On April 5, official sources reported that Drift is collaborating with law enforcement agencies, forensic partners, and ecosystem teams to conduct a comprehensive investigation into the hacking incident that occurred on April 1, 2026. Currently, all protocol functions have been suspended, affected wallets have been removed from multi-signature accounts, and the attackers' addresses have been flagged on trading platforms and cross-chain bridges. Security firm Mandiant has joined the investigation. Preliminary results indicate that this attack was not a short-term action but an intelligence infiltration operation that lasted approximately six months, characterized by an organized background and substantial resource backing.

As early as the fall of 2025, a group claiming to be from a quantitative trading company began engaging with Drift team members at various international cryptocurrency conferences, and over the following months they continued to build relationships and collaborate, even investing over $1 million in the platform to establish credibility. The investigation revealed that these individuals possessed professional backgrounds and technical capabilities, discussing long-term trading strategies and product integration through Telegram groups and meeting with core contributors in person on multiple occasions. Following the attack in April 2026, the relevant chat records and malware were swiftly deleted.

Drift believes that the intrusion may have been carried out through multiple pathways, including inducing team members to clone repositories containing malicious code or to download test applications disguised as wallet products. Additionally, the attack may have exploited vulnerabilities in VSCode and Cursor, about which the security community had already issued warnings, to execute malicious code without the user's awareness.
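As an added illustration of the "clone a repository, open it in the editor" pathway described above, here is a small Python triage script for inspecting a freshly cloned repository before it is opened. It is not Drift's or Mandiant's tooling, and the report does not name the specific editor weakness; the script assumes the mechanism of interest is a `.vscode/tasks.json` entry whose `runOptions.runOn` is `folderOpen` (a documented VS Code feature that Cursor, built on the same code base, also reads) and workspace settings that point the editor or its git integration at repository-controlled executables. The list of setting keys, the `.cursor` directory check, and the sample repository it builds are constructed for the example.

```python
"""Pre-open triage of a cloned repository for editor auto-execution hooks.

Added example, not Drift's or Mandiant's code. Assumptions (not stated in
the report): the pathway of interest is VS Code/Cursor acting on workspace
files when a folder is opened; the setting keys below are an illustrative
list of ones that can redirect the editor to a repo-supplied binary.
"""
import json
import re
import tempfile
from pathlib import Path

# Cursor honours the .vscode layout; checking a .cursor directory as well is an assumption.
WORKSPACE_DIRS = (".vscode", ".cursor")

# Workspace settings that, if the repository ships them, can make the editor
# run something the repository controls. Illustrative list, not exhaustive.
RISKY_SETTING_PREFIXES = (
    "git.path",
    "php.validate.executablePath",
    "python.defaultInterpreterPath",
    "terminal.integrated.profiles.",
    "terminal.integrated.automationProfile.",
    "terminal.integrated.shell.",
)


def strip_comments(text: str) -> str:
    """Remove // and /* */ comments outside string literals (VS Code files are JSONC)."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped character verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j          # keep the newline itself
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def load_jsonc(text: str):
    """Parse JSON-with-comments; also tolerates trailing commas (simple regex, good enough for triage)."""
    cleaned = re.sub(r",\s*([}\]])", r"\1", strip_comments(text))
    return json.loads(cleaned)


def scan_tasks(data, rel: str) -> list:
    """Flag tasks that VS Code runs automatically when the folder is opened."""
    findings = []
    tasks = data.get("tasks", []) if isinstance(data, dict) else []
    for task in tasks:
        if isinstance(task, dict) and (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            findings.append({"file": rel, "kind": "auto-run task",
                             "detail": f"task {task.get('label', '?')!r} runs on folder open: {task.get('command', '')}"})
    return findings


def scan_settings(data, rel: str) -> list:
    """Flag workspace settings that redirect the editor to repo-controlled executables."""
    if not isinstance(data, dict):
        return []
    return [{"file": rel, "kind": "executable override", "detail": f"{k} = {v!r}"}
            for k, v in data.items() if k.startswith(RISKY_SETTING_PREFIXES)]


def scan_repo(root) -> list:
    """Return a list of findings for the repository at `root`; an empty list means nothing was flagged."""
    root, findings = Path(root), []
    for ws in WORKSPACE_DIRS:
        for name, scanner in (("tasks.json", scan_tasks), ("settings.json", scan_settings)):
            path = root / ws / name
            if not path.is_file():
                continue
            rel = str(path.relative_to(root))
            try:
                data = load_jsonc(path.read_text(encoding="utf-8", errors="replace"))
            except ValueError as exc:        # unparseable is itself worth a look
                findings.append({"file": rel, "kind": "unparseable", "detail": str(exc)})
                continue
            findings.extend(scanner(data, rel))
    return findings


# Constructed sample repository: a "build" task that fires on folder open and a git.path override.
DEMO_TASKS = """{
  // looks like a harmless setup task
  "version": "2.0.0",
  "tasks": [
    { "label": "prepare", "type": "shell", "command": "node ./scripts/setup.js",
      "runOptions": { "runOn": "folderOpen" }, }
  ]
}"""
DEMO_SETTINGS = '{ "git.path": "./tools/git.sh", "editor.tabSize": 2 }'


def build_demo_repo(base) -> Path:
    ws = Path(base) / "demo-repo" / ".vscode"
    ws.mkdir(parents=True)
    (ws / "tasks.json").write_text(DEMO_TASKS, encoding="utf-8")
    (ws / "settings.json").write_text(DEMO_SETTINGS, encoding="utf-8")
    return ws.parent


def demo_findings() -> list:
    """Build the constructed repository in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_repo(build_demo_repo(tmp))


if __name__ == "__main__":
    for f in demo_findings():
        print(f"[{f['kind']}] {f['file']}: {f['detail']}")
```

Run it against a clone before opening the folder in the editor; the point of the check is to decide whether to trust the workspace at all, since Workspace Trust keeps folder-open tasks from running only while the folder stays in restricted mode. A non-empty result means the workspace files deserve a manual read, and an empty result says nothing about the rest of the repository's contents.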
Based on on-chain fund flows and behavioral pattern analysis, the security team preliminarily assesses that this operation is related to the threat organization behind the 2024 Radiant Capital attack, which has been attributed to North Korean hacker groups (such as UNC4736 / AppleJeus). Notably, the individuals involved in offline contacts were not of North Korean nationality but rather third-party intermediaries. Drift stated that the attackers constructed a complete and credible identity system, including professional resumes and public backgrounds, to gain trust through long-term interactions. The investigation is still ongoing, and the team urges the industry to strengthen device security reviews and access management.