Solana co-founder Anatoly Yakovenko has described the recent Drift Protocol hack as "terrifying" after it was revealed that it was the result of a sophisticated social engineering attack that was pulled off by North Korean hackers. 

As reported by U.Today, Drift Protocol was recently drained of $270 million, which is the largest Solana hack to date within the ecosystem. The protocol was forced to halt all deposits and withdrawals, explicitly warning users that the incident was not an April Fools' joke.

Six months in the making 

The report, which was recently shared by Drift Protocol, has revealed that the bad actors behind the historic hack physically stalked and socially engineered the developers in real life. This required alarming patience and resources. 

The operation is heavily suspected to be the work of a North Korean state-affiliated threat group. 

Starting in late 2025, third-party intermediaries (who were not North Korean nationals) physically approached Drift contributors at major crypto conferences. The attackers, who boasted verifiable professional backgrounds and technical fluency, posed as a quantitative trading firm looking to integrate with the protocol. 

The fake trading firm onboarded an Ecosystem Vault on Drift between December 2025 and January 2026 and deposited more than $1 million of their own capital. 

The attackers had managed to maintain the illusion for half a year. They were working closely with Drift contributors through multiple working sessions and meeting them face-to-face at various international conferences through February and March 2026.

By April, the attackers had successfully established a trusted business relationship. The Drift contributors did not suspect foul play when the group shared links to projects they claimed to be building.

One contributor cloned a code repository shared by the attackers. This repository likely contained a known vulnerability affecting the VSCode and Cursor text editors. A second contributor was convinced to download a fake TestFlight application.

The attackers scrubbed all of their Telegram chats and wiped the malicious software after the successful exploit.