Key Highlights
- Ledger CTO Charles Guillemet says the $230 million Drift Protocol hack likely resulted from a compromised multisig, where attackers either stole enough private keys or tricked signers into approving a malicious transaction.
- Guillemet compared the attack pattern directly to the Bybit hack, widely attributed to DPRK-linked actors.
- He called for an industry-wide security reset, advocating for better detection mechanisms, hardware-backed key management, and clear signing standards.
Charles Guillemet, Chief Technology Officer at hardware wallet manufacturer Ledger, has weighed in on the Drift Protocol exploit, calling it “yet another wake-up call for the industry” and drawing a direct comparison to the $1.4 billion Bybit hack of 2025—widely attributed to North Korea’s Lazarus Group.
Guillemet said the full details of the attack are still unfolding, but based on available evidence, the multisig controlling Drift Protocol was compromised—potentially days or even weeks before the $230 million in funds were actually drained.
“Either the attackers directly stole enough private keys to meet the multisig threshold, or, more likely, they compromised several machines belonging to multisig signers and tricked the operators into approving a malicious transaction,” Guillemet said. “The signers may have believed they were signing a legitimate operation while unknowingly authorizing the drain.”
This attack vector — targeting the human and operational layer rather than the underlying smart contracts — has become the defining pattern of the most devastating crypto exploits in recent years. Guillemet called it “patient, sophisticated supply-chain-level compromise,” explicitly connecting it to the DPRK-linked playbook seen in the Bybit breach.
The Bybit playbook: Human layer, not code
The comparison to Bybit is pointed. In February 2025, attackers — later attributed by the FBI to North Korea’s Lazarus Group — compromised Bybit’s multisig infrastructure by targeting the machines of individual signers.
The signers believed they were approving routine transactions; instead, they authorized transfers that drained approximately $1.4 billion from the exchange’s cold wallet. The attack did not exploit any smart contract bug. It exploited trust, operational process, and the gap between what signers saw on screen and what they actually signed.
Guillemet is now warning that the same blueprint is being repeated.
Drift Protocol’s $230 million exploit follows an identical arc: multisig compromise, compromised signer machines, and malicious transaction approval disguised as a legitimate operation.
On-chain researchers have noted that the attacker’s address was first funded with 1 SOL approximately a week before the exploit, suggesting pre-positioning well ahead of the actual drain.
Three pillars: Detection, Key Management, Clear Signing
Guillemet outlined three concrete steps the industry must adopt:
First, better detection mechanisms at the network and endpoint level to identify compromised environments before they can be weaponized. In both the Bybit and Drift cases, the attacker had access to signer machines for an extended period before executing the drain. Earlier detection of anomalous endpoint behavior could have interrupted the kill chain.
Second, secure key management with proper governance — specifically, hardware-backed signing and operational procedures that assume individual machines can be compromised. Multisig setups that rely on software wallets running on internet-connected machines are fundamentally vulnerable to the type of supply-chain compromise seen here.
Third, and most critical, clear signing: ensuring that signers always have full, human-readable visibility into what they are actually approving. In both the Bybit and Drift exploits, the attackers’ advantage was that signers could not distinguish a malicious transaction from a legitimate one at the point of approval.
“Security is not just about code audits,” Guillemet said. “It’s about giving operators and users the right information at the right time, so they can make informed decisions about what they sign.”
Drift fallout
The exploit’s impact on Drift Protocol has been severe. The platform’s total value locked (TVL) collapsed from approximately $550 million to under $250 million, according to DeFiLlama data. Drift’s native token, DRIFT, dropped nearly 28%, trading around $0.049—down more than 98% from its November 2024 all-time high of $2.60.
Drift confirmed the attack on X, stating it had suspended deposits and withdrawals and was coordinating with security firms, bridges, and exchanges to contain the incident. The attacker rapidly swapped stolen assets into USDC and bridged them from Solana to Ethereum. On-chain investigator ZachXBT reported that over $230 million in USDC was bridged via Circle’s CCTP across 100+ transactions over approximately six hours, with no intervention from Circle, drawing sharp criticism from the crypto community.
Publicly traded Solana treasury firms Forward Industries and DeFi Development Corp confirmed their treasuries were not impacted, while wallet provider Phantom implemented user warnings.
As Guillemet said, “Ultimately, security is not just about code audits. It’s about giving operators and users the right information at the right time.”
The $230 million question for the industry is whether it will treat this as another isolated incident—or as the pattern it clearly is.