Drift links $280 million exploit to six-month social engineering op run by suspected North Korean actors

Drift Protocol on Saturday published its most detailed account yet of the April 1 exploit that drained approximately $280 million from the Solana-based perpetuals exchange, describing what the team called a “structured intelligence operation” that took roughly six months to stage.

According to the update, the initial contact came in or around fall 2025, when individuals presenting as a quant trading firm approached Drift contributors at a major crypto conference and expressed interest in integrating on the protocol. A Telegram group was set up at that first meeting, and the same individuals continued meeting Drift contributors face-to-face at industry events across multiple countries over the following months.

Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift, filling out the standard strategy form, sitting through multiple working sessions with contributors, and depositing more than $1 million of their own capital. Drift said the behavior was consistent with how legitimate trading firms typically integrate with the protocol.

Forensic review of affected devices and communication histories after the exploit pointed to that relationship as the probable intrusion path. Drift said the group’s Telegram chats and associated malicious software were scrubbed in the moments the attack went live.

Two possible vectors

Drift’s preliminary assessment identifies two candidate compromise methods. One contributor may have been infected after cloning a code repository the group shared under the pretext of deploying a frontend for their vault. A second contributor was induced to install a beta app, distributed through Apple’s TestFlight, that the group described as their wallet product.

For the repository path, Drift flagged a VS Code and Cursor vulnerability that security researchers had been publicly warning about between December 2025 and February 2026, in which simply opening a file, folder, or repository in the editor could silently execute arbitrary code with no user prompt.

The exploit itself, as The Block previously reported, did not involve a smart contract bug. Drift has described it as a “novel attack involving durable nonces,” a legitimate Solana primitive that allows transactions to be pre-signed and executed later. The attacker obtained multisig approvals in advance, likely through social engineering or transaction misrepresentation, then used the pre-signed authorizations to seize Security Council administrative powers and drain the protocol in minutes.
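To make the durable-nonce mechanism concrete from the signer’s side, here is an added example (not code from Drift, The Block, or the Solana SDK) that parses a legacy Solana transaction message and flags the durable-nonce pattern: by runtime rule, such a transaction’s first instruction must be the System Program’s AdvanceNonceAccount, and its “recent blockhash” field is then a nonce that never expires. The account keys and the builder are constructed for the sample; versioned (v0) messages with address lookup tables are assumed out of scope.

```python
import struct

SYSTEM_PROGRAM = bytes(32)            # base58 "1111...1" decodes to 32 zero bytes
ADVANCE_NONCE = struct.pack("<I", 4)  # SystemInstruction::AdvanceNonceAccount (enum index 4)

def encode_compact_u16(n):            # Solana "compact-u16" varint, 7 bits per byte
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80); n >>= 7
    return bytes(out + bytes([n]))

def decode_compact_u16(buf, pos):
    n, shift = 0, 0
    while True:
        b = buf[pos]; pos += 1
        n |= (b & 0x7F) << shift
        if not b & 0x80:
            return n, pos
        shift += 7

def build_message(keys, blockhash, instructions, header=(1, 0, 1)):
    # Legacy message layout: header, compact array of keys, recent_blockhash, compact array of instructions
    out = bytearray(header) + encode_compact_u16(len(keys)) + b"".join(keys) + blockhash
    out += encode_compact_u16(len(instructions))
    for prog_idx, accts, data in instructions:
        out += bytes([prog_idx]) + encode_compact_u16(len(accts)) + bytes(accts)
        out += encode_compact_u16(len(data)) + data
    return bytes(out)

def parse_message(buf):
    n_keys, pos = decode_compact_u16(buf, 3)             # skip the 3-byte header
    keys = [buf[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = buf[pos:pos + 32], pos + 32         # a nonce value when durable nonces are used
    n_ix, pos = decode_compact_u16(buf, pos); ixs = []
    for _ in range(n_ix):
        prog_idx, pos = buf[pos], pos + 1
        n_acc, pos = decode_compact_u16(buf, pos)
        accts, pos = list(buf[pos:pos + n_acc]), pos + n_acc
        dlen, pos = decode_compact_u16(buf, pos)
        data, pos = buf[pos:pos + dlen], pos + dlen
        ixs.append((keys[prog_idx], accts, data))
    return keys, blockhash, ixs

def uses_durable_nonce(buf):
    # A signature over such a message stays valid until the nonce account is advanced, not ~1 minute
    _, _, ixs = parse_message(buf)
    return bool(ixs) and ixs[0][0] == SYSTEM_PROGRAM and ixs[0][2] == ADVANCE_NONCE

# Constructed sample accounts: 0 signer/nonce authority, 1 nonce account, 2 RecentBlockhashes sysvar, 3 system program
KEYS = [bytes([1]) * 32, bytes([2]) * 32, bytes([3]) * 32, SYSTEM_PROGRAM]
TRANSFER_IX = (3, [0, 1], struct.pack("<I", 2) + struct.pack("<Q", 1000))  # SystemInstruction::Transfer, 1000 lamports
PLAIN_MSG = build_message(KEYS, bytes([9]) * 32, [TRANSFER_IX])
NONCE_MSG = build_message(KEYS, bytes([9]) * 32, [(3, [1, 2, 0], ADVANCE_NONCE), TRANSFER_IX])
```

A multisig signer or signing tool can run this check on any message presented for approval and treat a positive result as an authorization that will not lapse on its own, which is the property the pre-signed approvals in the Drift incident relied on.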

North Korea connection

Drift said that with the support of the SEAL 911 team, it assesses with “medium-high confidence” that the operation was carried out by the same state-sponsored North Korean actors responsible for the $50 million Radiant Capital hack in October 2024, which Mandiant attributed to UNC4736, also known as AppleJeus or Citrine Sleet, a hacker group with ties to the country’s Reconnaissance General Bureau.

The link rests on both onchain and operational overlaps, according to Drift. Fund flows used to stage and test the Drift operation trace back to the Radiant attackers, and the personas deployed across the campaign have identifiable overlaps with known DPRK-linked activity, Drift said.

Notably, Drift stressed that the individuals who appeared at conferences in person were not North Korean nationals. DPRK threat actors operating at this level are known to deploy third-party intermediaries to handle relationship-building work, the protocol said, and the profiles used in this operation had complete employment histories, public credentials, and professional networks designed to withstand counterparty due diligence.

Mandiant, which Drift has engaged to lead the forensic investigation, has not formally attributed the Drift exploit. That determination is pending completed device forensics.

Current state of Drift

Drift said all remaining protocol functions have been frozen, the compromised wallets have been removed from the multisig, and attacker addresses have been flagged with exchanges and bridge operators. Onchain sleuth ZachXBT has separately criticized stablecoin issuer Circle for what he called a slow response, alleging the attacker bridged roughly 232 million USDC from Solana to Ethereum via CCTP over six hours without any funds being frozen.

The Drift exploit is the largest DeFi hack of 2026 to date and ranks as the second-largest security incident in Solana’s history behind the $325 million Wormhole bridge attack in 2022.

Drift credited independent researchers and SEAL 911 members Taylor Monahan, tanuki42_, pcaversaccio, and Nick Bax for their work identifying the actors, and urged any teams that believe they may have been targeted by the same group to contact SEAL 911 directly.

“For real though – this is the most elaborate and targeted attack I think I’ve seen perpetrated by DPRK in the crypto space,” tanuki42_ wrote on X, in addition to warning that other protocols may have been targeted as well. “Recruiting multiple facilitators and then getting them to target specific people in real life at major crypto events is a wild tactic.”

© 2026 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
