The hack of the Solana-based decentralized finance (DeFi) platform could have been prevented if the Drift team had followed standard operational security procedures, which lawyer Ariel Givner said could constitute “civil negligence.”
“Simply put, civil negligence means they failed in their basic duty to protect the money they were managing,” Givner said in response to the Drift team's post-mortem update on how it handled Wednesday’s $280 million exploit.
The Drift team failed to follow “basic” security procedures, such as storing signing keys in separate, “sealed” systems that are never used for developer work and conducting due diligence on blockchain developers met at industry conferences.
“Every serious project knows this. Drift didn’t implement it,” she said, adding: “They knew cryptocurrencies were full of hackers, especially North Korean state teams.” Givner continued:
“Yet their team spent months chatting on Telegram, meeting strangers at conferences, opening repositories of sketchy code, and downloading fake apps to devices linked to multi-signature control.”
Class action notices against Drift Protocol are already circulating, she said. Cointelegraph reached out to the Drift team but had not received a response by the time of publication.

The incident is a reminder that social engineering and project infiltration by malicious actors are the main attack vectors against cryptocurrency developers. Such attacks can drain user funds and permanently erode customer trust in compromised platforms.
Drift Protocol claims the attack took “months” to plan.
The Drift Protocol team posted an update on Saturday detailing how the exploit occurred and said the attackers planned the attack six months before executing it.
Threat actors first contacted the Drift team at a “major” crypto industry conference in October 2025, expressing interest in protocol integration and collaboration.
Over the next six months, the malicious actors continued to build relationships with the Drift development team, and once enough trust was built, they began sending the Drift team malicious links and embedding malware that compromised the developers’ machines.
According to the Drift team, the people who met Drift’s creators in person, and who are suspected of working for hackers linked to North Korea, were not North Korean citizens.
Drift said with “medium-high confidence” that the exploit was committed by the same people behind the October 2024 Radiant Capital hack.
In December 2024, Radiant Capital stated that the exploit was carried out using malware sent via Telegram from a North Korean hacker posing as a former contractor.
