After the $285M Drift hack, new Solana scare shows crypto’s next security risk may already be inside
Burns Brief
The Drift exploit and Stabble’s precautionary warning point to a difficult crypto security problem: the next major breach may begin long before funds move on-chain.

The news has rattled market participants, with bears looking to push prices lower while bulls attempt to defend key support levels. Watch $SOL for reaction — a decisive move above or below key levels will confirm the next trend.
The Drift exploit and Stabble’s precautionary warning point to a difficult crypto security problem: the next major breach may begin long before funds move on-chain. That is what makes these incidents more than isolated alarms. They suggest that some protocols may still be looking for smart contract flaws, while the real exposure lies in hiring, access, governance, and trusted relationships.

On Apr. 1, Drift suspended deposits and withdrawals and told users it was under an active attack. By Apr. 5, the team said with medium-high confidence that the same threat actors behind the October 2024 Radiant Capital hack had executed the operation. TRM Labs estimated the drain at approximately $285 million, and the Drift post-mortem described a complex scheme in which individuals used $1 million of their own capital and met in person with Drift team members to infiltrate the protocol's structure.

On the technical side, TRM identified the critical weakness as social engineering of multisig signers combined with a zero-timelock Security Council migration. This governance design enabled attackers to execute privileged actions without the delays intended to catch unauthorized changes.

Why this matters

This shifts the risk from code alone to the people and permissions around it. For users and markets, that means a protocol can appear operational until a hidden access failure triggers a live funds event, forced withdrawals, or a sudden loss of trust. Elliptic said the laundering patterns and network indicators matched those of prior DPRK-attributed operations and pointed to a probable compromise of administrator keys that enabled privileged withdrawals and administrative control.
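As an added illustration (not code from Drift, TRM, or this article), the following Python model shows why the zero timelock matters: with a minimum delay of zero, a Security Council migration can be queued and executed in the same instant, while a nonzero delay forces the review window that signers and monitoring are supposed to get. The signer names, threshold, and one-hour delay are assumptions for the example.

```python
"""Toy model of a timelocked multisig admin action (added example).

Not Drift's governance code. It models the failure mode described in the
post-mortem: a privileged action such as migrating the council signer set
executes immediately when min_delay is 0, so nobody gets a window to catch
an unauthorized change. Signer names and delays are constructed values.
"""
from dataclasses import dataclass, field


@dataclass
class Timelock:
    min_delay: int                       # seconds a queued action must wait
    signers: set                         # currently authorized signers
    threshold: int                       # valid signatures needed to queue
    queue: dict = field(default_factory=dict)   # action id -> (ready_at, action)

    def queue_action(self, action_id: str, action: dict, sigs: set, now: int) -> int:
        """Queue a privileged action; returns the earliest execution time."""
        if len(sigs & self.signers) < self.threshold:
            raise PermissionError("insufficient valid signatures")
        ready_at = now + self.min_delay
        self.queue[action_id] = (ready_at, action)
        return ready_at

    def execute(self, action_id: str, now: int) -> dict:
        """Execute a queued action only once its delay has elapsed."""
        ready_at, action = self.queue[action_id]
        if now < ready_at:
            raise RuntimeError(f"timelock: {ready_at - now}s remaining")
        del self.queue[action_id]
        if action["type"] == "migrate_council":
            self.signers = set(action["new_signers"])   # privileged change lands
        return action


def attempt_instant_migration(min_delay: int, now: int = 1_000) -> bool:
    """True if a council migration can be queued and executed at the same
    instant, i.e. with no review window. Signers here are constructed."""
    tl = Timelock(min_delay=min_delay, signers={"a", "b", "c"}, threshold=2)
    migration = {"type": "migrate_council", "new_signers": ["x", "y", "z"]}
    tl.queue_action("m1", migration, sigs={"a", "b"}, now=now)
    try:
        tl.execute("m1", now=now)
        return True          # zero timelock: migration landed instantly
    except RuntimeError:
        return False         # delay enforced: execution refused for now
```

With `min_delay=0` the migration lands immediately; with `min_delay=3600` the same call is refused until the window has passed, which is the delay a zero-timelock design removes.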
Attackers earned enough trust to convert ordinary access into a 12-minute, $285 million drain. A timeline shows the Drift exploit unfolded across months of social engineering before a 12-minute, $285 million drain on Apr. 1.

On Apr. 7, the Solana-based liquidity protocol Stabble told its liquidity providers to withdraw funds as a precaution. The new team that recently acquired the protocol said it had discovered that a former CTO appeared to be the same person ZachXBT had publicly flagged as a North Korean IT worker. The protocol promised new audits before resuming operations. What Stabble demonstrated was that alleged insider exposure now moves users fast enough to constitute a live funds event on its own.

The operating manual already exists

Treasury's Mar. 12 sanctions release put numbers on the problem: DPRK IT-worker fraud schemes generated nearly $800 million in 2024, using fraudulent documents, stolen identities, and fabricated personas. The Department of Justice separately said North Korean operatives obtained employment at more than 100 US companies using fake and stolen identities. In one Atlanta blockchain R&D case, workers stole more than $900,000 in virtual currency. These were workforce infiltrations sustained across multiple firms over extended periods.

Flare and IBM X-Force published their operational breakdown on Mar. 18. The research describes a tiered structure of recruiters, facilitators, IT workers, and collaborators who assist with identity verification and onboarding. Once embedded, operatives use remote access tools, VPN and proxy services, and internal communication channels, leaving detectable but often-missed traces in device logs.
Flare and IBM frame this as a shared problem owned jointly by security teams and HR, requiring coordination across hiring, onboarding, access controls, and offboarding disciplines.

| Stage | Who is involved | What happens | What the warning sign looks like | Why crypto teams miss it |
| --- | --- | --- | --- | --- |
| Recruitment / identity fabrication | Recruiters, facilitators, fake applicants, collaborators | Operatives build false personas using fraudulent documents, stolen identities, and fabricated employment histories to get through screening | Inconsistent biographical details, thin digital footprint, identity mismatches, suspicious references | Teams optimize for speed and technical talent, not adversarial hiring review |
| Hiring / onboarding | HR, hiring managers, collaborators / brokers, IT workers | Collaborators help candidates pass identity verification, background checks, and onboarding steps | Unusual help during onboarding, documentation anomalies, device / location inconsistencies | Hiring and security often operate separately, so no single team sees the whole pattern |
| Embedding inside teams | IT workers, managers, coworkers, contractor | | | |
Key Takeaways
- The Drift exploit and Stabble’s precautionary warning point to a difficult crypto security problem: the next major breach may begin long before funds move on-chain
- That is what makes these incidents more than isolated alarms
- They suggest that some protocols may still be looking for smart contract flaws, while the real exposure lies in hiring, access, governance, and trusted relationships
- On Apr. 1, Drift suspended deposits and withdrawals and told users it was under an active attack
- By Apr. 5, the team said with medium-high confidence that the same threat actors behind the October 2024 Radiant Capital hack had executed the operation