Drift links $280M Solana exploit to months-long North Korea operation

Drift detailed an April 1 exploit that drained about $280 million on Solana and linked it, with medium-high confidence, to DPRK-linked UNC4736 tied to the 2024 Radiant Capital hack.
Drift Protocol released its most detailed account of the April 1 exploit that drained about $280 million from its Solana-based perpetuals exchange, describing a months-long operation and linking it, with medium-high confidence, to UNC4736, a group associated with North Korea and the 2024 Radiant Capital hack.

The team’s update, published Saturday, traces the operation to around fall 2025, when individuals presenting as a quantitative trading firm approached contributors at a major crypto conference to discuss integrating with the protocol. A Telegram group was created at that first meeting, with follow-up, in-person meetings at industry events in several countries.
Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift, completed standard documentation, joined working sessions with contributors, and deposited more than $1 million of their own funds. The onboarding process mirrored how legitimate trading firms typically connect to the exchange, according to the project.
Forensic reviews of affected devices and communications after the hack point to that relationship as the likely intrusion path. Telegram chats and related malware were wiped as the attack began. The preliminary assessment highlights two possible compromise methods: one contributor may have been infected after cloning a code repository shared under the pretense of deploying a vault frontend, and another may have been compromised after installing a beta version of a purported wallet app via Apple’s TestFlight.
For the repository vector, the team flagged a vulnerability affecting VS Code and Cursor that researchers had warned about from December 2025 through February 2026. The flaw allowed silent execution of arbitrary code when a user opened a file, folder, or repository.

The exploit did not involve a smart contract bug. Instead, Drift described a “novel attack involving durable nonces,” a Solana feature that lets users pre-sign transactions for later execution. The attacker appears to have obtained multisig approvals in advance, likely through social engineering or mislabeled transactions, then used those pre-signed authorizations to assume Security Council controls and drain funds within minutes.
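The durable-nonce detail matters to anyone who signs multisig proposals: a transaction built on a durable nonce begins with a System Program AdvanceNonceAccount instruction and carries the stored nonce where an ordinary transaction carries a recent blockhash, so it never expires the way a normal pre-signed transaction does. The following Python is an added example, not code from Drift, SEAL 911 or Mandiant; it parses a legacy Solana message from raw bytes and flags that pattern so a signer can treat such a proposal as a long-lived authorization. All account keys in it are constructed placeholders (including the one standing in for the RecentBlockhashes sysvar), and the serializer exists only to build the sample input.

```python
"""Flag Solana legacy transaction messages that rely on a durable nonce.

A durable-nonce transaction must start with System Program instruction
AdvanceNonceAccount (enum index 4, bincode-encoded as a little-endian u32)
whose accounts are [nonce_account, recent_blockhashes_sysvar, nonce_authority].
Such a transaction does not expire, so a multisig signer reviewing a proposal
should know when a signature they give can be replayed much later.
"""
import struct
from typing import Optional

SYSTEM_PROGRAM_ID = bytes(32)      # base58 "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4          # SystemInstruction variant index
TRANSFER = 2


def encode_compact_u16(n: int) -> bytes:
    """Solana's compact-u16: 7 bits per byte, high bit set means 'more follows'."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def decode_compact_u16(buf: bytes, pos: int):
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def parse_legacy_message(buf: bytes) -> dict:
    """Decode header, account keys, blockhash field and instructions of a legacy message."""
    num_signers, ro_signed, ro_unsigned = buf[0], buf[1], buf[2]
    pos = 3
    n_keys, pos = decode_compact_u16(buf, pos)
    keys = [buf[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash = buf[pos:pos + 32]        # for a nonce tx this holds the stored nonce value
    pos += 32
    n_ix, pos = decode_compact_u16(buf, pos)
    instructions = []
    for _ in range(n_ix):
        prog_idx = buf[pos]
        pos += 1
        n_acc, pos = decode_compact_u16(buf, pos)
        acc_idx = list(buf[pos:pos + n_acc])
        pos += n_acc
        dlen, pos = decode_compact_u16(buf, pos)
        data = buf[pos:pos + dlen]
        pos += dlen
        instructions.append({"program": keys[prog_idx],
                             "accounts": [keys[i] for i in acc_idx],
                             "data": data})
    return {"num_signers": num_signers, "keys": keys,
            "blockhash": blockhash, "instructions": instructions}


def uses_durable_nonce(msg: dict) -> Optional[dict]:
    """Return the nonce account and authority if the message is nonce-backed, else None."""
    if not msg["instructions"]:
        return None
    ix = msg["instructions"][0]
    if ix["program"] != SYSTEM_PROGRAM_ID or len(ix["data"]) < 4:
        return None
    if struct.unpack_from("<I", ix["data"])[0] != ADVANCE_NONCE_ACCOUNT:
        return None
    return {"nonce_account": ix["accounts"][0], "nonce_authority": ix["accounts"][2]}


def build_message(signers, writable, readonly, blockhash, instructions) -> bytes:
    """Serialize a legacy message for the samples; key order is signers, writable, readonly."""
    keys = signers + writable + readonly
    out = bytearray([len(signers), 0, len(readonly)])
    out += encode_compact_u16(len(keys)) + b"".join(keys) + blockhash
    out += encode_compact_u16(len(instructions))
    for prog, accts, data in instructions:
        out.append(keys.index(prog))
        out += encode_compact_u16(len(accts)) + bytes(keys.index(a) for a in accts)
        out += encode_compact_u16(len(data)) + data
    return bytes(out)


# Constructed placeholder keys (not real addresses).
AUTHORITY = bytes([0xA1]) * 32                 # the signer whose approval is being collected
NONCE_ACCOUNT = bytes([0xB2]) * 32
RECENT_BLOCKHASHES_SYSVAR = bytes([0xC3]) * 32  # stands in for the real sysvar key
DESTINATION = bytes([0xD4]) * 32
NONCE_VALUE = bytes([0xE5]) * 32


def nonce_backed_transfer(lamports: int) -> bytes:
    """Constructed sample: AdvanceNonceAccount followed by a transfer."""
    return build_message(
        [AUTHORITY], [NONCE_ACCOUNT, DESTINATION], [RECENT_BLOCKHASHES_SYSVAR, SYSTEM_PROGRAM_ID],
        NONCE_VALUE,
        [(SYSTEM_PROGRAM_ID, [NONCE_ACCOUNT, RECENT_BLOCKHASHES_SYSVAR, AUTHORITY],
          struct.pack("<I", ADVANCE_NONCE_ACCOUNT)),
         (SYSTEM_PROGRAM_ID, [AUTHORITY, DESTINATION], struct.pack("<IQ", TRANSFER, lamports))])


def ordinary_transfer(lamports: int) -> bytes:
    """Constructed sample: a plain transfer tied to a recent blockhash."""
    return build_message(
        [AUTHORITY], [DESTINATION], [SYSTEM_PROGRAM_ID], bytes([0x11]) * 32,
        [(SYSTEM_PROGRAM_ID, [AUTHORITY, DESTINATION], struct.pack("<IQ", TRANSFER, lamports))])


if __name__ == "__main__":
    for name, raw in (("nonce-backed", nonce_backed_transfer(5_000)),
                      ("ordinary", ordinary_transfer(5_000))):
        hit = uses_durable_nonce(parse_legacy_message(raw))
        print(name, "-> durable nonce, does not expire" if hit else "-> expires with blockhash")
```

In practice the check would run over the message bytes a wallet or multisig UI asks you to sign; a hit is not proof of malice, since durable nonces have legitimate uses, but it is the cue to verify the nonce authority and the remaining instructions before approving, because that approval stays valid until the nonce is consumed.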

With support from the SEAL 911 incident-response community, Drift assesses with medium-high confidence that the same state-linked actors behind the $50 million Radiant Capital attack in October 2024 executed this operation. That earlier incident has been attributed by Mandiant to UNC4736, also known as AppleJeus or Citrine Sleet. Drift engaged Mandiant to lead the forensic investigation. Formal attribution for the Drift exploit remains pending until device forensics are complete.
The assessment rests on on-chain and operational overlaps. Fund flows used to prepare and test the April 1 attack trace back to entities tied to the Radiant incident, and the personas in this campaign share characteristics with documented DPRK-linked activity. The individuals who met Drift contributors at conferences were not North Korean nationals. According to the update, groups operating at this level often use third-party intermediaries for relationship building, and the profiles presented during the campaign included full work histories, public credentials, and professional networks designed to pass counterparty checks.
After the exploit, remaining protocol functions were frozen, compromised wallets were removed from the multisig, and attacker addresses were flagged with exchanges and bridge operators. On-chain analyst ZachXBT criticized stablecoin issuer Circle for what he characterized as a slow response, alleging the attacker bridged about 232 million USDC from Solana to Ethereum via CCTP over six hours without freezes.

The incident is the largest DeFi hack reported in 2026 to date and the second-largest security event in Solana’s history, after the $325 million Wormhole bridge breach in 2022.
Drift credited independent researchers and SEAL 911 members Taylor Monahan, tanuki42_, pcaversaccio, and Nick Bax with assisting in identifying the actors, and urged projects that suspect similar targeting to contact SEAL 911.
“For real though – this is the most elaborate and targeted attack I think I’ve seen perpetrated by DPRK in the crypto space,” researcher tanuki42_ wrote on X, adding that other protocols may have been approached using similar methods.