it's literally the same code that they have you run for the Zoom. It's just now like all over the place. So in response to this, like, if you're worried about this, if you're coding, if you have, you know, if you're doing like npm run stuff ever, you can like, Google it. You can look at. There's like a bazillion blogs on it. There's like a bunch of things that you can check. There's a bunch of different, like, little indicators. However, more important, in my opinion, like, to prevent this is if you're maintaining software. The first thing is like you want to. It's called pinning your dependencies. Don't auto update immediately, right? In the same way that you don't want to update, you want to let your phone do one version, get all the bugs out. It's similar to that. You don't want to necessarily pull a dependency and update it the second it's updated. Give it a day. The second thing is actually you can
A
go even further and say in our repo, and this is annoying sometimes because you want to push something and you get blocked. It's like if something's less than seven days old, you can't actually have it in there at all.
C
Yeah, exactly.
A
You can literally like say like there's a minimum age that you need for this step for you to even be able to push it in there. And like, you see every once in a while like one of my guys is like on Slack. Yeah, I need, like, I just, I need this. Come on, this is really important. Give it to me.
C
Yeah, yeah, exactly. And then. Yeah. So with DPRK malware, it's pretty sophisticated. They evolve it pretty quickly. As someone who looks at a lot of computers with this malware on it, the AV is not going to detect it. You can run Malwarebytes. It's not, it's very rare that's going to pull it. It's terrifying. We've had a few victims who have SentinelOne, which is like an EDR. So it's like a more advanced AV, and in the past couple months that hasn't even been detected. So they're in most cases with most malware, AV is like, great, you should run your AV. If you're on Windows, like Microsoft Defender is great. Mac, it's a bit tougher. But if you have significant amounts of crypto, if you have a company, the answer is CrowdStrike. It's EDR. It's, it's going to protect you. And they stay on top of things the way that they. There's two ways to think about protection on devices, on endpoints. The first is let's check a big list of hashes to see if it matches any known malware. But if they change their malware at all, it's not going to show up in the hash library. And then they're not going to detect it. And they're going to be like, your computer's clean even though it's not. EDR is, say, like much more fine-tuned. And so they don't really, they don't sit there and like look at hashes and like, stuff like that. They're looking for patterns and activity and behavior that your device is doing that is not normal and should not be done. So things like persistence, like some new like persistence showing up randomly open.
A
Yeah, right, yeah.
C
And like with DPRK they almost always have what we call a heartbeat ping. It's your device pings out every 60 seconds and asks if there's anything. You literally go, yo DPRK, is there anything you want me to do? And then if they don't get a response, it just chills for a minute and then a minute later it wakes back up and it's like, yo, DPRK, is there anything you want me to do?
A
It's like open claw forever.
C
Forever. Literally forever. And then turns out, like, occasionally DPRK will be like, yeah, here's a new malicious wallet. I'm gonna take all your money now. Bye. That's like, literally how it works. So CrowdStrike and other EDR will protect you here if you are not in that game. My advice for open source developers and for crypto people is always the same. Have a separate device 100%.
A
Like, honestly, like, if you. If you're in crypto and you have raised significant money and you do not have a pile of MacBooks sitting around that you are rotating through, like, literally
D
that I have that this is.
C
This is how you operate. Guys, each one of these is for a different thing that I might need to do at some point.
A
Literally that.
D
I have a question. I have a question because I'm. I'm a smooth brain. I'm a layman here. So, like, a lot of this stuff is like, I need to go talk
A
to some technology guys.
D
But nonetheless, is there a difference between Mac and Windows? Is one easy to compromise versus the other? Like, for years it's like, Mac is
A
better, but is that just a farce? Is that just like marketing? No, it is absolutely not a farce. Like, I'll let Tay speak to this, but like, look, at the end of the day, if you're on a Zoom call with DPRK, it doesn't matter what machine. You could be on a Linux box. Like, they'll figure out how to own you. So, you know, there's some stuff that is, like, helpful there, but. But if you get owned, you're gonna get owned. Like, they'll. Once they're talking to you on Zoom and you're clicking buttons that they're popping up, like, it's over for you. But just in like, a general sense. No. Like Windows.
C
Yeah. So historically, the reason why, like, malware was limited to Windows was one. There was like a huge, just huge attack surface. Apple's much more opinionated and sandboxed. And it's like architected in a completely different way. And so if you were a developer, you were not on a MacBook. You're not on a Mac, period. Right. The Macs were those colorful things that the artsy fartsy people used, not what malware developer people are using. Right. However, that has like completely shifted. Most developers these days are running Linux and if they're cool like I am, they run Mac because it's like a good intersection. Like, I like my UX. But I also like to. It's just, it's Macs are so much better. Like Unix is so much better. And so because of that, the people that are developing the malware and also the people that they are targeting with malware are usually on Macs or more often on Macs. And therefore there's a lot more Mac malware out there. DPRK is probably one of the most sophisticated in what I would call Mac native malware. They write their malware just for Macs because all the crypto founders use Macs and.
D
And I want to ask you another question. I'm sorry because I'm actually, I've actually never. I have a full time security expert
A
on my team but for some reason
D
I just feel like really excited to
A
talk to you guys about this.
D
If I got an email and I just clicked a link, I didn't do anything. I clicked it, obviously it was a malicious phish. Like how much do I need to engage with a phishing link for me to get phished? Is it just, I clicked it, I'm fucked, right? I got the super max set up, the, you know, whistles. Like what do I have to do to fuck myself? You know, if I'm on a. Yeah, my language.
C
So usually it's more than clicking. So usually there's you down. It's not necessarily like an exe or something that you download and install though, but usually like you click on something, something else happens and then you do something else. Maybe that's something that like downloads. A super common one is what we call ClickFix. So it's like your shit's broken. Copy paste this into terminal. So you like copy. You copy this command and you put it in a terminal to fix it. Doesn't fix it. It's just malware. There, there's a lot of like, you know, there are still sort of like installation ones. Like if you install a malicious application, it can totally wreck you. Typically we see these like they're impersonating applications typically. So like it's. If you click like the top Google Ad and download that and install that, it's probably malware. If you just click a phishing link in general, like almost always, you're going to be fine. The problem with clicking a phishing link is you kind of go into autopilot. And so if you don't detect like once you're sort of in that mode, it's much harder for you to detect the subsequent steps. If that makes sense. Like if you don't. People who don't detect the email is sus, they're probably going to go all the way through and get malwared because each sort of subsequent step makes sense and is sort of less sus than the initial.
