Drift Protocol: begins developing a recovery plan, participates in the STRIDE security program


Drift Protocol recovery plan

Drift Protocol shared the latest updates on April 8 on the X platform, saying it is currently actively working with its partners to develop a coordinated and consistent recovery plan. At this stage, the focus is on stabilizing the situation and providing protocol-level assurance for all affected users and partner organizations. In addition, Drift Protocol announced that it will participate in the Solana Foundation’s security program STRIDE, and more details will be released later.

Recovery Plan Status: Stabilizing the Situation Is the Top Priority

Drift Protocol emphasized that the creation of the recovery plan involves multi-party coordination among its partners, affected users, and other ecosystem participants. The priority at present is “stabilizing the situation,” ensuring that affected users receive protection at the protocol level, and studying subsequent compensation and restoration measures.

Participation in the STRIDE program is an important component of Drift Protocol’s security hardening roadmap. STRIDE is led by Asymmetric Research and funded by the Solana Foundation. It provides independent security assessments, round-the-clock proactive threat monitoring (for protocols with TVL exceeding $10 million), and formal verification services (for protocols with TVL exceeding $100 million).

Attack Retrospective: A Detailed Breakdown of a Six-Month Intelligence Infiltration Campaign

This attack was not a traditional technical vulnerability exploit; it was a combined operation that blended social engineering with technical intrusion. The attackers posed as “quantitative trading companies interested in integration.” During a large industry conference last autumn, they proactively contacted the target personnel. They then gradually built trust through in-person meetings and communication on Telegram. Before carrying out the attack, the attackers even deposited $1 million of their own funds into the platform treasury to strengthen credibility, and after the operation was completed, they quickly disappeared without a trace.

Technical Pathways of the Attack Methods

Malicious code library injection: Embedding malicious code into the development environment through the supply-chain path to achieve silent execution

Forged applications: Luring contributors to download and execute malicious programs using tools that appear legitimate

Exploitation of development tool vulnerabilities: Achieving silent code execution by targeting weak points in the development process

Social engineering infiltration: Using third-party intermediaries to conduct in-person meetings, avoiding the risk of the attackers’ nationality being directly identified

Drift Protocol noted that the personnel conducting in-person contact were not citizens of North Korea. Actors with such national backgrounds typically carry out on-site infiltration missions through third-party intermediaries.

AppleJeus Attribution: Digital Attack Footprints of a North Korean Intelligence Organization

Drift Protocol attributed this attack with medium-to-high confidence to the threat organization AppleJeus (also known as Citrine Sleet). Previously, the cybersecurity company Mandiant had linked the organization to the 2024 hacking attack against Radiant Capital. Incident responders said that both on-chain analysis and identity overlap patterns point to the involvement of personnel related to North Korea, but Mandiant has not yet officially confirmed this attribution.

A strategy director at a blockchain security company said that the adversaries that cryptocurrency teams currently face are more like “intelligence agencies” than traditional hackers. He added that the core security issue highlighted by this incident is not the number of transaction signers, but the “lack of fundamental understanding of transaction intent,” which causes signers to be tricked into approving malicious operations.

Industry Alert: DeFi Ecosystem May Have Been Broadly Infiltrated

A security researcher involved in this investigation said that the DeFi ecosystem may already have been broadly infiltrated by actors like this and speculated that related organizations have been influencing multiple protocols for a long time. This claim suggests that the attack on Drift Protocol may not be an isolated incident, but rather part of a larger-scale ongoing infiltration campaign, forcing a fundamental re-examination of the security defense architecture of the entire decentralized finance ecosystem.

Frequently Asked Questions

What progress has been made on Drift Protocol’s recovery plan for the $285 million theft?

Drift Protocol said it is actively working with partners to develop a coordinated and consistent recovery plan. At this stage, the focus is on stabilizing the situation and providing protocol-level assurance for all affected users and partners. It also announced that it will participate in STRIDE, the security program under the Solana Foundation, and that further details will be released separately.

How was Drift Protocol attacked?

The attackers disguised themselves as a quantitative trading company. Over six months, they built trust through in-person meetings and social engineering infiltration. They also deposited $1 million of real funds in advance to increase their credibility. Ultimately, they achieved silent code execution through a malicious code library, a forged application, and exploitation of vulnerabilities in development tools, stealing approximately $285 million.

Has the connection between this attack and the North Korean intelligence organization been confirmed?

With medium-to-high confidence, Drift Protocol attributed the attack to the threat organization AppleJeus. On-chain analysis and identity overlap patterns point to North Korea-related personnel involvement. However, Mandiant, the cybersecurity company, has not yet officially confirmed this attribution.
