Drift Protocol, a decentralized exchange (DEX), says the April 1 exploit was a highly coordinated operation that took roughly six months to execute. “The preliminary investigation shows that Drift experienced a structured intelligence operation requiring organizational backing, significant resources, and months of deliberate preparation,” the protocol said in an X post.
Drift traces the campaign to about October 2025, when individuals posing as a quantitative trading firm first approached contributors at a “major crypto conference,” expressing interest in integrating with the protocol. Over the following six months the group repeatedly engaged specific Drift contributors in person at multiple industry events, gaining trust through technically fluent, seemingly verifiable professional personas.
After building relationships and access, the attackers used shared malicious links and tooling to compromise contributors’ devices, carry out the exploit, and then erase signs of their presence. External estimates place losses from the breach at around $280 million. Drift warned that the incident underscores the need for heightened skepticism during in-person interactions, since conferences can be targeted by sophisticated threat actors.
With “medium-high confidence,” Drift said the same actors were likely behind the October 2024 Radiant Capital hack. Radiant reported that malware sent via Telegram by an individual posing as an ex-contractor was delivered as a ZIP file that, when circulated among developers, ultimately enabled the intrusion. Drift noted that the in-person intermediaries it encountered were not North Korean nationals, and observed that DPRK-aligned operators frequently use third-party actors for face-to-face relationship-building.
Drift is working with law enforcement and industry partners to build a complete picture of the intrusion and its impacts. The protocol’s statement and related investigations aim to inform security practices across the crypto ecosystem.