A
Once they're on the hook, they're getting real, right?
C
Exactly. It's really hard to like, you have to have a deep level of self control and deep skepticism to be like mid-phish and then be like, whoa, this is not okay. Like it's just, it doesn't happen. And so that's why like we, everyone always recommends like, don't click phishing links. Don't, you know, you try to prevent at that first step just because it's, it is really hard to like back out of it.
A
I think I'm, I, I don't think I've mentioned this here, but, you know, in 2022, like late 22 into early 2023, I had like four months where I didn't do a single crypto transaction, right? I was like, completely offline. I come back and I'm like, let me check my portfolio. Like, like, how is it doing? Right? And so I'm like, Zerion, DeBank. I was like, I'll go to DeBank. So I, I, I'm like, DeBank, like, what's the URL like? And so anyway, so I Google DeBank and the top link is a phishing link. And like, my, my like, skeptical brain has been switched off from like four months of like not living inside of like the hellish crypto world that we live in. And so I click the incorrect link, open it up, it looks like DeBank, I start going through, I click the, the Connect wallet button, right? And then it pops up with a signature request. And I was like, and this is why like the interesting thing here, this is why the like, Sign-In with Ethereum thing is so, and I hate it so much, because I was like, oh, they've added Sign-In with Ethereum. And I'm like, I was so close to pressing it. And then I was like, oh, wait a second. No, no, no, no, no, this is wrong. And then I looked at what the actual signature was and it was official. It was like a drainer. It was like 100% a drainer. And like, it's so easy to just like. And all it took was me like not doing stuff for like a couple months to completely forget how to protect myself and almost get.
D
You want to hear, want to hear a crazy one? In 2023, when we first raised our
A
round,
D
there was, we were accepting investment checks in crypto and one of the VCs actually got hit with a man in the middle attack. So they sent us $2 million. But what they actually did is they sent a dude in Nigeria $2 million in USDC. And this is like, while the whole world's imploding and me, who's never raised money in my life, I was so stoked that I was starting to get checks through the door when the $2 million got stolen. Basically, somewhere within the email chain, the guy adjusted because the person's name had, like an I in it. They did the whole li.
A
Right.
D
So they change. Changed it. And they were kind of messaging our lawyers direct and then. And then kind of changed the receiving address they sent the 2 million bucks to. I was like, so am I still getting the $2 million? I. I hate to ask. $2 million would go a long way right about now. You know, can the money still come through? They're like, yeah, we have insurance for it, whatever. But poor VCs.
C
Yeah, 2 million.
D
And this guy had like $200 million. Was this African guy in Nigeria. He had his face associated to his wallet. He was like. It was the most insane thing.
C
Wait, have they got this guy?
D
No, Nigeria. He's like 100 armed guards around it. Like, they did a whole. I've been following up like every four months about this.
C
Oh, my God.
A
Wow.
C
All right.
B
Yeah.
C
So it's called. This is, Luca. This is like one of the most prevalent scams. I think pig butchering wins now. But it's called. What's. It's called business email compromise. It's a stupid name. It's BEC.
A
You need a cooler name. We need to get a cooler name.
C
Because you're like, what does that mean? Yeah, it's. They have all these mechanisms where they get exactly. Like Luca said, they get in the middle, right. And then they. They sort of like change the parameters. Right? And so sometimes. And they do it in all sorts of ways, they'll compromise accounts, which is why it's called, like, business email compromise. They compromise the business account. Sometimes, though, they just. Yeah, they'll, like. They'll get on the thread, they compromise someone else, and they'll put someone else on the thread. And then. Yeah, they have all these different ways, but ultimately what happens is that when push comes to shove and you're exchanging information so that the payment. You can send the payment that the. The number, the address, the routing number, whatever it is, switches. And they do it with, like, traditional banks all the time, too. They'll switch out the wire instructions. And. Yeah, it was like, it's super prevalent, very Nigerian.
D
Just on the topic of Drift and just like since we're going down this rabbit hole, I appreciate a school here but like for example, I have a lot of money in Jup, in Jup Lend, you know, Jup, Solana and DeFi. Obviously had money in Drift. Actually I just hated the UX, the interface was so annoying and so I moved it out. So thankfully I'm like not directly compromised. But in the spirit of contagion, obviously I saw some JLP. $50 million of JLP. Does that affect me as somebody who's on Jup Lend? Like am I going to log into my account and see less monies in that account? How does contagion work here and is there contagion?
A
But I mean the risk, the risk with these sorts of things typically is that they're going to try to get whatever funds they can into something that they can launder, right? So you know the, the, the risk would be that they've got a token, you know, a large amount of a token that they're going to dump and then the token drops in price, right. Probably less likely that they have a token that's like being used as collateral for a bunch of things. They dump that, the collateral. Like this is possible, right? Like the, the nightmare scenario is like they compromise one thing. They get a bunch of tokens, they dump it. That causes, you know, a bunch of positions that were otherwise solvent to become insolvent. So like there's, you know, composability is a brutal thing. But it doesn't look like on the face of it that, that like Jup. Jup, JLP, Jup Lend. Like I think from like a liquidity perspective, I think they'll be fine. They've got a lot of liquidity there.
C
So yeah, that's my. I think it's. And I. Everyone's working really hard to contain it further. And I will say that for as bad as like Solana is generally a key management type stuff, they actually do have a lot of policies and controls on the like liquidity mechanisms. Don't know why this is like. But okay, I'll take it. So they. I don't. I. I was reading some stuff earlier today on or like an hour ago on the different things that they were doing. Like it does seem like there's some like liquidity stuff and they're taking action so hopefully they can contain it.
D
I'm not supposed to be super fast move here. I mean in a world where you have a. That can freeze. I feel like Jeremy and crew just need like 20 guys lost.
A
Yeah, the pro. The problem is that, like, USDC is just not it. Like, they just don't.
C
They're not going to.
A
They just don't. They. Like, I. And I haven't really heard a good explanation for why they're so hesitant to freeze things. I mean, it's.
