Drift links $280 million exploit to six-month social engineering op run by suspected North Korean actors
The Block
23h ago
Author: Exposing Satoshi Nakamoto

Drift Protocol on Saturday published its most detailed account yet of the April 1 exploit that drained approximately $280 million from the Solana-based perpetuals exchange, describing what the team called a "structured intelligence operation" that took roughly six months to stage.

According to the update, the initial contact came in or around fall 2025, when individuals presenting as a quant trading firm approached Drift contributors at a major crypto conference and expressed interest in integrating on the protocol. A Telegram group was set up at that first meeting, and the same individuals continued meeting Drift contributors face-to-face at industry events across multiple countries over the following months.

Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift, filling out the standard strategy form, sitting through multiple working sessions with contributors, and depositing more than $1 million of their own capital. Drift said the behavior was consistent with how legitimate trading firms typically integrate with the protocol.

Forensic review of affected devices and communication histories after the exploit pointed to that relationship as the probable intrusion path. Drift said the group's Telegram chats and associated malicious software were scrubbed in the moments the attack went live.

Two possible vectors

Drift's preliminary assessment identifies two candidate compromise methods. One contributor may have been infected after cloning a code repository the group shared under the pretext of deploying a frontend for their vault. A second contributor was induced to install a beta version of an app, delivered through Apple's TestFlight, that the group described as their wallet product.

For the repository path, Drift flagged a VS Code and Cursor vulnerability that security researchers had been publicly warning about between December 2025 and February 2026, in which simply opening a file, folder, or repository in the editor could silently execute arbitrary code with no user prompt.

The exploit itself, as The Block previously reported, did not involve a smart contract bug. Drift has described it as a "novel attack involving durable nonces," a legitimate Solana primitive that allows transactions to be pre-signed and executed later. The attacker obtained multisig approvals in advance, likely through social engineering or transaction misrepresentation, then used the pre-signed authorizations to seize Security Council administrative powers and drain the protocol in minutes.
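The durable-nonce mechanism described above is what lets an approval collected today be executed whenever the holder chooses, so a multisig signer policy can flag it before signing. The following is an added example, not code from Drift or The Block: it inspects a transaction in the shape returned by Solana RPC `getTransaction(encoding="jsonParsed")` and refuses durable-nonce transactions that touch an assumed set of admin programs. The sample transactions and account strings are constructed placeholders.

```python
# Solana treats a transaction as durable-nonce ONLY when its first instruction is
# SystemProgram AdvanceNonceAccount; the recentBlockhash field then holds the stored
# nonce instead of a blockhash that expires after roughly a minute. An advance
# appearing later in the instruction list does not remove expiry.
SYSTEM_PROGRAM = "11111111111111111111111111111111"


def uses_durable_nonce(tx: dict) -> bool:
    """True if the first instruction is a parsed SystemProgram advanceNonceAccount."""
    ixs = tx.get("message", {}).get("instructions", [])
    if not ixs:
        return False
    first = ixs[0]
    parsed = first.get("parsed")
    return (first.get("programId") == SYSTEM_PROGRAM
            and isinstance(parsed, dict)
            and parsed.get("type") == "advanceNonceAccount")


def review_before_signing(tx: dict, admin_programs: set) -> dict:
    """Assumed signer policy: refuse durable-nonce transactions touching admin programs."""
    findings = []
    durable = uses_durable_nonce(tx)
    ixs = tx.get("message", {}).get("instructions", [])
    if durable:
        info = ixs[0]["parsed"]["info"]
        findings.append(f"durable nonce via {info['nonceAccount']} "
                        f"(authority {info['nonceAuthority']}): signature will not expire")
    touched = {ix.get("programId") for ix in ixs} & set(admin_programs)
    for pid in sorted(touched):
        findings.append(f"touches admin program {pid}")
    return {"refuse": durable and bool(touched), "findings": findings}


# Constructed samples; placeholder addresses, not real accounts or programs.
ADMIN_PROGRAM = "AdminProgramPlaceholder1111111111111111111111"
NONCE_IX = {"programId": SYSTEM_PROGRAM, "program": "system",
            "parsed": {"type": "advanceNonceAccount", "info": {
                "nonceAccount": "NonceAcctPlaceholder111111111111111111111111",
                "nonceAuthority": "NonceAuthPlaceholder111111111111111111111111",
                "recentBlockhash": "NonceValuePlaceholder11111111111111111111111"}}}
ADMIN_IX = {"programId": ADMIN_PROGRAM, "accounts": [], "data": "placeholder"}
# Pre-signed admin action: advance first, then the privileged instruction.
PRESIGNED_ADMIN_TX = {"message": {"instructions": [NONCE_IX, ADMIN_IX]}}
# Same instructions, but the advance is not first: ordinary expiring transaction.
ORDINARY_TX = {"message": {"instructions": [ADMIN_IX, NONCE_IX]}}

if __name__ == "__main__":
    for name, tx in (("presigned", PRESIGNED_ADMIN_TX), ("ordinary", ORDINARY_TX)):
        print(name, review_before_signing(tx, {ADMIN_PROGRAM}))
```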

North Korea connection

Drift said that with the support of the SEAL 911 team, it assesses with "medium-high confidence" that the operation was carried out by the same state-sponsored North Korean actors responsible for the $50 million Radiant Capital hack in October 2024, which Mandiant attributed to UNC4736, also known as AppleJeus or Citrine Sleet, a hacker group with ties to the country's Reconnaissance General Bureau.

The link rests on both onchain and operational overlaps, according to Drift. Fund flows used to stage and test the Drift operation trace back to the Radiant attackers, and the personas deployed across the campaign have identifiable overlaps with known DPRK-linked activity, Drift said.

Notably, Drift stressed that the individuals who appeared at conferences in person were not North Korean nationals. DPRK threat actors operating at this level are known to deploy third-party intermediaries to handle relationship-building work, the protocol said, and the profiles used in this operation had complete employment histories, public credentials, and professional networks designed to withstand counterparty due diligence.

Mandiant, which Drift has engaged to lead the forensic investigation, has not formally attributed the Drift exploit. That determination is pending completed device forensics.

Current state of Drift

Drift said all remaining protocol functions have been frozen, the compromised wallets have been removed from the multisig, and attacker addresses have been flagged with exchanges and bridge operators. Onchain sleuth ZachXBT has separately criticized stablecoin issuer Circle for what he called a slow response, alleging the attacker bridged roughly 232 million USDC from Solana to Ethereum via CCTP over six hours without any funds being frozen.

The Drift exploit is the largest DeFi hack of 2026 to date and ranks as the second-largest security incident in Solana's history behind the $325 million Wormhole bridge attack in 2022.

Drift credited independent researchers and SEAL 911 members Taylor Monahan, tanuki42_, pcaversaccio, and Nick Bax for their work identifying the actors, and urged any teams that believe they may have been targeted by the same group to contact SEAL 911 directly.

"For real though - this is the most elaborate and targeted attack I think I've seen perpetrated by DPRK in the crypto space," tanuki42_ wrote on X, in addition to warning that other protocols may have been targeted as well. "Recruiting multiple facilitators and then getting them to target specific people in real life at major crypto events is a wild tactic."
