The hacker behind the Drift hack has ties to North Korea.


Drift Protocol has just released preliminary findings from its investigation into the attack that caused over $285 million in damage, revealing a meticulously planned six-month hacking operation by a group believed to be linked to the North Korean government.


The fingerprints of the North Korean hacker group.

According to the investigation, the Drift attack closely matches the Radiant Capital hack of October 2024 in its identifying characteristics, from on-chain fund flows to execution methods. Cybersecurity firm Mandiant previously attributed the Radiant Capital attack to the UNC4736 group, an organization identified as having direct links to the North Korean state apparatus.

What made this attack particularly dangerous was not just the scale of the damage, but the sophistication of the preparation. Starting in the fall of 2025, a group of people began approaching Drift collaborators at various international crypto conferences, posing as representatives of a quantitative trading firm.

After establishing initial contact, these individuals invited victims to a Telegram group and maintained in-depth discussions about trading strategies and financial operations for six months. To build credibility, the group even deployed an Ecosystem Vault with $1 million in real capital on the Drift platform – a genuine investment to bolster their facade of legitimacy.

After numerous in-person meetings and a lengthy trust-building process, the attacker began sharing malicious links and tools. The suspect ultimately completed the intrusion through a code repository containing malware and a test version of a wallet application distributed via TestFlight. All chat history and related malware were wiped clean after the attack was complete.

Response and handling steps

While the investigation is ongoing and current findings are preliminary, Drift has implemented a series of emergency measures: freezing all remaining protocol functionality, removing compromised wallets from the multisig mechanism, and flagging the attacker's wallets with exchanges and cross-chain bridge operators to prevent further withdrawals.
