Drift details how suspected North Korean attackers stole $270M posing as a quant trading firm in a 6+ month operation with in-person meetings and a $1M+ deposit
Attackers posed as a trading firm, met Drift contributors in person across multiple countries, deposited $1 million of their own capital …
CoinDesk · Shaurya Malwa
Related Coverage
- Drift links $280 million exploit to six-month social engineering op run by suspected North Korean actors The Block · Zack Abrams
- Drift Hack Update: Protocol Shares Latest Security Update On April 1 Exploit CoinGape
- Drift Protocol $280M exploit took ‘months of deliberate preparation’ Cointelegraph · Ciaran Lyons
- Drift links $280M hack to radiant attackers crypto.news · Olivia Stephanie
- ‘We Are Ready to Speak’: Drift Beckons North Korea-Linked Hackers Following $285M Exploit Decrypt · André Beganski
- Drift Protocol Hack: How a North Korean Group Spent Six Months Infiltrating a DeFi Protocol Blockonomi · Brenda Mary
- ‘We Are Ready to Speak’: Drift Beckons North Korea-Linked Hackers Following $285M Exploit Yahoo Finance · Eth-Usd
- Solana Drift Protocol drained of $285M via fake token and governance hijack Hacker News
Discussion
- @driftprotocol on X: Drift Protocol — Incident Background Update
- @coindesk on X: ANALYSIS 🧵: The $270M Drift Protocol hack was a six-month North Korean intelligence operation. Attackers posed as a quant trading firm, met contributors in person at conferences across multiple countries, and deposited $1M of their own capital before executing the drain.
- @laurashin (Laura Shin) on X: Covering crypto as a journalist is like living in a Hollywood movie ... I only wish this were fiction
- @coindesk on X: The compromise came through two vectors: → A malicious TestFlight app presented as their wallet product → A known VSCode/Cursor vulnerability where opening a file silently executes arbitrary code — flagged by the security community since late 2025
- @coindesk on X: Once devices were compromised, attackers obtained two multisig approvals. Those pre-signed transactions sat dormant for more than a week. On April 1, they drained $270M from Drift's vaults in under a minute.
- @omeragoldberg (Omer Goldberg) on X: Diving deep on Drift's exploit w/ @laurashin on @Unchained_pod. This exploit was methodical and calculated. The exploiters spent time studying Drift deeply. The game of security/risk is asymmetric: You only need to be wrong once for it to be over.
- @coindesk on X: The uncomfortable question the Drift exploit is now asking the industry: If attackers are willing to spend six months and $1M building a legitimate presence, meet your team in person, and wait — what security model catches that? Drift warns the attack exposes deep weaknesses in
- @laurashin (Laura Shin) on X: Another week, another DeFi exploit 🫠 @omeragoldberg joined me to unpack the Drift Protocol hack: ⁉️ What went wrong? 👀 How the attack resembles the Mango DAO and Resolv exploits 🤔 Why was Circle so slow to react? ⚠️Are North Korean state actors behind the attack? [video]
- @toly on X: Terrifying
- @armaniferrante (Armani Ferrante) on X: I'll probably get attacked for saying this, but every team in crypto should use this as an opportunity to slow down and focus on security. If possible, dedicate an entire team to it. I know how hard it is. There's an enormous amount of pressure to grow at all costs. Your
- @joshkale (Josh Kale) on X: This story is insane. North Korea stole $285 million from a crypto protocol in 12 minutes. But the operation started 6 months ago with real life spies. It reads like a thriller: A group posing as a quant trading firm approached Drift Protocol contributors at a crypto conference […
- @givnerariel (Ariel Givner) on X: The more I sit on this, the more I can't help but think we're dealing with a civil negligence issue. Sorry for how long this rant will be in advance, but I'm just so angry. Drift Protocol was handling hundreds of millions in user money. They knew crypto is full of hackers -
- @jacobvcreech (Jacob Creech) on X: Don't trust anyone Don't install apps Have dedicated devices for signing The game has changed Review your security practices and verify they fulfill your needs
- @ashcrypto on X: THIS IS INSANE.🤯 North Korea stole $285 million in 12 minutes. Drift is the biggest trading platform on Solana. The code was fine. Two audits found nothing wrong. North Korea didn't touch the code. They went after the people. They made a fake token called CarbonVote. Put in [imag…
- @nicrypto (Nic) on X: So, let me get this straight. The $280m Drift hack took six months of: - Attending crypto conferences. - Meeting the team in person. Multiple times. - Depositing $1M of their own capital to build trust. - Sharing a GitHub link. The biggest DeFi exploit of the year started at a
- @gauthamzzz on X: north korea deposited $1M into drift, attended conferences for 6 months, and built real relationships with the team. the most dangerous hackers don't look like hackers.
- @mert on X: pretty crazy if true tl:dr - hackers casually gained trust via irl conference meet, setup tg channel and became a customer, started building integrations over 6 months and then got one person with a testflight link to show off what they built
- @vibhu on X: The underlying lessons here: Keep your wallets away from your work laptop and phone Dedicated device for signing, maybe running on a cellular connection Trust nobody
- @tayvano_ (Tay) on X: I beg everyone in crypto to read this in full. I expected this to be another case of social engineering, likely some recruiter/job offer shit. I was very wrong. And the depth of the operation and personas makes me think they already have multiple other teams on lock. 😳