Drift Protocol, a decentralized finance platform built on the Solana blockchain, suffered a $280 million exploit that attorney Ariel Givner says could have been avoided had the team followed standard operational security practices. Givner described the failure as potential civil negligence, stating that the team did not fulfill its basic duty to protect the funds it was managing. Advertisements for class action lawsuits against the platform are already circulating, according to Givner. Cointelegraph contacted the Drift team but received no response before publication.
Givner identified two key security lapses that left the platform vulnerable. The team failed to store signing keys on isolated, air-gapped systems kept separate from developer workstations, and did not conduct adequate due diligence on blockchain developers encountered at industry conferences. She noted that awareness of these practices is standard across serious projects in the space, and that the prevalence of sophisticated hackers — including state-sponsored groups — makes such precautions essential.
The Drift team published a post-mortem update on Saturday explaining how the attack unfolded. According to the team, the threat actors spent approximately six months planning and executing the exploit. The attackers first made contact with Drift developers at a major crypto industry conference in October 2025, presenting themselves as interested parties seeking protocol integrations and collaboration opportunities.
Over the following six months, the malicious actors cultivated trust with the development team. Once a sufficient level of rapport had been established, they began sending harmful links and embedding malware that compromised developer machines. The Drift team noted that the individuals who physically approached their developers are suspected of working on behalf of North Korea state-affiliated hacking groups, though they were not North Korean nationals themselves.
Drift stated with medium-high confidence that the same actors were responsible for the Radiant Capital hack in October 2024. In December 2024, Radiant Capital disclosed that its own exploit had been carried out through malware delivered via Telegram by a North Korea-aligned hacker posing as a former contractor. The connection between the two incidents suggests a coordinated and methodical threat actor operating across multiple targets in the crypto industry.
The incident highlights the growing threat of social engineering and project infiltration as attack vectors targeting cryptocurrency developers. Such tactics can result in the draining of user funds and cause lasting damage to customer trust in affected platforms. The case serves as a broader warning to the industry about the risks posed by malicious actors who invest significant time building credibility before executing their attacks.
Originally reported by CoinTelegraph.
