Drift Protocol has made on-chain contact with wallets associated with the $280 million exploit, while an unknown sender pressures the attacker.

After the $280 million theft, Drift Protocol is reaching out through on-chain messages to the wallets involved in the exploit, while an unknown sender is also trying to pressure the attacker.

Latest developments in Drift Protocol's follow-up to the exploit:

Last Friday, Solana-based decentralized exchange (DEX) Drift Protocol announced that it has begun communicating on-chain with the wallets associated with the funds stolen in this exploit. External security firms estimate that the losses from this attack are approximately $280 million to $286 million.

On the social media platform X, Drift said it has established contact with the wallets holding the stolen Ether (ETH) via on-chain messages and is attempting to open a dialogue. The Drift team has so far sent on-chain messages to four wallets associated with the attacker, using an Ethereum address (0x0934faC), urging them to make contact via Blockscan Chat. Drift said: “We’re ready to talk.”

On-chain messages have become a common way to respond to exploits, allowing the protocol to communicate directly with attackers while maintaining anonymity. In some past incidents, such as the Euler Finance hack, similar on-chain communications helped recover part of the stolen funds.

On-chain messages sent by Drift:

[Figure: the on-chain message sent by Drift to the exploiters. Source: Etherscan.]

Pressure from an anonymous sender:

Hours after Drift’s efforts, a previously unknown sender named readnow.eth also contacted wallets associated with the attacker via on-chain messages. The sender claimed to know the real identity behind the attack and demanded a payment of 1,000 Ether (ETH) in exchange for not disclosing this information.

These messages cannot currently be independently verified and may be an attempt by the attacker to mislead wallet holders with false information or to put pressure on them. The incident also shows that, after a cryptocurrency exploit, besides official statements, unverified messages can spread on the blockchain and cause unnecessary confusion.

Solana ecosystem aftershocks spread:

According to a report by SolanaFloor, the Drift Protocol exploit has so far affected at least 20 Solana protocols, including the decentralized finance (DeFi) platform Gauntlet, with the estimated size of the affected funds reaching $6.4 million.

Cyvers, a blockchain security platform, said that as of Friday morning, the impact was still expanding, and 48 hours after the attack, no stolen funds had been recovered. Cyvers further noted that the attack might be a “multi-week, phased operation,” and that the attacker had set up Solana’s durable nonces feature days before the exploit occurred—this feature allows users to pre-sign transactions that will be executed in the future.

Cyvers added: “This is very similar to the attack pattern in the Bybit hack. Although the methods are different, the fundamental reason is the same: the signer approved a malicious transaction without knowing.”

Industry observers, including Ledger Chief Technology Officer Charles Guillemet, believe that this exploit may involve actors associated with North Korea, but this speculation has not yet been confirmed.
