Solana Founder Shaken: 'Terrifying' DeFi Hack Rocks Crypto World!

Published 2 hours ago | 2 minute read
David Isong

Solana co-founder Anatoly Yakovenko has labeled the recent Drift Protocol hack as "terrifying" following revelations that it was orchestrated by North Korean hackers through a sophisticated social engineering attack. The incident, which saw $270 million drained from the Drift Protocol, marks the largest hack within the Solana ecosystem to date, forcing the protocol to halt all deposits and withdrawals and issue an explicit warning to users about the severity of the event.

A report shared by Drift Protocol detailed the alarming six-month preparation that culminated in the historic breach. The perpetrators, strongly suspected to be a North Korean state-affiliated threat group, began their operation in late 2025. They utilized third-party intermediaries, who were not North Korean nationals, to physically approach Drift contributors at major crypto conferences. These attackers presented themselves as representatives of a legitimate quantitative trading firm, leveraging verifiable professional backgrounds and technical fluency to establish credibility.

Between December 2025 and January 2026, the fake trading firm successfully onboarded an Ecosystem Vault on Drift, even depositing over $1 million of their own capital to reinforce their facade. The attackers meticulously maintained this elaborate illusion for half a year, engaging in multiple working sessions and face-to-face meetings with Drift contributors at various international conferences through February and March 2026. By April, they had successfully cultivated a trusted business relationship, leading Drift contributors to drop their guard.

This established trust enabled the attackers to share links to projects they claimed to be developing. One contributor cloned a code repository provided by the attackers, which likely contained an exploit for a known vulnerability in the VSCode and Cursor text editors. Simultaneously, a second contributor was persuaded to download a fraudulent TestFlight application. Following the successful exploitation, the attackers swiftly scrubbed all their Telegram chats and wiped the malicious software, leaving minimal traces of their sophisticated operation.
