Drift Protocol, a Solana-based decentralized exchange (DEX), said on Friday that it had made onchain contact with wallets associated with funds stolen in the exploit, which third-party firms estimated at approximately $280 million to $286 million.
Leeway he said on X that he had made onchain contact with wallets containing stolen Ether (ETH) in an attempt to open a communication line.
The team sent onchain messages from their Ethereum address (0x0934faC) to the four wallets associated with the exploit at the time of publication, prompting the attacker to contact them via Blockscan chat. “We are ready to talk,” Drift said.
Onchain messaging has become a common exploit response tactic, allowing protocols to communicate directly with attackers while maintaining anonymity. In previous cases, such as the Euler Finance hack, similar actions led to partial recovery of funds.
The anonymous sender is trying to put pressure on the attacker
Drift’s message came hours after an unknown sender using the ENS name readnow.eth also contacted wallets associated with the attacker via onchain messages on Thursday.
The sender claimed to know the identity behind the attack and demanded payment of 1,000 ETH in exchange for withholding the information.
The claims have not been independently verified and may constitute an attempt to mislead or coerce the wallet holder. The incident shows that unverified messages can circulate on the Internet alongside official communications following cryptographic exploits.
Solana’s fallout continues to spread
According to to SolanaFloor, the Drift exploit has impacted at least 20 Solana protocols to date, including decentralized finance (DeFi) platform Gauntlet, which was estimated to have an impact of $6.4 million.
Blockchain Cyvers security platform he said as of Friday morning, the impact continued to mount, and no funds had been recovered 48 hours after the attack.
Cyvers said the attack was likely a “week-long, phased operation,” noting that the attacker set up persistent one-time transactions, a Solana feature that allows users to pre-sign transactions for future execution, days before the exploit.
Related: Crypto Hackers Steal $169M from 34 DeFi Protocols in Q1: DefiLlama
“This closely mirrors the Bybit hack, different technique, same core problem: signers unknowingly endorsing malicious transactions,” Cyvers added.
Some industry observers, including Ledger chief technology officer Charles Guillemet, suggested North Korean-linked entities may be involved in the exploit, although details remain unconfirmed.
Warehouse: No one knows if quantum-secure cryptography will even work