C
They just. They've just delegated it. They. They are. They say instead of having internal policies and making up our own mind and controlling our protocol, we're gonna just. You have to make the US Government force us to do that. And personally, I think that's a stupid. The stupidest position that you can take. You're begging the government to enter your stuff. You've deliberately given up the sanctity of your protocol to the US Government. But most importantly, just because a judge signs a warrant doesn't mean that it's true. Because this is crypto tracing. Okay? You can convince a judge to sign this stuff because it's crypto tracing. There's very few experts in this. When we're talking about, like, complex stuff like this and emergency orders, it doesn't go together. So you have two approaches. One is you do it like Tether does, and you actually have a team of people who, like, they have very. Like, the thresholds that they require to freeze are high. It's not like they just run around freezing stuff. But they decide their policy. Circle, their policy is, if a judge tells us to freeze it, we'll freeze it. So in instances like this, it's a low, most minuscule risk, right? Big hack known, very, very public. Hasn't moved yet. It's in the address. It's in the direct theft address. It's all over Twitter. It's everywhere. If you can act quickly enough and freeze it, there is almost no risk because there. There's just like, so few places where it could, like, somehow get into a legitimate person's hand. And you know what? If somehow this, like, wasn't a hack or something, you can remediate it pretty quickly.
A
You can unfreeze things. Like, we're not saying, like, nuke, nuke it from space and like, burn the money that's in the vault. Like, it's. It's kind of crazy. The. The whole position of Circle here reminds me a little bit of like, early DeFi. Like, code is law, bro. Like there. Except they're like, law is law. Like, we only respond to the law. Like, we have no ability to respond to anything other than the law. It's like the absolute, like, antithesis of crypto that's like, we don't believe in the law. We only have code. And so there's nothing we can do. But, like, both of them are just not defensible positions.
C
They're not.
A
They're not practical or pragmatic positions that you can really hold. They're like, insensible. And at least the DeFi people have been like, okay, we kind of realized we were retarded. Circle's still like, nope, nope. Law is law. That's it.
D
Yeah.
A
All right, let's quickly dive in because we have some details here now of what's happened. Let's dive into the actual mechanics of this thing. So it seems like there was an admin key that was compromised that then locked Drift out of the admin functions so they couldn't freeze the contract. That in and of itself feels a bit strange because my. My assumption here is it's not a single sig situation. Unless. Unless. And you know, this is. This is something that actually hasn't come up for a long time. But like. And we used to have these, like, single sig freezing contracts. Like. Like one person, like back in the. Back in the olden days, right? Like, one person had the ability to pause the contracts for a period of time or freeze the contracts for a period of time. This was like a. You know, like, if you can't raise everyone on the multi sig quickly enough, you can pause the contracts and then you can unpause them. We ended up walking that back because it was like, too risky for. For reasons. But, like, there was a long period of time where, like on the Synthetix multi sig, any one of the multi sig holders could freeze the contract for like three hours or something. And then if they did, if they're compromised, three more people could come in and unfreeze it. Could like override it. So maybe there's something like that going on where, like, they have some like, emergency freezing function here. So the. The admin state in the core program got updated. They created a new market for CBT. They increased the withdrawals, began draining all the pools. Obviously, once they. They presumably pump that token and then they bridged out. So the. The admin signer was compromised or. Or someone intentionally did that. That feels like just a, like, vanilla key compromise.
C
Realistically, I mean, I know it was a. There was. It's definitely a multi sig for what it's worth. I don't know what the thresholds are for sure, but like, it's definitely a multisig. It's interesting that. So they compromised the. They compromised the admin and then they had to do these things. But it wasn't as simple as just taking the money out or sending the money. Like a Bybit situation. They. Yeah. So you have this new market and then remember when I was talking about Solana has all these policies. That's what I'm talking about. Right. So they had to update. They. They have a threshold. They have like a, a limit on how much money can move at any given time. However, that limit can be changed by the multi sig. And so the attackers had to compromise the keys, figure out what they were going to do and then change. Create this new market and then like which. Create the new market, update the thresholds, update the parameters.
A
Yeah, yeah.
C
Otherwise they were going to be limited by what they could get out and then I guess actually execute it.
D
Right.
C
Actually get. Pull the money out. I mean, I'll say this, as far as key compromise hacks go, they had to do more work than normal. So yeah,
A
it feels unusual. It's not like there's not like a one shot. Like, yeah, this is. Yeah.
C
So that's, that's my optimistic take is like this is. This feels like progress, guys. Like we're progress, like we're evolving. We just need, you know, we need to iterate a bit more. And especially I'm gonna just say it again, like the number one risk, no matter who you are, the number one risk is your device getting malware on it. Because once it's on it, like they can do anything. And I don't know if this is malware 100, but like it is certainly looking like that's going to be what, you know, sort of at the root of this again.
A
So. So this is, this is the second time that Drift has been hacked as well. I think there were. There was like a 2022 vault draining, like similar vault draining issue where collateral was inflated and. And money was taken out. So, yeah, it's not. Not amazing. Not amazing. I think the interesting thing, this definitely doesn't feel like a vibe coding. Like, this is not like a hack. There's a key compromise. Right. Like they didn't find some exploit in the programs that allowed them to like they've just changed parameters and made it a thing and, and you know, had. Had admin control.
C
Yeah.
D
The typical process though would be like, logically, the, the hacker, if it was me and I did this right. Like I wouldn't, you know, most of the time, guys take the 10 and like, are stoked.
A
Right. Usually how that Goes, yeah, okay, I'm sure they'll try to offer a bounty, but, you know.
C
Yeah, and they should. And they should. I mean, they should secure everything first. That's how these things work. Secure first, secure, prevent loss, limit. Right? Then sort of collect your wits about you. Then, you know, figure out what you're willing to offer and what, you know, if.
D
If it's even zero's approach here, just offer 20 million bucks if you have the money. If it exists. Like, if the whole, you know, if there's a compromise that can ruin your entire business and draw it down to 0, take 80 balance sheet and throw it off as a bounty, bro. Yeah, yeah. Better.
