Drift Protocol, a decentralized exchange built on Solana, has initiated onchain communication with wallets believed to be connected to a major exploit that outside firms have estimated at between $280 million and $286 million. The protocol announced the move on X, stating it had sent messages from its Ethereum address to four wallets linked to the attacker. The team urged the exploiter to respond through Blockscan chat, stating simply, “We are ready to speak.”
Onchain messaging has become a widely used tactic in the aftermath of crypto exploits, enabling protocols to communicate directly with attackers while preserving a degree of anonymity for both parties. The approach has precedent: in the case of the Euler Finance hack, similar outreach contributed to a partial recovery of stolen funds. Drift’s decision to pursue this channel reflects a broader industry pattern of attempting negotiation before other remedies are exhausted.
Separately, an unidentified sender using the ENS name readnow.eth also contacted wallets associated with the attacker on Thursday, a day before Drift’s official outreach. That sender claimed to possess information about the identities behind the attack and demanded a payment of 1,000 ETH in exchange for silence. Those claims could not be independently verified and may represent an attempt to mislead or pressure the wallet holder.
The incident illustrates how unverified third-party messages can circulate onchain alongside official communications in the wake of a major exploit. Such messages add complexity to an already difficult recovery process and may complicate efforts to establish a clear line of dialogue with the attacker. Protocols and investigators must therefore distinguish between credible outreach and opportunistic interference.
According to SolanaFloor, the exploit has affected at least 20 Solana-based protocols to date, including decentralized finance platform Gauntlet, which is estimated to have suffered losses of approximately $6.4 million. Blockchain security firm Cyvers reported that the impact was still expanding as of Friday morning, with no funds recovered in the 48 hours following the attack. Cyvers described the operation as a “weeks-long, staged” effort.
Cyvers noted that the attacker had set up durable nonces (a Solana feature that allows users to pre-sign transactions for future execution) several days before the exploit was carried out. The firm drew a comparison to the Bybit hack, describing the two incidents as differing in technique but sharing the same underlying vulnerability: signers unknowingly approving malicious transactions. The advance setup suggests a level of planning and technical sophistication that extended well beyond a spontaneous attack.
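A signer-side check for the durable-nonce pattern described above, as an added example that is not from the article, Cyvers or Drift: it parses a serialized Solana transaction message and reports whether its first instruction is the System Program's AdvanceNonceAccount, which marks a transaction that stays valid until that nonce is advanced instead of expiring with a recent blockhash. The function names and the sample keys are constructed for illustration.

```python
import struct

SYSTEM_PROGRAM = bytes(32)  # 11111111111111111111111111111111 is 32 zero bytes
ADVANCE_NONCE = 4           # SystemInstruction::AdvanceNonceAccount enum index

def _compact_u16(buf, off):
    """Decode Solana's compact-u16 length prefix; return (value, new_offset)."""
    val = shift = 0
    while True:
        b = buf[off]
        off += 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, off
        shift += 7

def durable_nonce_accounts(msg: bytes):
    """Return (nonce_account, nonce_authority) as 32-byte keys if the message's
    first instruction advances a durable nonce, else None."""
    off = 1 if msg[0] & 0x80 else 0   # versioned messages carry a prefix byte
    off += 3                          # header: signer and read-only counts
    n_keys, off = _compact_u16(msg, off)
    keys = [msg[off + 32 * i: off + 32 * (i + 1)] for i in range(n_keys)]
    off += 32 * n_keys + 32           # skip keys and the blockhash/nonce field
    n_ix, off = _compact_u16(msg, off)
    if n_ix == 0:
        return None
    prog, off = msg[off], off + 1     # index of the first instruction's program
    n_acc, off = _compact_u16(msg, off)
    accts, off = msg[off:off + n_acc], off + n_acc
    dlen, off = _compact_u16(msg, off)
    data = msg[off:off + dlen]
    if (prog < n_keys and keys[prog] == SYSTEM_PROGRAM and n_acc >= 3
            and max(accts[0], accts[2]) < n_keys and dlen >= 4
            and struct.unpack_from("<I", data)[0] == ADVANCE_NONCE):
        return keys[accts[0]], keys[accts[2]]  # nonce account, nonce authority
    return None

def build_sample(ix_tag: int) -> bytes:
    """Constructed legacy message with one System Program instruction."""
    keys = [b"\x01" * 32, b"\x02" * 32, b"\x03" * 32, SYSTEM_PROGRAM]
    return (bytes([1, 0, 2, len(keys)]) + b"".join(keys) + b"\x09" * 32
            + bytes([1, 3, 3, 1, 2, 0, 4]) + struct.pack("<I", ix_tag))

if __name__ == "__main__":
    print(durable_nonce_accounts(build_sample(ADVANCE_NONCE)) is not None)
```

A signing workflow can use a non-None result to require extra review, since a signature on such a message does not lapse on its own.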
Some figures within the industry, including Ledger chief technology officer Charles Guillemet, have suggested the exploit may involve actors linked to North Korea, though those claims remain unconfirmed. As of publication, no funds have been recovered and no party has publicly claimed responsibility for the attack. Investigations are ongoing across multiple affected protocols.
Originally reported by CoinTelegraph.
