
$285M Drift Protocol Hack: What Looked Like a Routine Exploit Was Actually a 6-Month State-Backed Intelligence Operation (explained)


by COINS NEWS

What first appeared to be a standard DeFi exploit that drained $285 million was in fact a highly sophisticated, months-long intelligence operation. It required serious resources, patience, and state-level backing.

Their preliminary investigation shows the attackers began in Fall 2025 by approaching Drift contributors at major crypto conferences, posing as a legitimate quantitative trading firm. Over six months they built what felt like real professional relationships across multiple countries.

They created a Telegram group, discussed trading strategies, onboarded an Ecosystem Vault with over $1M in real capital, and held multiple working sessions.

The likely compromise came through two vectors: a contributor cloning a code repository that may have exploited a known VSCode/Cursor vulnerability, and another downloading a TestFlight app presented as their "wallet product."

Post-exploit forensics and on-chain analysis point with medium-high confidence to the same North Korean state-affiliated actors (UNC4736 / Citrine Sleet / AppleJeus) behind the Radiant Capital hack.

Drift has frozen remaining protocol functions, removed compromised wallets from the multisig, and flagged the attacker addresses. All multisig signers were on cold wallets, a reminder that even strong controls can be bypassed when the human layer is targeted.

Key lessons for every team in crypto and DeFi: nation-state actors are now running long-game HUMINT operations. Device and access compartmentalization must be absolute. Never clone external repos, install third-party apps, or open untrusted links on machines that touch production keys or multisigs.

Huge respect to the Drift team for this level of transparency while the investigation is still active. If your organization has been approached similarly, reach out to the SEALS 911 team or Mandiant (part of Google Cloud).

source: https://www.linkedin.com/feed/update/urn:li:activity:7446425992870412288/

submitted by /u/Malwarebeasts