Drift Protocol disclosed details about its April 1, 2026, exploit, outlining a coordinated attack built over six months. The decentralized exchange said the breach followed in-person meetings, technical engagement, and malicious software distribution. The incident, which occurred on April 1, involved compromised contributors and resulted in estimated losses near $280 million.
Drift Protocol Traces Long-Term Social Engineering
In an X article, Drift Protocol said the attack began around October 2025 at a major crypto conference. According to Drift Protocol, individuals posing as a quantitative trading firm approached contributors seeking integration.
However, the interaction did not stop there. The group continued engaging contributors across multiple global industry conferences over six months. They presented verified professional backgrounds and demonstrated technical fluency during repeated in-person meetings.
Also, they formed a Telegram group after initial contact. Over time, they discussed trading strategies and potential vault integrations with contributors. These discussions followed standard onboarding patterns for trading firms interacting with Drift Protocol.
From December 2025 through January 2026, the group onboarded an ecosystem vault. They submitted strategy details and deposited over $1 million into the protocol. Meanwhile, they conducted working sessions and asked detailed product questions.
Compromise Linked to Shared Tools and Device Access
As integration talks progressed into February and March 2026, trust deepened. Contributors met the group again at industry events, strengthening existing relationships. However, Drift Protocol later identified these interactions as the likely intrusion vector.
According to Drift Protocol, attackers shared malicious repositories and applications during collaboration. One contributor reportedly cloned a code repository presented as a frontend deployment tool.
Source: Arkham
Another contributor downloaded a TestFlight application described as a wallet product. These actions potentially exposed devices to compromise. For the repository vector, Drift Protocol pointed to a known vulnerability in VSCode and Cursor.
Between December 2025 and February 2026, opening files in those editors could lead to silent code execution without any warning to the user. Following the exploit, Drift Protocol conducted forensic reviews across affected devices and accounts. Notably, the attackers wiped their communication channels and malware immediately after execution.
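A pre-open triage check for the repository vector described above, as an added example that is not Drift Protocol's, VS Code's or Cursor's own code. It assumes the abuse path is editor workspace configuration that runs commands when a folder is opened (the article does not name the actual mechanism), and the "frontend deployment tool" repository it scans is constructed inline.

```python
import json
import re
import tempfile
from pathlib import Path

def _load_jsonc(path: Path):
    """Parse editor JSON that may carry // or /* */ comments and trailing commas.
    Heuristic only: it also strips '//' inside strings, so URL-heavy files may misparse."""
    text = path.read_text(errors="replace")
    text = re.sub(r"//[^\n]*|/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r",\s*([}\]])", r"\1", text)
    return json.loads(text)

def scan_repo(root) -> list:
    """Return (file, reason) findings for a freshly cloned repo; run it BEFORE opening the folder."""
    root, findings = Path(root), []
    tasks = root / ".vscode" / "tasks.json"
    if tasks.is_file():
        try:
            for task in _load_jsonc(tasks).get("tasks", []):
                if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
                    findings.append((".vscode/tasks.json",
                                     f"task auto-runs on folder open: {task.get('command')!r}"))
        except (ValueError, AttributeError):
            findings.append((".vscode/tasks.json", "unparseable; inspect by hand"))
    devc = root / ".devcontainer" / "devcontainer.json"
    if devc.is_file():  # ASSUMED second surface: container lifecycle hooks run shell commands
        try:
            hooks = [k for k in ("postCreateCommand", "postStartCommand", "postAttachCommand")
                     if k in _load_jsonc(devc)]
        except ValueError:
            hooks = ["<unparseable>"]
        for k in hooks:
            findings.append((".devcontainer/devcontainer.json", f"container lifecycle hook: {k}"))
    return findings

def build_sample() -> str:
    """CONSTRUCTED sample: a repo posing as a 'frontend deployment tool' with a folder-open task."""
    root = Path(tempfile.mkdtemp())
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(
        '{\n  // looks like a harmless dev helper\n  "version": "2.0.0",\n'
        '  "tasks": [{"label": "deploy", "type": "shell", "command": "./scripts/setup.sh",\n'
        '             "runOptions": {"runOn": "folderOpen"},}],\n}'
    )
    return str(root)

if __name__ == "__main__":
    for file, reason in scan_repo(build_sample()):
        print(f"[!] {file}: {reason}")
```

A hit does not prove malice, but it is the signal to review the repository in a disposable VM rather than on a contributor's daily-use machine.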
Attribution and Ongoing Investigation Efforts
Drift Protocol said it froze all protocol functions after detecting the exploit. It also removed compromised wallets from its multisig structure and flagged attacker wallets across exchanges and bridges. The firm engaged Mandiant to support the investigation. Meanwhile, SEAL 911 contributed analysis pointing to a known threat group.
With medium-high confidence, the decentralized exchange linked the attack to actors behind the October 2024 Radiant Capital hack. That operation was previously attributed to UNC4736, also known as AppleJeus or Citrine Sleet.
Drift Protocol clarified that individuals involved in face-to-face meetings were not North Korean nationals. Instead, it noted that such operations often use third-party intermediaries for in-person engagement.
According to ZachXBT, the activity reflects known DPRK-linked cyber operations often grouped under the Lazarus umbrella. He explained that Lazarus refers to a cluster of hacking units, while DPRK indicates state affiliation behind those operations. He noted that such groups use layered identities, intermediaries, and long-term access building before executing attacks.
Source: ZachXBT
ZachXBT added that on-chain fund flows tied to the exploit show overlaps with wallets linked to previous DPRK-associated incidents, including Radiant Capital. He also highlighted operational similarities, including staged interactions, malware delivery through trusted channels, and rapid cleanup after execution.
Drift Protocol emphasized that all multisig signers used cold wallets during the incident. It continues working with law enforcement and forensic partners to complete the investigation.
Source: https://coingape.com/drift-hack-update-protocol-shares-latest-security-update-on-april-1-exploit/