07.04.2026 06:20
A covert operation that unfolded over six months has been exposed as the force behind a $270 million theft from Drift Protocol. The theft, revealed by Drift, was not a sudden exploit but the culmination of a long‑term, meticulously planned infiltration attributed to actors linked to North Korea.
Rather than exploiting a single vulnerability, the attackers adopted a slow‑buildup strategy that deceived both technical systems and human judgment. They posed as a legitimate quantitative‑trading firm, integrating themselves into the ecosystem through every imaginable touchpoint: publishing research, contributing code, and participating in community discussions. Their agenda went beyond cyber‑deception, extending to real‑world interactions. They met with contributors at crypto conferences, built personal rapport, and forged credentials that appeared genuine to every observer.
The campaign’s first overt encounter took place at a major crypto conference in the fall of 2025. The group presented themselves as highly competent professionals, complete with verifiable resumes and a command of DeFi terminology. Their deep familiarity with Drift Protocol’s architecture and trading mechanics made them appear seamlessly integrated into the community. After the conference, the dialogue migrated to Telegram, where conversations continued for several months. The pace and content of these chats mirrored those of authentic collaborative efforts, with detailed technical discussions and strategic proposals that helped cement the attackers’ credibility.
By January 2026, the infiltrators had moved from being mere observers to active participants. They had introduced an Ecosystem Vault, taken part in joint working sessions with dedicated Drift contributors, and, most notably, injected more than a million dollars of their own capital into the protocol. This financial commitment served as a powerful testament to their supposed dedication and an effective tactic for nullifying legitimate doubts about their motives. In the end, the attack was a blend of patience, elaborate deception, and deliberate integration that exploited both technological and social safeguards within the DeFi realm.
