4 hours ago
19
Drift Protocol (DRIFT) published a detailed incident update on April 5, revealing that the $285 million exploit on April 1 was the result of a six-month intelligence operation attributed to North Korean state-backed actors.
The disclosure describes a level of social engineering that goes well beyond typical phishing or recruiter scams, involving in-person meetings, real capital deployment, and months of trust-building.
A Fake Trading Firm That Played the Long Game
According to Drift, a group posing as a quantitative trading firm first approached contributors at a major crypto conference in fall 2025.
Over the following months, these individuals appeared at multiple events across several countries, held working sessions, and maintained ongoing Telegram conversations about vault integrations.
Follow us on X to get the latest news as it happens
Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift, deposited over $1 million in capital, and participated in detailed product discussions.
By March, Drift contributors had met these individuals face-to-face on multiple occasions.
“…the most dangerous hackers don’t look like hackers,” commented crypto developer Gautham.
Even Web security experts find this concerning, with researcher Tay sharing that she initially expected a typical recruiter scam but found the operation’s depth far more alarming.
How the Devices Were Compromised
Drift identified three likely attack vectors:
- One contributor cloned a code repository the group shared for a vault frontend.
- A second downloaded a TestFlight application presented as a wallet product.
- For the repository vector, Drift pointed to a known VSCode and Cursor vulnerability that security researchers had been flagging since late 2025.
That flaw allowed arbitrary code to execute silently the moment a file or folder was opened in the editor, with no user interaction required.
After the April 1 drain, the attackers scrubbed all Telegram chats and malicious software. Drift has since frozen remaining protocol functions and removed compromised wallets from the multisig.
The SEALS 911 team assessed with medium-high confidence that the same threat actors carried out the October 2024 Radiant Capital hack, which Mandiant attributed to UNC4736.
On-chain fund flows and operational overlaps between the two campaigns support that connection.
Industry Calls for a Security Reset
Armani Ferrante, a prominent Solana developer, called on every crypto team to pause growth efforts and audit their entire security stack.
“Every team in crypto should use this as an opportunity to slow down and focus on security. If possible, dedicate an entire team to it… you can’t grow if you’re hacked,” said Ferrante.
Drift noted that the individuals who appeared in person were not North Korean nationals. DPRK threat actors at this level are known to deploy third-party intermediaries for face-to-face engagement.
Mandiant, which Drift has engaged for device forensics, has not yet formally attributed the exploit.
The disclosure serves as a warning to the broader ecosystem. Drift urged teams to audit access controls, treat every device that touches a multisig as a potential target, and contact SEAL 911 if they suspect similar targeting.
The post Drift Protocol’s $285 Million Heist Started With a Handshake and 6 Months of Trust appeared first on BeInCrypto.
English (US) ·