Solana-based decentralized exchange Drift Protocol suffered a major security breach last week, resulting in losses exceeding $280 million. After detecting suspicious activity on April 1, the platform confirmed that attackers had hijacked the administrative privileges of its 'Security Council' and drained user assets in just 12 minutes.
A Long-Term Infiltration Under False Pretenses
In its investigative report, Drift Protocol noted that the attack was not a spontaneous event, but the culmination of at least six months of preparation. The hackers posed as a quantitative trading firm, meeting with Drift contributors in person at various crypto industry conferences around the world.
'We now understand that this was a targeted infiltration,' Drift stated. 'Over the following six months, members of this group deliberately sought out and engaged with specific Drift contributors at major industry conferences globally.'
The hackers maintained close contact with their targets via Telegram, discussing trading strategies and treasury integrations. Because the group showed a high level of technical expertise and familiarity with Drift's operational mechanics, these interactions looked like ordinary business dealings between a trading firm and a platform. The Telegram group in question was reportedly dissolved immediately after the theft occurred.
Investigations by blockchain intelligence firms Elliptic and TRM Labs indicate that the attack bears the hallmarks of North Korean state-linked hacking groups. Drift has concluded with medium-to-high confidence that the attackers are linked to UNC4736, also tracked as AppleJeus or Labyrinth Chollima. Mandiant has previously tied this group to the Lazarus Group, the 2023 3CX supply chain attack, and the $50 million theft from the Radiant platform in 2024.
Although the masterminds are believed to be North Korean, Drift noted that the individuals who met contributors in person were non-Korean intermediaries rather than members of the group itself.
Currently, all functions on Drift Protocol remain frozen, and the compromised signer wallets have been removed from the multi-signature setup. The platform has shared the wallet addresses used by the attackers with exchanges and cross-chain bridge operators in an effort to intercept the stolen funds. The investigation is ongoing. The platform currently suspects that the attackers obtained key contributors' credentials through one of two routes: a shared malicious code repository, possibly exploiting a VSCode or Cursor vulnerability, or a malicious TestFlight application disguised as a wallet product. Both are initial-access vectors that bypass the multisig itself and instead target the people and devices holding signer keys.