Drift Protocol $280M Exploit: 6-Month Social Engineering Op
Drift Protocol says last week's $280 million exploit was a six-month coordinated attack by actors posing as a quant firm, likely the same DPRK-linked group behind the October 2024 Radiant Capital hack. They used in-person meetings to gain trust before deploying malware.
Quick Take
- $280M stolen from Drift Protocol in the April 1 exploit.
- Attackers posed as a quant firm over six months of in-person meetings.
- Medium-high confidence link to DPRK and the Radiant Capital hack.
- Drift warns crypto conferences are prime targets for sophisticated social engineering.
Market Impact Analysis
Bearish: Large DeFi exploit damages trust and may lead to outflows from the protocol and related platforms.
Key Takeaways
- $280 million stolen from Drift Protocol in a six-month social engineering operation.
- Attackers posed as a quant firm at crypto conferences to compromise devices with malware.
- Medium-high confidence of DPRK involvement, same group behind $58M Radiant Capital hack.
- Drift warns crypto conferences are prime targets for sophisticated in-person social engineering.
What Happened
Drift Protocol disclosed that last week's $280 million exploit was not a momentary breach but a meticulously planned, six-month social engineering operation. Beginning around October 2025, attackers posed as a quantitative trading firm and repeatedly approached Drift contributors at major crypto conferences. Over several in-person meetings, they built credibility through verifiable professional backgrounds and technical fluency. Eventually, they gained enough trust to share malicious links and tools, compromising devices with malware. On April 1, the exploit was executed, and the attackers immediately erased their digital footprint. Drift is now collaborating with law enforcement and industry partners to piece together the full scope of the attack.
The Numbers
The attack drained $280 million from the protocol, making it one of the largest DeFi exploits in recent memory. The social engineering campaign spanned six months, from October 2025 to the April 2026 attack date. Drift says with "medium-high confidence" that the same DPRK-linked group responsible for the $58 million Radiant Capital hack in October 2024 carried out this operation. No funds have been recovered, and the investigation remains ongoing. The breach underscores how patient, resource-intensive social engineering can bypass even sophisticated security setups.
Why It Happened
The attack succeeded through a gradual trust-building process that exploited the human element of security. By posing as a legitimate quant firm and attending industry events, the attackers circumvented typical online phishing defenses. Drift said the individuals had strong professional backgrounds and deep protocol knowledge, which lowered suspicion among contributors. Once trust was cemented, they introduced malware via shared files—a technique identical to the Radiant Capital hack, where DPRK hackers used Telegram to deliver malware. This incident highlights how in-person social engineering is becoming a preferred vector for state-sponsored crypto theft.
Broader Impact
The breach raises alarm bells for the entire crypto conference ecosystem. Face-to-face interactions, long considered safer than digital communications, are now a high-risk attack surface. Protocols may accelerate adoption of hardware wallets, air-gapped devices, and rigorous operational security for event attendees. The industry could see a shift toward stricter vetting of individuals seeking in-person meetings, potentially chilling the open-collaboration culture of crypto events.
What to Watch Next
- Law enforcement actions: Any arrests or asset freezing attempts, particularly involving international cooperation.
- Drift recovery plan: Whether funds can be traced on-chain and if a bounty or recovery effort emerges.
- Conference security protocols: Potential industry-wide changes to vetting and security at crypto events.
This article is for informational purposes only and does not constitute financial advice.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved.