Drift Protocol Exploit Took ‘Months Of Deliberate Preparation’

Drift Protocol, a decentralized cryptocurrency exchange (DEX), says the recent exploit against the platform was a six-month-long, highly coordinated attack.

“The preliminary investigation shows that Drift experienced a structured intelligence operation requiring organizational backing, significant resources, and months of deliberate preparation,” Drift said in an X post on Saturday.

The decentralized exchange was exploited on Wednesday, with external estimates putting losses at around $280 million.

It all began at a “major crypto conference”

According to Drift, the attack plan can be traced back to around October 2025, when malicious actors posing as a quantitative trading firm first approached Drift contributors at a “major crypto conference,” claiming to be interested in integrating with the protocol.

The group continued to engage contributors in person at multiple industry events over the following six months. “It is now understood that this appears to be a targeted approach, where individuals from this group continued to deliberately seek out and engage specific Drift contributors,” Drift said.

“They were technically fluent, had verifiable professional backgrounds, and were familiar with how Drift operated,” Drift said.

After gaining trust and access to Drift Protocol over six months, they used shared malicious links and tools to compromise contributors’ devices, execute the exploit, and then wiped their presence immediately after the attack.

The incident serves as a reminder for crypto industry participants to remain cautious and skeptical, even during in-person interactions, as crypto conferences can be prime targets for sophisticated threat actors.

Drift flags a high probability of a Radiant Capital hack link

Drift said, with “medium-high confidence,” that the exploit was carried out by the same actors behind the October 2024 Radiant Capital hack.

In December 2024, Radiant Capital said the exploit was carried out through malware sent via Telegram from a North Korea-aligned hacker posing as an ex-contractor. 

“This ZIP file, when shared for feedback among other developers, ultimately delivered malware that facilitated the subsequent intrusion,” Radiant Capital said.

Drift said it is “important to note” that the individuals who appeared in person “were not North Korean nationals.”

Related: Naoris launches post-quantum blockchain as quantum security risks gain attention

“DPRK threat actors operating at this level are known to deploy third-party intermediaries to conduct face-to-face relationship-building,” Drift said.

Drift said that it is working with law enforcement and others in the crypto industry to “build a complete picture of what happened during the April 1st attack.”

Magazine: Bitcoin 85% crashes ‘done,’ CLARITY Act speculation mounts: Hodler’s Digest, Mar. 29 – April 4