Drift Protocol, a Solana-based decentralized exchange (DEX), said Friday it had opened onchain contact with wallets tied to funds stolen in the exploit that outside firms have estimated at roughly $280 million to $286 million.
Drift said on X that it had initiated onchain contact with wallets holding the stolen Ether (ETH), seeking to open a line of communication.
The team sent onchain messages from its Ethereum address (0x0934faC) to four wallets linked to the exploiter at the time of publication, urging the attacker to reach out via Blockscan chat. “We are ready to speak,” Drift said.
Onchain messaging has become a common tactic in exploit response, allowing protocols to communicate directly with attackers while preserving anonymity. In past cases, such as the Euler Finance hack, similar outreach led to the partial recovery of funds.
Drift’s onchain message to the Drift Exploiter on Friday. Source: Etherscan
Anonymous sender tries to pressure the attacker
Drift’s communication came hours after an unknown sender using the ENS name readnow.eth also reached out to wallets linked to the attacker on Thursday via onchain messages.
The sender claimed to know the identities behind the attack and demanded a payment of 1,000 ETH in exchange for withholding information.
The claims could not be independently verified and may represent an attempt to mislead or pressure the wallet holder. The incident highlights how, alongside official communications, unverified messages can circulate onchain after crypto exploits.
Solana fallout keeps spreading
According to SolanaFloor, Drift’s exploit has so far affected at least 20 Solana protocols, including the decentralized finance (DeFi) platform Gauntlet, which was estimated to be impacted to the scale of $6.4 million.
Blockchain security platform Cyvers said the impact was still expanding as of Friday morning, with no funds being recovered 48 hours past the attack.
Cyvers said that the attack was likely a “weeks-long, staged operation,” noting that the attacker set up durable nonces, a Solana feature allowing users to pre-sign transactions for future execution, days before the exploit.
Related: Crypto hackers steal $169M from 34 DeFi protocols in Q1: DefiLlama
“This closely mirrors the Bybit hack, different technique, same root issue: signers unknowingly approving malicious transactions,” Cyvers added.
Some industry observers, including Ledger chief technology officer Charles Guillemet, suggested the exploit may involve North Korea-linked actors, though details remain unconfirmed.
Magazine: Nobody knows if quantum secure cryptography will even work