Drift Protocol Attack Was 6-Month Coordinated Op

by Ouess
The Drift Protocol attack that drained roughly $280 million on April 1 was no simple exploit. According to the DEX’s preliminary investigation, it was a six-month-long, highly coordinated intelligence operation. The attackers had organizational backing, serious resources, and months of deliberate preparation.

How the Drift Protocol Attack Unfolded Over Six Months

It all started at a “major crypto conference” back in October 2025. A group posing as a quantitative trading firm approached Drift contributors. They claimed to want to integrate with the protocol. Over the next six months, they kept showing up at industry events, deliberately engaging specific Drift contributors in person.

Here’s the scary part: they were technically fluent. They had verifiable professional backgrounds. They knew exactly how Drift operated. After gaining trust and access, they used shared malicious links and tools to compromise contributors’ devices. Then, they executed the exploit and wiped their presence immediately after. Clean exit.

Link to Radiant Capital Hack – North Korea Fingerprints

Drift said with “medium-high confidence” that the Drift Protocol attack was carried out by the same actors behind the $58 million Radiant Capital hack in October 2024. In that incident, North Korea-aligned hackers sent malware via Telegram from someone posing as an ex-contractor.

Drift noted that the individuals who showed up in person “were not North Korean nationals.” But DPRK threat actors at this level are known to deploy third-party intermediaries for face-to-face relationship-building. So, the faces you meet may not be the real operators.

Drift is now working with law enforcement to build a complete picture. Meanwhile, the crypto industry gets another painful reminder: trust no one, not even in person.

My Thoughts

This changes how we think about DeFi security. Most hacks target smart contract bugs. This one targeted humans over half a year. The level of sophistication is alarming. Fake quant firms, in-person networking, months of relationship-building: that’s nation-state tradecraft. If North Korea is willing to spend six months to compromise one DEX, no protocol is safe. The Radiant Capital link confirms a pattern. The industry needs to rethink conference security, device hygiene, and social engineering defenses. For traders, this adds another layer of risk to Solana DeFi. Trust but verify? More like verify everything, trust nothing.
