Drift hacking causes $280 million in losses… “A coordinated attack prepared over six months, linked to a North Korea-affiliated group”
Summary
- Drift said the roughly $280 million hack was a coordinated operation prepared over about six months.
- The attacker reportedly posed as a legitimate user, deposited more than $1 million, and secured an internal access path.
- Drift said the incident was this year’s largest DeFi hack and the second-largest security breach in the Solana ecosystem on record.



The hacking incident at Solana-based derivatives exchange Drift has raised the possibility that it was a long-term infiltration operation carried out by a North Korea-linked group.
According to The Block on the 5th (local time), Drift said the roughly $280 million hack that occurred on the 1st was a coordinated operation prepared over about six months. The attacker reportedly approached a trading firm by posing as one at a global event in the second half of 2025, then built internal trust through subsequent offline meetings and collaboration.
They were said to have onboarded onto the platform like legitimate users, deposited more than $1 million, and participated in collaborative processes—steps believed to have helped them secure an internal access path.
The attack method combined social engineering with system vulnerabilities rather than exploiting a smart-contract flaw. Signs suggest the attacker compromised developers’ devices by gaining access to a repository containing malicious code or inducing installation of a TestFlight-based application.
The attacker then reportedly used Solana (SOL)’s “durable nonce” feature to seize administrator privileges based on previously obtained multi-signature approval authority and withdraw funds within a short period.
Based on on-chain fund flows and attack patterns, Drift assessed that this incident is highly likely the work of the same North Korea-linked group behind the 2024 Radiant Capital hack. However, the individuals who made direct contact were believed to have used third parties, indicating a sophisticated approach combining identity masking with offline networks.
Drift is currently taking response measures, including suspending protocol functions and removing compromised wallets. The incident was the largest DeFi hack this year and was recorded as the second-largest security breach ever within the Solana ecosystem.

Suehyeon Lee
shlee@bloomingbit.io
I'm reporter Suehyeon Lee, your Web3 Moderator.