C
We try to. So I think one thing that. That people, I guess, don't quite understand is, like, there's two type of. Of hackers in the world. Like, those who are gonna negotiate and, like, that it's even possible, and those who just cannot. If. If the hacker is someone who is, like, willing to negotiate, then everything's on the table. In most cases, like, they're just not. And so, like, in the case of DPRK, it's not because DPRK is, like, special. Like, no, they're humans, too. Like, you can totally try to negotiate with them. The difference is that DPRK operates as, like, an organizational unit with hierarchy. And so the people that you need to approve the returning of the funds are not necessarily the people that you're speaking to and are not necessarily even, like, looking. Whereas with, like, a DeFi hacker, it's all one and the same. So if you can convince your hacker, right, then you can maybe get the money back. So it'll be interesting. It'll be interesting to see what comes here
D
with these hackers, though.
A
I'm sorry.
D
Sorry for keeping this like a. Choose your champion, like Kane. Do you have a hacker that's just better than anyone else? So if this guy came and. And he. And he hit you, you know, let's say, just theoretically, let's say, let's say infinite.
A
Stop.
D
God, right? Do you have a guy that you can call and be like, look, man, millions on the table. Find this.
A
So, so. So I've got a few. I've got a few people that I would probably call in that situation. And again, you know, I don't have any paratroopers that are going to be willing to, like, airdrop themselves to North Korea, unfortunately. So if it's DPRK, then, like, I might be going behind enemy lines, depending on how big it is. Which, like, you know, if it was big enough, I probably would. You probably find me, like, sneaking across North Korean lines and trying to get. Get these guys. I. My friend who's over there, I think I could probably compromise him, and he. He wants to become a life coach. I'm like, that's my angle, right? Is. Is compromise that guy and. And. And say, I'll. I'll smuggle you out, but you got to get me in first, so I will.
C
By the way, I would. I would love to see, like, the Kane. The Kane. DPRK guys, life coach business arc play out. Like, that would be, like.
A
It would be amazing, right?
C
The highlight of my life, bro.
A
Yeah.
D
Yeah.
A
So. So, yeah, that's my. That's my angle. I would. I would definitely reach out to him and be like, all right, let's. Let's figure out, like, I'll get you out of there. We can do this. So. But, yeah, I think that, you know, they're. They're definitely people who help in these sorts of situations, for sure.
C
Yeah. Yeah, that's. That's what I do, guys. That's why I'm in a freaking hoodie right now. Look like a mess, literally. So if you come to SEAL. I'll just show it. SEAL 911. It's literally. It's like, 50 people who are just, like, super experienced in all different things. I'm one of them. I'm not on every incident, and I'm not capable of being on every incident, but some incidents, I'm so on, because I'm good at that. But then if it's, like, smart contract stuff, like, we have, like. Like, samczsun is. He just, like, knows smart contracts so good. We have a whole bunch of them. Like, all the guys that.
D
Hey, are you a part of the infamous SEAL Team 911 or.
C
Yes.
D
No, we're on the. Yeah, we're on. We have a podcast with a name.
A
With a seal. Yeah, yeah, yeah. No, of course she's. Of course she's in there.
C
This is. Yeah, I spend way too much of my time in there.
D
Okay, so, girl, I'm calling.
C
Something happens. But also, like, we have, like, if you could just get, like, phished, you get drained. Something sus is happening. Like, dude, there. We have so many different people in there. It's not just, like, the smart contract guys or the malware guys. It's like, we have tracing people. We have the phishing people, the people that are, like, deep on the drainers. There's so many different people. And so if you ever literally, anyone listening to this, if you ever, like, need help with anything that's like slightly security plus crypto, like, you need guidance on where to go or something bad happened and you don't know what to do. SEAL 911 is literally. It's like just a group of people that respond.
A
Like, the odds that you have anyone better than SEAL 911 is zero. You just don't. Like, even if you think you. You're like, I've got a guy who really knows security. You don't have that guy.
D
Or how does that work?
C
We're donation based, so you have to donate to us. Otherwise we have to get real jobs.
D
Do you guys have donations or is
C
this like a. Yeah, yeah, I have. I'll link it. There's. There's like, there's a donation address. You can just like send money. The address or we. There's like a page. I'll find it. There's a page somewhere that you can donate to, like in, you know, whatever ways you prefer.
D
Donation. Send me the. Send me the link.
C
All right, deal. Let's go. Yeah, and then I'll save. I'll save your butt, Luca. When. When something bad happens, I'll be here
D
for you, God willing. It doesn't ever happen, but I will say to this point, K, I'll give you guys your flowers. I mean, to, to Kane's point, you guys are spoken about through the dev circles extremely highly. So kudos to you guys for saving the space.
A
Yeah, I mean, we are so lucky that this is like such an interesting coordination problem, right? Like, there was a period of time where, you know, I would end up in war rooms, right? And like, I was not the guy that you wanted in a war room. Like, what the fuck am I going to do, right? But people would be panicking. Like when bZx got hacked for like the seventh time or whatever, I was in there. Like, I've been in so many of these. And like, you know, what would happen is you would be lucky if there was like one person who had some idea what was going on. Like, you know, when. When samczsun sort of stepped up and started to like, you know, save the world, basically. Like, you'd be lucky if. If he landed in there. And then the goal was like, know someone who knew him to be able to pull him in quickly enough to kind of try and help you. Like, that was like the early approach to this. And then I remember Mehdi from Sigma Prime was like, hey, we're like getting a posse together. And I was like, oh, that's a good. That seems like a good idea. And. And yeah, it's pretty crazy that. That this even exists, like, as a coordination problem. Like, it was really hard to know who to talk to when you're panicking and the world is on fire. And now it's like, at least there's like a very obvious thing, like, go and hit these guys up and they will. They will almost definitely be able to help you.
D
And there's a business out of this. You guys need to create like, a security engine. I feel like, as these cases.
C
Oh, okay.
A
Build like a.
D
No, I'm serious. This is like full SaaS business for
A
you guys that I feel like it's
D
super proprietary to, like, the skill set and then just be like, the security
A
and they're all too rich. Luca, that's the thing.
C
Yeah, I am. I am. I. I. There are. There are people in SEAL 911 though, that, like, I'm like, you should like, I'm not going to say this because, like, they should be there because, like, they. They help. Like, we need them.
A
Yeah, yeah.
