
Drift $280M crypto theft linked to 6-month in-person operation

Why This Matters

The Drift Protocol hack highlights the evolving sophistication of crypto cyberattacks, emphasizing the importance of robust security measures and vigilant monitoring for DeFi platforms. This incident underscores the risks associated with targeted, long-term operations by state-sponsored hackers, impacting both industry security practices and consumer trust in digital assets.

Key Takeaways

The Drift Protocol says that the $280+ million hack it suffered last week was the result of a long-term, carefully planned operation that included building "a functioning operational presence inside the Drift ecosystem."

On April 1st, the Solana-based trading platform detected unusual activity and subsequently confirmed that funds had been lost in a sophisticated attack that hijacked the Security Council's administrative powers.

Blockchain intelligence firms Elliptic and TRM Labs attributed the heist to North Korean hackers, who took about 12 minutes to drain user assets.

The investigation revealed that the hackers had been preparing the attack for at least six months, posing as a quantitative firm and approaching Drift contributors in person at multiple crypto conferences.

“It is now understood that this appears to be a targeted approach, where individuals from this group continued to deliberately seek out and engage specific Drift contributors, in person, at multiple major industry conferences in multiple countries over the following six months,” Drift Protocol says.

The threat actor continued to communicate with their targets via Telegram, discussing trading strategies and potential vault integrations. They were technically proficient and demonstrated familiarity with how Drift worked, with interactions resembling typical onboarding exchanges between trading firms and the platform.

According to Drift, the Telegram group used for engaging contributors was deleted immediately after the theft occurred.

The platform has not determined the attack vector with certainty, but believes that two contributors were compromised in the following ways:

A malicious code repository shared with a contributor, possibly exploiting a VSCode/Cursor vulnerability that allowed silent code execution

A malicious TestFlight application presented as a wallet product
