Drift Protocol’s $280M Breach

News

3 hours Ago

3 mins


Key Takeaways

  • Drift Protocol attributes its $280M exploit to a highly coordinated “intelligence operation” that spanned half a year.

  • Malicious actors successfully infiltrated the team by posing as quant traders at major crypto conferences.

  • Security experts believe the attack is linked to the 2024 Radiant Capital hack, potentially involving North Korean intermediaries.

The decentralized finance (DeFi) sector is reeling after Drift Protocol revealed that its recent $280 million exploit was not a simple code bug, but the result of a meticulously planned six-month infiltration. In a world where we often worry about smart contract vulnerabilities, this incident serves as a chilling reminder that the human element remains the weakest link.

According to Drift contributors, the attackers demonstrated organizational backing and significant technical fluency, allowing them to bypass traditional security skepticism through face-to-face relationship building.

Attack began at a “major crypto conference”

The breach didn’t start behind a keyboard; it started at a crowded industry event in October 2025. Malicious actors, posing as representatives of a high-end quantitative trading firm, approached Drift developers under the guise of exploring protocol integration.

Over the following months, these individuals continued to seek out and engage specific contributors at multiple global conferences. By presenting verifiable professional backgrounds and a deep understanding of Drift’s internal operations, they successfully built a bridge of trust.

Once inside the inner circle, the group deployed shared malicious tools and links to compromise devices, executing the $280 million drain and instantly scrubbing their digital presence.

The investigation has uncovered striking similarities to the October 2024 Radiant Capital exploit. Drift investigators stated with “medium-high confidence” that the same threat actors are responsible for both attacks.

While the individuals seen in person were not North Korean nationals, Drift noted that the Democratic People’s Republic of Korea (DPRK) frequently utilizes third-party intermediaries for face-to-face operations. The use of malware-laden files shared for “feedback” mirrors the tactics used against Radiant Capital via Telegram.

Drift is currently collaborating with international law enforcement to piece together the full scope of the April 1st attack and track the movement of the stolen funds.

Final Thoughts

This exploit underscores a new era of “structured intelligence operations” in crypto. Technical audits are no longer enough; teams must now treat every in-person handshake with the same scrutiny as a new line of code.

Frequently Asked Questions

How much was stolen from Drift Protocol?
Approximately $280 million was lost in the coordinated exploit.

Who is responsible for the hack?
Drift believes the attack was carried out by the same group behind the 2024 Radiant Capital breach, potentially linked to the DPRK.

How did the hackers get access?
They used six months of in-person social engineering at conferences to compromise contributor devices with malware.

Fatrick A

Author