C
They are not like, OG crypto. Like, I. Yeah, definitely. The donations are definitely appreciated. And it helps. It mostly helps because you have to find the balance, right? You have to find the balance. Like, this is. It's 100% volunteer. Even those people who have, like, jobs that they're working, they're dedicating, like, they're pulling themselves out of that job to, like, do like, three hour shifts or four hour shifts every day or every night or whatever, or to just be on call for emergencies. And that's in addition to their work. And so they're, you know, it's.
B
It's.
A
It's.
C
It's a huge amount of effort and stress. Like, there's only certain types of people that. That do it. And I'm. One reason I'm so grateful SEAL 911 exists, though, is that it used to be that if I got put in a war room, I did not have a choice. Like, I. It was like, okay, drop everything, right? Drop everything and help these people. Because, like, who else is in this room? I don't trust anyone in here. I don't know anyone in here. They're a mess. They need help. Now when they come to SEAL online, if I'm like. If I'm, like, literally driving or like, with my daughter, I don't have to respond because there's so many other people who will. But then in return, when I, you know, like, I was sitting outside enjoying the sun and then the Drift thing happened. I. I'm gonna join that room. Right? And so that's how. That's sort of how the, like, scheduling works, is like, you all. You'll do it when you can, but you don't have to do it when you can't.
D
Is there like a. Yeah. I mean, like, do I have to pass a test to become a seal?
C
You have to be certifiably insane. Luca,
D
like, the negotiator on behalf of the seals. If you needed somebody to go in.
A
Yeah.
C
All right. Next time. Next time we need a negotiator, let me all try to pull you in.
D
This penguin guy, a little disarming the Penguin guy.
C
Yeah.
A
100%. Yeah. Like, get Luca in here.
D
They'd probably be.
A
They'd probably be flattered. If it's not DPRK, they'd be like, oh, I get to speak to Luca. That's. Yeah, that's a good deal.
D
Luca comes in, I might do a deal here.
C
I got you, but you gotta give the 200 million back.
A
Yeah, we'll get you some. We'll get you some pudgy merch if we can close this deal. Let's, let's, let's, let's do a deal here, guys. Let's. Let's close this out. I love it.
D
Convince someone to take 20 instead of 200.
A
I'm very confident.
C
All right. I'm serious. Next time there's an opportunity, plug me in.
D
You have my phone number. Like, I would love to do it.
C
All right.
A
Okay. Let's go to ads, and then when we come back, we're going to talk about Claude Code source leak.
C
Yes.
B
World infrastructure shifts of the century. New technologies are using more energy than ever before. But our legacy grids can't supply the demand. And we are barreling towards a global bottleneck. So Fuse is rebuilding it. The energy network is an intelligent, decentralized grid that coordinates smart devices to balance supply and demand. The network harmonizes existing infrastructure, increases grid capacity, and unlocks low cost clean energy. Energy dollar is the native token of the network. The more electricity the world needs, the higher the demand for the energy network. The value of energy dollars may fluctuate. From one of Europe's fastest growing energy startups. Follow at Fuse Energy on X to find out more. Multichain Advisors is an emerging technology growth firm that has helped create over $50 billion in enterprise value for more than 80 clients like Pyth, Moonpay, Commerce and Wormhole. They've worked with some of the largest and most impactful companies in the space. They're the partner you want when you're navigating markets and trying to break out from the noise. They help navigate TGEs, go to market, BD and partnerships, capital markets, advisory, PR, media placements, KOL activations and more, driving execution from launch to scale. Their results are measurable. To learn more and start building real traction today, visit multichainadv.com
A
all right, and we are back. So Claude Code source leak. This happened yesterday. Speaking of like I was at my kids running event, their cross country event and I was like, what is happening? Like this is crazy. So the, the source code in Claude Code was leaked. I saw something but I this didn't. I didn't have a chance to confirm it. But it seems like maybe the code was sitting there for like three months, checked in and no one noticed, which is like a level of like security through obscurity. That is kind of wild. So, so that there seems like there were a couple of things that happened here. There were like a couple of bugs. But also maybe someone was using Sonnet that should have been using Opus and Sonnet was like, oh, this seems like a good thing to do. And just checked in the code. So. So yeah, there's already people that have like taken this and like rebuilt it, like built their own forks. Like it's been ported to Rust. Someone had a, there was someone who had a pretty interesting comment calling it a code laundering factory. And they were like, it's funny that the code laundering factory is being code laundered right now. Which I thought was, was kind of hilarious. So I think there's, there's a couple of like threads here that we can, that we can pull on. One is agents are dangerous. Like so dangerous. Like this is crazy. The people who should be like the absolute best at wielding agents and, and this is like there's a tension here, right? Because on one hand they are the best clearly at wielding agents and they're just YOLO moving so fast. And you can see it in the code. Like when you look at this code I was saying before we, before we went live, it is exactly what you would expect. It's like just like shit thrown in a bucket in a crazy wild. But the best code. This is some of the most valuable code in the world that has been written by agents at an insane pace and is so cobbled together and slop filled and yet it works.
It's like, it's like this is the new reality of like the world that we live in. And you know, Boris Cherny was on the Y Combinator podcast this week. And he was like, there is not a single line of code in Claude Code that is more than six months old. And. And it's now, like, 14 months. So just, like, let that sink in for a second. So on one level, I'm like, this guy's a mad genius. I love it. And then the other part of me is, like, that is the most petrifying thing I've ever heard of. Like, it is so unstable as a code base that there's nothing left. Like, how could anyone possibly reason about this? And the answer is, clearly, they. They kind of can't, right? And, you know, yeah, like, I just. I don't know. It's. It's. It's pretty. It's pretty crazy. The. The second thing I think is that this is not even, like, that big of a deal. Like, the, like, the fact that the code is so ephemeral, like, in three months time, it'll be a totally different code. Like, it's actually, like, back in the old days, right, the value of code was so high because it was so expensive to do it, that if you built the best code base in the world, which at the moment, arguably, Claude Code has got to be top 10, right? The effort of building that and the effort of, like, you know, maintaining that would be so high that, like, it's just incredibly valuable. And yet here we are. It doesn't even matter. It's, like, not even that big of a deal.
C
Okay, what is what got revealed in the code, though? Or by this leak? Like, what was, like, the juiciest thing that you saw? Because I have not gone through it, Kane. I am. I've been busy and I'm sad, but, like, I've been reading it a bit, and it seems like it's so exciting. But nobody has said, like, this is the thing that. Whatever.
