A sophisticated, six-month intelligence operation, not a simple smart contract bug, led to one of the largest thefts in the history of decentralized finance.

Solana-based decentralized exchange Drift Protocol lost approximately $280 million in a security breach on April 1, which the project now attributes to a highly coordinated, six-month social engineering campaign by actors with suspected links to North Korea.
"The preliminary investigation shows that Drift experienced a structured intelligence operation requiring organizational backing, significant resources, and months of deliberate preparation," the Drift team said in a statement on Saturday.
The attack drained over 50 percent of the protocol's total value locked (TVL), with attackers stealing assets including USDC, Solana, and wrapped Bitcoin. In the immediate aftermath, the platform's native DRIFT token plunged more than 90 percent from its all-time high to as low as $0.041, according to CoinGecko data.
The exploit exposes a critical vulnerability in the DeFi sector beyond smart contract code, highlighting organized operational security threats from state-sponsored groups. The incident's impact was magnified by allegations from on-chain analysts that stablecoin issuer Circle failed to intervene, allowing the attackers to move over $230 million in stolen USDC from Solana to Ethereum.
According to Drift, the operation began around October 2025 when individuals posing as a quantitative trading firm initiated contact with Drift contributors at a major crypto conference. Over the next six months, the group built trust through in-person meetings at multiple industry events.
Drift stated the individuals were "technically fluent, had verifiable professional backgrounds, and were familiar with how Drift operated." After establishing this trust, they allegedly used shared malicious links and tools to compromise contributors' devices. This access allowed them to exploit administrative permissions and use a Solana feature known as durable nonces to pre-sign and execute a rapid series of withdrawals, draining user vaults in minutes.
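Because a Solana durable-nonce transaction must begin with a System program AdvanceNonceAccount instruction, a defender can single out pre-signed transactions in a transaction feed and alert whenever one carries an administrative signature. The following detection logic is an added example and not Drift's or Solana Labs' code; it assumes input shaped like the RPC getTransaction response with "json" encoding, the account keys are placeholders, and the sample transactions are constructed.

```python
import struct

SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4  # SystemInstruction discriminant, little-endian u32
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + raw  # leading '1' = zero byte

def is_durable_nonce_tx(msg: dict) -> bool:
    # A durable-nonce tx must start with System::AdvanceNonceAccount.
    ix = msg["instructions"][:1]
    if not ix or msg["accountKeys"][ix[0]["programIdIndex"]] != SYSTEM_PROGRAM:
        return False
    data = b58decode(ix[0]["data"])
    return len(data) >= 4 and struct.unpack("<I", data[:4])[0] == ADVANCE_NONCE_ACCOUNT

def flag_presigned_admin_txs(txs: list, admin_keys: set) -> list:
    # Alert on every durable-nonce tx carrying a monitored admin signature.
    alerts = []
    for tx in txs:
        msg = tx["transaction"]["message"]
        if not is_durable_nonce_tx(msg):
            continue
        keys = msg["accountKeys"]
        hit = sorted(set(keys[: msg["header"]["numRequiredSignatures"]]) & admin_keys)
        if hit:  # account order in AdvanceNonceAccount: nonce, sysvar, authority
            alerts.append({"sig": tx["transaction"]["signatures"][0],
                           "nonce_authority": keys[msg["instructions"][0]["accounts"][2]],
                           "admin_signers": hit})
    return alerts

# Constructed sample shaped like getTransaction(encoding="json"); keys are placeholders.
ADMIN = "AdminKeyPLACEHOLDER"
SAMPLE_TXS = [
    {"transaction": {"signatures": ["sigDurable"], "message": {
        "header": {"numRequiredSignatures": 1},
        "accountKeys": [ADMIN, "NonceAcctPLACEHOLDER", "SysvarRecentB1ockHashes11111111111111111111",
                        SYSTEM_PROGRAM, "VaultProgramPLACEHOLDER"],
        "instructions": [{"programIdIndex": 3, "accounts": [1, 2, 0], "data": "6vx8P"},
                         {"programIdIndex": 4, "accounts": [0], "data": "3Bxs"}]}}},
    {"transaction": {"signatures": ["sigNormal"], "message": {
        "header": {"numRequiredSignatures": 1},
        "accountKeys": [ADMIN, "VaultProgramPLACEHOLDER"],
        "instructions": [{"programIdIndex": 1, "accounts": [0], "data": "3Bxs"}]}}},
]
```

In practice the same check belongs in the signing path as well: an admin signer that refuses durable-nonce messages cannot be tricked into pre-signing a withdrawal for later replay.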
With "medium-high confidence," Drift and security analysts have linked the attack to the same group behind the October 2024 hack of Radiant Capital, which also involved social engineering and malware.
The fallout extended beyond Drift, placing USDC issuer Circle in the spotlight. On-chain investigator ZachXBT alleged that Circle had a roughly six-hour window to freeze more than $230 million in stolen USDC as the attacker bridged the funds from Solana to Ethereum using Circle’s own Cross-Chain Transfer Protocol (CCTP).
The funds were moved across more than 100 separate transactions during normal business hours. Critics noted that Circle has previously frozen approximately $110 million in assets for compliance and law enforcement reasons, questioning why it did not act during an active, large-scale theft. Circle has not publicly detailed its reasoning for the apparent inaction. The incident raises significant questions about the role and responsibilities of centralized stablecoin issuers in preventing the movement of illicit funds.
Drift has since suspended all protocol activity and initiated on-chain messages to the attacker's wallets in an attempt to negotiate the return of funds.
This article is for informational purposes only and does not constitute investment advice.