Sunday, April 5, 2026

An official statement has been released on how the latest $286 million Altcoin hack unfolded

Cryptocurrency derivatives platform Drift Protocol has released the first results of its investigation into a nearly $285 million hack that occurred on April 1, 2026. According to the company, the attack was not the result of a sudden security breach, but rather a planned and professional undercover operation that lasted approximately six months.

Drift said it is working with law enforcement, forensic teams and ecosystem representatives to uncover all aspects of the incident.

The investigation results show that the attackers systematically interacted with the Drift team starting in the fall of 2025, presenting themselves as a “quant trading” company. They built trust by establishing face-to-face contact with team members at major crypto conferences in various countries and, over time, established a profile as a professional business partner. Communications conducted via Telegram covered topics such as strategy development and product integration in detail. It was also stated that the attackers invested over $1 million in capital to create an active presence on the platform and launched an “Ecosystem Vault”. This long-term interaction process revealed that the attackers carried out a very sophisticated operation, not only technically but also in terms of social engineering.


According to Drift’s analysis, the attack was carried out through several technical vectors. It is believed that a team member’s device may have been compromised after cloning a code repository shared by the attackers, apparently for front-end development. Another team member allegedly infected his device by downloading a TestFlight app, presented by the attackers as a wallet app. Additionally, the possibility that VSCode and Cursor vulnerabilities, which are believed to have been targeted between late 2025 and early 2026, were exploited is also being considered. The fact that all communication records and malware belonging to the attackers were immediately deleted at the time of the attack is a significant detail demonstrating the meticulous planning and professionalism of the operation.

In its assessment of the actors behind the attack, the company said that, with a medium to high confidence level, the findings are linked to the Radiant Capital hack, which occurred in 2024. That attack is known to have been carried out by a group previously identified as UNC4736 and associated with North Korea. Drift noted that the people who conducted face-to-face meetings during the operation may not have been North Korean citizens themselves, but that these state-sponsored groups typically use third-party intermediaries to establish physical contact.

Following the attack, Drift Protocol announced that it had temporarily suspended all critical functions of the protocol and that the compromised wallets had been removed from the multisig architecture. It was stated that the attackers’ addresses were reported by exchanges and bridge operators and that Drift was working with Mandiant for a technical analysis of the incident. The company announced that forensic investigations based on the devices are still ongoing and that new findings will be shared with the public as soon as they become available.

*This does not constitute investment advice.
