Months-Long Social Engineering Campaign Led to $280M Drift Protocol Breach

According to Drift Protocol, there's a 'medium-high confidence' level that the perpetrators behind this recent breach are the same group who executed the Radiant Capital attack worth $58 million back in October 2024.

According to Drift Protocol, a decentralized cryptocurrency exchange (DEX), the latest security breach targeting their platform represents a carefully orchestrated attack campaign spanning half a year.

"Based on our preliminary investigation, what Drift experienced was a sophisticated intelligence operation that would have required organizational support, substantial resources, and months of deliberate preparation," the platform stated via X on Saturday.

The breach occurred on Wednesday at the decentralized exchange, with third-party assessments indicating approximately $280 million in losses.

Origins traced to a "major crypto conference"

Drift's investigation reveals that the attack originated approximately in October 2025, when threat actors masquerading as representatives of a quantitative trading firm initially contacted Drift contributors during a "major crypto conference," expressing interest in protocol integration.

Drift Protocol timeline
Source: Drift Protocol

Throughout the subsequent six-month period, this group maintained engagement with contributors through face-to-face meetings at various industry events. "Our current understanding indicates this was a deliberate targeting strategy, where members of this group systematically sought out and built relationships with specific Drift contributors," the platform explained.

"These individuals demonstrated technical expertise, possessed verifiable professional credentials, and exhibited detailed knowledge of Drift's operations," Drift noted.

Following six months of establishing trust and obtaining access to Drift Protocol, the attackers deployed malicious links and specialized tools to infiltrate contributors' systems, carried out the exploit, and immediately erased all traces of their digital footprint following the breach.

This attack highlights the critical need for cryptocurrency industry professionals to maintain vigilance and a healthy level of skepticism, particularly during face-to-face encounters, as crypto conferences represent attractive venues for advanced threat actors to execute sophisticated operations.

Strong indicators point to connection with Radiant Capital breach

According to Drift, there is "medium-high confidence" that this exploit was perpetrated by the same threat actors responsible for the Radiant Capital hack in October 2024.

Radiant Capital revealed in December 2024 that their exploit resulted from malware delivered through Telegram by a North Korea-affiliated hacker impersonating a former contractor.

Radiant Capital statement
Source: Dith

"When this ZIP file was circulated among developers for review, it ultimately installed malware that enabled the subsequent system intrusion," Radiant Capital explained.

Drift emphasized that it is "important to note" that the individuals who conducted in-person meetings "were not North Korean nationals."

"Threat actors from the DPRK operating at this sophisticated level are recognized for utilizing third-party intermediaries to perform face-to-face relationship cultivation," Drift stated.

The platform confirmed it is collaborating with law enforcement agencies and various stakeholders across the crypto industry to "develop a comprehensive understanding of the events surrounding the April 1st attack."
