TL;DR
- Drift says its $280 million exploit was the result of a six-month social engineering attack allegedly carried out by North Korea-linked actors.
- The hackers posed as a quantitative trading firm, cultivated Drift contributors across multiple international conferences, and deposited more than $1 million of their own capital into an Ecosystem Vault as cover.
Drift Protocol Links $280M Exploit to Months-long Social Engineering Campaign Tied to Suspected North Korean Actors
Drift Protocol has released its most detailed account yet of the April 1 exploit that drained roughly $280 million from its platform, attributing the breach to a highly coordinated social engineering operation that unfolded over nearly six months.
According to Drift, the attack began as early as fall 2025, when individuals posing as a quantitative trading firm approached contributors at a major crypto conference. The group expressed interest in integrating with the protocol and established contact via Telegram, later continuing in-person interactions across multiple industry events worldwide.
(Embedded post: Drift (@DriftProtocol), April 5, 2026)
Between December 2025 and January 2026, the actors deepened their engagement by onboarding an Ecosystem Vault on Drift. They completed standard integration processes, participated in multiple working sessions, and deposited over $1 million in capital — behavior that closely mirrored legitimate institutional participants.
A forensic review following the exploit identified this relationship as the most likely entry point. Drift noted that communication logs and malicious tools tied to the attackers were wiped almost immediately once the attack was executed.
Drift’s investigation highlights two likely intrusion vectors. In one case, a contributor may have been compromised after cloning a repository shared by the attackers under the guise of deploying a frontend interface. In another, a contributor was persuaded to install a beta wallet application distributed via Apple’s TestFlight.
The repository-based attack may have leveraged a known vulnerability in development tools like VS Code and Cursor, which allowed malicious code execution simply by opening a file or project — without user interaction.
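The article does not identify the exact editor vulnerability, so the following is an added defensive example (not Drift's code and not tied to any specific CVE): a pre-open scan of a freshly cloned repository that flags the documented VS Code/Cursor `runOn: folderOpen` automatic-task mechanism and the presence of workspace configuration worth reading before the folder is ever opened in an editor. The list of watched files and the sample `tasks.json` are constructed assumptions.

```python
"""Pre-open scan of a cloned repository for editor workspace files that
can influence what runs when the folder is opened. Constructed defensive
example; the watched-file list is an assumption, and the only automatic
execution mechanism checked in detail is VS Code's documented
'runOptions.runOn = folderOpen' task setting."""
import json
import re
import tempfile
from pathlib import Path

# Workspace files that influence editor behaviour on open (assumed list).
WORKSPACE_FILES = {
    ".vscode/tasks.json": "task definitions (may auto-run on folder open)",
    ".vscode/settings.json": "workspace settings (can override tool paths)",
    ".vscode/launch.json": "debug configurations (run on debugger start)",
}


def strip_jsonc(text: str) -> str:
    """VS Code config files are JSON-with-comments; strip block comments,
    whole-line // comments and trailing commas so json.loads accepts them."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return re.sub(r",(\s*[}\]])", r"\1", text)


def load_jsonc(path: Path):
    try:
        return json.loads(strip_jsonc(path.read_text(encoding="utf-8")))
    except (OSError, ValueError):
        return None


def scan_workspace(root) -> list:
    """Return human-readable findings for editor config under `root`."""
    root = Path(root)
    findings = []
    for rel, why in WORKSPACE_FILES.items():
        if (root / rel).is_file():
            findings.append(f"{rel}: {why}; review before opening the folder")
    tasks = load_jsonc(root / ".vscode" / "tasks.json")
    if isinstance(tasks, dict):
        for task in tasks.get("tasks", []):
            if not isinstance(task, dict):
                continue
            run_on = (task.get("runOptions") or {}).get("runOn")
            if run_on == "folderOpen":
                findings.append(
                    f".vscode/tasks.json: task {task.get('label')!r} is set to "
                    f"runOn=folderOpen with command {task.get('command')!r}"
                )
    return findings


def build_sample_repo(base: Path) -> Path:
    """Write a constructed clone containing a harmless folderOpen task."""
    vscode = base / "repo" / ".vscode"
    vscode.mkdir(parents=True)
    (vscode / "tasks.json").write_text(
        '{\n  // constructed sample, not from any real repository\n'
        '  "version": "2.0.0",\n'
        '  "tasks": [{\n'
        '    "label": "bootstrap",\n'
        '    "type": "shell",\n'
        '    "command": "echo bootstrap",\n'
        '    "runOptions": {"runOn": "folderOpen"},\n'
        '  }],\n}\n',
        encoding="utf-8",
    )
    return base / "repo"


def demo() -> list:
    """Build the constructed clone in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_workspace(build_sample_repo(Path(tmp)))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it against a real clone with `scan_workspace("/path/to/clone")`; a non-empty result is a prompt to read the flagged files in a plain text viewer, or to open the project in a restricted workspace mode or a disposable VM, rather than in a trusted editor session on a machine holding signing keys.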
Exploit leveraged Solana mechanics, not code flaws
The exploit itself did not stem from a smart contract vulnerability. Instead, Drift described a “novel” attack using durable nonces — a legitimate feature of the Solana network that enables pre-signed transactions.
Attackers reportedly secured multisig approvals in advance, likely through deception or transaction misrepresentation. These pre-authorized transactions were later executed to seize administrative control and drain funds within minutes.
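As an added example (not Drift's code), the check below models the signer-side policy a multisig participant could apply before approving a transaction: it detects whether a Solana message is durable-nonce based, which the runtime decides solely by whether the first instruction is a System Program `AdvanceNonceAccount` (bincode discriminant 4, serialized as a little-endian u32), and warns that such an approval does not expire the way an ordinary transaction's does once its recent blockhash ages out. The `Message`/`Instruction` dataclasses are a simplified stand-in for a decoded compiled message, and all account keys other than the System Program and the recent-blockhashes sysvar are constructed placeholders.

```python
"""Signer-side review of a Solana transaction message before a multisig
participant approves it. Constructed defensive example. It models only
the fields the check needs: the compiled message's instructions
(program id, account keys, raw data) and its recent_blockhash field,
which for a durable-nonce transaction carries the stored nonce value."""
import struct
from dataclasses import dataclass
from typing import List, Set

SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
RECENT_BLOCKHASHES_SYSVAR = "SysvarRecentB1ockHashes11111111111111111111"
# bincode discriminant of SystemInstruction::AdvanceNonceAccount (u32 LE)
ADVANCE_NONCE_DATA = struct.pack("<I", 4)

# Constructed placeholder keys, not real addresses.
OUR_NONCE_AUTHORITY = "CONSTRUCTED_OPS_NONCE_AUTHORITY"
FOREIGN_AUTHORITY = "CONSTRUCTED_SOMEONE_ELSES_AUTHORITY"
MULTISIG_PROGRAM = "CONSTRUCTED_MULTISIG_PROGRAM"


@dataclass
class Instruction:
    program_id: str
    accounts: List[str]  # AdvanceNonce: [nonce account, blockhashes sysvar, authority]
    data: bytes


@dataclass
class Message:
    recent_blockhash: str
    instructions: List[Instruction]


def uses_durable_nonce(msg: Message) -> bool:
    """The runtime treats a transaction as durable-nonce based only when its
    FIRST instruction is a System Program AdvanceNonceAccount."""
    if not msg.instructions:
        return False
    first = msg.instructions[0]
    return first.program_id == SYSTEM_PROGRAM_ID and first.data == ADVANCE_NONCE_DATA


def nonce_authority(msg: Message) -> str:
    """Third account of AdvanceNonceAccount is the signer who may advance it."""
    accounts = msg.instructions[0].accounts
    return accounts[2] if len(accounts) >= 3 else "<malformed>"


def review_before_signing(msg: Message, trusted_authorities: Set[str]) -> List[str]:
    """Return warnings a multisig signer should read before approving."""
    warnings = []
    if not uses_durable_nonce(msg):
        return warnings  # ordinary tx: the approval dies with its blockhash
    warnings.append(
        "durable nonce: this approval stays valid until the nonce account is "
        "advanced, so whoever holds the signed transaction picks the broadcast time"
    )
    auth = nonce_authority(msg)
    if auth not in trusted_authorities:
        warnings.append(
            f"nonce authority {auth!r} is not one of ours; that key decides "
            "when, and whether, this transaction can be replayed"
        )
    return warnings


def sample_durable(authority: str) -> Message:
    """Constructed durable-nonce message wrapping a multisig approval."""
    return Message(
        recent_blockhash="CONSTRUCTED_NONCE_VALUE",
        instructions=[
            Instruction(SYSTEM_PROGRAM_ID,
                        ["CONSTRUCTED_NONCE_ACCOUNT", RECENT_BLOCKHASHES_SYSVAR, authority],
                        ADVANCE_NONCE_DATA),
            Instruction(MULTISIG_PROGRAM, ["CONSTRUCTED_PROPOSAL"], b"\x01" + bytes(7)),
        ],
    )


def sample_ordinary() -> Message:
    """Constructed ordinary message: same approval, real recent blockhash."""
    return Message(
        recent_blockhash="CONSTRUCTED_RECENT_BLOCKHASH",
        instructions=[Instruction(MULTISIG_PROGRAM, ["CONSTRUCTED_PROPOSAL"], b"\x01" + bytes(7))],
    )


if __name__ == "__main__":
    for w in review_before_signing(sample_durable(FOREIGN_AUTHORITY), {OUR_NONCE_AUTHORITY}):
        print("WARNING:", w)
```

In production the message would be decoded from its wire form with a Solana SDK rather than hand-built, but the policy is the same: treat any durable-nonce approval as a long-lived signed authorization, confirm the nonce authority is a key the team controls, and require the signer to see the decoded inner instructions rather than an opaque hash.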
With assistance from SEAL 911, Drift said it has “medium-high confidence” that the operation is connected to the same state-backed actors behind the $50 million Radiant Capital hack in 2024.
The group is widely associated with North Korea’s Reconnaissance General Bureau and tracked by security firms such as Mandiant under identifiers including UNC4736, also known as AppleJeus or Citrine Sleet.
Drift cited both onchain evidence and operational similarities, including overlapping fund flows and reused personas linked to prior DPRK activity. However, the protocol emphasized that individuals who interacted in person at conferences were likely intermediaries, as such groups commonly use third parties to build credibility.
Formal attribution from Mandiant remains pending as device-level forensic analysis continues.
The team added that it has frozen all protocol operations, removed compromised wallets from its multisig setup, and flagged attacker addresses with exchanges and bridge operators.
According to the onchain investigator ZachXBT, Circle was slow to respond as attackers bridged approximately $232 million in USDC from Solana to Ethereum without being halted.
The breach marks the largest DeFi exploit of 2026 so far and ranks among the most significant incidents in Solana’s history, second only to the 2022 Wormhole hack.
Drift Protocol’s native DRIFT token is down 46% in the last seven days and currently trades at $0.03523.
Hassan Maishera