Drift Protocol: begins developing a recovery plan, participates in the STRIDE security program


Drift Protocol recovery plan

Drift Protocol shared the latest updates on April 8 on the X platform, saying it is currently actively working with its partners to develop a coordinated and consistent recovery plan. At this stage, the focus is on stabilizing the situation and providing protocol-level assurance for all affected users and partner organizations. In addition, Drift Protocol announced that it will participate in the Solana Foundation’s security program STRIDE, and more details will be released later.

Recovery Plan Status: Stabilizing the Situation Is the Top Priority

Drift Protocol emphasized that creating the recovery plan involves multi-party coordination among partners, affected users, and ecosystem partners. The current priority is “stabilizing the situation”: ensuring that affected users receive protection at the protocol level, and studying subsequent compensation and restoration measures.

Participation in the STRIDE program is an important component of Drift Protocol’s security hardening roadmap. STRIDE is led by Asymmetric Research and funded by the Solana Foundation. It provides independent security assessments, round-the-clock proactive threat monitoring (for protocols with TVL exceeding $10 million), and formal verification services (for protocols with TVL exceeding $100 million).

Attack Retrospective: A Detailed Breakdown of a Six-Month Intelligence Infiltration Campaign

This attack was not a traditional technical vulnerability exploit; it was a combined operation that blended social engineering with technical intrusion. The attackers posed as “quantitative trading companies interested in integration.” During a large industry conference last autumn, they proactively contacted the target personnel. They then gradually built trust through in-person meetings and communication on Telegram. Before carrying out the attack, the attackers even deposited $1 million of their own funds into the platform treasury to strengthen credibility, and after the operation was completed, they quickly disappeared without a trace.

Technical Pathways of the Attack Methods

Malicious code library injection: Embedding malicious code into the development environment through the supply-chain path so that it runs silently

Forged applications: Luring contributors to download and execute malicious programs disguised as legitimate tools

Exploitation of development tool vulnerabilities: Achieving silent code execution by targeting weak points in the development process

Social engineering infiltration: Using third-party intermediaries for in-person meetings so that the actors’ own nationality is not directly exposed

Drift Protocol noted that the personnel conducting in-person contact were not citizens of North Korea. Actors with such national backgrounds typically carry out on-site infiltration missions through third-party intermediaries.

AppleJeus Attribution: Digital Attack Footprints of a North Korean Intelligence Organization

Drift Protocol attributed this attack with medium-to-high confidence to the threat organization AppleJeus (also known as Citrine Sleet). Previously, the cybersecurity company Mandiant had linked the organization to the 2024 hacking attack against Radiant Capital. Incident responders said that both on-chain analysis and identity overlap patterns point to the involvement of personnel related to North Korea, but Mandiant has not yet officially confirmed this attribution.

A strategy director at a blockchain security company said that the adversaries cryptocurrency teams currently face are more like “intelligence agencies” than traditional hackers. He added that the core security issue highlighted by this incident is not the number of transaction signers, but the “lack of fundamental understanding of transaction intent,” which causes signers to be tricked into approving malicious operations.
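The point about transaction intent is the actionable one for defenders: a multisig can have many signers and still approve a malicious operation if every signer only checks that the transaction “looks routine.” The following is an added example, not code from Drift Protocol or the security firm quoted above; it sketches a pre-signing policy check over a simplified, constructed instruction model (program and account names such as `drift_perps` and `treasury_vault` are hypothetical, and a real Solana transaction would first have to be decoded from its raw message).

```python
"""Pre-signing intent check for a multisig signer (added example, not Drift code).

Assumes a simplified, constructed instruction model: each instruction is a dict
with the program it calls, the action decoded from its data, and the accounts it
touches. Real Solana instructions would first be decoded from the raw message.
"""
from dataclasses import dataclass, field

# Constructed policy: what this signer expects routine operations to look like.
ALLOWED_PROGRAMS = {"drift_perps", "spl_token"}          # hypothetical names
ALLOWED_DESTINATIONS = {"treasury_vault", "insurance_fund"}
MAX_TRANSFER = 100_000  # whole token units, constructed threshold
SENSITIVE_ACTIONS = {"set_authority", "upgrade_program", "set_admin"}


@dataclass
class Verdict:
    approve: bool
    reasons: list = field(default_factory=list)


def check_intent(instructions):
    """Return a Verdict explaining why a transaction should or should not be signed."""
    verdict = Verdict(approve=True)
    for i, ix in enumerate(instructions):
        where = f"ix[{i}]"
        if ix["program"] not in ALLOWED_PROGRAMS:
            verdict.reasons.append(f"{where}: unexpected program {ix['program']}")
        if ix["action"] in SENSITIVE_ACTIONS:
            verdict.reasons.append(f"{where}: privileged action {ix['action']} needs out-of-band review")
        if ix["action"] == "transfer":
            if ix["destination"] not in ALLOWED_DESTINATIONS:
                verdict.reasons.append(f"{where}: transfer to unknown account {ix['destination']}")
            if ix["amount"] > MAX_TRANSFER:
                verdict.reasons.append(f"{where}: amount {ix['amount']} exceeds limit {MAX_TRANSFER}")
    # Any flagged instruction blocks the whole transaction: signers review the reasons.
    verdict.approve = not verdict.reasons
    return verdict


# Constructed sample: a routine-looking transfer bundled with a hidden admin change.
SAMPLE_TX = [
    {"program": "spl_token", "action": "transfer", "destination": "treasury_vault", "amount": 5_000},
    {"program": "drift_perps", "action": "set_admin", "destination": None, "amount": 0},
]

if __name__ == "__main__":
    v = check_intent(SAMPLE_TX)
    print("approve" if v.approve else "REJECT")
    for r in v.reasons:
        print(" -", r)
```

The check rejects the sample because the second instruction changes an admin authority, even though the first instruction is an ordinary deposit; the signer sees the decoded reason rather than an opaque signature request.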

Industry Alert: DeFi Ecosystem May Have Been Broadly Infiltrated

A security researcher involved in this investigation said that the DeFi ecosystem may already have been broadly infiltrated by actors like this and speculated that related organizations have been involved in influencing multiple protocols for a long time. This claim suggests that the attack on Drift Protocol may not be an isolated incident, but rather part of a larger, ongoing infiltration campaign, forcing a fundamental reconsideration of the security defense architecture of the entire decentralized finance ecosystem.

Frequently Asked Questions

What progress has been made on Drift Protocol’s recovery plan for the $285 million theft?

Drift Protocol said it is actively working with partners to develop a coordinated and consistent recovery plan. At this stage, the focus is on stabilizing the situation and providing protocol-level assurance for all affected users and partners. It also announced that it will participate in STRIDE, the security program under the Solana Foundation, and that further details will be released separately.

How was Drift Protocol attacked?

The attackers disguised themselves as a quantitative trading company. Over six months, they built trust through in-person meetings and social engineering infiltration. They also pre-injected $1 million in real funds to increase credibility. Ultimately, they carried out silent code execution through a malicious code library, a forged application, and exploitation of vulnerabilities in development tools, stealing approximately $285 million.

Has the connection between this attack and the North Korean intelligence organization been confirmed?

With medium-to-high confidence, Drift Protocol attributed the attack to the threat organization AppleJeus. On-chain analysis and identity overlap patterns point to North Korea-related personnel involvement. However, Mandiant, the cybersecurity company, has not yet officially confirmed this attribution.