A
I think it's one of those things where genuinely there's too much. There's too much that, like, is in there. There's weird little nuggets of, like. And also, it's. It's hard to reason about. Like, no one has yet really, like, the fun. The fact that it's been ported to Rust before anyone knows what it does is, like, such a sign of the times that I just don't even know what to say, right? But there's been a bunch of little things that have been really interesting. Like, little. The way that. The way that tool use works in there, the way that they have these loops, the way that the token caching works. They've got all these token caching efficiency things. Yeah, it's, it's, it's pretty crazy. Like I think it will take a little while for, for this to get kind of fully deconstructed. There's been a couple of postmortems of people that have been like, here's everything that's in there. But, but yeah, it's, it's again, it's like, it's what, like imagine if the source. Imagine if in like 2004 the source code of like Microsoft Word got leaked. Like it would be. And I'm sure that like something like this has happened in the past. Right? But like code used to be so much more valuable. Like the fact that we're all just like, like, like what's, what's interesting in there, not like what is the business impact is, is a bit crazy to me. But again, like if they can't figure out how to keep their agents under control and not check in their entire code base and have it be sitting there for three months, what hope does the mere mortal team have?
C
So yeah, you don't. But I mean, right, like the, the story here is it's the source code, not, not the way all access to all of Anthropic as an organization. The weights are not there. Like secrets, I guess are not there.
A
No, it's just, it's like. So the interesting thing is this is their harness, right? Like Claude Code is just a harness. The model, like the Claude model, Claude Opus, Claude Sonnet, like that. If, if the weights were leaked, that would be a different story, right? China, China was paying however many tens or hundreds of millions of dollars to try and these large scale distillation attacks where they go and interact with the model a bunch and try and work out what it's doing. So there's a bunch of industrial espionage things that have been going on for people to try and get the weights of the model. The value of the value of Anthropic is based on the models, not on this harness.
D
But
A
arguably there is like a symbiotic relationship where like everyone's using Claude Code because it is the best harness for coding at the moment. You know, OpenAI is way behind. Interestingly, OpenAI from a model perspective, Codex 5.4 is a better model than Opus 4.6. It just is. It's better. They've tweaked it, it's faster. It doesn't do the nonsense that like earlier versions of Codex were doing. It's much, much better. But the Codex harness is like definitively worse than the Claude Code harness. The interesting thing is now you can have a situation where you can use Codex inside of the Claude Code harness because people have already hacked it. So you can just plug any model in, including local models. So, you know, the, the, the agentic coding stack, right, is made up of a bunch of things. At the very bottom of the stack is this ball of math. The math ball is like the thing, you know, the weights, the training, the training data. That's the thing that like costs like billions of dollars. And like giant, you know, data centers to produce is like the math ball, right? So as long as the math ball is secure, you're kind of okay. Then above that you've got like the system prompts and the fine tuning and all of the like layers on top of it that the, the frontier labs add to make it do things. Right? Now one of the interesting things is you also have a system prompt inside of the harness, right? And so people have been reading the system prompt and it's quite hilarious. Like, we should, we should try and pull out some of the, the things here because, like, some of it, like there was someone who was like, it literally just like repeats over and over, like, don't do illegal things. It's like say it like 10 times and it's, and it's actually hilarious because like the state of the art of stopping a model from doing bad stuff is say it as many times as you possibly can.
And like, clearly this brute force approach of like just everywhere, just keep reminding it, don't do illegal stuff is like the state of the art of like getting them to not do illegal stuff. So, so probably one interesting thing is once you know what the system prompt is, it's much easier to circumvent it. And so, you know, this, this will. Now we've, we've seen earlier Claude Code system prompts like, this is like the thing that sits right above the ball of math, right? Get leaked. There was one that got leaked like a year ago. It was like 300 pages of like, you know, it's like a spell, it's like invocations of like, hey, math ball, don't do this stuff, do this stuff, whatever, right? So, so you have that and then you can take a model and it's. And all of the like reinforcement learning, fine tuning, all the stuff that's happened. You can take that model and its system prompt and you can use it raw without anything. You can literally just talk to that thing and ask it to do things and it will not be able to do much because it doesn't have access to tools. It doesn't. It could from first principles work this stuff out, but you have to put a layer on top of the model itself that gives it all of the things that it can use to actually do stuff like writing scripts and doing git commands. It needs to know all of that stuff. It needs to know how to do it, why to do it, when to do it. All of that is basically what's in Claude Code. It's what makes it really good. Arguably you take the lessons from this thing and you know, one, one interest. One interesting thing about this is that each model is quite idiosyncratic. Like they're, they're quite idiosyncratic in terms of like what prompts work on them because the mo. The math ball at the bottom is like completely inscrutable. No one has any idea how that works. Like it's like no one in the world who understands what the fuck these things are doing in the ball of math, right?
It's like literally just like from iterative testing and poking it that you work out how it works. The system prompts and all of these harnesses and all of the tool use and all of that stuff is quite different for different models. Different models have different needs and personalities and stuff. You can take different models and plug them into a different harness and they work quite differently. It's not like very like, you know, deterministic thing, unfortunately they're quite, quite stochastic. So what will be interesting I think is everyone taking all of the tricks and their tricks, right? Because they're hard earned empirical data that people have been able to kind of extract from interacting with these models. You can take those tricks and you can apply them to an open source model. Now like all of the tool use, the harnesses, the loops and all of the things that Claude Code has done. And so arguably this would be very good for open source models because they will get much better as people figure out how to apply all of the hard won learnings. But the kind of, I guess, frustrating thing in building harnesses is one of the most frustrating things because every three months everything you've done gets invalidated by the new model. And my guess is that Anthropic will release a new model very soon, like in the next week. That's my hot take because that model will probably invalidate all of the random shit that was inside Claude Code because it'll just do things in a very different way and react to things in a different way and they probably have a different version of Claude Code that's already been kind of fine tuned for this new model. And interestingly, we saw the leak of that, right there was the Mythos leak where they accidentally put up the website of like, here's this new model coming. So. So yeah, my guess is that we will see.
