Drift Hack Incident Preliminary Investigation: Suspected North Korea-Linked Group Orchestrated Six-Month Penetration Operation

BlockBeats News, April 5th. According to official sources, Drift has stated that it is working with law enforcement agencies, forensic partners, and the ecosystem team on a comprehensive investigation into the hack that occurred on April 1, 2026. All protocol functions are currently suspended, affected wallets have been removed from the multisig, and the attacker's address has been flagged with the trading platform and cross-chain bridge. Security firm Mandiant has joined the investigation. Preliminary findings indicate that the attack was not a short-term action but a long-term intelligence penetration operation lasting about 6 months, with an organized background and ample resource support. As early as the fall of 2025, a group of individuals claiming to represent a quantitative trading company approached Drift team members at several international crypto conferences and spent the following months building relationships and collaborating, even investing over $1 million in the platform to establish credibility.

The investigation found that these individuals had a professional background and technical capabilities, discussed long-term trading strategies and product integration with the team through Telegram groups, and met core contributors in person on multiple occasions. After the April 2026 attack, the relevant chat records and malware were promptly deleted. Drift believes the intrusion may have been carried out through several paths, including inducing team members to clone repositories containing malicious code or to download test apps disguised as wallet products. The attack may also have exploited VSCode and Cursor vulnerabilities that the security community had already warned about at the time, in order to execute malicious code without the user's awareness.

Based on on-chain fund flows and behavioral pattern analysis, the security team has preliminarily linked this operation to the threat group behind the 2024 Radiant Capital attack, which was attributed to a North Korean-backed hacker group (such as UNC4736 / AppleJeus). Notably, the individuals who made in-person contact were not North Korean nationals but third-party intermediaries. Drift stated that the attackers had constructed a complete and credible identity, including professional resumes and public backgrounds, to gain trust through prolonged contact. The investigation is still ongoing, and the team urges the industry to strengthen device security reviews and permission management.
