How DPRK Drained $28550M from Drift — and Got Into Your Device First

April 06, 2026 at 04:03  |  16:01  |  Unchained (Chopping Block)

Summary

  • The discussion analyzes the $250M+ Drift Protocol hack, which was only ~2 hours old at recording time, making details speculative.
  • A primary, unconfirmed suspicion is DPRK (North Korea) involvement, given their crypto-focused motives and the timing of the related Axios supply chain attack the day prior.
  • DPRK actors are described as not highly sophisticated but effective, commonly using social engineering (e.g., fake VC Zoom/Teams calls) to compromise individual developers and open-source maintainers.
  • Their key attack vector involves stealing session tokens from a compromised computer, which allows them to bypass 2FA/MFA entirely and act as the user without triggering login alerts.
  • This malware often remains dormant for weeks or months, using a "heartbeat ping" to check for commands, and is designed to evade standard antivirus (AV) detection.
  • For high-value targets in crypto and open-source, standard AV is insufficient; Endpoint Detection and Response (EDR) solutions like CrowdStrike are recommended as they detect malicious behavior patterns, not just known malware hashes.
  • Critical advice for crypto founders and open-source maintainers: use physically separate, rotated devices for sensitive operations to contain potential compromises.
  • Developers can mitigate supply chain risk by "pinning" dependencies, implementing minimum age requirements for new packages (e.g., 7 days), and not auto-updating immediately.
  • A victim often only discovers a compromise when external parties notify them; there are typically no direct alerts from their own accounts or systems.
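As an added illustration of the pinning and minimum-release-age advice in the bullets above (example code written for this page, not from the episode): a small Node.js check that flags lockfile entries which are either unpinned or whose resolved version was published less than 7 days ago. It assumes the version-to-publish-time map shape of an npm registry packument's `time` field; the package names, lockfile entries and timestamps are constructed sample data.

```javascript
// Added example: gate an install on two policies from the discussion,
// (1) every dependency is pinned to an exact version and
// (2) every resolved version is at least MIN_AGE_DAYS old.
// Registry packuments expose a "time" map (version -> ISO publish time);
// the lockfile and packuments below are constructed, not real packages.
const MIN_AGE_DAYS = 7;

// Constructed lockfile excerpt: dependency name -> { spec, resolved version }.
const lockfile = {
  "left-pad-ish": { spec: "1.3.0", version: "1.3.0" },
  "http-client-ish": { spec: "^2.4.0", version: "2.4.1" },
};

// Constructed "time" maps, in the shape of GET /<pkg> on the npm registry.
const registryTime = {
  "left-pad-ish": { "1.3.0": "2025-11-02T10:00:00.000Z" },
  "http-client-ish": {
    "2.4.0": "2026-01-15T08:30:00.000Z",
    "2.4.1": "2026-04-05T21:12:00.000Z",
  },
};

// A spec counts as pinned only when it is an exact semver, not a range.
function isPinned(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// Whole days between a publish timestamp and `now` (milliseconds since epoch).
function ageInDays(publishedIso, now) {
  return Math.floor((now - Date.parse(publishedIso)) / 86400000);
}

// One finding per dependency. A version with no publish time on record is
// reported as not old enough rather than silently passing the gate.
function auditLockfile(lock, times, now = Date.now(), minAgeDays = MIN_AGE_DAYS) {
  return Object.entries(lock).map(([name, { spec, version }]) => {
    const published = times[name] && times[name][version];
    const ageDays = published ? ageInDays(published, now) : null;
    return { name, version, pinned: isPinned(spec), ageDays,
             oldEnough: ageDays !== null && ageDays >= minAgeDays };
  });
}

// Install is allowed only when every dependency satisfies both policies.
function lockfilePasses(findings) {
  return findings.every((f) => f.pinned && f.oldEnough);
}

// Evaluate as of a fixed instant, a few hours after the sample 2.4.1 release.
const NOW = Date.parse("2026-04-06T04:00:00.000Z");
const findings = auditLockfile(lockfile, registryTime, NOW);
for (const f of findings) {
  console.log(`${f.name}@${f.version} pinned=${f.pinned} age=${f.ageDays}d ok=${f.oldEnough}`);
}
console.log("install allowed:", lockfilePasses(findings));
```

In a CI pipeline the same check would run against the real lockfile and live packuments before `npm ci`, so a freshly published, possibly hijacked release is held back for the quarantine window instead of being pulled in automatically.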
Trade Ideas
Taylor Monahan, Security Lead at MetaMask (23:24)
Taylor Monahan, a security expert, explicitly states that for individuals or companies with significant crypto assets, "the answer is CrowdStrike." She explains that EDR solutions like CrowdStrike, unlike standard antivirus, detect malicious behavior and patterns (such as persistence mechanisms and heartbeat pings) that are characteristic of sophisticated threats like DPRK malware. DPRK and similar advanced threat actors use malware that evolves quickly and evades traditional hash-based antivirus detection; EDR adds a necessary higher layer of defense by analyzing system behavior rather than matching known samples. This is a direct endorsement of CrowdStrike as a superior and necessary security solution for the high-risk crypto and open-source development environment, implying that CrowdStrike's product is critical for endpoint protection. The thesis assumes that the threat landscape for crypto remains highly adversarial and that CrowdStrike maintains its efficacy against evolving attack methods.
This Unchained (Chopping Block) video, published April 06, 2026, features Taylor Monahan discussing CRWD. One trade idea was extracted by AI, with direction and confidence scoring.

Speakers: Taylor Monahan  · Tickers: CRWD