Drift Protocol reveals a state-linked intelligence operation behind the $285M April 1 hack, involving fake identities and months of in-person infiltration.
Drift Protocol didn’t get hacked on April 1st. It got played for six months straight.
The team posted a full incident background update on X, walking the community through what investigators now believe was a structured intelligence operation. Not a smash-and-grab. A slow, deliberate infiltration that began at a crypto conference in fall 2025 and ended with $285 million gone.
According to @DriftProtocol on X, a group presenting as a quantitative trading firm made first contact with Drift contributors at a major industry event. What followed was not suspicious. It was textbook onboarding.
The Six Months Nobody Noticed
They were technical. They knew the protocol. A Telegram group was set up on day one.
From there, the group spent months in substantive conversations about trading strategies and vault integrations. They met Drift contributors in person at multiple conferences across multiple countries. By December 2025, they had onboarded an Ecosystem Vault, deposited over $1 million of their own capital, and held several working sessions with the team.
These weren’t strangers by February 2026. Drift contributors had met them face to face, worked through sessions with them, and built what felt like a real business relationship nearly half a year old.
Then on April 1st, everything changed. Their Telegram chats disappeared. Malicious software was scrubbed clean. The attack went live.
The Attack Vectors Investigators Found
Drift’s post outlined three potential entry points. One contributor may have cloned a code repository shared by the group under the premise of deploying a frontend for their vault. A second was persuaded to download a TestFlight app the group presented as a wallet product.
The repository vector likely exploited a known VSCode and Cursor vulnerability that the security community had been flagging from December 2025 through February 2026. Opening a file or folder was enough. No prompts. No warnings. Arbitrary code executed silently.
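A defender-side check for the repository vector described above, added here as an example and not code from Drift or the investigators. The post does not name the exact editor bug, so the script assumes nothing about it; it only inspects a cloned repository’s VS Code/Cursor task definitions for the documented `runOptions.runOn: "folderOpen"` setting, which starts a task as soon as the folder is opened, so a contributor can review such hooks before opening the project in an editor. The sample repository it builds is constructed for the demonstration.

```python
"""Flag VS Code / Cursor tasks in a cloned repo that auto-run on folder open.
Added example; the sample repository below is constructed, not attacker data."""
import json
import os
import tempfile


def _load_jsonc(path):
    """Parse a VS Code JSON-with-comments file (full-line // comments stripped)."""
    with open(path, encoding="utf-8") as fh:
        text = "".join(ln for ln in fh if not ln.lstrip().startswith("//"))
    return json.loads(text)


def find_auto_run_hooks(repo_dir):
    """Return (file, reason) pairs for task definitions that run on folder open."""
    findings = []
    tasks_file = os.path.join(repo_dir, ".vscode", "tasks.json")
    if os.path.isfile(tasks_file):
        for task in _load_jsonc(tasks_file).get("tasks", []):
            # runOptions.runOn == "folderOpen" makes the editor launch the task
            # automatically once the workspace is opened and trusted.
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                reason = f"task {task.get('label')!r} auto-runs: {task.get('command')}"
                findings.append((tasks_file, reason))
    return findings


def make_sample_repo(root, with_hook):
    """Write a constructed .vscode/tasks.json; with_hook adds the auto-run option."""
    vscode = os.path.join(root, ".vscode")
    os.makedirs(vscode, exist_ok=True)
    task = {"label": "build", "type": "shell", "command": "npm run build"}
    if with_hook:
        task["runOptions"] = {"runOn": "folderOpen"}
    with open(os.path.join(vscode, "tasks.json"), "w", encoding="utf-8") as fh:
        fh.write("// constructed sample for the demonstration\n")
        json.dump({"version": "2.0.0", "tasks": [task]}, fh)
    return root


def scan_sample(with_hook):
    """Build a throwaway sample clone and scan it; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_auto_run_hooks(make_sample_repo(tmp, with_hook))


if __name__ == "__main__":
    for path, reason in scan_sample(True):
        print(f"WARNING {path}: {reason}")
```

Point `find_auto_run_hooks` at a real clone’s root to review it before opening; a clean result does not prove safety, only that this one hook is absent.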
Full forensic analysis of affected hardware is still ongoing, Drift said.
North Korea’s Fingerprints on the Chain
The attribution is where things get serious. With medium-high confidence, and supported by work from the SEAL 911 team, the operation is assessed to be the same group behind the October 2024 Radiant Capital hack. Mandiant attributed that breach to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet.
The connection is both onchain and operational. Fund flows used to stage and test the Drift attack trace back to the Radiant attackers. Personas used in the campaign show identifiable overlaps with known DPRK-linked activity.
Drift was clear on one point. The individuals who showed up in person weren’t North Korean nationals. State actors operating at this level deploy third-party intermediaries for the face-to-face work.
Mandiant has not formally attributed the Drift exploit yet. Device forensics are still underway.
This pattern isn’t new. North Korean-linked hackers have been escalating attacks on crypto targets with growing sophistication, using social engineering at the core of nearly every major breach.
Drift’s Current Status and Industry Warning
All remaining protocol functions are frozen. Compromised wallets have been removed from the multisig. Attacker wallets have been flagged with exchanges and bridge operators. Mandiant has been formally engaged.
Drift thanked @tayvano_, @tanuki42_, @pcaversaccio, and @bax1337 for their expertise and time in identifying the malicious actors.
Security researcher @armaniferrante on X responded directly to Drift’s disclosure. He urged every team in crypto to use this moment to pause and run a full security audit. “You can’t grow if you’re hacked,” he wrote, calling on teams to audit custody, risk, access control and dependencies, regardless of growth pressure from investors or token holders.
The Drift Protocol hack marked one of the most complex social engineering operations seen in DeFi. Drift encouraged any team that believes it may have been targeted by the same group to contact @SEAL911 immediately.
More details will be shared as the investigation develops.
