
Drift Protocol Hack Explained: Six-Month Social Engineering Led to $285M Solana DeFi Exploit

by Lisa Mitchell


Drift Protocol has released preliminary findings detailing the mechanics of the April 1, 2026, exploit that resulted in the theft of approximately $285 million from the Solana-based decentralized finance (DeFi) exchange. The platform disclosed that the breach was the culmination of a six-month social engineering operation executed by highly resourced threat actors rather than a standard smart contract flaw.

Drift has frozen all remaining protocol functions, removed compromised wallets from its multisig, and flagged the attackers’ addresses across cryptocurrency exchanges and bridge operators. The cybersecurity firm Mandiant has been engaged to conduct a full forensic investigation.

The Six-Month Infiltration

According to the incident background update, the attackers presented themselves as a quantitative trading firm. Beginning in Fall 2025, the group initiated targeted, face-to-face engagements with specific Drift contributors at major cryptocurrency conferences.

The operatives demonstrated technical fluency, provided verifiable professional backgrounds, and displayed a deep understanding of Drift’s operations. Between December 2025 and January 2026, the group onboarded an Ecosystem Vault onto the protocol. They deposited over $1 million of their own capital and participated in multiple working sessions, deliberately building an operational presence and trust within the ecosystem.

Drift noted that the individuals who attended these in-person meetings were not North Korean nationals. The report highlighted that state-sponsored actors operating at this level frequently deploy third-party intermediaries to conduct face-to-face relationship-building and establish legitimacy.

Attack Vectors and Execution

Following a forensic review of affected devices and accounts, Drift outlined the potential intrusion vectors used to compromise the protocol’s multisig signers:

  • One contributor was compromised after cloning a code repository shared by the group under the guise of deploying a frontend for their vault.
  • This vector likely exploited a known vulnerability in the VSCode and Cursor code editors, active between December 2025 and February 2026, that allowed silent arbitrary code execution without any user prompt.
  • A second contributor was manipulated into downloading a malicious TestFlight application framed as a new wallet product.
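The first vector above turns a routine "clone this repo and open it" request into code execution on a signer's machine. The article does not detail the editor vulnerability involved, so the check below is not a detector for it. It is an added example, not Drift's code or Mandiant's tooling, of a simpler hygiene step a contributor can run on a cloned repository before opening it in an editor: it parses VS Code's documented `.vscode/tasks.json` for tasks configured with `runOptions.runOn: "folderOpen"`, and flags any other editor configuration shipped with the repo for manual review. The sample repository is constructed inline; treating a `.cursor` prefix as Cursor-specific configuration is an assumption.

```python
import json
import re
import tempfile
from pathlib import Path

# VS Code's documented task file; tasks marked runOn=folderOpen execute when the
# workspace is opened (subject to the editor's trust prompt, which the article says
# the exploited vulnerability bypassed).
TASK_FILE = ".vscode/tasks.json"
# Other editor files that can change behaviour on open; flagged for manual review.
REVIEW_FILES = (".vscode/settings.json", ".vscode/launch.json", ".vscode/extensions.json")
# Assumption for this example: Cursor keeps project-level rules/config under .cursor*.
REVIEW_PREFIXES = (".cursor",)


def _strip_json_comments(text: str) -> str:
    """tasks.json is JSON-with-comments; drop block and whole-line // comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)


def audit_repo(repo) -> list:
    """Return (kind, relative_path, detail) findings for a cloned repository."""
    repo = Path(repo)
    findings = []

    task_path = repo / TASK_FILE
    if task_path.is_file():
        try:
            data = json.loads(_strip_json_comments(task_path.read_text()))
        except ValueError:
            findings.append(("unparseable", TASK_FILE, "tasks.json could not be parsed; review by hand"))
            data = {}
        for task in data.get("tasks", []):
            run_on = (task.get("runOptions") or {}).get("runOn")
            if run_on == "folderOpen":
                detail = f"task {task.get('label')!r} runs on folder open: {task.get('command', '')}"
                findings.append(("auto_run_task", TASK_FILE, detail))

    for rel in REVIEW_FILES:
        if (repo / rel).is_file():
            findings.append(("review", rel, "editor config shipped with repo; review before opening"))

    for child in sorted(repo.iterdir()):
        if child.name.startswith(REVIEW_PREFIXES):
            findings.append(("review", child.name, "editor-specific config; review before opening"))

    return findings


def build_sample_repo() -> str:
    """Constructed sample: a 'frontend' repo carrying an auto-run task (not a real artifact)."""
    root = Path(tempfile.mkdtemp())
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(
        '{\n'
        '  // constructed sample: looks like harmless project setup\n'
        '  "version": "2.0.0",\n'
        '  "tasks": [\n'
        '    {"label": "setup", "type": "shell",\n'
        '     "command": "npm install && node ./scripts/postinstall.js",\n'
        '     "runOptions": {"runOn": "folderOpen"}}\n'
        '  ]\n'
        '}\n'
    )
    (root / ".vscode" / "settings.json").write_text('{"editor.formatOnSave": true}\n')
    (root / "README.md").write_text("Vault frontend (constructed sample)\n")
    return str(root)


def build_clean_repo() -> str:
    """Constructed control: a repo with no editor configuration at all."""
    root = Path(tempfile.mkdtemp())
    (root / "README.md").write_text("plain repo (constructed sample)\n")
    return str(root)


if __name__ == "__main__":
    for kind, path, detail in audit_repo(build_sample_repo()):
        print(f"[{kind}] {path}: {detail}")
```

Run this against a fresh clone before the editor ever touches it; anything in the `auto_run_task` class means the repository would ask the editor to run a command on open, which is exactly the outcome a signer wants to decide on consciously rather than discover afterwards.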

When the exploit was executed on April 1, the attackers simultaneously scrubbed their Telegram chat histories and removed the malicious software. According to blockchain intelligence firm TRM Labs, the attackers used their compromised access to deploy pre-signed transactions. They listed a manufactured asset, the CarbonVote Token (CVT), as legitimate collateral, allowing them to rapidly drain real assets, including USDC and JLP, from the protocol in minutes.

Attribution to North Korean Hackers

Working alongside the SEAL 911 security team, Drift assesses with medium-high confidence that the operation was carried out by the threat actors responsible for the October 2024 Radiant Capital hack. Mandiant tracks this North Korean state-affiliated group as UNC4736, also known as AppleJeus or Citrine Sleet.

The attribution is based on on-chain fund flows that staged the Drift attack and trace directly back to the Radiant Capital exploit, as well as operational overlaps with known Democratic People’s Republic of Korea (DPRK)-linked activity. Independent blockchain researchers at TRM Labs and Elliptic have also corroborated the DPRK attribution based on the laundering methodologies and network-level indicators observed during the attack.

Drift has urged other ecosystem teams to audit multisig access and contact SEAL 911 immediately if they suspect they have been targeted by a similar operation.


This article is published on BitPinas: Drift Protocol Hack Explained: Six-Month Social Engineering Led to $285M Solana DeFi Exploit



© 2024 trendingai.shop. All rights reserved.