Drift links $280M hack to Radiant attackers

by Anna Avery



Drift Protocol said the April 1 attack on its platform followed months of planning and social engineering. 

Summary

  • Drift said attackers spent six months building trust before using malicious tools to breach contributor devices.
  • The exchange linked the exploit with medium-high confidence to actors behind Radiant Capital’s October 2024 hack.
  • Drift said repeated in-person contact at crypto events helped attackers study contributors and gain access.

The decentralized exchange linked the case to a group that spent time building trust with contributors before sending malicious tools and links. External estimates put the loss at about $280 million.

Drift Protocol said its early review found a long and organized campaign against the platform. The team said the attackers showed “organizational backing, resources, and months of deliberate preparation” during the operation.

The exchange said the contact began around October 2025. According to Drift, people posing as members of a quantitative trading firm approached contributors at a major crypto conference and claimed they wanted to integrate with the protocol.

Drift said the group kept meeting contributors at several industry events over the next six months. The team said the people involved were technically skilled, knew how Drift worked, and appeared to have real professional backgrounds.

That steady contact helped the group gain trust. Drift said the attackers later used malicious links and tools shared with contributors to compromise devices, carry out the exploit, and remove traces of their activity after the breach.

In addition, Drift said it has “medium-high confidence” that the same actors behind the October 2024 Radiant Capital hack carried out this exploit. That earlier attack caused losses of about $58 million and also involved malware used to gain access to internal systems.

Radiant Capital said in December 2024 that a North Korea-aligned hacker posed as a former contractor and sent malware through Telegram. Radiant said “this ZIP file” later spread among developers for feedback and opened the way for the intrusion.

Drift warns conferences can become attack targets

Drift said the people who met contributors in person “were not North Korean nationals.” At the same time, the team said DPRK-linked threat actors often use third-party intermediaries for face-to-face contact and relationship building.

The exchange said it is now working with law enforcement and other crypto industry participants to build a full record of the April 1 attack. 

The case has also added a fresh warning for crypto firms, as conferences and in-person meetings can give threat groups a chance to study teams, build trust, and prepare later attacks.



© 2024 Technewsupdate. All rights reserved.