#GateSquareAprilPostingChallenge



Drift $285 Million Heist: North Korean Hackers' "Stealth" Script

“Meeting engagement” is the key turning point in this, the largest DeFi heist in history. This was not merely a technical vulnerability but a highly sophisticated “social engineering” infiltration operation: North Korean hackers disguised their identities to deceive the team and gain its trust in the real world.

1. Attack Truth: Not Breaking In, But “Deceiving for Keys”

“Man-in-the-middle” Trap: Preliminary investigations show that the attackers did not directly breach the smart contract code but disguised themselves as investors or partners, engaging with Drift team members at industry conferences or online meetings. After building trust through long-term social interactions, they induced the team to sign transactions that appeared harmless but actually contained backdoor permissions.

Lethal Combo: The hackers exploited Solana’s Durable Nonce feature to have the team sign “delayed execution” transactions in advance. Coupled with Drift’s recent governance changes that switched multi-signature requirements to a 2/5 threshold and removed the timelock, the hackers gained admin privileges instantly on April 1 and drained the treasury.
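The two properties described above can be checked mechanically before a multisig member co-signs. The following is an added example, not code from the post, from Drift, or from Solana's own libraries. It assumes the transaction has already been decoded into a plain dict (program ids as base58 strings, instruction data as bytes); the one Solana fact it relies on is that a durable-nonce transaction must start with the system program's AdvanceNonceAccount instruction (enum index 4). The multisig program id, its instruction discriminators, the sample transactions and the policy numbers are all constructed placeholders.

```python
# Co-signer review gate (added example; hypothetical names and constructed data).
# It flags: (1) durable-nonce transactions, which never expire once signed,
# (2) instructions that alter the multisig's own authority, and
# (3) a multisig configuration below a minimum governance policy.

SYSTEM_PROGRAM = "11111111111111111111111111111111"
# System-program instruction enum index (bincode u32, little-endian) for
# AdvanceNonceAccount; it must be the first instruction of a durable-nonce tx.
ADVANCE_NONCE_ACCOUNT = 4
TRANSFER = 2

# CONSTRUCTED placeholders: a real deployment lists its own multisig program and
# the instruction discriminators that change signers, threshold or timelock.
MULTISIG_PROGRAM = "MultisigProgram1111111111111111111111111111"
SENSITIVE_INSTRUCTIONS = {
    MULTISIG_PROGRAM: {b"\x01": "change_threshold",
                       b"\x02": "set_timelock",
                       b"\x03": "add_member"},
}

# Minimum governance policy assumed for this example.
POLICY = {"min_timelock_seconds": 24 * 3600}


def is_durable_nonce_tx(message):
    """True if the first instruction is SystemProgram.AdvanceNonceAccount."""
    if not message["instructions"]:
        return False
    first = message["instructions"][0]
    if first["program_id"] != SYSTEM_PROGRAM:
        return False
    data = first["data"]
    return len(data) >= 4 and int.from_bytes(data[:4], "little") == ADVANCE_NONCE_ACCOUNT


def sensitive_instructions(message):
    """Names of instructions that touch the multisig's authority configuration."""
    hits = []
    for ix in message["instructions"]:
        table = SENSITIVE_INSTRUCTIONS.get(ix["program_id"])
        if not table:
            continue
        for prefix, name in table.items():
            if ix["data"][:len(prefix)] == prefix:
                hits.append(name)
    return hits


def config_findings(config):
    """Policy findings for the multisig itself: majority threshold and a timelock."""
    n = len(config["signers"])
    findings = []
    if config["threshold"] * 2 <= n:
        findings.append(f"threshold {config['threshold']}/{n} is not a majority")
    if config["timelock_seconds"] < POLICY["min_timelock_seconds"]:
        findings.append(f"timelock {config['timelock_seconds']}s is below the "
                        f"{POLICY['min_timelock_seconds']}s minimum")
    return findings


def review(message, config):
    """Return (decision, findings). A durable-nonce tx that also changes
    authority is refused outright; any other finding needs manual review."""
    findings = config_findings(config)
    durable = is_durable_nonce_tx(message)
    if durable:
        findings.append("durable nonce: transaction never expires once signed")
    sensitive = sensitive_instructions(message)
    findings.extend(f"sensitive instruction: {name}" for name in sensitive)
    if durable and sensitive:
        return "refuse", findings
    return ("manual review" if findings else "sign"), findings


# CONSTRUCTED sample input: a pre-signed durable-nonce tx that lowers the threshold to 2.
SAMPLE_ATTACK_TX = {"instructions": [
    {"program_id": SYSTEM_PROGRAM, "data": ADVANCE_NONCE_ACCOUNT.to_bytes(4, "little")},
    {"program_id": MULTISIG_PROGRAM, "data": b"\x01\x02"},
]}
# CONSTRUCTED sample input: an ordinary transfer using a recent blockhash.
SAMPLE_BENIGN_TX = {"instructions": [
    {"program_id": SYSTEM_PROGRAM,
     "data": TRANSFER.to_bytes(4, "little") + (1_000_000).to_bytes(8, "little")},
]}
WEAK_CONFIG = {"signers": ["a", "b", "c", "d", "e"], "threshold": 2, "timelock_seconds": 0}
STRONG_CONFIG = {"signers": ["a", "b", "c", "d", "e"], "threshold": 3,
                 "timelock_seconds": 48 * 3600}

if __name__ == "__main__":
    for label, tx, cfg in (("attack", SAMPLE_ATTACK_TX, WEAK_CONFIG),
                           ("benign", SAMPLE_BENIGN_TX, STRONG_CONFIG)):
        decision, findings = review(tx, cfg)
        print(label, "->", decision, findings)
```

The gate is deliberately conservative: a durable nonce alone is only a review item, since the feature has legitimate uses, but combined with an authority-changing instruction it is refused, because that is exactly the pairing that turns a signature given today into a drain tomorrow.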

2. North Korea (DPRK) Suspected: State-Level Hacker “Standard Operating Procedure”

Method Consistency: Blockchain analysis firms Elliptic and TRM Labs pointed out that the long-term testing transactions before the attack, along with rapid cross-chain money laundering (quickly converting stolen funds into ETH), are highly consistent with the modus operandi of North Korea’s Lazarus Group and other state-sponsored hacking organizations.

Funds Scale: The loss amounts to approximately $285 million, making it the largest DeFi attack since 2026 and the second-largest in Solana’s history (second only to the Wormhole incident).

3. Latest Developments and Market Impact

Official Statement: The Drift team has sent on-chain messages to the hacker’s wallet saying “We are ready to speak,” attempting to initiate negotiations. However, given North Korean hackers’ history of rarely returning funds, recovery prospects are slim.

SOL Ecosystem Impact: The incident caused DRIFT tokens to plummet over 40%, and Solana’s TVL saw significant outflows. Market confidence in DeFi, especially regarding multi-signature management and oracle price feeds, has hit rock bottom.

Key Lesson: The security boundary of DeFi is not just code but “people.” When teams participate in offline social activities or manage multi-signature permissions, they become targets for advanced persistent threats (APTs). For investors, protocols without timelocks are currently an extremely high-risk red flag.