Crypto experts slam Drift Protocol after months-long hack drains $280 million

Crypto attorney Ariel Givner says Drift Protocol failed to take basic steps to protect its systems, contributing to a $280 million exploit. She also criticized the platform’s response after the breach, arguing that users should not be left to absorb losses after a preventable security failure.

Allegations of civil negligence and security lapses

Givner said Drift Protocol’s team made a “glaringly obvious” security mistake and was negligent in how it handled critical controls. She argued the protocol did not follow basic security procedures, including measures such as using air-gapped systems for signing keys and separating everyday developer work from financial controls.

According to Givner, Drift did not isolate its multisig controls. Instead, the same devices connected to those controls were used to download platforms that were infected with unauthenticated malware.

She also alleged that staff interacted with unvetted individuals at conferences and on Telegram for months, despite widely known risks of hackers and exploit incidents. “Don’t trust people just because you shook hands at an event. Every serious project knows this. Drift didn’t follow it,” Givner said.

How the exploit unfolded

The breach was first disclosed on April 1. Drift Protocol suspended deposits and withdrawals after attackers seized control of key governance mechanisms.

Investigations cited in the article indicate the exploit was not a simple code vulnerability. Instead, it involved a highly coordinated operation using social engineering and pre-approved malicious transactions.

Drift’s account of the attacker campaign

Drift Protocol said the hacker group deposited $1 million into the protocol to establish legitimacy. The platform’s internal findings described a structured campaign beginning as early as late 2025, with attackers posing as legitimate industry participants and building trust with contributors over time.

In an X post, Drift Protocol said attackers spent months building trust after posing as a professional trading firm at an October 2025 conference. For six months, the attackers maintained contact through conferences, shared verified career profiles, and demonstrated technical knowledge in discussions, the protocol said. Drift also acknowledged holding Telegram conversations with contributors about trading strategies and vault integration ideas, and said the attackers successfully onboarded an ecosystem vault and deposited more than $1 million into the protocol.

The protocol said attackers circulated compromised repositories and applications during the collaboration. It reported that one contributor downloaded a repository disguised as a deployment utility, while another installed a fraudulent TestFlight wallet app. Drift Protocol also identified a vulnerability in VS Code and Cursor that it said contributed to the exploit.

Losses, early findings, and attribution

The article reports that Drift Protocol lost a range of assets in the exploit, including 66.4 million USDC, 477,000 WETH, 2.7 million JLP, 23.3 million MOODENG, 5.6 million USDT, 5.2 million USDS, 2.6 million JUP, and 583,000 RAY in just 12 minutes across 31 transactions.

PeckShield Inc., an on-chain security firm, was among the first to identify the breach and reported that attackers had already converted much of the stolen funds into Circle’s USDC stablecoin.

Blockchain investigator ZachXBT attributed the hack to North Korean cyber teams under the Lazarus Group, saying the group typically uses complex identities and middlemen to establish long-term access before attacking. Drift Protocol disputed that characterization, saying the people it saw at conferences were not North Korean nationals but likely intermediaries hired for the operation.

Drift’s response

So far, Drift Protocol has halted all protocol functions, excluded compromised wallets from its multisig structure, and marked attacker wallets across exchanges and bridges. The platform also said it brought in Mandiant to assist with the investigation.