Drift Protocol, the decentralized exchange (DEX) that lost an estimated $280 million in an exploit last week, claims the loss was the result of a six-month, highly coordinated attack.

“The preliminary investigation shows that Drift experienced a structured intelligence operation requiring organizational backing, significant resources, and months of deliberate preparation,” Drift said in an X post on Saturday.

Attack began at a “major crypto conference”

According to Drift, the attack can be traced back to around October 2025, when malicious actors posing as a quantitative trading firm first approached Drift contributors at a “major crypto conference,” claiming to be interested in integrating with the protocol.

The group continued to engage contributors in person at multiple industry events over a six-month period. “It is now understood that this appears to be a targeted approach, where individuals from this group continued to deliberately seek out and engage specific Drift contributors,” Drift said.

“They were technically fluent, had verifiable professional backgrounds, and were familiar with how Drift operated,” Drift said.

After gaining trust and access to Drift Protocol over six months, they used shared malicious links and tools to compromise contributors’ devices, execute the exploit, and then wiped their presence immediately after the attack.

The incident serves as a reminder for crypto industry participants to remain cautious and skeptical, even during in-person interactions, as crypto conferences can be prime targets for sophisticated threat actors.

Drift flags a high probability of a Radiant Capital hack link

Drift said, with “medium-high confidence,” that the exploit was carried out by the same actors behind the October 2024 Radiant Capital hack.

In December 2024, Radiant Capital said the exploit was carried out through malware sent via Telegram from a North Korea-aligned hacker posing as an ex-contractor. 

“This ZIP file, when shared for feedback among other developers, ultimately delivered malware that facilitated the subsequent intrusion,” Radiant Capital said.

Drift said that the individuals who appeared in person “were not North Korean nationals.”

“DPRK threat actors operating at this level are known to deploy third-party intermediaries to conduct face-to-face relationship-building,” Drift said.

Drift said that it is working with law enforcement and others in the crypto industry to “build a complete picture of what happened during the April 1st attack.”