Scams Radar

Sophisticated Six-Month Campaign


On April 5, 2026, Drift Protocol published a detailed follow-up on its April 1 exploit, which drained approximately $280 million from the Solana-based perpetuals exchange. The protocol described the incident as a “structured intelligence operation” spanning roughly six months, beginning at a major crypto conference in fall 2025.

According to Drift, attackers posed as representatives of a quantitative trading firm. They first approached Drift contributors at an industry event, established a Telegram group, and continued cultivating relationships through in-person meetings at multiple international conferences over the following months.

Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift. They completed the standard strategy form, participated in working sessions with contributors, and deposited more than $1 million of their own capital — behavior consistent with legitimate trading firms integrating with the protocol.

Attack Vectors and Execution

Forensic analysis after the exploit pointed to the cultivated relationship as the likely intrusion path. Drift identified two possible compromise methods:

  • One contributor may have been infected after cloning a code repository shared by the group under the pretext of deploying a frontend for their vault.
  • A second contributor was induced to install a beta version of an app via Apple’s TestFlight, presented as the group’s wallet product.

The actual exploit did not rely on a smart contract bug. Instead, it leveraged durable nonces — a legitimate Solana primitive that allows pre-signed transactions to be executed later. The attackers reportedly obtained multisig approvals in advance (likely through social engineering or transaction misrepresentation), then used those authorizations to seize Security Council administrative powers and drain the protocol in minutes.
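Because a durable-nonce transaction never expires with the recent-blockhash window, a multisig signature gathered today can be broadcast weeks later. The added example below (not Drift's code, and not taken from the incident report) shows the pre-signing check a signer-side tool could run over a decoded Solana message: it flags any message that begins with SystemProgram AdvanceNonceAccount and blocks it outright if the same message touches an admin authority. The `Message`/`Instruction` layout is a simplified stand-in for what a Solana SDK would decode, and the admin key and sample message are constructed placeholders.

```python
import struct
from dataclasses import dataclass
# Solana's System Program and the tag of its AdvanceNonceAccount instruction
# (little-endian u32 = 4 in the System Program instruction enum).
SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4

@dataclass
class Instruction:
    program_id_index: int  # index into Message.account_keys
    accounts: list         # indices of the accounts this instruction touches
    data: bytes            # raw instruction data

@dataclass
class Message:
    account_keys: list     # pubkeys as strings, fee payer and signers first
    recent_blockhash: str  # a real blockhash, or the stored nonce for durable txs
    instructions: list

def uses_durable_nonce(msg: Message) -> bool:
    """True when the first instruction is SystemProgram::AdvanceNonceAccount,
    i.e. the signature never expires and can be broadcast whenever the holder likes."""
    first = msg.instructions[0] if msg.instructions else None
    if first is None or msg.account_keys[first.program_id_index] != SYSTEM_PROGRAM:
        return False
    return len(first.data) >= 4 and struct.unpack_from("<I", first.data, 0)[0] == ADVANCE_NONCE_ACCOUNT

def review_signing_request(msg: Message, admin_authorities: set) -> list:
    """Findings a multisig signer should read before approving this message."""
    findings = []
    durable = uses_durable_nonce(msg)
    if durable:
        findings.append("DURABLE_NONCE: signature does not expire and can be replayed later")
    touched = {msg.account_keys[i] for ix in msg.instructions for i in ix.accounts}
    hit = touched & admin_authorities
    if hit:
        findings.append(f"ADMIN_AUTHORITY_TOUCHED: {sorted(hit)}")
    if durable and hit:
        findings.append("BLOCK: pre-signed admin action; require a live blockhash and out-of-band confirmation")
    return findings
# Constructed sample, not real Drift data: a durable-nonce message whose second
# instruction passes a protocol admin authority (placeholder key) to a program.
ADMIN = "AdminAuthorityPlaceholder11111111111111111111"
SAMPLE = Message(
    account_keys=["payer", "nonce_acct", "blockhashes_sysvar", "nonce_auth", SYSTEM_PROGRAM, ADMIN, "prog"],
    recent_blockhash="<nonce value stored in nonce_acct>",
    instructions=[Instruction(4, [1, 2, 3], struct.pack("<I", ADVANCE_NONCE_ACCOUNT)),
                  Instruction(6, [5, 0], b"\x01")],
)
```

Running `review_signing_request(SAMPLE, {ADMIN})` returns all three findings, ending with the BLOCK line; a message built on a live blockhash only reports which admin authority it touches.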

Drift and the SEAL 911 team assess with “medium-high confidence” that the operation was carried out by the same North Korea-aligned actors behind the $50 million Radiant Capital hack in October 2024 (attributed by Mandiant to UNC4736, also known as AppleJeus or Citrine Sleet, linked to North Korea’s Reconnaissance General Bureau).

Supporting evidence includes overlapping fund flows used to stage and test the Drift operation, as well as persona overlaps with known DPRK-linked activity. Notably, the individuals who appeared in person at conferences were not North Korean nationals — a common tactic in which DPRK threat actors use third-party intermediaries for relationship-building.

Current Status and Response

Drift has frozen all remaining protocol functions, removed the compromised wallets from the multisig, and flagged attacker addresses with exchanges and bridge operators. Independent researcher ZachXBT publicly criticized Circle for what he described as a slow response, alleging the attacker bridged roughly 232 million USDC from Solana to Ethereum via CCTP over six hours without any funds being frozen.

The $280 million Drift exploit is the largest DeFi hack of 2026 so far and ranks as the second-largest security incident in Solana’s history, behind the $325 million Wormhole bridge attack in 2022.

Drift credited independent researchers and SEAL 911 members (including Taylor Monahan, tanuki42_, pcaversaccio, and Nick Bax) for their assistance. The protocol urged any other teams that believe they may have been targeted by the same group to contact SEAL 911 directly.

tanuki42_ commented on X: “This is the most elaborate and targeted attack I think I’ve seen perpetrated by DPRK in the crypto space. Recruiting multiple facilitators and then getting them to target specific people in real life at major crypto events is a wild tactic.”

Bottom Line

The Drift incident highlights the growing sophistication of state-sponsored threat actors in the crypto space. Social engineering campaigns that combine in-person relationship building, technical deception (malicious repos and apps), and legitimate-looking integration processes can bypass many traditional security controls.

Protocols and contributors should treat unsolicited partnership approaches — even from seemingly professional quant firms — with extreme caution, especially when they involve sharing code, installing beta software, or granting multisig approvals.
