Cryptocurrency derivatives platform Drift Protocol has released the initial findings of its investigation into a nearly $285 million hack that occurred on April 1, 2026. According to the company, the attack was not the result of a sudden security lapse, but rather a planned and professional infiltration operation that lasted approximately six months.
Drift stated that it is working with law enforcement, forensic teams, and ecosystem representatives to uncover all aspects of the incident.
The findings of the investigation show that the attackers systematically interacted with the Drift team starting in the fall of 2025, presenting themselves as a “quant trading” firm. They built trust by making face-to-face contact with team members at major crypto conferences in various countries, and over time, established a professional business partner profile. Communications conducted via Telegram covered topics such as strategy development and product integration in detail. It was also stated that the attackers invested over $1 million in capital to create an active presence on the platform and launched an “Ecosystem Vault.” This long-term interaction process revealed that the attackers conducted a highly sophisticated operation, not only technically but also in terms of social engineering.
Related News Michael Saylor: “Bitcoin Has Won; the Four-Year Cycle Is Over”
According to Drift’s analysis, the attack was carried out through multiple technical vectors. It is believed that one team member’s device may have been compromised after cloning a code repository shared by the attackers, ostensibly for frontend development. Another team member is thought to have infected their device by downloading a TestFlight application, presented by the attackers as a wallet application. Furthermore, the possibility that VSCode and cursor-based vulnerabilities, which are expected to be targeted between late 2025 and early 2026, may have been exploited is also being considered. The fact that all communication records and malware belonging to the attackers were immediately deleted at the time of the attack is a significant detail demonstrating the meticulous planning and professionalism of the operation.
In its assessment of the actors behind the attack, the company stated that the findings are linked to the Radiant Capital hack 2024, which occurred in 2024, with a medium-to-high confidence level. That attack is known to have been carried out by a group previously identified as UNC4736 and associated with North Korea. Drift noted that the individuals who conducted face-to-face meetings during the operation may not have been direct North Korean citizens, but such state-sponsored groups typically use third-party intermediaries to establish physical contact.
Following the attack, Drift Protocol announced that it had temporarily suspended all critical functions on the protocol and that the compromised wallets had been removed from the multisig architecture. It was stated that the attackers’ addresses had been flagged by exchanges and bridge operators, and that they were working with Mandiant for a technical analysis of the incident. The company announced that device-based forensic investigations were still ongoing and that new findings would be shared with the public as they become available.
*This is not investment advice.