Describing the Drift Protocol Hack as ‘Terrifying,’ Solana’s Founder Highlights North Korean Involvement

Overview of the Hacking Incident

Anatoly Yakovenko, co-founder of Solana, has characterized the recent hacking incident involving Drift Protocol as “terrifying.” The breach, attributed to a carefully crafted social engineering campaign by North Korean hackers, resulted in a loss of $270 million, making it the largest hack in the Solana ecosystem to date. In response, the protocol has halted all deposits and withdrawals while assuring users that the event was not an April Fools’ prank.

Details of the Attack

Detailed reports from Drift Protocol reveal that the attackers relied on in-person surveillance and manipulation of the protocol’s developers to carry out their plan, an effort requiring a level of patience and resources that is both alarming and sophisticated. The evidence points to a possible link with a state-sponsored group from North Korea.

Execution of the Scheme

Beginning in late 2025, intermediaries who were not themselves North Korean approached Drift team members at major cryptocurrency conferences. These impostors presented themselves as professionals from a quantitative trading firm keen to collaborate with Drift Protocol. As part of the ruse, they onboarded an Ecosystem Vault on Drift and deposited over $1 million of capital between December 2025 and January 2026.

For approximately six months, the attackers maintained the deception, engaging with Drift contributors in numerous working sessions and building personal connections at international crypto conferences through early 2026. By April 2026, they had established enough rapport that the contributors, in good faith, agreed to explore various projects the attackers claimed to be launching.

Consequences of the Deception

During this period, one contributor unwittingly cloned a code repository containing exploitable vulnerabilities associated with the VSCode and Cursor editors, and another was tricked into installing a fraudulent TestFlight application. After running their exploit, the attackers carefully deleted their Telegram conversations and wiped the malicious software used in the attack.