Drift Protocol released a comprehensive report on Saturday detailing the April 1 exploit that resulted in the theft of approximately $280 million from the Solana-based exchange. The team characterized the incident not as a simple technical breach, but as a “structured intelligence operation” that was meticulously staged over a six-month period. According to the update, the infiltration began in the fall of 2025 when individuals posing as representatives of a legitimate quantitative trading firm approached Drift contributors at a major industry conference. Over the following months, these actors maintained a persistent physical presence, meeting with the Drift team face-to-face at various global events to build trust and professional rapport.
The deception deepened between December 2025 and January 2026, when the group successfully onboarded an Ecosystem Vault on the Drift platform. To maintain their cover, the attackers followed standard procedures, including submitting strategy forms, participating in technical working sessions, and even depositing $1 million of their own capital into the protocol. Drift noted that this behavior perfectly mirrored that of legitimate institutional partners. However, forensic analysis conducted after the exploit suggests this relationship served as the primary intrusion vector. In a chilling display of operational security, the group’s communication channels and associated malicious software were reportedly scrubbed the moment the attack was initiated.
Investigators have identified two primary methods used to compromise the internal systems. In the first scenario, a contributor may have been infected after cloning a code repository shared by the group under the guise of a frontend deployment for their vault. Drift specifically highlighted a known vulnerability in VS Code and Cursor editors—publicly discussed by researchers early in 2026—that allowed for the silent execution of code upon opening a file. Alternatively, a second contributor was induced to install a malicious beta application via Apple’s TestFlight, which the attackers misrepresented as a proprietary wallet product.
Unlike many decentralized finance breaches, the exploit did not stem from a flaw in the protocol’s smart contracts. Instead, the attackers utilized a “novel attack involving durable nonces,” a legitimate Solana primitive. By obtaining multisig approvals in advance through social engineering or the misrepresentation of transactions, the hackers were able to seize Security Council administrative powers. This allowed them to drain the protocol’s assets in a matter of minutes. Drift, supported by the SEAL 911 emergency response team, has stated with “medium-high confidence” that the operation is the work of North Korean state-sponsored actors, specifically the group known as AppleJeus or Citrine Sleet.
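The durable-nonce mechanism the report refers to lets a transaction be signed now and submitted much later, because the stored nonce takes the place of the recent blockhash that would otherwise expire within a couple of minutes. The Python below is an added illustration written for this article, not Drift's or Solana's own code: it parses a legacy Solana message and flags transactions whose first instruction is the system program's AdvanceNonceAccount, so that a multisig signer reviewing an approval request can see it will not lapse on its own. Every key and message in it is a constructed placeholder; only the system program id and the SystemInstruction indices are real.

```python
import struct

SYSTEM_PROGRAM = bytes(32)                    # 11111111111111111111111111111111
ADVANCE_NONCE_IX = struct.pack("<I", 4)       # SystemInstruction::AdvanceNonceAccount
TRANSFER_IX = struct.pack("<IQ", 2, 1_000)    # SystemInstruction::Transfer, 1000 lamports

def _compact_u16(buf, pos):
    """Decode Solana's compact-u16 (7 data bits per byte, 0x80 = continue)."""
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7

def parse_legacy_message(msg):
    """Return (account_keys, blockhash, [(program_id, account_idxs, data), ...])."""
    pos = 3                                       # skip the 3-byte header
    n_keys, pos = _compact_u16(msg, pos)
    keys = [msg[pos + 32 * i:pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = msg[pos:pos + 32], pos + 32  # holds the nonce value if durable
    n_ix, pos = _compact_u16(msg, pos)
    ixs = []
    for _ in range(n_ix):
        prog_idx, pos = msg[pos], pos + 1
        n_acc, pos = _compact_u16(msg, pos)
        accounts, pos = list(msg[pos:pos + n_acc]), pos + n_acc
        dlen, pos = _compact_u16(msg, pos)
        data, pos = msg[pos:pos + dlen], pos + dlen
        ixs.append((keys[prog_idx], accounts, data))
    return keys, blockhash, ixs

def uses_durable_nonce(msg):
    """True when instruction 0 is AdvanceNonceAccount: the signed approval never expires."""
    _, _, ixs = parse_legacy_message(msg)
    return bool(ixs) and ixs[0][0] == SYSTEM_PROGRAM and ixs[0][2][:4] == ADVANCE_NONCE_IX

def build_message(keys, blockhash, ixs):
    """Constructed serializer: all counts < 128, so each compact-u16 is one byte."""
    body = bytes([1, 0, 1, len(keys)]) + b"".join(keys) + blockhash + bytes([len(ixs)])
    for prog_idx, accounts, data in ixs:
        body += bytes([prog_idx, len(accounts)]) + bytes(accounts) + bytes([len(data)]) + data
    return body

# Constructed keys (not real addresses): signer, recipient, nonce account, sysvar stand-in, system program
KEYS = [bytes([i]) * 32 for i in (1, 2, 3, 4)] + [SYSTEM_PROGRAM]
PLAIN_TX = build_message(KEYS, bytes(32), [(4, [0, 1], TRANSFER_IX)])
NONCE_TX = build_message(KEYS, bytes(32), [(4, [2, 3, 0], ADVANCE_NONCE_IX), (4, [0, 1], TRANSFER_IX)])
```

A signer tool that runs this check before presenting a multisig approval can label durable-nonce transactions distinctly, since a "yes" given today can be broadcast weeks later unless the nonce is advanced or the authority revoked.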
The connection to North Korea is supported by both on-chain and operational evidence. Drift reported that the funds used to stage the attack were traced back to the $50 million Radiant Capital hack of 2024, an event previously attributed to the same North Korean threat actors. Notably, the protocol clarified that the individuals who attended conferences in person were likely not North Korean nationals, but third-party intermediaries hired to bypass counterparty due diligence. These facilitators possessed robust professional profiles and public credentials designed to withstand scrutiny. While Mandiant has been engaged to lead a formal forensic investigation, a final attribution is still pending the completion of device forensics.
In the wake of the attack, which stands as the largest DeFi hack of 2026 and the second-largest in Solana’s history, Drift has frozen all protocol functions and removed the compromised wallets from its multisig. The incident has also sparked controversy regarding the speed of the industry’s response; on-chain investigator ZachXBT criticized stablecoin issuer Circle for failing to freeze approximately 232 million USDC as it was bridged from Solana to Ethereum over a six-hour window. Security researchers have described the campaign as one of the most sophisticated ever seen in the crypto space, warning other protocols that they may have been targeted by the same elaborate real-world recruitment tactics.
