Drift Protocol $280M Breach: Months of Deliberate Preparation

2026/04/05 16:05

Drift Protocol, the decentralized exchange, says its latest breach was not a random incident but a six-month, highly coordinated operation carried out by a structured network of threat actors. The firm’s preliminary assessment describes the attack as an intelligence-style campaign that required organizational backing, substantial resources, and months of deliberate preparation. External estimates put the losses at roughly $280 million.

Drift traced the plan to October 2025, when attackers posing as a quantitative trading firm approached Drift contributors at a major crypto conference and signaled an interest in integrating with the protocol. Over the next six months, the group engaged Drift contributors in person at multiple industry events. Drift described the approach as targeted: individuals from the group appeared technically fluent, held verifiable professional backgrounds, and were familiar with how Drift operated. The attackers leveraged in-person meetings to build trust, then used shared link-based payloads and tools to compromise contributors’ devices, enabling the exploit before wiping their tracks.

Key takeaways

  • The Drift Protocol breach is described as a six-month, coordinated operation with an external loss estimate near $280 million.
  • The investigation points to an in-person, conference-based outreach campaign, beginning around October 2025, aimed at Drift contributors.
  • Attackers obtained access through compromised devices via malicious links and tools, then removed any trace of their activity after execution.
  • Drift asserts a possible link to the October 2024 Radiant Capital hack, suggesting the same actors may be involved, though attribution remains nuanced.
  • Radiant Capital described the 2024 incident as malware delivered via Telegram from a North Korea-aligned hacker posing as an ex-contractor; Drift cautions that the individuals seen in person were not North Korean nationals.
  • The case underscores ongoing security risks at crypto conferences and the need for heightened diligence when engaging with external collaborators.

Unfolding timeline: from conference curiosity to exploit

Drift’s account indicates the attackers began their engagement at a prominent industry gathering, presenting themselves as potential integration partners rather than outright attackers. Over the following months, the group met Drift contributors at several events, carefully building relationships and demonstrating a credible technical understanding of Drift’s operations. This phase helped the attackers gain access to internal channels and trusted communications, which then became the conduit for the exploit itself.

According to Drift, the operation was deliberately structured, with organized backing and resources that allowed the attackers to maintain a long-running campaign. The attackers eventually deployed malicious tooling and links through the compromised devices of Drift contributors, enabling the breach. After the exploit, the intruders reportedly erased their digital footprints, complicating the incident response and forensic work for Drift and its partners.

The breach serves as a sobering reminder to participants in the crypto space: even face-to-face interactions at conferences, often seen as networking opportunities, can be leveraged as vectors by sophisticated, well-resourced threat actors. The dynamic underscores the importance of strict device hygiene, layered security practices, and cautious third-party collaboration in a sector where trust and interoperability are tightly interwoven.

Radiant Capital link: a potential throughline, with important caveats

Drift said it has high to medium-high confidence that the same group behind the October 2024 Radiant Capital hack may be connected to the Drift incident. The Radiant Capital breach was disclosed in December 2024, with the firm describing the intrusion as malware delivered via Telegram by a North Korea-aligned actor posing as an ex-contractor. In that case, a ZIP file shared for feedback among developers allegedly delivered the malware that enabled the intrusion.

Drift emphasized that the individuals who appeared in person at conferences were not North Korean nationals. The company also noted that DPRK-linked threat actors are known to use third-party intermediaries to conduct face-to-face relationship-building, a pattern observed in other cases as well. The connection remains a matter of ongoing investigation, and attribution in complex cyber incidents often evolves as new evidence comes to light.

For context, Radiant Capital’s incident highlighted how social engineering and remote payloads can converge with in-person trust-building to breach even sophisticated systems. The convergence of these narratives—conference-based recruitment, malware delivered through compromised devices, and links to prior high-profile hacks—will be scrutinized by investigators as they piece together the full chain of events surrounding Drift’s breach.

Ongoing investigation and industry implications

Drift said it is cooperating with law enforcement and other industry participants to assemble a complete picture of what happened during the April 1 attack. The company’s disclosure underscores the continuing need for cross-industry collaboration in threat intelligence, incident response, and post-breach forensics. While Drift has not disclosed all technical specifics of the compromise, the emphasis on a prolonged, coordinated effort points to a level of sophistication that extends beyond opportunistic intrusions.

For investors and builders in the DeFi space, the Drift incident reinforces several practical takeaways. First, even long-standing contributors and trusted relationships are not immune to manipulation when attackers blend in-person tactics with technical exploits. Second, attribution in sophisticated campaigns can be ambiguous, requiring careful, evidence-based reviews rather than premature conclusions. Finally, the episode highlights the ongoing need for robust security architectures that can detect and contain multi-stage intrusions, including compromised credentials, device-level footholds, and post-exploitation traces.

As the investigation unfolds, readers should watch for any updates on the attackers’ methods, new indicators of compromise, and any programmatic shifts in how Drift and other protocols approach contributor onboarding, partner integrations, and incident response playbooks. The convergence of a multi-month, conference-based approach with a potential linkage to previous high-profile breaches emphasizes a broader risk landscape facing decentralized platforms as they scale and collaborate across the ecosystem.

What remains uncertain is the full extent of the breach’s impact on Drift’s users and liquidity, how rapidly the platform will recover operationally, and whether additional cases of attribution will reshape the understanding of threat actor patterns in the DeFi space. The coming weeks will be pivotal for both transparency and security posture in an industry that increasingly relies on open collaboration and cross-border partnerships to innovate.

Looking ahead, market participants will want to monitor updates from Drift and related security researchers for any new findings about actors, tooling, and the broader implications for DeFi governance, risk management, and conference-based collaboration practices.

This article was originally published as Drift Protocol $280M Breach: Months of Deliberate Preparation on Crypto Breaking News – your trusted source for crypto news, Bitcoin news, and blockchain updates.
