Drift is actively working with law enforcement, forensic partners, and ecosystem teams to build a complete picture of what happened during the April 1st attack.
As the investigation into the April 1st 2026 attack continues alongside forensics partners, more details can now be shared about the attack vector and how this operation was staged. Drift is sharing this publicly because other teams in the ecosystem deserve to understand what this attack actually looked like, so they can protect themselves accordingly. Some details remain high-level to protect the integrity of the active investigation.
Current Status
All remaining protocol functions have been frozen and the compromised wallets have been removed from the multisig. Attacker wallets have been flagged across exchanges and bridge operators.
Mandiant has been engaged for the investigation.
An Attack 6 Months in the Making
The preliminary investigation shows that Drift experienced a structured intelligence operation requiring organizational backing, significant resources, and months of deliberate preparation.
In or about Fall 2025, Drift contributors were approached by a group of individuals at a major crypto conference who presented as a quantitative trading firm looking to integrate on the protocol. It is now understood that this was a targeted approach: individuals from this group continued to deliberately seek out and engage specific Drift contributors, in person, at multiple major industry conferences in multiple countries over the following six months.
They were technically fluent, had verifiable professional backgrounds, and were familiar with how Drift operated. A Telegram group was established upon the first meeting, and what followed were months of substantive conversations around trading strategies and potential vault integrations. These interactions are typical of how trading firms interact and onboard with Drift.
From December 2025 through January 2026, they onboarded an Ecosystem Vault on Drift which required filling out a form with strategy details. They engaged multiple contributors through multiple working sessions, asked detailed and informed product questions, and deposited over $1M of their own capital. They built a functioning operational presence inside the Drift ecosystem deliberately and patiently.
Integration conversations continued through February and March 2026. Various Drift contributors met individuals from this group again, face-to-face, at multiple major industry conferences. By this point, the relationship was nearly half a year old. These were not strangers; they were people Drift contributors had worked with and met in person.
Throughout all of this, links were shared for projects, tools, and apps they claimed to be building, as is standard practice for trading firms.
After the exploit on April 1 happened, a thorough forensic review of known affected devices, accounts, and communication histories was conducted. Interactions with this trading group came into focus as the likely intrusion vector. Right as the exploit happened, their Telegram chats and malicious software were completely scrubbed.
The investigation is ongoing and these findings are preliminary, but they are being shared in the interest of providing the community with the best available information.
The Potential Mechanics of the Infiltration
We believe that there may have been three attack vectors:
- One contributor may have been compromised after cloning a code repository shared by the group under the guise of deploying a frontend for their vault.
- A second contributor was induced to download a TestFlight application the group presented as their wallet product.
For the repository-based vector, one possibility is a known VSCode and Cursor vulnerability that the security community was actively flagging from December 2025 through February 2026. Simply opening a file, folder, or repository in the editor was sufficient to silently execute arbitrary code, with no click, prompt, permissions dialog, or warning of any kind. The full technical disclosure can be found here.
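The practical lesson from the repository vector is that a clone is not inert: editor configuration checked into a repo can run commands the moment the folder is opened. The script below is an added example (not Drift's tooling, and not the disclosed vulnerability itself) that inspects a cloned repository before anyone opens it in a VS Code-family editor. It checks documented auto-execution surfaces: tasks.json entries with runOptions.runOn set to "folderOpen", launch.json configurations with a preLaunchTask, and workspace settings.json keys that point the editor or an extension at an executable. The key list and the sample repository it builds are constructed for illustration. A clean result does not prove a repository safe, since the vulnerability described above needed none of these hooks; untrusted repositories from counterparties should still be opened only in a disposable VM or container.

```python
"""Pre-open scan of a cloned repo for editor auto-execution hooks (added example)."""
import json
import re
import sys
import tempfile
from pathlib import Path

# Workspace settings that name a binary the editor or an extension may spawn.
# Assumed illustrative list; extend it for the extensions your team actually uses.
EXECUTABLE_SETTING_KEYS = {
    "git.path",
    "php.validate.executablePath",
    "python.defaultInterpreterPath",
    "terminal.integrated.profiles.linux",
    "terminal.integrated.profiles.osx",
    "terminal.integrated.profiles.windows",
    "terminal.integrated.automationProfile.linux",
    "terminal.integrated.automationProfile.osx",
    "terminal.integrated.automationProfile.windows",
}


def _load_jsonc(path: Path):
    """Parse VS Code's JSON-with-comments: strip /* */ and whole-line // comments, trailing commas."""
    text = path.read_text(encoding="utf-8", errors="replace")
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",\s*([}\]])", r"\1", text)
    return json.loads(text)


def _load_or_flag(path: Path, findings: list) -> dict:
    try:
        data = _load_jsonc(path)
        return data if isinstance(data, dict) else {}
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        findings.append(f"{path.name}: unparseable, inspect by hand ({exc})")
        return {}


def scan_repo(repo: Path) -> list:
    """Return human-readable findings for every auto-execution hook found under repo/.vscode."""
    findings = []
    vs = repo / ".vscode"
    if not vs.is_dir():
        return findings

    tasks = vs / "tasks.json"
    if tasks.is_file():
        for task in _load_or_flag(tasks, findings).get("tasks") or []:
            if not isinstance(task, dict):
                continue
            run_on = (task.get("runOptions") or {}).get("runOn")
            if run_on == "folderOpen":
                findings.append(
                    f"tasks.json: task {task.get('label')!r} runs on folderOpen: "
                    f"{task.get('command')!r} {task.get('args')!r}"
                )

    launch = vs / "launch.json"
    if launch.is_file():
        for cfg in _load_or_flag(launch, findings).get("configurations") or []:
            if isinstance(cfg, dict) and cfg.get("preLaunchTask"):
                findings.append(
                    f"launch.json: config {cfg.get('name')!r} triggers task {cfg['preLaunchTask']!r}"
                )

    settings = vs / "settings.json"
    if settings.is_file():
        for key, value in _load_or_flag(settings, findings).items():
            if key in EXECUTABLE_SETTING_KEYS:
                findings.append(f"settings.json: {key} overridden to {value!r}")
    return findings


def demo() -> list:
    """Build a constructed sample repo in a temp dir and scan it. Illustrative, not real malware."""
    tmp = Path(tempfile.mkdtemp(prefix="repo-scan-"))
    (tmp / ".vscode").mkdir()
    (tmp / ".vscode" / "tasks.json").write_text(
        "{\n"
        "  // constructed sample: one ordinary build task, one task that fires on open\n"
        '  "version": "2.0.0",\n'
        '  "tasks": [\n'
        '    {"label": "build", "type": "shell", "command": "npm run build"},\n'
        '    {"label": "setup", "type": "shell", "command": "node",\n'
        '     "args": ["scripts/setup.js"], "runOptions": {"runOn": "folderOpen"}},\n'
        "  ]\n"
        "}\n"
    )
    (tmp / ".vscode" / "settings.json").write_text(
        '{"editor.tabSize": 2, "git.path": "./tools/git.sh",}\n'
    )
    return scan_repo(tmp)


if __name__ == "__main__":
    results = scan_repo(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    print("\n".join(results) or "no auto-execution hooks found")
    sys.exit(1 if results else 0)
```

Run it as `python scan_repo.py /path/to/clone` in a CI job or a pre-open checklist; a non-zero exit means a human should read the flagged file before the folder is opened in an editor.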
Full forensic analysis of affected hardware is ongoing, and more details will be shared.
Attribution
With medium-high confidence, supported by investigations done by the SEAL 911 team, this operation is assessed to have been carried out by the same threat actors responsible for the October 2024 Radiant Capital hack, attributed by Mandiant to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet. The basis for this connection is both onchain (fund flows used to stage and test this operation trace back to the Radiant attackers) and operational (personas deployed across this campaign have identifiable overlaps with known DPRK-linked activity).
It is important to note that the individuals who appeared in person were not North Korean nationals. DPRK threat actors operating at this level are known to deploy third-party intermediaries to conduct face-to-face relationship-building.
Mandiant has not formally attributed this Drift exploit. That determination requires completed device forensics, which are still underway.
Conclusion
The investigation has shown so far that the profiles used in this targeted third-party operation had fully constructed identities, including employment histories, public-facing credentials, and professional networks. The people Drift contributors met in person appeared to have spent months building profiles, both personal and professional, that could withstand scrutiny during a business or counterparty relationship.
Drift is still working through investigations. This update is being shared in an effort to help the ecosystem mitigate risks. Please check in on your teams, audit who has access to what, and treat every device that touches your multisig as a potential target.
Drift has been fortunate to have the support of some of the best experts in the industry working through this together. Enormous thanks to @tayvano_, @tanuki42_, @pcaversaccio and @bax1337 for their expertise and generosity with their time and knowhow in identifying these malicious actors.
If your team believes it may have been targeted by the same group or a similar operation, please reach out to @SEAL911 immediately. They are best equipped to triage active threats and compromised infrastructure.
More will be shared as the investigation develops.