We will see some stuff happening over the next couple weeks and then as soon as Anthropic does a new model, then OpenAI is forced to respond and then, et cetera, et cetera. So, yeah, well, it should be. It should be a fun couple of weeks from here, I would say, based on the fallout of this situation.
C
Okay, that was amazing. This is amazing. And yeah, I think you're probably right that if you can just change like the model, make all this, like, slightly irrelevant. However, I think there's going to be a net. There's like a net benefit for the world here, right? Because all these different people who are trying to build things and like build really awesome tools. Being able to just have this insight even if you can't copy paste it, right? The insight is like remarkable.
A
We don't call it copy pasting. It's code laundering now.
C
That's the new.
A
That's the new term. But like, okay, so. So like genuinely though, right, you can point an agent at this code and especially an agent with like a million context window, right? Because there's only 500,000 lines of code, it's actually not even that crazily large of a code base. You can point an agent at this and be like, do this, do this thing. And it will, from first principles, just rebuild that thing in a different language or whatever. And this is like probably one of the most weird things that my experience over the last three months has been that you're using software and it's open source software. And. One of the best open source tools that's come out in the last six months is this thing called qmd. The guy from Spotify, Toby, built it. And it's basically like a search engine for documents that you can run on your local machine. But like everything, it's like slopped together in like 20 minutes, right? And so there's a bunch of things that, like, if this were an actual piece of software, you would never build it the way that it's been built. But there's like huge gaps, right? So the other day I was using it and I was like, why can't I? You can have different collections of data, right? So you've got like a collection of like all of your coding files. You have a collection of like all of your crypto related stuff, right? But when you go to do the re embeddings, which is like basically create this vector database that the agents can search with, it forces you to re embed the entire thing. There's like no fine grained controls right now in the olden days you would just have to deal with that and it would be an annoying thing now. I literally just said to my agent, I'm like, can you just make a flag that like allows me to pick a collection? It's like, yeah, sure. And it just does it. And you just like change the software. This like, like I have no idea how any of that stuff works. 
And you can just tell it to change this open source library and like fix it and it does it. It's crazy.
C
Amazing.
A
So. So yeah, I think, I think like the, the odds that we see kind of massive improvement and proliferation in like a bunch of other harnesses based off this because there's so many little like tricks in here that will be useful for almost any harness. I think we're gonna see a bunch of people adopt some of these tricks and, and yeah, we'll get better.
D
So.
C
Awesome. Anything? Any hot takes?
D
No hot takes. Not on this.
A
We gotta get you vibe coding, Luca. We're gonna get you, we gotta get you in there.
D
I'm, you know, I'm vibe speaking is what I'm doing. Click double command. I just speak into it.
A
Nice.
D
And it's starting to. And I've got Terminal set up. Look, I'm, I'm. I just, I need to do what I'm good at, right? And like I'm not going to go into an arena that I'm not necessarily. But I have all of my guys around me becoming super experts. So as long as I can project and articulate the idea, my guys, like I have like a little setup in my house with a couple guys who just come here every day and I can delegate accordingly because I tried to do it and then I read and then I read a book that like really aligned me in something that like I didn't really like be. I wasn't really honest with myself, which is like, just do what you're really good at. I've something with numbers and, and words on screen. It's like a form of dyslexia. I don't really think it's dyslexia, but I start to get confused after a certain point and I've never been able to like train my brain around it. So I, I have Terminal. I have actually deployed an app. So I've gone as far as doing that.
A
Nice, right?
D
An Icebreaker's app, actually a Pudgy Penguins app that does a couple of things, but I'm going to leave it to guys who are a lot brighter than me. And as long as I keep the mind sharp and articulate what I want, I think that's going to be. That's my superpower.
A
Yeah, I think so. So one thing that has been really interesting in the way that we've, we work internally now is this idea. My, my head of engineering kind of coined this term of like shifting left, right? And what, what he meant by that or what he means by that. And I kind of interpret it however I feel like, because that's like, that's
D
not what I meant.
A
I'm like, no, no, it is like, it's what, it's what it is now. So, so basically the idea is that you used to have to have an ability to like understand the code itself, right? Like there had to be a shared kind of mental model amongst the engineering team of like, what does the code do, right? What does the code do? Why does it do it? What are the patterns? And if you didn't have that shared mental model, you wouldn't be able to work as a team effectively. And so like one of the goals of like a head of engineering was making sure that he kept that mental model of like how the code worked, why it worked, like stable, as stable as possible. And so now because humans aren't writing the code, you have to shift away from this idea of a mental model about the actual code itself and more about the planning around the code, the intent behind the code. And so this idea of shifting to planning. Now the interesting thing about that is that actually makes your life much better, you as a non technical person, because you know, planning, you know what you want to happen, right? And so the question is, how do you now instead of defining what the product does in code, you define it in a plan. You define it in like a set of like requirements and like user stories or whatever. And it's like as a user, I want this thing to do this. You can hand an agent that user story and it will cook on that easily, right? So you can actually kind of collapse the, you know, it used to be, you walk in a room and be like, guys, let's go do this thing, right? And then someone would have to translate your, this thing into like a spec. And then someone would have to translate that into code and then the code would have to be deployed. Now, like it's all been collapsed into like just a magical box and you can say, hey, I want my users to be able to do this thing. And it's like, sure thing, it's done. And you're like, okay, cool, what's next?
D
Kane, do you know your archetype?
A
No. No. You should study this.
D
It actually is a huge game changer. Mine is an INTJ, so I'm an architect. So it's no better time to be an architect. Filling in the gaps of the architecture of the plan is easy. But Kane, to this point actually my last piece of alpha that I'll, that I'll give this conversation on this specific day, but understanding each one of your employees' archetypes because you'd be surprised how addressing problems in different ways can get to the end conclusion a lot easier. So for example, I'll throw Peter under the bus. But Peter is a very ego driven archetype. I won't share his archetype but basically you can't tell him something sucks. So I'm super pragmatic. I'm like, that fucking sucks. But it's down, right? So understanding his archetype, you've got to kind of like lead him to the problem, right? Versus like other archetypes you can like. It's fucking sucks. And they'll be like, okay, it fucking sucks, I'm sorry. But they, they, you know, they'll adjust to the problem. And I found that in the scope of 16 archetypes you'd actually be surprised. Like our whole organization and our leadership and how we actually address problems internally completely changed. We hired some girl from McKinsey to teach us how to be executives. And that was one of her exercises
A
and it was one of the best
D
exercises we ever did internally. So something to share for all the entrepreneurs listening. Know your employees' archetypes and address problems around their archetypes or address things, whether they're problems or solutions or plans, based around their archetype because different people process differently. Like for example, I have this like high throughput, you know, motivational, like passionate way that I speak. Devs hate that they listen to me. They're like, this guy is the fucking worst. I come off like a charlatan to these guys. So now I just like, I actually came to the conclusion that I just can't speak to devs. Lorenzo speaks to devs, right? The organization. But it's interesting because you just, you find that these little structures on how people's brains are built are actually like a root of so much on how your organization functions. It was actually one of the most fascinating things I found at my time at Pudgy.
