Drift Protocol Got Played for 6 Months — Inside the Most Sophisticated DeFi Hack of 2026
Crafty · 6 min read
There’s a moment in every security breach where the victim realizes the threat wasn’t some faceless hacker in a dark room — it was the person shaking their hand at a conference, buying them coffee, and asking smart questions about vault integrations.
That’s exactly what happened to Drift Protocol. And if you’re building, investing, or operating anywhere in DeFi, you need to understand what went down — because this playbook is coming for everyone.
What Happened: The Timeline
On April 1st, 2026, Drift Protocol — one of the largest perpetual DEXs on Solana — was exploited. The protocol froze all remaining functions, compromised wallets were removed from the multisig, and attacker wallets were flagged across exchanges and bridges.
But this wasn’t a flash loan attack. It wasn’t a smart contract bug someone found at 3 AM. This was a months-long intelligence operation.
Here’s how it unfolded:
Fall 2025: A group presenting themselves as a quantitative trading firm approached Drift contributors at a major crypto conference. They were technically fluent, had verifiable professional backgrounds, and knew how Drift worked inside and out. A Telegram group was created. Conversations began.
December 2025 — January 2026: The group onboarded an Ecosystem Vault on Drift, going through the standard process — filling out strategy forms, attending working sessions, asking detailed product questions. They deposited their own capital. They became a legitimate part of the Drift ecosystem.
February — March 2026: Integration conversations continued. Multiple Drift contributors met members of the group face-to-face at several major industry conferences across different countries. By this point, the relationship was nearly six months old. These weren’t strangers. These were collaborators.
Throughout this period: Links were shared for projects, tools, and apps the group claimed to be building — standard practice in trading firm relationships.
April 1st, 2026: The exploit hit. And the moment it did, the group’s Telegram chats and malicious software were completely scrubbed. Gone.
The Attack Vectors: How They Got In
Drift’s forensic review, conducted alongside Mandiant and SEAL 911, identified three likely intrusion points:
1. Malicious Code Repository: One contributor cloned a code repo shared by the group, supposedly a frontend for their vault. Opening it may have been enough.
2. Fake Wallet App via TestFlight: A second contributor was induced to download a TestFlight application presented as the group’s wallet product.
3. IDE Vulnerability Exploitation: For the repo-based vector, the investigation points to a known VSCode and Cursor vulnerability that the security community was flagging from December 2025 through February 2026. Simply opening a file, folder, or repository in the editor was enough to silently execute arbitrary code — no prompt, no permission dialog, no warning. Just opening a folder.
Let that sink in. You open a project folder in your code editor. That’s it. You’re compromised.
Who Did This?
With medium-high confidence, the SEAL 911 team assessed that this operation was carried out by the same threat actors behind the October 2024 Radiant Capital hack — attributed by Mandiant to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet.
The connection is supported by both on-chain evidence (fund flows used to stage and test this operation trace back to the Radiant attackers) and operational overlaps (personas deployed in this campaign match known DPRK-linked activity patterns).
Here’s the kicker: the individuals who showed up in person at conferences were not North Korean nationals. DPRK threat actors at this level deploy third-party intermediaries for face-to-face relationship-building. The people Drift contributors met had fully constructed identities — employment histories, public-facing credentials, professional networks — all built over months to withstand scrutiny.
This isn’t hacking. This is espionage.
What We Can Learn From This
Let’s be honest with ourselves: most of us in crypto think we’re too smart to get phished. We laugh at the Nigerian prince emails. We mock the “connect your wallet” scam links.
But this wasn’t that. This was a six-month, in-person, multi-continent social engineering campaign executed with state-level resources. And it worked against experienced, security-conscious protocol contributors.
So here’s what we all need to internalize:
1. Social Engineering Has Leveled Up Permanently
The old playbook of sending a sketchy Discord DM is amateur hour compared to what’s happening now. State-backed actors are building full identities, attending your conferences, depositing real capital, and waiting months before making a move. The threat model has changed. Your defenses need to change with it.
2. Your Code Editor Is an Attack Surface
The VSCode/Cursor vulnerability used here required zero clicks, zero permissions, zero user interaction beyond opening a folder. If you’re a developer in crypto — or anywhere — you need to treat every repository from an external party as potentially hostile. Use sandboxed environments. Use virtual machines. Keep your tools updated. And read the security advisories for the tools you use every single day.
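One concrete way to act on “treat every external repository as hostile” is to audit a clone from the command line, inside a sandbox, before any editor opens it. The script below is an added example, not code from the article, from Drift, or from the investigators. It walks a checkout and flags the workspace files that editors and dev tooling are known to act on automatically when a folder is opened (VS Code `tasks.json` with `runOn: folderOpen`, workspace `settings.json` entries that point a tool binary into the repo, dev-container lifecycle commands, `.envrc`). The list of watched paths is an assumed, best-effort set; it does not detect the specific VS Code/Cursor vulnerability the article refers to, so it complements a VM, it does not replace one. The sample repository layout it builds for the demo is constructed.

```python
"""Pre-open audit of an untrusted repository clone (added example).

Reports workspace files that editors or tooling may act on as soon as the
folder is opened, so a reviewer can read them in a sandbox first. The list
of watched paths is an assumed best-effort set, not an exhaustive one.
"""
import json
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Finding:
    path: str      # file path relative to the repo root
    severity: str  # "high" = runs or redirects a tool on open; "review" = read it
    reason: str


# Locations that editors / dev tooling consult automatically (assumed list).
WATCHED = {
    ".vscode/tasks.json": "VS Code tasks; a task can be set to run on folder open",
    ".vscode/settings.json": "workspace settings; can point tools at repo-local binaries",
    ".vscode/launch.json": "debug configs (preLaunchTask, program paths)",
    ".devcontainer/devcontainer.json": "dev container lifecycle commands",
    ".envrc": "direnv executes this when you cd into the folder",
}
# devcontainer.json keys whose values are executed during container setup.
LIFECYCLE_KEYS = ("initializeCommand", "onCreateCommand", "updateContentCommand",
                  "postCreateCommand", "postStartCommand", "postAttachCommand")


def _load_jsonc(path: Path):
    """Parse JSON-with-comments as VS Code writes it; None if it will not parse.

    The comment stripping is heuristic (a '//' inside a string is also removed),
    which is acceptable here because an unparseable file is itself a finding.
    """
    text = path.read_text(encoding="utf-8", errors="replace")
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # block comments
    text = re.sub(r"//[^\n]*", "", text)                 # line comments
    text = re.sub(r",\s*([}\]])", r"\1", text)           # trailing commas
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None


def audit_repo(root: Path) -> list[Finding]:
    """Return findings for every watched file present under `root`."""
    findings: list[Finding] = []
    for rel, why in WATCHED.items():
        p = root / rel
        if not p.is_file():
            continue
        findings.append(Finding(rel, "review", why))
        if not rel.endswith(".json"):
            continue
        data = _load_jsonc(p)
        if not isinstance(data, dict):
            findings.append(Finding(rel, "high", "config did not parse; inspect it by hand"))
            continue
        if rel.endswith("tasks.json"):
            for task in data.get("tasks", []):
                if task.get("runOptions", {}).get("runOn") == "folderOpen":
                    findings.append(Finding(
                        rel, "high", f"task {task.get('label')!r} auto-runs on folder open"))
        elif rel.endswith("settings.json"):
            for key, val in data.items():
                # e.g. git.path / python.defaultInterpreterPath aimed inside the repo
                if key.lower().endswith("path") and isinstance(val, str) \
                        and ("${workspaceFolder}" in val or val.startswith(".")):
                    findings.append(Finding(rel, "high", f"{key} points a tool at {val!r}"))
        elif rel.endswith("devcontainer.json"):
            for key in LIFECYCLE_KEYS:
                if key in data:
                    findings.append(Finding(rel, "high", f"{key} runs during container setup"))
    return findings


def build_sample_repo(base: Path) -> Path:
    """Constructed sample: a 'partner frontend' clone with two auto-acting configs."""
    root = base / "partner-frontend"
    (root / ".vscode").mkdir(parents=True)
    (root / "src").mkdir()
    (root / "src" / "index.ts").write_text("export const ok = true;\n")
    (root / ".vscode" / "tasks.json").write_text(json.dumps({
        "version": "2.0.0",
        "tasks": [{"label": "setup", "type": "shell", "command": "npm install",
                   "runOptions": {"runOn": "folderOpen"}}]}))
    (root / ".vscode" / "settings.json").write_text(
        '// workspace settings\n{"git.path": "${workspaceFolder}/bin/git",}\n')
    return root


def demo() -> list[Finding]:
    """Build the constructed sample in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_repo(build_sample_repo(Path(tmp)))


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.severity:6}] {f.path}: {f.reason}")
```

Run it against a real clone with `audit_repo(Path("/path/to/clone"))` from a throwaway VM; any `high` finding means the folder should not be opened in an editor on a machine that has wallet or multisig access, and a clean result only means none of the watched hooks are present, not that the repo is safe.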
3. Device Hygiene Around Multisigs Is Non-Negotiable
If a device touches your multisig, it needs to be treated like a high-security asset. Dedicated hardware. Minimal software. No random repos. No TestFlight apps from partners. No exceptions.
4. Trust, But Verify — Then Verify Again
Six months of relationship-building made these attackers feel like trusted partners. And that trust was the weapon. In high-stakes environments, counterparty verification needs to go deeper than LinkedIn profiles and conference handshakes. Background checks, independent verification of firm registration, and compartmentalized access are the minimum.
5. Have an Incident Response Plan Before You Need One
Drift’s response — freezing protocol functions, removing compromised wallets, engaging Mandiant, flagging attacker wallets, and publicly sharing findings to protect the ecosystem — is a model for how teams should handle breaches. But you can only respond this well if you’ve planned for it in advance.
How to Stay Secure: Practical Steps
Whether you’re a protocol team, a DAO contributor, or an individual holding bags, here’s your checklist:
- Audit access controls regularly. Who has keys? Who has signing authority? When was the last time you reviewed it?
- Treat every external tool, app, or repo as hostile until proven otherwise. Sandbox everything. Never open external code on a device that has access to wallets or sensitive infrastructure.
- Use hardware wallets and dedicated signing devices. Your hot wallet laptop should not be the same machine where you clone repos from new partners.
- Keep your development tools updated. The VSCode vulnerability exploited here was known and flagged for months before the attack.
- Implement multi-party verification for new integrations. No single contributor should have the ability to onboard a new partner and also have multisig access on the same device.
- If something feels off, report it. Drift specifically recommended reaching out to SEAL 911 if any team believes they’ve been targeted by a similar operation.
The Bigger Picture
This attack represents a new chapter in DeFi security threats. We’ve moved beyond smart contract exploits and flash loan attacks into full-spectrum intelligence operations backed by nation-states. North Korean threat actors aren’t going away — they’re getting better. They’re patient. They’re well-funded. And they’re studying how your team operates before they ever make contact.
Drift’s decision to share these details publicly — even while the investigation is ongoing — is the kind of transparency that makes the entire ecosystem stronger. Other teams now know what this looks like. And that knowledge is the first line of defense.
Stay sharp. Audit your access. Question everything. And never assume that because someone shook your hand at a conference, they’re who they say they are.
The game has changed. Play accordingly.
Follow Crafty on X 👉🏼 x.com/9bitCrafty
Originally published at https://www.craftycrypto.gg on April 28, 2026.