BREAKING: Drift Protocol’s $280M Hack Sparks Outrage and Governance Crisis

A major security breach at Solana-based DeFi platform Drift Protocol has exposed users to catastrophic losses, with critics slamming the firm's response as inadequate. The months-long exploit, which siphoned approximately $280 million, forced the platform to halt deposits and withdrawals after attackers seized control of key governance mechanisms through a sophisticated social engineering campaign, not a simple code flaw.

Givner says Drift Protocol did not follow basic security procedures

According to legal expert Givner, Drift Protocol failed to implement basic security procedures, including the use of air-gapped systems for signing keys and separating everyday developer work from financial controls.
She explained that the firm did not isolate its multisig controls; instead, the same devices linked to those controls were used to download unauthenticated, malware-infected platforms. She also claimed the staff interacted with unvetted individuals at conferences and on Telegram for months, despite the well-known risks of hackers and exploit incidents. She argued, “Don’t trust people just because you shook hands at an event. Every serious project knows this. Drift didn’t follow it.”
Givner also criticized the firm for not giving clear details on compensation. She claimed the company has offered only excuses rather than a concrete strategy to compensate victims. Thus, she urged the firm to fix the issue and repay customers, and warned it to prepare for litigation over its lack of oversight.

Drift Protocol says the hacker group deposited $1 million into the protocol to establish their legitimacy

According to Drift’s internal findings, the attack was the result of a structured campaign that began as early as late 2025, with hackers posing as legitimate industry participants and building trust with contributors over time.
In an X article, Drift Protocol revealed that attackers spent months building trust after posing as a professional trading firm at an October 2025 conference. For six months, the attackers maintained contact with the contributors through various conferences, shared verified career profiles, and demonstrated solid technical knowledge in their discussions, according to the firm.
The protocol’s team also acknowledged holding Telegram conversations with contributors around trading strategies and vault integration ideas. It even noted that the hacker group successfully onboarded an ecosystem vault and deposited more than $1 million into the protocol.
The team explained that attackers circulated compromised repos and applications during the collaboration. In the lead-up to the exploit, one contributor downloaded a repository disguised as a deployment utility, and another installed a fraudulent TestFlight wallet app. The team also identified a vulnerability in VS Code and Cursor that contributed to the exploit.
So far, the platform has halted all protocol functions, excluded compromised wallets from its multisig structure, and marked attacker wallets across exchanges and bridges. Additionally, it called on Mandiant to help in the investigation.
Overall, the platform lost a wide range of assets in the exploit, including 66.4 million USDC, 477,000 WETH, 2.7 million JLP, 23.3 million MOODENG, 5.6 million USDT, 5.2 million USDS, 2.6 million JUP, and 583,000 RAY, over 31 transactions in just 12 minutes. On-chain security firm PeckShield Inc. was among the first to identify the breach, reporting that the attackers had already converted much of the loot into Circle’s USDC stablecoin.
Meanwhile, blockchain investigator ZachXBT attributed the hack to North Korean cyber teams under the Lazarus Group. He stated that the group normally employs complex identities and middlemen to establish long-term access before attacking. But Drift Protocol noted that the people they saw at conferences were not North Korean nationals but likely intermediaries hired for the operation.