(Updates with user reactions in paragraphs 6 and 7)
Drift Protocol’s $280mn breach was likely carried out by North Korea-linked scammers, who used crypto conferences to establish trust and carry out the massive attack, according to new information published by the platform.
Last week, the perpetual futures exchange suffered a major exploit that drained its vault and caused its governance token, DRIFT, to tank over 40%. The incident appears to be the next-largest attack on a Solana decentralized finance (DeFi) project after the $326mn Wormhole breach that took place in 2022.
Baiting employees at conferences
The exploit followed months of preparation, including a series of in-person and online interactions, Drift said in an updated report posted on X. During the second half of 2025, Drift’s employees were approached by several individuals claiming to be employees of a crypto trading firm. These actors held meetings with the team during well-known crypto conferences.
The actors demonstrated deep knowledge of crypto markets and maintained credible online profiles with established industry connections. After building trust, they held multiple follow-up calls with Drift’s management and were eventually onboarded as a client, depositing $1mn into a trading account, according to the report.
Using a combination of social engineering tricks and their business access, the
hackers were able to gain access to the protocol’s admin keys and eventually drain the treasury.
Trust tested as backlash builds
While Drift has moved quickly to publish a detailed update on the attack, its response, and the suspected origins, the incident has nonetheless triggered concern across parts of the crypto community. Users on X expressed dismay regarding their inability to access funds following the suspension of key protocol functions.
Some industry observers criticized what they described as an operational security failure, calling the breach "inexcusable" and urging Drift to compensate those impacted transparently. Others warned about the broader implications for the Solana DeFi ecosystem, with blockchain risk analytics firm Chaos Labs describing it as a potential "contagion event" affecting interconnected protocols and user deposits.
The North Korea link
Drift said the attack bears the hallmarks of North Korean-linked groups, citing both the social engineering techniques used and the wallets involved in moving the stolen funds, adding that its investigations are ongoing.
The North Korean regime is one of the world's largest sponsors of crypto-related cybercrime. The country, which has been largely excluded from global trade due to sanctions, uses hacking groups as a means to raise funds.
These groups stole over $2bn worth of digital assets last year according to analysis from blockchain intelligence service Chainalysis, bringing their total haul to over $6.8bn.