The decentralized exchange Drift Protocol reported that a sophisticated six-month-long intelligence operation resulted in a recent exploit, with external estimates pointing to losses of approximately $280 million. The platform stated “the preliminary investigation shows that Drift experienced a structured intelligence operation requiring organizational backing, significant resources, and months of deliberate preparation.” Drift said it is working with medium-high confidence to link the attack to the same group behind the October 2024 hack of Radiant Capital.
Drift Protocol reported a highly coordinated attack against its platform was the result of a six-month intelligence operation. The exploit on Wednesday resulted in estimated losses of around $280 million according to external analyses.
The decentralized exchange stated the attack plan originated around October 2025 at a major crypto conference. Malicious actors posing as a quantitative trading firm approached Drift contributors there, claiming interest in integration.
The group engaged contributors in person at multiple industry events over the following months. Drift said “It is now understood that this appears to be a targeted approach, where individuals from this group continued to deliberately seek out and engage specific Drift contributors.”
After gaining trust and access over six months, the attackers used malicious links and tools to compromise devices. They executed the exploit and wiped their presence immediately after the attack concluded.
Drift said, with medium-high confidence, the exploit was executed by the same actors behind the October 2024 Radiant Capital hack. In that incident, malware was delivered via Telegram from a hacker posing as an ex-contractor.
Radiant Capital had stated a shared ZIP file ultimately delivered malware facilitating the intrusion. Drift noted the individuals who appeared in person were not North Korean nationals.
The platform said “DPRK threat actors operating at this level are known to deploy third-party intermediaries to conduct face-to-face relationship-building.” Drift is now working with law enforcement and industry partners to investigate the April 1st attack.
