Crypto experts slam Drift Protocol after months-long hack drains $280M

By Nellius Irene
  • Crypto attorney Ariel Givner criticizes Drift Protocol for civil negligence.
  • She noted the platform failed to isolate the devices it uses for developer work and user funds.
  • Drift Protocol lost $280 million in a matter of minutes across 31 transactions.

Crypto attorney Ariel Givner argues that Drift Protocol failed to take basic steps to protect its systems, leading to the $280 million exploit. She’s called the platform out for civil negligence, noting that the protocol’s team made a glaringly obvious security mistake.

She further slammed the firm for its response after the hack. “You can’t just shrug, say ‘state hackers did it,’ and leave users holding the bag. People trusted Drift with their funds… not with playing risky games against pro attackers,” Givner contended.

The breach, first disclosed on April 1, forced the Solana-based platform to suspend deposits and withdrawals as attackers seized control of key governance mechanisms. Investigations show the exploit was not a simple code vulnerability but a highly coordinated operation involving social engineering and pre-approved malicious transactions.

Givner says Drift Protocol did not follow basic security procedures

According to legal expert Givner, Drift Protocol failed to implement basic security procedures, including the use of air-gapped systems for signing keys and separating everyday developer work from financial controls.

She explained that the firm did not isolate its multisig controls; instead, it used the same devices linked to those controls to download unauthenticated malware-infected platforms. She also claimed the staff interacted with unvetted individuals at conferences and on Telegram for months, despite the well-known risks of hackers and exploit incidents. She argued, “Don’t trust people just because you shook hands at an event. Every serious project knows this. Drift didn’t follow it.”

Givner also criticized the firm for not giving clear details on compensation. She claimed the company has offered only excuses rather than a concrete strategy to compensate victims. Thus, she urged the firm to fix the issue and repay customers, and warned it to prepare for litigation over its lack of oversight.

Drift Protocol says the hacker group deposited $1 million into the protocol to establish their legitimacy

According to Drift’s internal findings, the attack was the result of a structured campaign that began as early as late 2025, with hackers posing as legitimate industry participants and building trust with contributors over time.

In an X article, Drift Protocol revealed that the attackers spent months building trust after posing as a professional trading firm at an October 2025 conference. For six months, the attackers maintained contact with the contributors through various conferences, shared verified career profiles, and demonstrated solid technical knowledge in their discussions, according to the firm.

The protocol’s team also acknowledged holding Telegram conversations with contributors around trading strategies and vault integration ideas. It even noted that the hacker group successfully onboarded an ecosystem vault and deposited more than $1 million into the protocol.

The team explained that the attackers circulated compromised repos and applications during the collaboration. In the lead-up to the exploit, one contributor downloaded a repository disguised as a deployment utility, and another installed a fraudulent TestFlight wallet app. The team also identified a vulnerability in VS Code and Cursor that contributed to the exploit.

So far, the platform has halted all protocol functions, excluded compromised wallets from its multisig structure, and marked attacker wallets across exchanges and bridges. Additionally, it called on Mandiant to help in the investigation.

Overall, the platform lost a wide range of assets in the exploit, including 66.4 million USDC, 477,000 WETH, 2.7 million JLP, 23.3 million MOODENG, 5.6 million USDT, 5.2 million USDS, 2.6 million JUP, and 583,000 RAY, in just 12 minutes across 31 transactions. On-chain security firm PeckShield Inc. was among the first to identify the breach, reporting that the attackers had already converted much of the loot into Circle’s USDC stablecoin.

Meanwhile, blockchain investigator ZachXBT attributed the hack to North Korean cyber teams under the Lazarus Group. He stated that the group normally employs complex identities and middlemen to establish long-term access before attacking. But Drift Protocol noted that the people they saw at conferences were not North Korean nationals but likely intermediaries hired for the operation.


Nellius Irene

Nellius is a Business Management and IT graduate with five years of experience in the cryptocurrency industry. She is also a graduate of Bitcoin Dada. Nellius has contributed to leading media publications, including BanklessTimes, Cryptobasic, and Riseup Media.
