Drift Protocol’s $285 Million Heist Started With A Handshake And 6 Months Of Trust

What Happened

Drift Protocol (DRIFT) published a detailed incident update on April 5, revealing that the $285 million exploit on April 1 was the result of a six-month intelligence operation attributed to North Korean state-backed actors.

“…the most dangerous hackers don’t look like hackers,” commented crypto developer Gautham.

The SEALS 911 team assessed with medium-high confidence that the same threat actors carried out the October 2024 Radiant Capital hack, which Mandiant attributed to UNC4736.

“Every team in crypto should use this as an opportunity to slow down and focus on security. If possible, dedicate an entire team to it… you can’t grow if you’re hacked,” said Ferrante.

Mandiant, which Drift has engaged for device forensics, has not yet formally attributed the exploit.

Market Context

The disclosure describes a level of social engineering that goes well beyond typical phishing or recruiter scams, involving in-person meetings, real capital deployment, and months of trust-building.

A Fake Trading Firm That Played the Long Game

According to Drift, a group posing as a quantitative trading firm first approached contributors at a major crypto conference in fall 2025.

Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift, deposited over $1 million in capital, and participated in detailed product discussions.

Why It Matters

Even Web security experts find this concerning, with researcher Tay sharing that she initially expected a typical recruiter scam but found the operation’s depth far more alarming.

Drift identified three likely attack vectors:

Details

Over the following months, these individuals appeared at multiple events across several countries, held working sessions, and maintained ongoing Telegram conversations about vault integrations.

Follow us on X to get the latest news as it happens

By March, Drift contributors had met these individuals face-to-face on multiple occasions.

How the Devices Were Compromised

One contributor cloned a code repository the group shared for a vault frontend.

A second downloaded a TestFlight application presented as a wallet product.

For the repository vector, Drift pointed to a known VSCode and Cursor vulnerability that security researchers had been flagging since late 2025.

That flaw allowed arbitrary code to execute silently the moment a file or folder was opened in the editor, with no user interaction required.

After the April 1 drain, the attackers scrubbed all Telegram chats and malicious software. Drift has since frozen remaining protocol functions and removed compromised wallets from the multisig.

On-chain fund flows and operational overlaps between the two campaigns support that connection.

Industry Calls for a Security Reset

Armani Ferrante, a prominent Solana developer, called on every crypto team to pause growth efforts and audit their entire security stack.

Drift noted that the individuals who appeared in person were not North Korean nationals. DPRK threat actors at this level are known to deploy third-party intermediaries for face-to-face engagement.