C
No, it's. Yeah, because it. It reminds you that, like, your brain is different than other people's brains, which is so easy to forget. And, like, then you just, like, really
A
easy for you to forget that if you're autistic.
C
Yeah, but, yeah, my dad used to describe it as, like. It's not so, like, you have, like, doctors, like, neurosurgeons, right? Like, really high. Like, like, their brains are next level. The nurses are. Are not just there to, like, do the grunt work. Like, a lot of people think, like, that's like, this much of their job. The majority of their job is, like, translating the huge gap between, like, the patient and the doctor. And doing that, it actually unlocks the doctor to, like, basically allow them to be, like, super smart and, like, operate on brains or whatever. And then it also, like, allows the patient to, like, be a patient and not have to, like, be worried because the doctor doesn't know how to communicate.
A
You're going to die, but not today.
C
And so, like, the. Like, that was, like, a really helpful analogy for me because it's like. I don't know. A lot of times people think it's, like, for someone else or for some. No, every. There are so many situations where everyone benefits by allowing people to, like, do the things that they are best at and not making them waste their time at things that they're not best at.
A
Awesome. All right, I think we can wrap it up here. We're coming up on time, so.
C
Oh, yes. I gotta go.
A
You gotta go back to the war room.
C
Yeah.
A
All right, I have. Oh, there we go. That's it for this episode of Uneasy Money. If you enjoyed the conversation, follow the show on the Unchained feed on X and subscribe. Wherever you listen to podcasts and if you're watching on YouTube, hit subscribe and drop a comment. It really helps the show reach new people. It's been fun, guys.
C
Awesome. Bye.
A
Sa.
C
It.
Episode Title: How State-Sponsored Hackers Like DPRK Drain DeFi Protocols: Uneasy Money
Date: April 6, 2026
Host: Laura Shin (not present in episode), featuring:
This episode dives deep into the high-stakes world of DeFi protocol attacks, focusing on the recent $250M+ Drift Protocol hack. The panel unpacks the tactics of state-sponsored attackers such as North Korea’s DPRK, discussing how they target open-source developers, leverage supply chain attacks, and exploit composability in DeFi systems. The episode also covers the repercussions of such incidents, strategies for minimizing risks, and the response coordination within the crypto security community. In the latter part, the group pivots to analyze the sensational Claude Code source leak in AI, exploring its implications for software development and the evolving practices of building and sharing code in a world increasingly driven by agents and automation.
"You have to imagine as an open source maintainer that you are so much more susceptible. ...They're just not used to the kind of adversarial world..."
– Kane Warwick, [05:02]
"When you authorize a token and save to your computer, that token is basically what you use to access these things for however long...If your computer is completely compromised the way that DPRK compromises computers, that token, they take that token and they reuse it."
– Taylor Monahan, [07:05]
"With DPRK they almost always have what we call a heartbeat ping....your device pings out every 60 seconds and asks if there's anything. Yo DPRK, anything you want me to do?"
– Taylor Monahan, [15:51]
"The odds that you have anyone better than SEAL 911 is zero. You just don't...."
– Kane Warwick, [42:20]
"We don't call it copy pasting. It's code laundering now."
– Kane Warwick, [64:40]
"Claude code is just a harness. The value ...is based on the models, not this harness."
– Kane Warwick, [56:38]
| Segment | Start Time | Key Themes |
|---|---|---|
| Intro & Drift Hack Overview | 01:01 | Hack details, real-time analysis, speculation (DPRK link) |
| Tactics of DPRK & Supply Chain Attacks | 02:33 | Social engineering, open-source risks |
| How Malware Gains Persistence | 07:05 | Developer tokens, heartbeat pings, advanced malware |
| Preventative Security Tips | 11:34 | Pin dependencies, hardware hygiene, EDR vs AV |
| Mac vs Windows: Modern Malware | 17:02 | Mac-focused threats, platform nuances |
| Real-World Case Studies (VC loses $2M) | 23:27 | Business email compromise, systemic risk |
| Attack Mechanics: Drift Protocol | 31:40 | Admin key compromise, contract parameter changes |
| Contagion & Defensive Composability | 26:50 | Jupe Lend, protocol design, composability |
| Asset Freezing (USDC vs Tether) | 28:34 | Legal standoffs, philosophy behind freezing funds |
| Security Communities and Response (SEAL 911) | 40:45 | Coordination and response model for hacks |
| AI Interlude: Claude Code Source Leak | 49:35 | Code leak, security philosophy in agentic world |
| Harness vs Model: AI Security Implications | 56:38 | Importance of model weights, ephemeral code |
| Organizational Takeaways: Archetypes | 71:35 | Communication, team management, knowing strengths |
| Wrap-up | 75:15 | Reflections, final tips |
This episode offers a vivid and accessible “from the trenches” look at how state-level and opportunistic hackers target DeFi and crypto ecosystems. It emphasizes the human angle—maintainers as weak points, the difficulty of perfect defense, and the irreplaceable value of rapid collaboration (as embodied by SEAL 911). The panel’s technical depth, war stories, and humor make this essential listening for anyone interested in crypto security, DeFi, or the changing landscape of AI-powered coding and software development.
For crypto and Web3 builders, the message is clear:
Remain vigilant, invest in endpoint security, don’t rely on legacy platform wisdom, foster organizational awareness (archetypes matter!), and know who to call (SEAL 911) when things inevitably go sideways.
As the AI segment underscores, expect constant, chaotic evolution—and be ready to adapt.