Drift says the multi-million-dollar hack was the result of a months-long social-engineering campaign likely tied to DPRK, not a smart contract failure.
Drift, one of the biggest decentralized perpetual exchanges on Solana, said in a post-mortem on April 5 that the April 1 attack drained about $285 million and was not just a bug in its code.
The team says the operation involved individuals posing as a “quantitative trading firm,” who met Drift contributors at a conference in Fall 2025. They also chatted on Telegram and built trust through a live vault integration.
On top of that, they even deposited over $1 million of capital into Drift before the theft happened. The post-mortem reads:
“It is now understood that this appears to be a targeted approach, where individuals from this group continued to deliberately seek out and engage specific Drift contributors, in person, at multiple major industry conferences in multiple countries over the following six months.”
The Drift team emphasized that the individuals who appeared in person “were not North Korean nationals,” implying they were just intermediaries somehow hired by DPRK.
How Drift Was Hacked
Drift says the suspected entry points included a fake code repository and a fake wallet app for Apple’s TestFlight app-testing system. The attackers also relied on tools like VSCode and Cursor, where opening a project could run code without any warning.
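An added example, not from Drift's post-mortem or this article: a pre-open check of a cloned repository, assuming the silent execution comes from a VS Code-style task set to `runOptions.runOn: "folderOpen"` in `.vscode/tasks.json` (the article does not name the mechanism). The repository name and task contents are constructed.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample: one ordinary task and one that runs when the folder is opened.
CONSTRUCTED_TASKS = json.dumps({
    "version": "2.0.0",
    "tasks": [
        {"label": "build", "type": "shell", "command": "npm run build"},
        {"label": "prepare", "type": "shell", "command": "node scripts/setup.js",
         "runOptions": {"runOn": "folderOpen"}},
    ],
})

def find_autorun_tasks(repo_root):
    """Return sorted (file, label, command) tuples for tasks that run on folder open."""
    root = Path(repo_root)
    findings = []
    for path in root.rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        rel = path.relative_to(root).as_posix()
        try:
            doc = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            # tasks.json may carry comments (JSONC); flag it instead of guessing.
            findings.append((rel, "<unparsed>", "manual review needed"))
            continue
        tasks = doc.get("tasks") if isinstance(doc, dict) else None
        for task in tasks if isinstance(tasks, list) else []:
            if not isinstance(task, dict):
                continue
            options = task.get("runOptions")
            if isinstance(options, dict) and options.get("runOn") == "folderOpen":
                findings.append((rel, str(task.get("label", "<unlabelled>")),
                                 str(task.get("command", ""))))
    return sorted(findings)

def scan_constructed(tasks_text):
    """Write tasks_text into a throwaway repo layout (assumed name) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        vscode_dir = Path(tmp) / "vault-integration" / ".vscode"
        vscode_dir.mkdir(parents=True)
        (vscode_dir / "tasks.json").write_text(tasks_text, encoding="utf-8")
        return find_autorun_tasks(tmp)

if __name__ == "__main__":
    for finding in scan_constructed(CONSTRUCTED_TASKS):
        print("auto-run task:", finding)
```

Running the scan from a terminal before opening the folder in an editor keeps the check ahead of any task execution; opening unfamiliar repositories in VS Code's Restricted Mode also disables workspace tasks.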
Drift also said, with “medium-high confidence,” that the attackers overlap with the group behind the Radiant Capital hack.
- Radiant Capital is another DeFi protocol that lost about $50 million in an October 2024 breach. Later, the attack was linked to UNC4736, a North Korea-associated group.
Largest Crypto Hack on Solana in 2026
It remains unclear how a project of Drift’s size ended up with relatively weak security practices. Some even suggested the team had no real multisig security practices and no meaningful protections around upgrades at all.
Analysts at blockchain forensic firm TRM Labs noted in an April 2 blog post that on March 27, a few days before the attack, Drift migrated its Security Council to a new 2-out-of-5 threshold configuration with zero timelock. That eliminated the delay that would have allowed detection and intervention.
It’s also still unclear why the Drift team didn’t detect this update, which TRM Labs described as the “exploitable gap.” TRM Labs added that the Drift exploit is “the largest DeFi hack of 2026.” It’s also the second-largest in Solana’s history, behind only the $326 million Wormhole bridge hack in 2022.

