North Korean hackers infiltrate Solana perpetual protocol: DeFi security shifts focus from code to people


Social engineering isn’t tearing apart code—it’s targeting people

Drift has confirmed it lost $285 million. But beyond the numbers, what deserves closer attention is this: the Solana perpetual ecosystem has been targeted by a patient, nation-state level adversary. Market focus is shifting from “is there a vulnerability in the code?” to “will people be fooled?”

A seemingly ordinary conference social interaction ultimately turned into a six-month long infiltration. Actors like UNC4736 don’t rush to find vulnerabilities—they’re cultivating relationships. Once this surfaced on crypto social media, people began reexamining DeFi’s “trustless” narrative—because against targeted social engineering, this line of reasoning is actually quite fragile. There’s overlap between the on-chain fund movement and the 2024 Radiant attack, and it matches Mandiant’s prior analysis that attributed similar paths to North Korea.

The market is definitely panicking, but it hasn’t spiraled out of control: the Fear & Greed Index fell to 11, BTC and ETH are holding steady (NUPL 0.196, funding rates neutral), and there hasn’t been a cascading selloff in major coins. Although some are calling it “capital flight,” Solana DeFi TVL in March–April still stayed around $100B+. DRIFT itself is down 40% to $0.034 (market cap $34 million). The attackers still have about $552k worth of USDY and some “meme” token holdings. The top ten holder addresses (58% total) show no obvious distribution; it looks like they’re waiting for the forensic conclusion rather than rushing for an exit.

  • The attacker transferred 232 million USDC via CCTP, and Circle failed to freeze it in time. Why not route it through Tether? Maybe they bet on Circle responding slowly.
  • ZachXBT’s “Circle Files” post triggered a backlash, and people started debating whether the stablecoin issuers have become “choke points.” Losses in the nine-figure range are sitting right there, and the call for decentralized replacement solutions is back in full force.
  • Other Solana protocols have temporarily frozen funds before, but this time TVL holding steady suggests traders are temporarily treating Drift as an isolated case. That view may change.
Faction: People questioning North Korea attribution
  • Their evidence: Elliptic only said “possibly related” based on money-laundering trails; Mandiant’s forensics aren’t finished yet.
  • If they’re right, what happens: This gets downgraded into ordinary hacker noise, reducing the urgency around multisig and permission architecture.
  • My take: Too much doubt. The on-chain overlap still supports a confidence level that’s not low. No need to wait—strengthen defenses based on a North Korea threat model first.

Faction: People criticizing Circle for slow response
  • Their evidence: ZachXBT says since 2022 there have been $420 million+ in losses that weren’t frozen; this time the CCTP action was delayed by about 6 hours.
  • If they’re right, what happens: Trust in centralized stablecoins declines, and some capital may rotate to USDT or DAI, warming up “DeFi purity” rhetoric.
  • My take: Explanatory power is limited. The attacker chose CCTP because they expected a slow response; the right solution is to isolate administrator keys—not just to blame the issuer.

Faction: People bearish on Solana DeFi
  • Their evidence: DRIFT collapsed sharply, a dozen-plus protocols were affected, and the Fear Index is 11.
  • If they’re right, what happens: Bet on capital flowing out, short SOL perps, and treat this as a trust break.
  • My take: The conclusion is too early. TVL is steady, and no broad-based selloff suggests resilience still holds. An underappreciated, audited DEX (like Aevo) could become a rotation target.

Faction: Bullish on a recovery
  • Their evidence: Drift cooperated with law enforcement; relevant wallets are marked; no new outflows.
  • If they’re right, what happens: The recovery narrative buys time; some funds scoop up DRIFT while waiting for the forensic results to flip the story.
  • My take: Optimism is a bit aggressive. 58% concentration means if a large holder runs, it can turn into a waterfall. I’ll wait for Mandiant to confirm the attribution before talking.

This isn’t an occasional incident—it’s a reusable attack template

Calling the loss of Drift’s administrator keys an “occasional accident” ignores the key points: pretending to be a quant trader, deep offline relationship-building, and building trust over half a year—this isn’t random. It’s a standard, documented workflow from a North Korean hacker toolbox.

The suggestion that “you just need more code audits” misses the core issue. Attack vectors like a VSCode supply chain compromise or a TestFlight app lure can bypass the technical perimeter itself. I’ll reduce exposure to Solana perpetual protocols whose due diligence isn’t sufficient, and I’ll prefer chains whose governance processes and identity verification are more mature—such as Ethereum’s DAO ecosystem. Mandatory KYC for integrated partnerships will very likely roll out, and the market hasn’t priced that in yet.

Bottom line: If you treat this as old news, you’re already behind. Get ready for the spread of North Korea’s methods, and expect Solana yields to be eroded by 20–30%. Teams using air-gapped multisigs will have an advantage. If you like contrarian trading, you can look for a rebound during extreme fear (index < 10). But if you’re a long-term holder? Before attribution is fully confirmed and the entire ecosystem is forced into upgrades, consider switching early to a first-tier chain that has gone through many cycle-tested periods.

Assessment: This is a narrative of “early on, but accelerating.” Now is the time to adjust, not passively wait. Those truly benefiting will be teams and professional funds that can rapidly implement least-privilege, air-gapped multisigs, and process-based KYC. Tactical traders may capture rebounds during extreme fear. But those who just passively hold without rotating across chains and protocol quality will be at a disadvantage.
