Drift Protocol, a decentralized cryptocurrency exchange, has described a recent exploit against its platform as a highly coordinated intelligence operation that unfolded over approximately six months. The exchange stated in a post on X that the attack required organizational backing, significant resources, and months of deliberate preparation. External estimates place losses from the exploit, which occurred on April 1, at around $280 million. Drift says a preliminary investigation has shed light on the full scope of the operation.
According to Drift, the attack can be traced to around October 2025, when malicious actors posing as a quantitative trading firm first approached Drift contributors at a major crypto conference. The group claimed to be interested in integrating with the protocol, establishing an initial foothold of trust. Over the following six months, members of the group continued to engage contributors in person at multiple industry events. Drift described this as a targeted approach in which specific contributors were deliberately sought out and engaged on repeated occasions.
The individuals involved were described as technically fluent, possessing verifiable professional backgrounds, and demonstrating familiarity with how Drift operated. This level of preparation allowed them to build credibility over an extended period before executing the attack. After gaining sufficient trust and access, the actors shared malicious links and tools with contributors, compromising their devices. Immediately after carrying out the exploit, they wiped evidence of their presence.
Drift stated with medium-high confidence that the same actors were responsible for the Radiant Capital hack in October 2024. In December 2024, Radiant Capital attributed its own exploit to malware delivered via Telegram by a North Korea-aligned hacker posing as a former contractor. That attack involved a ZIP file shared among developers for feedback, which ultimately delivered malware that enabled the subsequent intrusion. The similarities between the two incidents informed Drift’s assessment of the likely perpetrators.
Drift was careful to note that the individuals who appeared in person during the six-month engagement were not North Korean nationals. The exchange explained that threat actors operating at this level, linked to the DPRK, are known to deploy third-party intermediaries to conduct face-to-face relationship-building on their behalf. This approach allows state-aligned groups to maintain distance while still executing sophisticated social engineering campaigns. The use of intermediaries makes attribution and detection considerably more difficult for targeted organizations.
The incident highlights the risks that crypto industry participants face even during in-person interactions at conferences and professional events. Drift noted that such gatherings can serve as prime targets for sophisticated threat actors seeking to build trust before launching technical attacks. The exchange said it is currently working with law enforcement and others across the crypto industry to construct a complete picture of what took place during the April 1 attack. Drift has not yet disclosed a timeline for further updates or potential recovery of funds.
Originally reported by CoinTelegraph.
