The recent $285 million hack on the Solana-based Drift Protocol platform was no ordinary exploit.
Drift protocol He says In a new incident update that April 1 attack It was the result of six months of careful manipulation by North Korean-backed scammers.
“In or around the fall of 2025, Drift contributors were approached by a group of individuals at a major cryptocurrency conference who presented as a quantitative trading company looking to integrate into the protocol. It is now understood that this appears to be a targeted approach, as individuals from this group continued to intentionally seek out and engage specific Drift contributors, in person, at several major industry conferences in several countries over the next six months.
They were technically proficient, had verifiable professional backgrounds, and were familiar with how Drift worked. A Telegram group was created at the first meeting, and what followed were months of substantive conversations about trading strategies and potential treasury integrations. These interactions are typical of how businesses interact and interact with Drift.
The scammers joined Ecosystem Vault on Drift in December and January, engaging with multiple contributors in a number of different working sessions and depositing over $1 million of their own capital.
“Integration talks continued through February and March 2026. Many Drift contributors met individuals from this group again, face-to-face, at several major industry conferences. By this point, the relationship was nearly half a year old. These were not strangers, but rather people the Drift contributors had worked with and met in person.
Throughout all of this, they shared links to projects, tools and applications they claimed to be building, which was standard practice for commercial companies.
Drift Protocol says investigations have concluded with “moderate to high confidence” that the attack was orchestrated by the same North Korea-linked criminal group that Hacked DeFi Radiant Capital platform in 2024.
However, the project notes that none of the individuals they met in person in the lead-up to the attack were North Korean nationals.
“DPRK threat actors operating at this level are known to deploy external mediators to conduct face-to-face relationship building…
The investigation to date has shown that the profiles used in this third-party targeting operation contain fully constructed identities including employment history, public-facing credentials, and professional networks. The people Drift contributors have met in person appear to have spent months building profiles, both personal and professional, that can withstand scrutiny during a business or counterparty relationship.
Follow us on X, Facebook and cable
Never miss a beat – Subscribe Get email alerts delivered directly to your inbox
browse Hodel’s daily mix
 
Disclaimer: The opinions expressed in The Daily Hodl are not investment advice. Investors should conduct due diligence before making any high-risk investments in Bitcoin, cryptocurrency or digital assets. Please note that your transfers and trades are at your own risk, and any losses you may incur are your responsibility. The Daily Hodl does not recommend the purchase or sale of any assets including cryptocurrencies, nor is The Daily Hodl an investment advisor. Please note that The Daily Hodl participates in affiliate marketing.
Generated image: mid-flight
