Drift Protocol Slid Into the Exploiter's DMs With 'We Should Talk' (Cringe or Genius? Rival Extortionist Already Demanding 1,000 ETH)

So here's a sentence nobody had on their 2024 bingo card: Drift Protocol, the Solana DEX that got absolutely rekt for up to $286 million, slid into the exploiter's onchain DMs like a guy who just got dumped sliding into his ex's Instagram DMs at 2am. On Friday, the team fired off a message from their Ethereum address (0x0934faC) to four wallets connected to whoever pulled this off, dropping a simple but bold "We are ready to speak" on X. Corporate speak for "please don't spend all of it on RGB pixel art, we just want our money back."

If this feels familiar, it's because protocols have been doing the whole "DM your attacker" thing for a while now. Euler Finance basically wrote the playbook after their $197 million oopsie—same vibe, slide into their chain, keep it mysterious, pray for a miracle. Spoiler: it worked out okay for Euler. Drift's probably hoping lightning strikes twice.

But wait, there's more. Turns out somebody got there first. Hours before Drift went full negotiator mode, some mysterious degens with the ENS name readnow.eth were already lurking in the exploiter's wallets, dropping a not-so-subtle "I know who you are, pay me 1,000 ETH or I start talking." Bold strategy, Cotton. Either this person has actual intel, or they're just another grifter trying to get rich off someone else's crime scene. Onchain is wild like that—nobody's verified anything, and honestly, we might never know if this was a genuine tip or just someone fishing for ETH in a river of chaos. The drama is almost better than the hack itself.

Now for the damage report. According to SolanaFloor, Drift's little adventure has now splash-damaged at least 20 other Solana protocols. Gauntlet is out here crying with a cool $6.4 million hole in its pocket. Cyvers, the blockchain security firm that definitely didn't enjoy their weekend, flagged that we're still in expansion mode—it's been 48 hours and zero funds recovered. Their take? This wasn't a rushed job. The attacker apparently set up shop weeks ago using Solana's durable nonces (basically pre-signing transactions to use later), which means this was a patient, methodical operation. "Like the Bybit hack, different technique, same root issue: signers thinking they approved something boring when they actually signed away the farm," Cyvers helpfully pointed out.

Oh, and in case you were wondering if this smells like our old friends in North Korea, Ledger CTO Charles Guillemet and some other smart cookies are definitely wondering the same thing. Nothing confirmed, but the playbook does look suspiciously familiar. Someone's always got to ruin the vibes, and in crypto, there's a non-zero chance it's always the same people. Stay skeptical out there, degens.