Drift Protocol, a Solana-based decentralized exchange, has initiated onchain contact with wallets holding an estimated $280 million to $286 million stolen in a recent exploit. The team sent messages urging the attacker to communicate, a tactic used in past recoveries. The outreach follows an anonymous party claiming to know the attacker’s identity and demanding a $3.1 million payment, though the claim is unverified. The exploit’s fallout is spreading, affecting at least 20 Solana protocols, with security firm Cyvers noting the operation was likely staged over weeks and no funds have been recovered.
Drift Protocol has opened onchain contact with wallets tied to funds stolen in a major exploit. The Solana-based decentralized exchange sent messages from its Ethereum address to four wallets linked to the attacker, “We are ready to speak.”
Onchain messaging is a common tactic in exploit response, preserving anonymity while enabling dialogue. This method led to partial fund recovery in past cases like the Euler Finance hack.
Drift’s communication followed an anonymous sender using the ENS name readnow.eth. That sender claimed to know the attacker’s identities and demanded 1,000 ETH, worth approximately $3.1 million, for withholding information.
The claims could not be independently verified and may be an attempt to mislead. The incident highlights how unverified messages can circulate onchain after crypto exploits.
According to SolanaFloor, the exploit has affected at least 20 Solana protocols. The decentralized finance platform Gauntlet was impacted by an estimated $6.4 million.
Blockchain security platform Cyvers said the impact was still expanding as of Friday morning. No funds had been recovered 48 hours after the attack.
Cyvers stated the attack was likely a “weeks-long, staged operation.” The attacker reportedly set up durable nonces, a Solana feature, days before the exploit.
“This closely mirrors the Bybit hack, different technique, same root issue: signers unknowingly approving malicious transactions,” Cyvers added. Some industry observers suggested the exploit may involve North Korea-linked actors, though details remain unconfirmed.
