Drift Protocol says the April 1 exploit was a highly coordinated campaign that required organizational backing, significant resources, and roughly six months of deliberate preparation, according to a post on X. The protocol’s preliminary investigation describes a structured intelligence-style operation rather than a simple opportunistic hack.
Drift traces the campaign to about October 2025, when individuals claiming to represent a quantitative trading firm first approached contributors at a major crypto conference and expressed interest in integrating with the protocol. Over the next six months the group repeatedly sought out specific Drift contributors at multiple industry events, cultivating trust through technically fluent, seemingly verifiable professional personas.
After building relationships and access, the attackers deployed malicious links and tooling to compromise contributors’ devices, carried out the exploit, and removed signs of their presence. External estimates put losses from the breach at roughly $280 million. Drift cautioned that sophisticated threat actors can use in-person conferences as attack vectors and urged greater skepticism during face-to-face interactions.
With “medium-high confidence,” Drift says the same actors were likely behind the October 2024 Radiant Capital hack, in which someone posing as an ex-contractor delivered malware via Telegram as a ZIP file that, once circulated among developers, enabled the intrusion. Drift also noted that the in-person intermediaries it encountered were not North Korean nationals and observed that DPRK-aligned operators frequently use third-party actors for direct relationship-building.
Drift is working with law enforcement and industry partners to complete the investigation, assess impacts, and share findings to strengthen security practices across the crypto ecosystem.