Attorney flags possible negligence in Drift’s $280M Solana hack
Attorney Ariel Givner argues Drift Protocol’s $280 million Solana exploit may be civil negligence after security lapses; Drift reports a six-month social-engineering campaign before the attack.
Attorney Ariel Givner argues the $280 million exploit of Solana-based Drift Protocol may amount to civil negligence, pointing to operational security lapses. Drift, in an update posted Saturday, reported that the attackers spent six months social-engineering its developers before executing the theft on Wednesday.
Responding to the project’s post-mortem, Givner contends the platform did not follow basic safeguards intended to protect user funds and sensitive systems. In her words: “In plain terms, civil negligence means they failed their basic duty to protect the money they were managing.” She added: “Every serious project knows this. Drift didn’t follow it.”
Her critique focuses on keeping signing keys on separate, air-gapped machines that are never used for developer work, and on tighter due diligence for outside coders first met at conferences. Givner also pointed to advertisements for potential class action lawsuits against the project that are already circulating.
Drift’s update outlines a months-long social engineering campaign that began at a major crypto conference in October 2025, where threat actors approached team members about integrations and collaboration. Over the next six months, the individuals built trust and sent links that embedded malware, leading to compromises of developer machines used in the project’s workflow.
According to the team, the malware delivered through those relationships enabled access later used in the $280 million exploit. The update did not identify specific devices or tools that were compromised.
ZachXBT criticized Circle after about $232 million in stolen USDC was moved from Solana to Ethereum through Circle’s CCTP following the $285 million Drift Protocol hack. He argued Circle had hours to freeze the funds, while Circle said it only blocks assets when legally required by sanctions, court orders, or law enforcement.
Drift reported that it holds medium-high confidence that the same group carried out the October 2024 Radiant Capital hack. Radiant later reported that the incident originated from malware sent via Telegram by a North Korea-aligned actor posing as a former contractor. Drift’s account states the people who met its developers in person were not North Korean nationals but are suspected of working with a state-affiliated group.
Givner’s assessment centers on operational hygiene, asserting that segregating sensitive keys from day-to-day development environments and more rigorous vetting of external collaborators could have reduced exposure.







