Drift Protocol (DRIFT) published a detailed update on the incident on April 5, revealing that the $285 million exploit on April 1 was the result of a six-month-long intelligence operation attributed to state-backed actors in North Korea.
The disclosure describes a level of social engineering that goes far beyond phishing or recruiter scams, including in-person meetings, deploying real capital and months of trust-building.
A fake trading company played the long game
According to Drift, a group posing as a quantitative trading company first reached out to shareholders at a major cryptocurrency conference in the fall of 2025.
Over the following months, these individuals appeared at multiple events in several countries, held work sessions, and kept up persistent Telegram conversations about vault integrations.
Between December 2025 and January 2026, the group joined Ecosystem Vault on Drift, deposited over $1 million in capital, and engaged in detailed product discussions.
By March, Drift contributors had met these individuals face-to-face on multiple occasions.
“…the most dangerous hackers don’t look like hackers,” commented crypto developer Gotham.
Even web security experts find this unsettling: researcher Tai said she initially expected a typical recruiter scam, but the depth of the operation proved far more troubling.
How were the devices hacked?
Drift identified three possible attack vectors:
- One contributor cloned a code repository the group shared, presented as the vault front-end.
- Another downloaded a TestFlight app the group offered as a portfolio product.
For the repository vector, Drift pointed to a known vulnerability in VS Code and Cursor that security researchers have been flagging since late 2025. The flaw allowed arbitrary code to execute silently the moment a file or folder was opened in the editor, with no further user interaction required.
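One defensive check a practitioner can run before opening an unfamiliar repository in an editor, as an added example that is not part of the article and not Drift's or Mandiant's tooling: scan the checkout for editor configuration that can trigger commands on folder open. The `runOn: folderOpen` task option in `.vscode/tasks.json` is a documented VS Code feature; the other watched paths and the sample configuration are constructed assumptions for illustration.

```python
"""Pre-open audit of a cloned repository for editor auto-run hooks.

Added example (not the article's or any vendor's code). Flags VS Code/Cursor
tasks configured with runOn: folderOpen and lists other editor config files
that deserve manual review before the workspace is trusted.
"""
import json
import os
import re
import tempfile
from pathlib import Path

# Assumption: these are the editor config paths worth reviewing in a checkout.
WATCHED_FILES = (
    ".vscode/tasks.json",
    ".vscode/settings.json",
    ".vscode/launch.json",
    ".cursor/rules",
)


def _strip_jsonc(text):
    """tasks.json is JSONC: drop // and /* */ comments and trailing commas."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return text


def find_auto_run_tasks(tasks_json_text):
    """Return (label, command) for every task that runs on folder open."""
    try:
        data = json.loads(_strip_jsonc(tasks_json_text))
    except json.JSONDecodeError:
        # Unparseable config is itself worth a look.
        return [("<unparseable tasks.json>", "")]
    hits = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            hits.append((task.get("label", "<no label>"), task.get("command", "")))
    return hits


def audit_workspace(root):
    """Walk the watched config paths under root and return human-readable findings."""
    root = Path(root)
    findings = []
    for rel in WATCHED_FILES:
        path = root / rel
        if not path.is_file():
            continue
        if rel.endswith("tasks.json"):
            for label, cmd in find_auto_run_tasks(path.read_text()):
                findings.append(f"{rel}: task '{label}' runs on folder open: {cmd}")
        else:
            findings.append(f"{rel}: present, review before trusting the workspace")
    return findings


# Constructed sample: a JSONC tasks file with one ordinary task and one that
# fires as soon as the folder is opened. The command path is a placeholder.
SAMPLE_TASKS = """{
  // constructed sample, not from any real repository
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", "command": "./scripts/postclone.sh",
     "runOptions": {"runOn": "folderOpen"}},
  ]
}"""


def demo():
    """Build a throwaway checkout with the sample config and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        vscode = Path(tmp) / ".vscode"
        vscode.mkdir()
        (vscode / "tasks.json").write_text(SAMPLE_TASKS)
        (vscode / "settings.json").write_text("{}")
        return audit_workspace(tmp)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it against a fresh clone before opening the folder in the editor; any `folderOpen` hit means the repository wants to run a command without you asking, which is exactly the behaviour to confirm with the source before proceeding.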
After the April 1 drain, the attackers wiped all Telegram chats and the malware. Drift has since frozen the protocol’s remaining functionality and removed the compromised wallets from the multisig.
The SEAL 911 team assessed with moderate to high confidence that the same threat actors carried out the Radiant Capital hack in October 2024, which Mandiant attributed to UNC4736.
Cross-chain fund flows and operational overlaps between the two campaigns support this connection.
The industry is calling for a safety reset
Armani Ferrante, one of Solana’s leading developers, called on every cryptocurrency team to pause growth efforts and review their entire security stack.
“Every crypto team should use this as an opportunity to slow down and focus on security. If possible, dedicate an entire team to it… You can’t grow if you get hacked,” Ferrante said.
Drift noted that the individuals who appeared in person were not North Korean citizens. DPRK threat actors operating at this level are known to deploy external intermediaries for face-to-face engagement.
Mandiant, which Drift engaged for device forensics, has not yet officially attributed the exploit.
The revelation is a warning to the broader ecosystem. Drift urged teams to audit access controls, treat every device that touches a multisig as a potential target, and call SEAL 911 if they suspect similar targeting.
The post “The $285 million heist from Drift Protocol started with a handshake and 6 months of trust” appeared first on BeInCrypto.