The Solana ecosystem recently witnessed its largest-ever hack, a "terrifying" event where Drift Protocol was drained of $270 million. This wasn't a straightforward technical exploit but a highly sophisticated social engineering attack, meticulously planned and executed over six months, with strong suspicions pointing to a North Korean state-affiliated threat group.
The Elaborate Deception
The attackers engaged in an alarming display of patience and resources, physically stalking and socially engineering Drift Protocol developers in real life. Beginning in late 2025, third-party intermediaries, presenting themselves as a legitimate quantitative trading firm with verifiable professional backgrounds, approached Drift contributors at major crypto conferences. Over half a year, they built a trusted business relationship by depositing over $1 million of their own capital, participating in multiple working sessions, and engaging in face-to-face meetings at international conferences. This elaborate charade fostered an environment of trust, making their subsequent malicious actions less likely to raise suspicion.
Leveraging Trust for Exploitation
Once trust was firmly established, the attackers moved to execute their exploit. They shared links to projects they claimed to be developing, leveraging the established rapport. One contributor cloned a code repository that likely contained a known vulnerability targeting VSCode and Cursor text editors, while another was convinced to download a fake TestFlight application. Immediately after the successful exploit, the attackers meticulously scrubbed all traces of their communication and wiped the malicious software, leaving behind a devastating loss and a stark reminder of the evolving threats in the crypto space.
