North Korean hackers smiled and shook hands before $280M crypto heist

An investigation into the $280 million hack of Drift, the Solana-based decentralized finance protocol, has left the crypto industry horrified, as many other projects might already be “on lock” by the same criminals.
Last week’s events came as a shock to many, as the Solana-based decentralized finance protocol Drift lost more than $280 million in a single cyberattack. A malicious actor gained unauthorized access to Drift Protocol, resulting in the largest security incident of the year so far.
In its "incident background update," the team said that its preliminary investigation showed that the platform became the target of a "structured intelligence operation" that required organizational backing, significant resources, and six months of preparation.
They suspect that it all started when, at a major conference, Drift contributors were approached by a group of individuals supposedly from a quantitative trading firm looking to integrate with the protocol. This was followed by months of conversations about trading strategies and potential vault integrations, culminating in the creation of a functioning operational presence within the Drift ecosystem.
The suspected attackers even deposited $1 million of their own funds. Meanwhile, right after the theft on April 1st, their Telegram chats and malicious software had been completely scrubbed.
According to Drift, there may have been three attack vectors. One of their contributors might have been compromised after cloning a code repository that the attackers shared, claiming it was a frontend for their vault. A second person was tricked into downloading a fake TestFlight app that the group presented as their official wallet product. For the repository attack, it is possible the hackers used a serious vulnerability in the VSCode and Cursor editors that was widely known from December 2025 to February 2026: simply opening the project in the editor was enough to run malicious code with no warning at all.
It is now suspected that a North Korean state-affiliated group, UNC4736, also known as AppleJeus or Citrine Sleet, was behind the attack. They're also suspected of hacking Radiant Capital in 2024.
"It is important to note that the individuals who appeared in person were not North Korean nationals," Drift said, noting that state-affiliated hackers often use third parties to provide specific services. In this case, the group that approached the protocol's team used fake identities that had been developed over months.
Meanwhile, reactions across the crypto industry to this "incident background" have been telling.
"I expected this to be another case of social engineering, likely some recruiter/job offer shit. I was very wrong," Taylor Monahan, security expert and researcher at crypto wallet Metamask, said, adding that the depth of the operation and personas make her think that the criminals already have "multiple other teams on lock."
According to her, the whole crypto industry needs to ramp up its security efforts – a call that has been repeated constantly over the years after every major hack.
Meanwhile, attorney Ariel Givner, a critical security voice in this story, said that Drift’s operational security "failure is inexcusable."
"The hackers showed up at conferences. Shook hands. Smiled. Paid for a customer account. Built actual integrations. Then one TestFlight link flipped 2/5 multisig signers. $1M deposit. $280M exit," she added, warning that many other hacker teams might be just waiting, already integrated into ecosystems, to do the same to other protocols.
"I would almost put money on there being multiple, just sitting and waiting," she concluded.