North Korean hackers infiltrate Solana perpetual protocol: DeFi security shifts focus from code to people
Social engineering isn’t tearing through code—it’s tearing through people
Drift has confirmed it lost $285 million. But beyond the numbers, what’s more worth noting is that Solana’s perpetual ecosystem has been targeted by a patient, nation-state-level adversary. Market attention is shifting from “whether the code has bugs” to “whether people will be fooled.”
A seemingly routine meeting-based social engagement ultimately turned into a six-month-long infiltration. Actors like UNC4736 don’t rush to find vulnerabilities—they’re cultivating relationships. After this story spread across crypto social media, people began reexamining DeFi’s “trustless” narrative—because when it comes to targeted social engineering, that storyline is actually fragile. There’s overlap between on-chain fund movement and the 2024 Radiant attack, and it matches Mandiant’s earlier analysis that attributed a similar path to North Korea.
The market is indeed panicking, but it hasn’t spun out of control: the Fear and Greed Index has dropped to 11, and BTC and ETH are basically holding steady (NUPL 0.196, funding rates neutral), with no cascade of major coins. Even though some are calling for “capital flight,” from March to April Solana DeFi TVL still stayed near $100B+. DRIFT itself is down 40% to $0.034 (market cap $34 million). The attackers still have about $552k in USDY and some meme coins. The top ten holder addresses (together 58%) show no obvious signs of distribution; they look like they’re waiting for forensic conclusions rather than rushing to run.
This isn’t an occasional incident—it’s a reusable attack playbook
Calling the takeover of Drift’s admin keys an “isolated incident” misses the key points: disguising as a quantitative trader, deep offline socializing, and building trust for half a year. This isn’t a random event—it’s a standard, documented process from the North Korean hackers’ toolkit.
The “just audit the code more rounds” advice misses the point. Attack vectors like a VSCode supply chain and TestFlight app lures can completely bypass the technical defenses themselves. I’ll reduce exposure to Solana perpetual protocols that haven’t done sufficient due diligence, and I’ll favor chains that are more mature in governance processes and identity verification, like the Ethereum DAO ecosystem. Mandatory KYC for integrated partnerships will almost certainly be rolled out, and the market hasn’t priced that in yet.
Bottom line: If you treat this as old news, you’re already behind. Get ready for the spread of North Korea methods and expect Solana yields to be eroded by 20–30%. Teams using multisig with air-gapped setups will gain an edge. If you like contrarian trading, you can look for a rebound during extreme fear (index < 10). But if you’re a long-term holder? Before attribution is fully nailed down and the whole ecosystem is forced to upgrade, consider switching early to a leading L1 chain that’s survived many cycles.
Verdict: This is an “early but accelerating” narrative. Adjustments now beat passive waiting. The real beneficiaries are teams and professional funds that can quickly implement permission minimization, air-gapped multisig, and process-driven KYC; tactical traders can capture rebounds amid extreme fear; but those who passively hold long-term without rotating based on on-chain and protocol quality will be at a disadvantage.