Drift Links $280M Hack to Suspected North Korean Actors
Drift Protocol revealed its $280 million exploit was a 6-month social engineering operation linked to a North Korean-backed cybercrime group.

Quick Take
Summary is AI generated, newsroom reviewed.
Attackers posed as a professional trading firm to build trust with core contributors at global crypto events starting in late 2025.
The group used "structured intelligence" tactics, including malicious code repositories, to compromise devices and gain multi-sig access.
On April 1, the hackers executed pre-approved permissions to bypass security safeguards and drain $280 million in assets.
Forensic investigators identified behavioral overlaps with known state-sponsored actors, highlighting a shift toward human-targeted exploits.
The team behind Drift Protocol has shared new details about its recent $280 million exploit. The attack, which took place on April 1, now appears to be far more complex than first thought. According to the latest update, the incident was not sudden or random; it was part of a long and carefully planned operation.
🚨UPDATE: DRIFT'S $280M HACK WAS A SIX-MONTH LONG NORTH KOREAN SOCIAL ENGINEERING OPERATION
— BSCN (@BSCNews) April 6, 2026
Drift Protocol (@DriftProtocol) has revealed the April 1 exploit that wiped $280 million from the Solana-based perpetuals exchange was not a random attack. It was the result of a… pic.twitter.com/aRqK1yagbH
The team believes the attack may be linked to a group associated with North Korea. Investigators describe it as a “structured intelligence operation.” It likely took months of planning, coordination and execution.
A Six-Month Setup
The investigation shows that the attackers began their work as early as late 2025. During this time, they approached Drift Protocol contributors while posing as a trading firm. They met team members at major crypto events across different countries. Over time, they built trust through repeated meetings and technical discussions.
The group appeared professional and well-prepared. They shared ideas, discussed strategies and even deposited funds into the protocol. As a result, they did not seem suspicious at first. Instead, they looked like normal partners joining the ecosystem.
How the Attack Unfolded
Over several months, the attackers gained deeper access. They interacted with contributors through chats and shared tools. In some cases, they sent links to code repositories and apps. These appeared to be part of an ongoing collaboration.
But investigators now believe attackers may have used these tools to compromise devices. Once they gained access, the attackers prepared their next move. On April 1, they executed the plan quickly. The attackers used pre-approved permissions to take control of key systems. They then removed safeguards and withdrew funds from the protocol. Within a short time, around $280 million was drained.
Links to Known Threat Groups
Early findings suggest a possible connection to a known North Korean-linked group. This group has been linked to past crypto attacks. The connection comes from on-chain data and similar tactics used in earlier incidents. Investigators noted overlaps in behavior and fund movement patterns.
But the attribution is not fully confirmed yet. Ongoing forensic work is still in progress. It is also important to note that the people who interacted with the team in person were likely not direct members. These operations often use intermediaries to build trust.
What Happens Next?
Following the attack, Drift has taken several steps to contain the damage. The platform has frozen key functions and removed compromised access. Meanwhile, the Drift Protocol team is working with security experts and law enforcement. Their goal is to trace the stolen funds and understand the full scope of the breach.
This incident highlights a growing risk in crypto. Not all attacks target code. Some target people instead. In this case, trust was used as the entry point. The attackers spent months building relationships before acting. As a result, the event serves as a warning. Even experienced teams must stay alert. In today’s environment, security goes beyond technology. It also depends on human judgment and caution.


