‘Six Months in the Making’: Drift Protocol Says $285,000,000+ Hack Involved North Korean-Backed Impostors at Multiple Crypto Conferences
The recent $285 million hack on the Solana-based DeFi platform Drift Protocol wasn’t any run-of-the-mill exploit. Drift Protocol says in a new incident update that the April 1st attack was the result of six months of careful manipulation from North Korean-backed impostors. “In or about Fall 2025, Drift contributors were approached by a group of […] The post ‘Six Months in the Making’: Drift Protocol Says $285,000,000+ Hack Involved North Korean-Backed Impostors at Multiple Crypto Conferences appeared first on The Daily Hodl .
The recent $285 million hack on the Solana-based DeFi platform Drift Protocol was not a typical exploit. Drift Protocol has revealed in a new incident update that the April 1st attack was the result of six months of meticulous manipulation by North Korean-backed impostors. The group had approached Drift contributors in the fall of 2025 at a major crypto conference, posing as a quantitative trading firm interested in integrating with the protocol.
The impostors were well-prepared, with technical expertise, verifiable professional backgrounds, and knowledge of how Drift operated. They established a Telegram group during their initial meeting and proceeded to engage in months of detailed discussions about trading strategies and potential vault integrations. These interactions were consistent with the standard process by which trading firms interact with and onboard to Drift.
Over the following six months, the impostors deliberately sought out and engaged specific Drift contributors at multiple major industry conferences in various countries. They onboarded an Ecosystem Vault on Drift in December and January, participating in numerous working sessions and depositing over $1 million of their own capital. Integration conversations continued through February and March 2026, with the impostors meeting Drift contributors face-to-face at multiple conferences.
By this point, the relationship between the impostors and Drift contributors had lasted nearly six months. The individuals involved were not strangers; they were people Drift contributors had worked with and met in person. Throughout the process, the impostors shared links to projects, tools, and apps they claimed to be developing, which was standard practice for trading firms.
Drift Protocol's investigation has concluded with "medium-high confidence" that the attack was orchestrated by North Korean-backed actors. The sophisticated approach used by the impostors highlights the growing sophistication of cyber threats in the crypto space and the need for increased vigilance and security measures among platforms and participants.
This incident underscores the importance of due diligence and verification processes in the crypto industry, particularly when dealing with new partners or entities. As the space continues to grow, it is crucial for platforms to implement robust security protocols and stay vigilant against such targeted attacks. The Drift Protocol hack serves as a stark reminder of the potential risks involved in the rapidly evolving world of decentralized finance.
