How the Drift hack unfolded… “Contact with North Korea-linked individuals at conferences”

Solana (SOL)-based crypto decentralized exchange Drift (DRIFT) suffered a hacking incident midweek, with North Korea being cited as a prime suspect. In particular, investigators reportedly found that the Drift team had contact with North Korea-linked individuals at a conference.

On the 5th (Korea time), Drift said on X (formerly Twitter) that an initial probe confirmed signs that some team members had, in the past, come into contact with North Korea-linked intermediaries when attending a conference. The attack is currently being seen as potentially the work of UNC4736, a North Korea-linked hacking group believed to have led the 2024 Radiant Capital hack.

According to the findings disclosed by Drift, the attack was meticulously prepared over about six months. From the second half of 2025, the attackers approached while posing as a trading firm, and built relationships by meeting team members in person at major conferences held in several countries.

They maintained ongoing communication via Telegram and other channels, discussing investment strategies and service integrations, and even deposited more than $1 million in funds. They are suspected of later installing malware on the devices of Drift team members by inducing them to access code repositories and install applications.

Earlier, on the 2nd, Drift said it would halt all deposits and withdrawals if signs of abnormal trading were detected. A total of $286 million (43 billion won) was siphoned off in the hacking attack. The hackers reportedly breached Drift’s defenses by exploiting Solana’s “durable nonce.”

The token price also plunged on the hack. Drift, which had traded around $0.07 before the incident, tumbled and is now trading around $0.03. In addition, large volumes of hacked crypto were sold off, adding further downside pressure on prices.