
Drift Protocol’s $285 Million Heist Started With a Handshake and 6 Months of Trust

Drift Protocol (DRIFT) published a detailed incident update on April 5, revealing that the $285 million exploit on April 1 was the result of a six-month intelligence operation attributed to North Korean state-backed actors.

The disclosure describes a level of social engineering that goes well beyond typical phishing or recruiter scams, involving in-person meetings, real capital deployment, and months of trust-building.

A Fake Trading Firm That Played the Long Game

According to Drift, a group posing as a quantitative trading firm first approached contributors at a major crypto conference in fall 2025.

Over the following months, these people appeared at several events across several countries, held working sessions, and maintained ongoing Telegram conversations about vault integrations.


Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift, deposited over $1 million in capital, and took part in detailed product discussions.

By March, Drift contributors had met these people face-to-face on several occasions.

“…the most dangerous hackers don’t look like hackers,” commented crypto developer Gautham.

Even web security specialists find this concerning; researcher Tay said she initially expected a typical recruiter scam but found the operation’s depth far more alarming.

How the Devices Were Compromised

Drift identified three possible attack vectors:

  • One contributor cloned a code repository the group shared for a vault frontend.
  • A second downloaded a TestFlight application presented as a wallet product.
  • For the repository vector, Drift pointed to a known VSCode and Cursor vulnerability that security researchers had been flagging since late 2025.

That flaw allowed arbitrary code to execute silently the moment a file or folder was opened in the editor, with no user interaction required.

After the April 1 drain, the attackers scrubbed all Telegram chats and malicious software. Drift has since frozen remaining protocol functions and removed compromised wallets from the multisig.
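Drift's disclosure does not name the exact mechanism, so the following is an added example (not Drift's code and not a description of the specific flaw) that assumes the editor-side trigger is workspace configuration that runs commands on folder open, which is one known class of such behaviour in VS Code-family editors. It scans a freshly cloned checkout for `.vscode/tasks.json` entries with `runOptions.runOn: "folderOpen"` and for workspace settings touching the `security.` or `task.` namespaces, so the check can run from a terminal before the repository is ever opened in an editor. The sample checkout it builds is constructed for the demo.

```python
"""Pre-open check for editor auto-run hooks in a cloned repository.

Added example: not code from Drift or from the page. Assumes the trigger is
workspace config (.vscode/tasks.json runOn=folderOpen, workspace settings);
the exact vulnerability Drift referenced is not specified on the page.
"""
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path


def _strip_json_comments(text: str) -> str:
    # tasks.json / settings.json are JSON-with-comments; drop comments before parsing.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return text


def _load(path: Path) -> dict | None:
    try:
        return json.loads(_strip_json_comments(path.read_text()))
    except (OSError, json.JSONDecodeError):
        return None


def scan_repo(root: str) -> list[dict]:
    """Return findings worth reviewing before opening `root` in an editor."""
    findings: list[dict] = []
    root_path = Path(root)

    tasks_path = root_path / ".vscode" / "tasks.json"
    if tasks_path.is_file():
        data = _load(tasks_path)
        if data is None:
            findings.append({"file": ".vscode/tasks.json", "issue": "unparseable tasks.json"})
        else:
            for task in data.get("tasks", []):
                run_on = (task.get("runOptions") or {}).get("runOn")
                if run_on == "folderOpen":
                    findings.append({
                        "file": ".vscode/tasks.json",
                        "issue": "task auto-runs on folder open",
                        "label": task.get("label"),
                        "command": task.get("command"),
                    })

    settings_path = root_path / ".vscode" / "settings.json"
    if settings_path.is_file():
        settings = _load(settings_path)
        if settings is None:
            findings.append({"file": ".vscode/settings.json", "issue": "unparseable settings.json"})
        else:
            # A workspace-level file touching trust or task settings is a review flag,
            # regardless of whether the editor honours the override (heuristic).
            for key, value in settings.items():
                if key.startswith("security.") or key.startswith("task."):
                    findings.append({
                        "file": ".vscode/settings.json",
                        "issue": "workspace sets trust/task-related setting",
                        "setting": key,
                        "value": value,
                    })
    return findings


def build_sample_repo(auto_run: bool = True) -> str:
    """Create a constructed sample checkout in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="clone-"))
    (root / "README.md").write_text("# vault-frontend (constructed sample)\n")
    vscode = root / ".vscode"
    vscode.mkdir()
    tasks = {
        "version": "2.0.0",
        "tasks": [{"label": "setup", "type": "shell", "command": "sh ./setup.sh"}],
    }
    if auto_run:
        tasks["tasks"][0]["runOptions"] = {"runOn": "folderOpen"}  # constructed hook
    (vscode / "tasks.json").write_text("// constructed sample\n" + json.dumps(tasks, indent=2))
    return str(root)


if __name__ == "__main__":
    for finding in scan_repo(build_sample_repo()):
        print(finding)
```

Run it against a checkout before opening the folder; an empty result means no auto-run task or trust-related workspace setting was found, not that the repository is safe, since the editor may expose other run-on-open surfaces this heuristic does not cover.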

The SEAL 911 group assessed with medium-high confidence that the same threat actors carried out the October 2024 Radiant Capital hack, which Mandiant attributed to UNC4736.

On-chain fund flows and operational overlaps between the two campaigns support that connection.

Industry Calls for a Security Reset

Armani Ferrante, a prominent Solana developer, called on every crypto team to pause growth efforts and audit their entire security stack.

“Every team in crypto should use this as an opportunity to slow down and focus on security. If possible, dedicate an entire team to it… you can’t grow if you’re hacked,” said Ferrante.

Drift noted that the people who appeared in person were not North Korean nationals. DPRK threat actors at this level are known to deploy third-party intermediaries for face-to-face engagement.

Mandiant, which Drift has engaged for device forensics, has not yet formally attributed the exploit.

The disclosure serves as a warning to the broader ecosystem. Drift urged teams to audit access controls, treat every device that touches a multisig as a potential target, and contact SEAL 911 if they suspect similar targeting.

The post Drift Protocol’s $285 Million Heist Started With a Handshake and 6 Months of Trust appeared first on BeInCrypto.
