Drift Protocol, a decentralized cryptocurrency exchange (DEX), says a recent exploit on the platform was a six-month-long, highly coordinated attack.
“The initial investigation shows that Drift experienced an organized intelligence operation requiring organizational support, significant resources and months of deliberate preparation,” Drift said in an X post on Saturday.
The decentralized exchange was exploited on Wednesday, with outside estimates showing losses of about $280 million.
It all started with a “big crypto conference”
According to Drift, the attack plan can be traced back to around October 2025, when malicious actors posing as a quantitative trading company first approached Drift authors at a “major crypto conference” claiming they were interested in integrating with the protocol.
Over the next six months, the group continued to engage colleagues in person at a number of industry events. “What we now know is that this appears to be a targeted approach, where individuals in this group continued to deliberately seek out and engage specific Drift authors,” Drift said.
“They were technically proficient, had verifiable work experience and knew how Drift operated,” Drift said.
After gaining trust and access to the Drift protocol, over the course of six months they used shared malicious links and tools to hack the authors’ devices, executed an exploit, and then removed their presence immediately after the attack.
The incident reminds crypto industry participants to remain cautious and skeptical, even during in-person interactions, as crypto conferences can be prime targets for sophisticated cybercriminals.
Drift signals a high probability of a Radiant Capital hack connection
Drift concluded with “moderate high confidence” that the exploit was carried out by the same people behind the October 2024 Radiant Capital hack.
In December 2024, Radiant Capital stated that the exploit was carried out using malware sent via Telegram from a North Korean hacker posing as a former contractor.

“This ZIP file, shared for feedback with other developers, ultimately delivered malware that facilitated the subsequent hack,” Radiant Capital said.
Drift said it was “important to note” that those who appeared in person “were not North Korean nationals.”
“DPRK threat actors operating at this level are known to use third-party intermediaries to build face-to-face relationships,” Drift said.
Drift said it is working with law enforcement and others in the crypto industry to “build a complete picture of what happened during the April 1 attack.”
