{ "id": 68181, "date": "2026-04-06T08:44:13", "date_gmt": "2026-04-06T01:44:13", "guid": { "rendered": "https:\/\/hbbgroup.net\/drift-protocol-says-280m-exploit-took-months-of-deliberate-preparation\/" }, "modified": "2026-04-06T08:44:13", "modified_gmt": "2026-04-06T01:44:13", "slug": "drift-protocol-says-280m-exploit-took-months-of-deliberate-preparation", "status": "publish", "type": "post", "link": "https:\/\/hbbgroup.net\/en_us\/drift-protocol-says-280m-exploit-took-months-of-deliberate-preparation\/", "title": { "rendered": "Drift Protocol says $280M exploit took ‘months of deliberate preparation’" }, "content": { "rendered": "
\n

Drift Protocol, the decentralized exchange (DEX) that lost an estimated $280 million in an exploit last week, claims the loss was the result of a six-month, highly coordinated attack.<\/p>\n

\u201cThe preliminary investigation shows that Drift experienced a structured intelligence operation requiring organizational backing, significant resources, and months of deliberate preparation,\u201d Drift said<\/a> in an X post on Saturday.<\/p>\n

Attack began at a \u201cmajor crypto conference\u201d<\/h2>\n

According to Drift, the attack can be traced back to around October 2025, when malicious actors posing as a quantitative trading firm first approached Drift contributors at a \u201cmajor crypto conference,\u201d claiming to be interested in integrating with the protocol.<\/p>\n

Source: <\/em>Drift Protocol<\/em><\/a><\/figcaption><\/figure>\n

The group continued to engage contributors in person at multiple industry events over a six-month period. \u201cIt is now understood that this appears to be a targeted approach, where individuals from this group continued to deliberately seek out and engage specific Drift contributors,\u201d Drift said.<\/p>\n

\u201cThey were technically fluent, had verifiable professional backgrounds, and were familiar with how Drift operated,\u201d Drift said.<\/p>\n

After gaining trust and access to Drift Protocol over six months, they used shared malicious links and tools to compromise contributors\u2019 devices, execute the exploit, and then wiped their presence immediately after the attack.<\/p>\n

The incident serves as a reminder for crypto industry participants to remain cautious and skeptical, even during in-person interactions, as crypto conferences can be prime targets for sophisticated threat actors.<\/p>\n

Drift flags a high probability of a Radiant Capital hack link<\/h2>\n

Drift said, with \u201cmedium-high confidence,\u201d that the exploit was carried out by the same actors behind the October 2024 Radiant Capital hack.<\/p>\n

In December 2024, Radiant Capital said the exploit<\/a> was carried out through malware sent via Telegram from a North Korea-aligned hacker posing as an ex-contractor.\u00a0<\/p>\n

Source: <\/em>Dith<\/em><\/a><\/figcaption><\/figure>\n

\u201cThis ZIP file, when shared for feedback among other developers, ultimately delivered malware that facilitated the subsequent intrusion,\u201d Radiant Capital said.<\/p>\n

Drift said that the individuals who appeared in person \u201cwere not North Korean nationals.\u201d<\/p>\n

Related: <\/strong><\/em>Naoris launches post-quantum blockchain as quantum security risks gain attention<\/strong><\/em><\/a><\/p>\n

\u201cDPRK threat actors operating at this level are known to deploy third-party intermediaries to conduct face-to-face relationship-building,\u201d Drift said.<\/p>\n

Drift said that it is working with law enforcement and others in the crypto industry to \u201cbuild a complete picture of what happened during the April 1st attack.\u201d<\/p>\n

Magazine: <\/strong><\/em>Bitcoin 85% crashes \u2018done,\u2019 CLARITY Act speculation mounts: Hodler\u2019s Digest, Mar. 29 \u2013 April 4<\/strong><\/em><\/a><\/p>\n