Drift Protocol, a decentralized derivatives exchange built on the Solana blockchain, has disclosed that its platform was compromised in April 2026 through a lengthy infiltration attributed to a North Korean-linked hacking group. The team’s detailed account describes how attackers posed as legitimate quantitative traders to earn trust and gradually access internal systems before executing the $285 million exploit.
The infiltration and setup
The operation began at a major crypto industry conference in the fall of 2025, where Drift contributors first met a group representing themselves as a quantitative trading firm. Over six months, these individuals established themselves as credible technical partners, engaging in extensive conversations about trading strategies and vault development via Telegram and in-person meetings across several countries.
By December 2025, the group had onboarded an Ecosystem Vault to Drift’s platform and deposited more than $1 million, further deepening their integration by participating in multiple working sessions. Relationships between Drift’s contributors and the group grew stronger, making the infiltration increasingly difficult to detect.
As the attackers gained access and influence, they positioned themselves to exploit Drift’s systems. On April 1, 2026, communications with the group abruptly ceased, their Telegram accounts were deleted, and a sophisticated attack was launched, draining $285 million from the protocol.
Drift Protocol is an open-source, decentralized derivatives exchange aiming to offer low-cost trading and innovative DeFi products to users in the Solana ecosystem. Since its inception, it has garnered recognition for active community engagement and technical development within DeFi.
Technical attack and forensic findings
Investigators identified multiple points of compromise. One attack vector was traced to a code repository shared for vault frontend deployment; when cloned, it may have leveraged a vulnerability in the VSCode and Cursor editors that had been flagged within the cybersecurity community since late 2025. That vulnerability enabled arbitrary code execution without any user prompt.
Another entry point involved a Drift contributor being persuaded to install a TestFlight application described as a crypto wallet, which could have given the attackers further access. Analysis of the compromised hardware remains ongoing as Drift continues its investigation.
Attribution work, supported by security firm Mandiant and the SEAL 911 team, links the perpetrators with medium-high confidence to UNC4736, a North Korean state-affiliated group previously known for the Radiant Capital hack in October 2024. Fund movements and operational patterns showed substantial overlap with prior campaigns attributed to North Korean cyber actors, though the individuals involved in person were not North Korean nationals but were likely third-party intermediaries.
Mandiant has not issued a formal public attribution regarding the Drift Protocol exploit. Forensic work continues, and further updates are expected as more evidence emerges.
Industry response and heightened vigilance
In response to the breach, Drift Protocol immediately froze all remaining platform functions, removed the compromised wallets from its multisig structure, and flagged the attacker accounts with exchanges and bridge operators. Collaboration with Mandiant and SEAL 911 is ongoing to support the investigation and contain further risk.
Several independent security researchers, including @armaniferrante, reacted to the detailed disclosure by urging other crypto teams to suspend operations temporarily and run thorough security checks.
He stressed the necessity for “custody, risk, access control and dependency audits” across DeFi projects, regardless of pressure from investors or token holders.
Members of the security community such as @tayvano_, @tanuki42_, @pcaversaccio, and @bax1337 received public acknowledgment from Drift for their contributions in tracking the threat actors. Drift also encouraged any projects facing similar threats to contact SEAL 911 for coordination and support as investigations progress.