Unchained Podcast: Uneasy Money
Episode Title: How State-Sponsored Hackers Like DPRK Drain DeFi Protocols: Uneasy Money
Date: April 6, 2026
Host: Laura Shin (not present in episode), featuring:
- Kane Warwick (A)
- Taylor Monahan (C)
- Luca Netz (D)
Episode Overview
This episode dives deep into the high-stakes world of DeFi protocol attacks, focusing on the recent $250M+ Drift Protocol hack. The panel unpacks the tactics of state-sponsored attackers such as North Korea’s DPRK, discussing how they target open-source developers, leverage supply chain attacks, and exploit composability in DeFi systems. The episode also covers the repercussions of such incidents, strategies for minimizing risks, and the response coordination within the crypto security community. In the latter part, the group pivots to analyze the sensational Claude Code source leak in AI, exploring its implications for software development and the evolving practices of building and sharing code in a world increasingly driven by agents and automation.
Key Discussion Points & Insights
1. Drift Protocol Hack: Real-Time “Active Mortem”
- The Hack: A devastating exploit on Drift, causing over $250M in losses. The team discusses details still emerging just hours after the incident.
- [01:31] Kane: “It's not really a postmortem yet. It's like an active mortem... We'll do our best to unpack it but this is all like somewhat in flight.”
- Attribution: Immediate speculation about DPRK’s involvement, paralleling the recent Axios supply chain attack.
- [02:22] Kane: “We think that this is probably... I think it's DPRK, right?”
- [02:33] Taylor: “I can't attribute publicly like this... The timing feels sus... But a lot of times with these things, it's a bit more complex.”
Supply Chain and Social Engineering Tactics
- DPRK hackers target open-source maintainers via phishing and compromised video calls (Zoom, now often Microsoft Teams), persuading victims to run malicious commands.
- [04:34] Taylor: “Now more often it's... a Microsoft Teams call, but it's exactly the same. The exact same flow we usually see in crypto.”
- The insidious nature: Maintainers often don’t notice the compromise until weeks or months later—until it's too late and their code/library is weaponized.
- [10:34] Taylor: “You don't immediately see anything happening... You wake up one morning in the future and, like, things are just wrecked. And...the notifications are other people telling you...not you yourself.”
Technical Deep Dive into Malware Persistence
- Even advanced security setups can be bypassed: once an attacker has the developer's saved access tokens, MFA and device-level defenses no longer help, because the token itself is the credential.
- [07:05] Taylor: “If your computer is completely compromised...that token is basically what you use to access these things... They can just use that to basically literally be you.”
- Advanced malware like DPRK’s is “Mac native,” often undetectable by standard antivirus, and characterized by “heartbeat” pings to await attacker instruction.
- [15:51] Taylor: “With DPRK, they almost always have what we call a heartbeat ping... Every sixty seconds, it asks if there's anything you want me to do.”
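The "heartbeat ping" Taylor describes is a detection opportunity for defenders: an implant that checks in on a fixed schedule produces outbound connections with almost constant inter-arrival times, which ordinary browsing and build traffic do not. The following is an added example (not code from the episode or from any tool the panel mentions) that scores each source/destination flow in a constructed connection log by the regularity of its timing. The log format (timestamp, source host, destination, port) and the thresholds are assumptions; real input would come from an EDR, proxy or firewall export.

```python
"""Flag fixed-interval "heartbeat" beacons in outbound connection logs.

Added example, not code from the podcast. The log lines are constructed and
the field layout (timestamp, source host, destination host, port) is assumed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: dev-macbook-1 reaches an unknown IP every 60 seconds,
# interleaved with ordinary, irregular traffic to developer sites.
SAMPLE_LOG = """\
2026-04-06T09:00:00Z dev-macbook-1 203.0.113.77 443
2026-04-06T09:00:12Z dev-macbook-1 github.com 443
2026-04-06T09:01:00Z dev-macbook-1 203.0.113.77 443
2026-04-06T09:01:41Z dev-macbook-1 registry.npmjs.org 443
2026-04-06T09:02:00Z dev-macbook-1 203.0.113.77 443
2026-04-06T09:02:35Z dev-macbook-1 github.com 443
2026-04-06T09:03:00Z dev-macbook-1 203.0.113.77 443
2026-04-06T09:04:00Z dev-macbook-1 203.0.113.77 443
2026-04-06T09:05:00Z dev-macbook-1 203.0.113.77 443
2026-04-06T09:06:00Z dev-macbook-1 203.0.113.77 443
2026-04-06T09:03:17Z dev-macbook-1 github.com 443
2026-04-06T09:05:50Z dev-macbook-1 github.com 443
"""


def parse_log(text):
    """Parse whitespace-separated lines into (timestamp, src, dst, port)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        # fromisoformat() only accepts a trailing "Z" on Python 3.11+, so
        # normalise it to an explicit UTC offset first.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, src, dst, int(port)))
    return events


def find_beacons(events, min_hits=5, max_jitter=0.10):
    """Return [(src, dst, port, interval_seconds)] for flows whose gaps between
    connections are nearly constant.

    max_jitter is the allowed coefficient of variation (stdev / mean) of the
    inter-arrival times. 0.10 tolerates a few seconds of jitter on a 60 s
    beacon while rejecting human-driven traffic, whose gaps vary widely.
    """
    flows = defaultdict(list)
    for when, src, dst, port in events:
        flows[(src, dst, port)].append(when)

    findings = []
    for (src, dst, port), stamps in flows.items():
        if len(stamps) < min_hits:          # too few samples to judge rhythm
            continue
        stamps.sort()                        # log lines may arrive out of order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            findings.append((src, dst, port, round(avg)))
    return findings


if __name__ == "__main__":
    for src, dst, port, interval in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst}:{port} every ~{interval}s")
```

On the sample above only the 203.0.113.77 flow is reported (seven hits, sixty seconds apart); the github.com traffic has too few hits and irregular gaps. In production the same scoring is usually combined with destination reputation and with the process that opened the socket, since legitimate software (update checkers, telemetry) also polls on a schedule.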
Practical Defense Strategies
- Pin your dependencies and avoid immediate auto-updates.
- Adopt dedicated, air-gapped hardware for sensitive tasks.
- [16:40] Kane: “If you're in crypto and you have raised significant money and you do not have a pile of MacBooks sitting around that you are rotating through...”
- [14:07] Taylor: (on antivirus) “If you have significant amounts of crypto...the answer is CrowdStrike.”
Attack Surfaces: Mac vs Windows vs Linux
- Mac is no longer a safe harbor—DPRK malware is often Mac-focused because many crypto devs use Mac.
- Modern malware targets users rather than a particular OS, exploiting whatever device developers most commonly use.
- [17:57] Taylor: “DPRK is probably one of the most sophisticated in what I would call Mac native malware. They write their malware just for Macs because all the crypto founders use Macs.”
2. Real-World Attack Stories & Scams
- Man-in-the-middle & Business Email Compromise:
- Example: A VC lost $2M USDC due to a subtle man-in-the-middle after a malicious email thread.
- [23:33] Luca: “One of the VCs actually got hit with a man in the middle attack. So they sent us $2 million... they sent a dude in Nigeria $2 million in USDC.”
- [25:03] Taylor: “It's called business email compromise... When push comes to shove...the [account] switches. They do it with banks, too.”
- Phishing Warnings:
- Merely clicking a phishing link is not usually catastrophic, but subsequent steps (e.g., accepting signatures, copy-pasting into Terminal) amplify risk.
- [19:41] Taylor: “Usually it's more than clicking...It's not necessarily like an exe...but usually...downloading a command and running it.”
User Safety Recommendations
- Always verify URLs, especially after time away from the space, when the muscle-memory "skeptical brain" may not kick in.
- [21:47] Kane: “I click the incorrect link, open it up, looks like D Bank, I start going through, click Connect wallet...I was so close to pressing it. And then...no, no, no, this is wrong.”
- Pin dependencies, delay updates, and use policies requiring minimum code age before deploying to production.
- [13:34] Kane: “In our repo...if something's less than seven days old, you can't actually have it in there at all.”
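Kane's seven-day rule is a concrete policy that can be enforced in CI rather than relied on as a habit. The following is an added example (not the panel's tooling or any real registry client) of a lockfile check that rejects any pinned version published less than seven days before the build and suggests the newest version that does satisfy the policy. The registry metadata and lockfile are constructed; in practice the publish timestamps would be fetched from the package registry and the pins read from the project's lockfile.

```python
"""Enforce a minimum age for dependencies before they may enter a lockfile.

Added example, not code from the podcast. REGISTRY and LOCKFILE are
constructed stand-ins for registry metadata and a real lockfile.
"""
from datetime import datetime, timedelta, timezone

MIN_AGE = timedelta(days=7)          # the seven-day rule from the episode
NOW = datetime(2026, 4, 6, tzinfo=timezone.utc)   # fixed "build time" for the demo

# Constructed registry metadata: package -> version -> publish timestamp (UTC).
REGISTRY = {
    "http-client": {
        "1.8.0": "2026-02-20T10:00:00+00:00",
        "1.8.1": "2026-04-04T18:30:00+00:00",   # fresh release, not yet trusted
    },
    "left-pad-ish": {
        "0.3.2": "2025-11-01T00:00:00+00:00",
    },
}

# Constructed lockfile contents: (package, pinned version).
LOCKFILE = [("http-client", "1.8.1"), ("left-pad-ish", "0.3.2")]


def check_lockfile(lockfile, registry, now=NOW, min_age=MIN_AGE):
    """Return violations as (package, version, reason).

    A pin is rejected when the registry has no record of that version (it
    cannot be vetted) or when it was published less than min_age before now.
    """
    violations = []
    for name, version in lockfile:
        published = registry.get(name, {}).get(version)
        if published is None:
            violations.append((name, version, "not found in registry metadata"))
            continue
        age = now - datetime.fromisoformat(published)
        if age < min_age:
            reason = f"published {age.days} day(s) ago, policy requires {min_age.days}"
            violations.append((name, version, reason))
    return violations


def newest_allowed(name, registry, now=NOW, min_age=MIN_AGE):
    """Highest version of `name` old enough to satisfy the policy, or None.

    Versions are compared numerically as x.y.z tuples (plain semver only;
    pre-release tags are an exercise for a real implementation).
    """
    old_enough = [
        v for v, published in registry.get(name, {}).items()
        if now - datetime.fromisoformat(published) >= min_age
    ]
    if not old_enough:
        return None
    return max(old_enough, key=lambda v: tuple(int(p) for p in v.split(".")))


if __name__ == "__main__":
    problems = check_lockfile(LOCKFILE, REGISTRY)
    for name, version, reason in problems:
        print(f"REJECT {name}@{version}: {reason}; "
              f"newest allowed: {newest_allowed(name, REGISTRY)}")
    raise SystemExit(1 if problems else 0)
```

Run as a CI step, the non-zero exit blocks the merge until the pin is either downgraded to the suggested version or the release has aged past the threshold. The delay is not a guarantee (a backdoored release can sit unnoticed for longer than a week), but it gives the maintainer community and scanners time to catch the obvious cases before the package reaches production.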
3. Mechanics of the Drift Protocol Attack
- Summary: Admin key compromise (likely via malware or similar) led to protocol parameter alteration and pool draining.
- [31:40] Kane: “It seems like there was an admin key that was compromised that then locked drift out of the admin functions so they couldn't freeze the contract.”
- [34:57] Taylor: “They compromised the admin...had to create a new market, update thresholds, update parameters...had to do more work than normal.”
- [36:50] Kane: “This is not like a hack. There's a key compromise...they just changed parameters and made it a thing.”
- Safety structures like multi-sig and circuit breaker limits helped slow the exploit, though not enough to prevent it entirely.
- [35:03] Taylor: “As far as key compromise hacks go, they had to do more work than normal. So yeah...optimistic take is this is...progress.”
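The panel's "optimistic take" is that the attacker had to do extra work because the protocol's safety structures got in the way. The toy model below is an added example, not Drift's code, of two such controls a vault can enforce without depending on the admin key staying honest: parameter changes proposed by an admin are queued behind a timelock so they are visible before they apply, and an automatic circuit breaker halts withdrawals once outflow in a window exceeds a cap. The delays, amounts and parameter names are constructed assumptions.

```python
"""Timelocked admin changes plus a withdrawal circuit breaker for a toy vault.

Added example, not Drift's implementation. Delays, caps and parameter names are
assumed values chosen for the demonstration.
"""
from dataclasses import dataclass, field

TIMELOCK_DELAY = 24 * 3600   # seconds an admin change must wait (assumed)
WINDOW = 3600                # circuit-breaker window in seconds (assumed)


@dataclass
class Vault:
    balance: float
    max_outflow_per_window: float                     # circuit-breaker cap
    params: dict = field(default_factory=lambda: {"collateral_factor": 0.8})
    pending: dict = field(default_factory=dict)       # name -> (value, effective_at)
    outflows: list = field(default_factory=list)      # (timestamp, amount)
    frozen: bool = False

    def propose_param(self, name, value, now):
        """An admin key can only queue a change; it is public immediately and
        applies after TIMELOCK_DELAY, giving guardians time to react."""
        self.pending[name] = (value, now + TIMELOCK_DELAY)

    def execute_param(self, name, now):
        value, effective_at = self.pending[name]
        if now < effective_at:
            raise PermissionError(f"{name}: timelock not expired")
        self.params[name] = value
        del self.pending[name]

    def withdraw(self, amount, now):
        """Rate-limited withdrawal. Tripping the breaker freezes the vault
        regardless of who holds the admin key."""
        if self.frozen:
            raise RuntimeError("vault frozen")
        recent = sum(a for t, a in self.outflows if now - t < WINDOW)
        if recent + amount > self.max_outflow_per_window:
            self.frozen = True
            raise RuntimeError("circuit breaker tripped")
        if amount > self.balance:
            raise ValueError("insufficient balance")
        self.balance -= amount
        self.outflows.append((now, amount))
        return self.balance


def simulate_compromised_admin():
    """Someone holding the admin key tries to loosen a risk parameter and then
    drain the vault in quick succession.
    Returns (parameter_changed, amount_drained, remaining_balance)."""
    vault = Vault(balance=1_000_000.0, max_outflow_per_window=100_000.0)
    t = 0
    vault.propose_param("collateral_factor", 0.99, now=t)
    try:
        vault.execute_param("collateral_factor", now=t + 60)   # one minute later
        changed = True
    except PermissionError:
        changed = False                                         # blocked by timelock
    drained = 0.0
    for i in range(5):
        try:
            vault.withdraw(50_000.0, now=t + 60 + i)
            drained += 50_000.0
        except RuntimeError:
            break                                               # breaker tripped
    return changed, drained, vault.balance


if __name__ == "__main__":
    print(simulate_compromised_admin())   # (False, 100000.0, 900000.0)
```

In the simulation the parameter change is refused because the timelock has not expired, and the third withdrawal in the same hour trips the breaker, leaving 90% of the balance in place. A cap and a delay only slow an attacker, as the episode notes; their value is the time they buy for a multisig or a response team to intervene before the pending change goes live.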
Contagion Risks and Collateral Damage
- Composability amplifies systemic risks, but in this case, the panel feels collateral protocols like Jupe Lend are largely safe due to prudent liquidity management.
- [27:52] Taylor: “Solana...actually do have a lot of policies and controls on...liquidity mechanisms...they're taking action so hopefully they can contain it.”
USDC & Asset Freezing Debate
- Circle criticized for slow/standoffish stance on freezing stolen funds—unlike Tether’s more active approach.
- [29:05] Taylor: “They [Circle] say...we're gonna just...You have to make the US Government force us to do that. Personally, I think that's the stupidest position you can take.”
4. Security Community & SEAL 911
- SEAL 911’s Role: Top volunteer go-team for crypto security emergencies, with experts across smart contracts, malware, tracing, and phishing.
- [41:22] Taylor: “That’s why I’m in a freaking hoodie right now...SEAL 911. 50 people who are just, like, super experienced.”
- Open Invitation: If you suffer a security incident, SEAL 911 is the best starting point and is donation-based.
- [42:20] Kane: “The odds that you have anyone better than SEAL 911 is zero.”
- [42:35] Taylor: “We're donation based, so you have to donate to us. Otherwise we have to get real jobs.”
5. Pivot: Claude Code Source Leak (AI)
What Happened
- The source code to Claude Code (Anthropic’s AI agentic code harness) was found, reportedly checked in for months before anyone noticed.
- [49:35] Kane: “The code was sitting there for like three months, checked in, and no one noticed...a level of security through obscurity that's kind of wild.”
Why It Matters
- Shows how critical code—once zealously guarded—is now less valuable, as models change every few months, and the value has shifted to the underlying “math ball” (weights/training).
- [54:10] Kane: “The value of code is so ephemeral...it doesn't even matter. It's not even that big of a deal.”
- [56:38] Kane: “Claude code is just a harness. The value...is based on the models, not this harness.”
Interesting Findings in the Leaked Code
- System prompt: Heavily repetitive safety reminders (“don’t do illegal things” repeated many times).
- Agentic design: The code is “slopped together” but works; code is rebuilt constantly by agents, with no line older than 6 months.
- [49:35] Kane: “It's just like shit thrown in a bucket in a crazy wild...but the best code. This is some of the most valuable code...”
- Potential for rapid mimicry: The code was ported to Rust before anyone really finished reading/documenting it.
- Open source implication: Leaked code will boost the capability of open models, as best agentic strategies can be adopted/copy-pasted.
Quote Highlights
- [54:29] Kane: “The fact that it's been ported to Rust before anyone knows what it does is...such a sign of the times...”
- [64:40] Kane: “We don't call it copy pasting. It's code laundering now.”
- [64:08] Taylor: “There's like a net benefit for the world here, right? ...The insight is remarkable.”
6. Human Factors in Security and Organization
Team Dynamics & Archetypes
- Knowing team members’ archetypes (e.g. INTJ - architect) can radically improve communication, conflict resolution, and productivity.
- [71:35] Luca: “Understanding each of one of your employees' archetypes because you'd be surprised how addressing problems in different ways can get to the end conclusion a lot easier.”
- [73:49] Taylor: “It reminds you that your brain is different than other people's brains, which is so easy to forget.”
Role Specialization
- Maximize everyone’s strengths and let experts handle strategic functions—devs, negotiators, communicators.
- Building infrastructure for rapid, volunteer security responses (like SEAL 911) is key to ecosystem safety.
Notable Quotes & Memorable Moments (with Timestamps)
- "You have to imagine as an open source maintainer that you are so much more susceptible. ...They're just not used to the kind of adversarial world..." – Kane Warwick, [05:02]
- "When you authorize a token and save to your computer, that token is basically what you use to access these things for however long...If your computer is completely compromised the way that DPRK compromises computers, that token, they take that token and they reuse it." – Taylor Monahan, [07:05]
- "With DPRK they almost always have what we call a heartbeat ping....your device pings out every 60 seconds and asks if there's anything. Yo dprk, anything you want me to do?" – Taylor Monahan, [15:51]
- "The odds that you have anyone better than SEAL 911 is zero. You just don't...." – Kane Warwick, [42:20]
- "We don't call it copy pasting. It's code laundering now." – Kane Warwick, [64:40]
- "Claude code is just a harness. The value ...is based on the models, not this harness." – Kane Warwick, [56:38]
Table of Key Segments & Timestamps
| Segment | Start Time | Key Themes |
|---|---|---|
| Intro & Drift Hack Overview | 01:01 | Hack details, real-time analysis, speculation (DPRK link) |
| Tactics of DPRK & Supply Chain Attacks | 02:33 | Social engineering, open-source risks |
| How Malware Gains Persistence | 07:05 | Developer tokens, heartbeat pings, advanced malware |
| Preventative Security Tips | 11:34 | Pin dependencies, hardware hygiene, EDR vs AV |
| Mac vs Windows: Modern Malware | 17:02 | Mac-focused threats, platform nuances |
| Real-World Case Studies (VC loses $2M) | 23:27 | Business email compromise, systemic risk |
| Attack Mechanics: Drift Protocol | 31:40 | Admin key compromise, contract parameter changes |
| Contagion & Defensive Composability | 26:50 | Jupe Lend, protocol design, composability |
| Asset Freezing (USDC vs Tether) | 28:34 | Legal standoffs, philosophy behind freezing funds |
| Security Communities and Response (SEAL 911) | 40:45 | Coordination and response model for hacks |
| AI Interlude: Claude Code Source Leak | 49:35 | Code leak, security philosophy in agentic world |
| Harness vs Model: AI Security Implications | 56:38 | Importance of model weights, ephemeral code |
| Organizational Takeaways: Archetypes | 71:35 | Communication, team management, knowing strengths |
| Wrap-up | 75:15 | Reflections, final tips |
Conclusion
This episode offers a vivid and accessible “from the trenches” look at how state-level and opportunistic hackers target DeFi and crypto ecosystems. It emphasizes the human angle—maintainers as weak points, the difficulty of perfect defense, and the irreplaceable value of rapid collaboration (as embodied by SEAL 911). The panel’s technical depth, war stories, and humor make this essential listening for anyone interested in crypto security, DeFi, or the changing landscape of AI-powered coding and software development.
For crypto and Web3 builders, the message is clear:
Remain vigilant, invest in endpoint security, don’t rely on legacy platform wisdom, foster organizational awareness (archetypes matter!), and know who to call (SEAL 911) when things inevitably go sideways.
As the AI segment underscores, expect constant, chaotic evolution—and be ready to adapt.
