Key Highlights
- Ledger CTO Charles Guillemet says the $230 million Drift Protocol hack likely resulted from a compromised multisig, in which attackers either stole enough private keys or tricked signers into approving a malicious transaction.
- Guillemet compared the attack pattern directly to the Bybit hack, widely attributed to DPRK-linked actors.
- He called for an industry-wide security reset, advocating better detection mechanisms, hardware-backed key management, and clear signing standards.
Charles Guillemet, Chief Technology Officer at hardware wallet manufacturer Ledger, has weighed in on the Drift Protocol exploit, calling it “yet another wake-up call for the industry” and drawing a direct comparison to the $1.4 billion Bybit hack of 2025, widely attributed to North Korea’s Lazarus Group.
Guillemet said the full details of the attack are still unfolding, but based on available evidence, the multisig controlling Drift Protocol was compromised, possibly days or even weeks before the $230 million in funds were actually drained.
“Either the attackers directly stole enough private keys to meet the multisig threshold, or, more likely, they compromised several machines belonging to multisig signers and tricked the operators into approving a malicious transaction,” Guillemet said. “The signers may have believed they were signing a legitimate operation while unknowingly authorizing the drain.”
This attack vector, which targets the human and operational layer rather than the underlying smart contracts, has become the defining pattern of the most devastating crypto exploits in recent years. Guillemet called it “patient, sophisticated supply-chain-level compromise,” explicitly connecting it to the DPRK-linked playbook seen in the Bybit breach.
The Bybit Playbook: Human Layer, Not Code
The comparison to Bybit is pointed. In February 2025, attackers, later attributed by the FBI to North Korea’s Lazarus Group, compromised the signing workflow of Bybit’s multisig: malicious code injected into the Safe{Wallet} web frontend used by Bybit’s signers meant that the transaction presented on screen did not match the one being signed.
The signers believed they were approving a routine transfer; instead, they authorized a transaction that drained roughly $1.4 billion from the exchange’s cold wallet. The attack did not exploit any smart contract bug. It exploited trust, operational process, and the gap between what signers saw on screen and what they actually signed.
Guillemet is now warning that the same blueprint is being repeated. Drift Protocol’s $230 million exploit follows the same arc: multisig compromise, compromised signer machines, and approval of a malicious transaction disguised as a legitimate operation.
On-chain researchers have noted that the attacker’s address was first funded with 1 SOL roughly a week before the exploit, suggesting pre-positioning well ahead of the actual drain.
Three Pillars: Detection, Key Administration, Clear Signing
Guillemet outlined three concrete steps the industry must adopt:
First, better detection mechanisms at the network and endpoint level to identify compromised environments before they can be weaponized. In both the Bybit and Drift cases, the attacker had access to the signing environment for an extended period before executing the drain. Earlier detection of anomalous endpoint behavior could have interrupted the kill chain.
Second, secure key management with proper governance: specifically, hardware-backed signing and operational procedures that assume individual machines can be compromised. Multisig setups that rely on software wallets running on internet-connected machines are fundamentally vulnerable to the kind of supply-chain compromise seen here. Hardware-backed keys alone are not sufficient, however: a device that displays only an opaque hash will still sign whatever a compromised host sends it, which is what makes the third step essential.
Third, and most critically, clear signing ensures that signers always have full, human-readable visibility into what they are actually approving. In both the Bybit and Drift exploits, the attackers’ advantage was that signers could not distinguish a malicious transaction from a legitimate one at the point of approval.
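The difference between the second and third pillars is easiest to see in code. The toy model below is an example added to this article; it is not Ledger’s, Drift’s or Bybit’s code. It assumes a constructed transaction format (a small JSON object with `action`, `destination` and `amount` fields standing in for a real chain’s serialized transaction) and made-up addresses and policy. Every signer’s host is compromised the way the article describes: the host renders the operation the signer expects, but hands the signing routine a payload that pays the attacker. A blind signer trusts the display and reaches the multisig threshold; a clear signer decodes the payload independently, compares each field against what was displayed and against a destination allow-list, and refuses.

```python
"""
Blind signing vs. clear signing under a compromised signer host.
Example code, not Ledger's, Drift's or Bybit's. The transaction format,
addresses and allow-list below are constructed for illustration.
"""
import hashlib
import json
from typing import Callable

# Constructed sample data: the operation the signers intend to approve, and the
# destinations the multisig's operational policy permits.
INTENDED_TX = {"action": "transfer", "destination": "OPS_HOT_WALLET", "amount": 1_000_000}
ALLOWED_DESTINATIONS = {"OPS_HOT_WALLET", "INSURANCE_FUND"}
ATTACKER = "ATTACKER_ADDRESS"  # hypothetical


def canonical_bytes(tx: dict) -> bytes:
    """Deterministic serialization so every party hashes the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def tx_digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


def compromised_host(intended: dict) -> tuple[dict, bytes]:
    """Model of a signer machine (or signing frontend) under attacker control.

    It renders the operation the signer expects to see, but hands the signing
    step a different payload that moves the funds to the attacker.
    """
    malicious = dict(intended, destination=ATTACKER, amount=230_000_000)
    return intended, canonical_bytes(malicious)


def blind_sign(displayed: dict, payload: bytes) -> dict:
    """Blind signing: the signer trusts the host's display and approves the
    payload bytes without decoding them."""
    return {"approved": True, "digest": tx_digest(payload), "findings": []}


def clear_sign(displayed: dict, payload: bytes,
               allowed: set[str] = ALLOWED_DESTINATIONS) -> dict:
    """Clear signing: decode the payload independently of the host, compare
    every field the signature would authorize with what was displayed, enforce
    the destination policy, and refuse on any discrepancy."""
    decoded = json.loads(payload)
    findings = []
    for field in sorted(set(displayed) | set(decoded)):
        if displayed.get(field) != decoded.get(field):
            findings.append(
                f"{field}: display shows {displayed.get(field)!r}, "
                f"payload contains {decoded.get(field)!r}")
    if decoded.get("destination") not in allowed:
        findings.append(
            f"destination {decoded.get('destination')!r} is not on the allow-list")
    approved = not findings
    return {"approved": approved,
            "digest": tx_digest(payload) if approved else None,
            "findings": findings}


def run_multisig(signer_count: int, threshold: int,
                 sign: Callable[[dict, bytes], dict],
                 intended: dict = INTENDED_TX) -> bool:
    """Every signer's host is compromised the same way. Returns True if enough
    approvals are collected for the malicious transaction to execute."""
    approvals = 0
    for _ in range(signer_count):
        displayed, payload = compromised_host(intended)
        if sign(displayed, payload)["approved"]:
            approvals += 1
    return approvals >= threshold


if __name__ == "__main__":
    print("blind signing, 2-of-3 hosts compromised:", run_multisig(3, 2, blind_sign))  # True
    print("clear signing, 2-of-3 hosts compromised:", run_multisig(3, 2, clear_sign))  # False
    shown, bad_payload = compromised_host(INTENDED_TX)
    for finding in clear_sign(shown, bad_payload)["findings"]:
        print("  -", finding)
```

The point of the model is where the decoding happens. `clear_sign` only helps if it runs somewhere the attacker does not control: on the signing device’s own parser, or on a second machine administered separately from the one that produced the payload. If the device cannot decode the format and shows only a digest, the same swap can still be caught by recomputing the digest of the multisig’s proposal on an independent machine and comparing it with the one on the device screen before approving.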
“Security is not only about code audits,” Guillemet said. “It’s about giving operators and users the right information at the right time, so they can make informed decisions about what they sign.”
Drift Fallout
The exploit’s impact on Drift Protocol has been severe. The platform’s total value locked collapsed from roughly $550 million to below $250 million, according to DefiLlama data. Drift’s native token, DRIFT, dropped nearly 28%, trading around $0.049, down more than 98% from its November 2024 all-time high of $2.60.
Drift confirmed the attack on X, stating it had suspended deposits and withdrawals and was coordinating with security firms, bridges, and exchanges to contain the incident. The attacker quickly swapped the stolen assets into USDC and bridged them from Solana to Ethereum; on-chain investigator ZachXBT reported that over $230 million in USDC was bridged via Circle’s CCTP across 100+ transactions over roughly six hours with no intervention from Circle, drawing sharp criticism from the crypto community.
Publicly traded Solana treasury companies Forward Industries and DeFi Development Corp confirmed their treasuries were not impacted, while wallet provider Phantom implemented user warnings.
As Guillemet put it, “Ultimately, security is not only about code audits. It’s about giving operators and users the right information at the right time.”
The $230 million question for the industry is whether it will treat this as another isolated incident, or as the pattern it clearly is.
Disclaimer: The information researched and reported by The Crypto Times is for informational purposes only and is not a substitute for professional financial advice. Investing in crypto assets involves significant risk due to market volatility. Always Do Your Own Research (DYOR) and consult a qualified Financial Advisor before making any investment decisions.