The $285 million exploit of the Drift protocol, linked to a North Korean state-affiliated group, has intensified scrutiny across decentralized finance and raised concerns. In the immediate aftermath, Moo, the pseudonymous founder of Elemental, a Solana-based DeFi protocol, publicly criticized Drift’s leadership.
He described their response as inadequate and characterized the situation as a "live masterclass in gross management failure." Moo’s criticism focused heavily on communication and accountability. He argued that leadership must respond transparently during crises, particularly when users suffer financial losses. According to his statements, Drift leadership issued minimal public communication and showed limited acknowledgment of responsibility.
The discussion quickly shifted when onchain investigator ZachXBT responded publicly. He accused Moo of overlooking Elemental’s own risk exposure, alleging that Elemental had employed a DPRK-linked IT worker for several years.
ZachXBT identified the individual under multiple aliases, including Keisuke Watanabe, and listed associated online accounts, email addresses, and blockchain wallet addresses.
Moo acknowledged that Elemental had previously worked with the individual in question. He stated that the team later discovered the person had misrepresented their identity. He maintained, however, that Elemental users did not suffer direct losses related to that engagement.
Stabble’s ex-CTO Confirmed as the Same DPRK-Linked Individual
In the days following the Drift exploit, onchain investigator Tay had reported that North Korean IT workers have contributed to crypto protocol development since the early days of DeFi, specifically mentioning Elemental and Stabble, among other projects.
She emphasized that claims of extensive blockchain development experience on resumes should not automatically be dismissed, as some actors possess genuine technical expertise.
Following the renewed attention on DPRK-linked workers, Solana-based DEX Stabble, with about $2 million in TVL, urged users to temporarily withdraw liquidity as a precaution.
The team later clarified that no exploit had occurred.
They stated that they issued the warning after discovering that a former Chief Technology Officer, who had left the project approximately one year earlier, matched the identity flagged by ZachXBT as having been on Elemental’s payroll.
Vibhu Norby, Chief Product Officer at the Solana Foundation, provided additional clarification. He explained that a new team had recently acquired Stabble and now manages the protocol. He noted that the precautionary message aimed to prioritize user safety rather than respond to an active threat.
Onchain observers noted changes to Stabble’s multisig configuration, including a reduction in the number of signers and adjustments to the team's wallets. The Stabble team confirmed these changes and attributed them to the transition to new management.
They stated that the updates occurred before public disclosure of the DPRK connection and formed part of broader operational restructuring. The team also confirmed that no pending proposals or upgrades indicated immediate risk.
Industry and Community Reactions
The response from the broader crypto community highlighted concerns about crisis communication. Several commentators criticized Stabble’s initial messaging.
Caitlin Cook, Director of Marketing at Sphere Labs, described Stabble's handling of the issue as "What Not to Do in a Crisis."
Others pointed to the broader challenge of identifying sophisticated threat actors during hiring processes. Tim Lee, Chief Marketing Officer at Titan, shared an example of an individual who appeared highly qualified during interviews but later turned out to have links to state-sponsored groups.
Independent researchers also discussed informal screening methods such as asking interviewees to insult Kim Jong Un, though these approaches remain unreliable and limited in scope.
Following the Drift hack, the Solana Foundation has introduced a new security initiative called STRIDE, which includes a crisis response network for Solana DeFi and round-the-clock threat monitoring.
The industry remains on high alert following multiple security incidents involving North Korea in recent times. It remains to be seen whether the ecosystem-wide security measures being put in place will help mitigate further unfortunate events.
