The Drift hack turned out not to be a one-off attack, but a long-term operation involving offline contacts, fake personas, and targeted approaches to protocol employees. Preparation took about six months, and the damage amounted to approximately $280 million. The project links the attack to the same entities behind the Radiant Capital hack in 2024.
The Operation Began With Conferences
The first contacts occurred in the fall of 2025. People presenting themselves as a quantitative trading company met ecosystem participants at a conference, created a Telegram group, and continued communication at other events in different countries.
The scheme looked convincing. In December 2025 and January 2026, this group connected their own vault to the Drift ecosystem, went through standard work sessions, and contributed more than $1 million in capital. From the outside, it looked like a regular integration.
Two Likely Infection Vectors
After the attack, the team analyzed devices and communications. Two main scenarios are being considered.
The first is related to the code repository. One of the participants could have infected their device after cloning a project that was presented as an interface. The second scenario involves installing a test version of an app via TestFlight, which was presented as a wallet.
Separately, the team notes a vulnerability in code editors that was publicly warned about at the end of 2025: in some cases, simply opening a file or folder could execute malicious code without notifying the user.
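Both of the vectors above amount to the same thing: a repository or project that does something the moment it is opened. One habit that helps is to inspect a freshly cloned directory for editor auto-run hooks before opening it in any editor. The scanner below is an added example, not Drift's tooling and not related to the editor bug the article refers to; it looks only for the VS Code-style `.vscode/tasks.json` entry `"runOptions": {"runOn": "folderOpen"}`, and the sample repository it builds is constructed for the demonstration.

```python
"""Pre-open check for a cloned repository (added example; not Drift's code).

Editors in the VS Code family can run a task automatically when a folder is
opened if a task in .vscode/tasks.json carries
    "runOptions": {"runOn": "folderOpen"}.
Whether the editor asks before running it depends on its workspace-trust
settings, so the safe habit is to list such tasks before the editor ever
sees the folder. This scanner does exactly that.
"""
import json
import os
import re
import tempfile

TASKS_PATH = os.path.join(".vscode", "tasks.json")


def _strip_jsonc(text: str) -> str:
    """tasks.json is JSON-with-comments; drop // and /* */ comments and
    trailing commas. Good enough for a pre-open check, not a full JSONC parser."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return text


def find_autorun_tasks(repo_root: str) -> list:
    """Return every task configured to run on folder open, together with the
    command it would execute, so a reviewer can judge it before opening."""
    path = os.path.join(repo_root, TASKS_PATH)
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8") as fh:
        data = json.loads(_strip_jsonc(fh.read()))
    findings = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            findings.append({
                "label": task.get("label"),
                "type": task.get("type"),
                "command": task.get("command"),
                "args": task.get("args", []),
            })
    return findings


# Constructed sample repository: one task fires on folder open, one does not.
SAMPLE_TASKS_JSON = """{
  // constructed sample: the first task runs as soon as the folder is opened
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "echo",
      "args": ["placeholder: a real dropper would run here"],
      "runOptions": { "runOn": "folderOpen" }
    },
    {
      "label": "test",
      "type": "shell",
      "command": "echo tests"
    }
  ]
}
"""


def demo_scan() -> list:
    """Write the constructed sample into a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="clone-check-")
    os.makedirs(os.path.join(root, ".vscode"))
    with open(os.path.join(root, TASKS_PATH), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_TASKS_JSON)
    return find_autorun_tasks(root)


if __name__ == "__main__":
    for hit in demo_scan():
        print(f"auto-run task {hit['label']!r}: {hit['command']} {hit['args']}")
```

Run it against a real clone with `find_autorun_tasks("/path/to/clone")`; an empty list does not prove the repository is clean (build scripts, install hooks and the editor bug itself are out of scope here), but a non-empty one is a reason to read the task before opening the folder.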
The Error Was Not in the Code
Drift emphasizes a key point. The hack was not related to a smart contract bug.
The attack used the network’s delayed transaction mechanism. The attackers obtained multisig approvals in advance, likely through operation misrepresentation or social engineering. After that, they quickly gained administrative access and withdrew funds.
This changes the perception of risk. Even correct code does not protect if people and processes are compromised.
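The mechanism the article describes, a queued operation that executes after a delay once enough signers have approved it, is easiest to reason about in a small model. The code below is an added illustration, not Drift's or Solana's code; the instruction names, key material and timings are assumptions. It shows two defender-side checks that the incident motivates: an approval is counted only if it was signed over the digest of the exact payload that will execute, so approvals gathered against a misrepresented operation do not transfer to the real one, and approvals expire, so signatures collected well in advance cannot be banked; a monitor also surfaces any queued operation that changes protocol authority while it is still in its delay window.

```python
"""Toy model of a delayed (timelocked) multisig queue. Added example; not
Drift's or Solana's code. Instruction names, keys and timings are assumed."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

DELAY = 24 * 3600             # seconds a proposal must wait before execution
MAX_APPROVAL_AGE = 6 * 3600   # approvals older than this are not counted
PRIVILEGED_INSTRUCTIONS = {"set_admin", "transfer_authority"}  # assumed names

# Constructed signer keys; a real deployment uses asymmetric signatures.
SIGNER_KEYS = {"alice": b"k1", "bob": b"k2", "carol": b"k3"}


def payload_digest(payload: dict) -> str:
    """Canonical serialization so every signer hashes the same bytes."""
    raw = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


@dataclass
class Approval:
    signer: str
    digest: str      # digest of the payload the signer actually reviewed
    signed_at: int
    mac: str


@dataclass
class Proposal:
    pid: int
    payload: dict    # what will really execute
    created_at: int
    approvals: list = field(default_factory=list)

    @property
    def execute_after(self) -> int:
        return self.created_at + DELAY


def sign(signer: str, pid: int, payload_seen: dict, now: int) -> Approval:
    """A signer signs the digest of the payload they were shown, never a label."""
    digest = payload_digest(payload_seen)
    msg = f"{pid}:{digest}:{now}".encode()
    mac = hmac.new(SIGNER_KEYS[signer], msg, hashlib.sha256).hexdigest()
    return Approval(signer, digest, now, mac)


def valid_approvals(p: Proposal, now: int) -> list:
    """Signers whose approval is authentic, bound to the real payload, and fresh."""
    real = payload_digest(p.payload)
    good = set()
    for a in p.approvals:
        msg = f"{p.pid}:{a.digest}:{a.signed_at}".encode()
        expected = hmac.new(SIGNER_KEYS[a.signer], msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a.mac):
            continue                     # forged or tampered
        if a.digest != real:
            continue                     # approved a different (misrepresented) operation
        if now - a.signed_at > MAX_APPROVAL_AGE:
            continue                     # collected too far in advance
        good.add(a.signer)
    return sorted(good)


def can_execute(p: Proposal, now: int, threshold: int) -> bool:
    return now >= p.execute_after and len(valid_approvals(p, now)) >= threshold


def review_flags(p: Proposal) -> list:
    """Alerts a monitor should raise while the proposal sits in its delay window."""
    flags = []
    if p.payload.get("instruction") in PRIVILEGED_INSTRUCTIONS:
        flags.append("privileged: changes protocol authority")
    return flags


def demo() -> dict:
    """Constructed scenario: two signers approve a benign-looking oracle update,
    but the queued payload actually hands admin authority to a new key."""
    t0 = 1_700_000_000
    shown = {"instruction": "update_oracle", "program": "PLACEHOLDER_PROGRAM"}
    real = {"instruction": "set_admin", "new_admin": "PLACEHOLDER_NEW_KEY"}
    p = Proposal(pid=7, payload=real, created_at=t0)
    # approvals harvested in advance against the misrepresented description
    p.approvals += [sign("alice", 7, shown, t0), sign("bob", 7, shown, t0)]
    # one signer reviewed the real payload, but a full day before execution
    p.approvals.append(sign("carol", 7, real, t0))
    at_delay = t0 + DELAY
    result = {
        "flags": review_flags(p),
        "counted_at_delay": valid_approvals(p, at_delay),
        "executes": can_execute(p, at_delay, threshold=2),
    }
    # only fresh approvals over the real payload, made after review, can execute it
    p.approvals += [sign("alice", 7, real, at_delay - 600),
                    sign("carol", 7, real, at_delay - 600)]
    result["executes_after_review"] = can_execute(p, at_delay, threshold=2)
    return result


if __name__ == "__main__":
    print(demo())
```

The model makes the narrative concrete: the two advance approvals never count against the real payload because their digests differ, the early approval over the real payload ages out before the delay elapses, and the proposal is flagged as privileged from the moment it is queued. What the model cannot do is stop a signer who is shown the real payload and approves it anyway; that is the people-and-process layer the article is pointing at.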
Why Suspicion Again Leads to North Korea
The project points to overlaps with the Radiant Capital attack. The behavior models, fund movements, and personas used are similar.
However, the individuals who personally attended meetings were not North Korean citizens. According to Drift, intermediaries with real profiles and histories are used at this level, capable of passing partner checks.
What Is Happening With the Protocol Now
After the attack, Drift froze protocol functions, removed compromised wallets from the multisig, and handed over the attackers’ addresses to exchanges.
The speed of fund movement drew particular attention. Over $200 million in stablecoins was transferred between networks within a few hours without being blocked.
This incident has already become the largest in DeFi in 2026 and the second largest in Solana’s history.
Why This Matters for the Market
The Drift story shows a shift in attack models. It’s no longer just about code.
Attackers build trust, work through conferences, chats, and real-life meetings. They embed themselves in processes and wait for the moment when signatures are obtained.
This raises security requirements. Now, not only the protocol, but also people, devices, and work tools need protection.
What’s Next?
For Drift, the next stage is completing the analysis and attempting to trace assets. For the market, the conclusion is broader. Smart contract audits are no longer enough. Processes, access, and the human factor are now in focus.
If the connection to North Korean entities is confirmed, the industry will have to reconsider its approach to security, including how business relationships are built within the sector.