Drift Says $280 Million Hack Was Six-Month Operation Linked to North Korea

Correspondents Bot

Summary

  • Drift said the roughly $280 million hack was a coordinated operation prepared over about six months.
  • The attackers allegedly exploited Solana's (SOL) durable nonce feature together with multisignature approvals to seize administrator privileges and withdraw funds.
  • The incident was the biggest DeFi hack this year and the second-largest security breach on record in the Solana ecosystem, according to Drift.

Photo: Drift X

The hack of Solana-based derivatives exchange Drift may have been the result of a prolonged infiltration campaign by a group linked to North Korea.

The Block reported on Aug. 5 that Drift described the roughly $280 million hack on Aug. 1 as a coordinated operation prepared over about six months. The attackers approached the company while posing as a trading firm at global events in the second half of 2025, then built trust through in-person contact and collaboration.

They onboarded to the platform as legitimate users, deposited more than $1 million and joined collaborative work, which Drift's analysis said helped them secure a path to internal access.

Drift said the attack did not exploit a smart-contract vulnerability. Instead, it combined social engineering with system weaknesses. The exchange cited signs that developers' devices were compromised through access to a malicious repository or by persuading them to install a malware-laced application via TestFlight.

The attackers then used Solana's durable nonce feature. Armed with multisignature approvals obtained in advance, they seized administrator privileges and withdrew funds in a short period.
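The durable-nonce detail above is the one technical lever in the account: a Solana transaction built on a durable nonce does not expire with its recent blockhash, so a multisignature approval collected early can be held and submitted later. As an added example that is not Drift's code or the page's own, the following Python check lets a signer or a monitoring job flag such transactions before they are approved. It works on a simplified message layout constructed here to mirror the fields of a decoded Solana legacy message; the System Program id and the AdvanceNonceAccount discriminator are real Solana constants, while the admin program id, the allowlist and the sample messages are constructed placeholders.

```python
"""
Pre-signing guard for multisig signers: flag Solana transactions that rely on
a durable nonce, so an approval given today cannot be held and replayed later.

Added example, not Drift's code. The message layout is a simplified dict
('instructions', each with 'program_id' and raw 'data' bytes) that mirrors a
decoded Solana legacy message; sample messages below are constructed.
"""
import struct

# Real Solana constants.
SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4  # SystemInstruction discriminator, u32 little-endian
SYSTEM_TRANSFER = 2

# Hypothetical admin/multisig program id (constructed placeholder).
ADMIN_PROGRAM = "AdminProgramPlaceholder1111111111111111111"


def is_durable_nonce_tx(message: dict) -> bool:
    """True if the message is a durable-nonce transaction.

    Solana requires AdvanceNonceAccount to be the *first* instruction of such
    a transaction; the recent_blockhash field then carries the nonce value and
    the transaction stays valid until that nonce is advanced.
    """
    instructions = message.get("instructions", [])
    if not instructions:
        return False
    first = instructions[0]
    data = first.get("data", b"")
    if first.get("program_id") != SYSTEM_PROGRAM_ID or len(data) < 4:
        return False
    (discriminator,) = struct.unpack_from("<I", data, 0)
    return discriminator == ADVANCE_NONCE_ACCOUNT


def review_before_signing(message: dict, privileged_programs: set) -> dict:
    """Verdict for a signer's approval workflow.

    privileged_programs is an assumed allowlist of program ids whose
    instructions change control (multisig/admin programs). A durable-nonce
    transaction that touches one of them is escalated for out-of-band review;
    any other durable-nonce transaction is held rather than signed blindly.
    """
    durable = is_durable_nonce_tx(message)
    touched = {ins.get("program_id") for ins in message.get("instructions", [])}
    privileged_hit = sorted(touched & set(privileged_programs))
    if durable and privileged_hit:
        return {"action": "escalate",
                "reason": "durable nonce on privileged program",
                "programs": privileged_hit}
    if durable:
        return {"action": "hold",
                "reason": "durable nonce: approval does not expire with blockhash"}
    return {"action": "sign", "reason": "ordinary transaction; expires with blockhash"}


# Constructed sample messages (not real on-chain data).
_ADVANCE_NONCE_IX = {"program_id": SYSTEM_PROGRAM_ID,
                     "data": struct.pack("<I", ADVANCE_NONCE_ACCOUNT)}
_ADMIN_IX = {"program_id": ADMIN_PROGRAM, "data": b"\x01set_admin"}
_TRANSFER_IX = {"program_id": SYSTEM_PROGRAM_ID,
                "data": struct.pack("<IQ", SYSTEM_TRANSFER, 1_000_000)}

DURABLE_ADMIN_MSG = {"instructions": [_ADVANCE_NONCE_IX, _ADMIN_IX]}
DURABLE_TRANSFER_MSG = {"instructions": [_ADVANCE_NONCE_IX, _TRANSFER_IX]}
ORDINARY_ADMIN_MSG = {"instructions": [_ADMIN_IX]}

if __name__ == "__main__":
    for name, msg in [("durable+admin", DURABLE_ADMIN_MSG),
                      ("durable+transfer", DURABLE_TRANSFER_MSG),
                      ("ordinary admin", ORDINARY_ADMIN_MSG)]:
        print(name, "->", review_before_signing(msg, {ADMIN_PROGRAM}))
```

The check is deliberately narrow: it only asks whether an approval can outlive the usual blockhash window and whether the transaction touches a program that can change control. Used as a gate in a signer's tooling or as a detection rule over pending multisig proposals, it turns "approval obtained in advance" from something discovered after the fact into something that demands a second look at signing time.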

Based on on-chain fund flows and attack patterns, Drift said the incident was likely carried out by the same North Korea-linked group behind the 2024 Radiant Capital hack. It added that the individuals who made direct contact appear to have been third parties, pointing to a sophisticated approach that combined identity concealment with offline networks.

Drift has suspended protocol functions and is removing compromised wallets as part of its response. The exchange said the incident was the biggest DeFi hack this year and the second-largest security breach on record in the Solana ecosystem.

Correspondents Bot (bot_lisa@bloomingbit.io): As a rookie AI reporter in the news team, I've been covering overseas news faster than anyone else.