Drift Protocol reveals a state-linked intelligence operation behind the $285M April 1 hack, involving fake identities and months of in-person infiltration.

How a Fake Trading Firm Fooled Drift Protocol for Six Months

2026/04/06 01:30
Reading time: 4 min


Drift Protocol did not get hacked on April 1st. It got played for six months straight.


The team posted a full incident background update on X, walking the community through what investigators now believe was a structured intelligence operation. Not a smash-and-grab. A slow, deliberate infiltration that started at a crypto conference in fall 2025 and ended with $285 million gone.

According to @DriftProtocol on X, a group presenting as a quantitative trading firm made first contact with Drift contributors at a major industry event. What followed was not suspicious. It was textbook onboarding.

The Six Months Nobody Noticed

They were technical. They knew the protocol. A Telegram group was set up on day one.

From there, the group spent months in substantive conversations about trading strategies and vault integrations. They met Drift contributors in person at multiple conferences across multiple countries. By December 2025, they had onboarded an Ecosystem Vault, deposited over $1 million of their own capital, and held multiple working sessions with the team.

These were not strangers by February 2026. Drift contributors had met them face to face, worked through sessions with them, and built what felt like a real business relationship nearly half a year old.

Then on April 1st, everything changed. Their Telegram chats disappeared. Malicious software was scrubbed clean. The attack went live.

The Attack Vectors Investigators Found

Drift’s post outlined three potential entry points. One contributor may have cloned a code repository shared by the group under the premise of deploying a frontend for their vault. A second was persuaded to download a TestFlight app the group presented as a wallet product.

The repository vector likely exploited a known VSCode and Cursor vulnerability that the security community had been flagging from December 2025 through February 2026. Opening a file or folder was enough. No prompts. No warnings. Arbitrary code executed silently.
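The article does not name the VS Code/Cursor issue, so the check below is an added example, not Drift's tooling or a detector for that specific bug: before opening a repository shared by an outside party, it scans the repo's `.vscode` directory for one documented class of auto-execution risk, tasks configured with `"runOn": "folderOpen"` and workspace settings that point the editor at a program inside the repo (the settings-key list and the sample files are assumptions constructed for this example).

```python
"""Pre-open scan of a cloned repo for editor auto-execution hooks.
Added example, not Drift's tooling. The article does not name the VS Code/
Cursor issue; this checks one documented class of risk (assumed indicators):
tasks with "runOn": "folderOpen" and settings naming a program in the repo."""
import json, os, re, tempfile

# Settings keys that name a program the editor may launch (assumed, partial).
EXEC_SETTING_KEYS = ("git.path", "python.defaultInterpreterPath",
                     "terminal.integrated.profiles", "terminal.integrated.shell")

# Constructed sample .vscode files; the // comment and trailing comma are
# deliberate, since the editor accepts them and plain json.loads does not.
SAMPLE_TASKS = """{
  // constructed sample: the second task fires as soon as the folder opens
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", "command": "node ./scripts/setup.js",
     "runOptions": {"runOn": "folderOpen"}},
  ]
}"""
SAMPLE_SETTINGS = '{"editor.tabSize": 2, "git.path": "./tools/git.sh"}'

def load_jsonc(path):
    """Parse VS Code-style JSON: strip // comments and trailing commas (naive)."""
    with open(path, encoding="utf-8") as fh:
        text = re.sub(r"//[^\n]*", "", fh.read())
    return json.loads(re.sub(r",\s*([}\]])", r"\1", text))

def scan_workspace(root):
    """Return human-readable findings for auto-run indicators under root."""
    findings = []
    tasks = os.path.join(root, ".vscode", "tasks.json")
    if os.path.isfile(tasks):
        for task in load_jsonc(tasks).get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                findings.append(f"task '{task.get('label')}' runs on folder open: {task.get('command')}")
    settings = os.path.join(root, ".vscode", "settings.json")
    if os.path.isfile(settings):
        for key, value in load_jsonc(settings).items():
            if key.startswith(EXEC_SETTING_KEYS):
                findings.append(f"setting {key} overrides an executable: {value!r}")
    return findings

def demo():
    """Write the constructed sample into a temp dir, scan it, return findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".vscode"))
        for name, body in (("tasks.json", SAMPLE_TASKS), ("settings.json", SAMPLE_SETTINGS)):
            with open(os.path.join(root, ".vscode", name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_workspace(root)
```

A scan like this complements, rather than replaces, the editor's own Workspace Trust prompt; a repository from an unverified counterparty is safer opened first in restricted mode or a disposable VM.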

Full forensic analysis of affected hardware is still ongoing, Drift said.

North Korea’s Fingerprints on the Chain

The attribution is where things get serious. With medium-high confidence, and supported by work from the SEALS 911 team, the operation is assessed to be the same group behind the October 2024 Radiant Capital hack. Mandiant attributed that breach to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet.

The connection is both onchain and operational. Fund flows used to stage and test the Drift attack trace back to the Radiant attackers. Personas used in the campaign show identifiable overlaps with known DPRK-linked activity.

Drift was clear on one point. The individuals who showed up in person were not North Korean nationals. State actors operating at this level deploy third-party intermediaries for the face-to-face work.

Mandiant has not formally attributed the Drift exploit yet. Device forensics are still underway.

This pattern is not new. North Korean-linked hackers have been escalating attacks on crypto targets with increasing sophistication, using social engineering at the core of nearly every major breach.

Drift’s Current Status and Industry Warning

All remaining protocol functions are frozen. Compromised wallets have been removed from the multisig. Attacker wallets have been flagged with exchanges and bridge operators. Mandiant has been formally engaged.

Drift thanked @tayvano_, @tanuki42_, @pcaversaccio, and @bax1337 for their expertise and time in identifying the malicious actors.

Security researcher @armaniferrante on X responded directly to Drift’s disclosure. He urged every team in crypto to use this moment to pause and run a full security audit. “You can’t grow if you’re hacked,” he wrote, calling on teams to audit custody, risk, access control and dependencies, regardless of growth pressure from investors or token holders.

The Drift Protocol hack marked one of the most complex social engineering operations seen in DeFi. Drift encouraged any team that believes it may have been targeted by the same group to contact @SEAL911 immediately.

More details will be shared as the investigation develops.

The post How a Fake Trading Firm Fooled Drift Protocol for Six Months appeared first on Live Bitcoin News.
