The $280M Drift Heist: Six Months of Trust, 12 Minutes to Drain It

This one was crazy. This $280 million crypto theft was a six-month-long op. Drift experienced a structured intelligence operation that required organizational backing, significant resources, and months of deliberate prep. Contributors were approached in person at conferences, engaged across multiple countries, and worked with what appeared to be a legitimate trading firm that built trust over half a year.
They onboarded a vault, deposited over a million dollars of their own capital, and built a functioning operational presence inside the ecosystem. They felt like co-workers at this point. But the mechanics of the hack itself should all look familiar: malicious GitHub repos exploiting VS Code vulnerabilities, fake TestFlight wallet apps, and months of social engineering that made these actions feel completely normal.
On April 1st, in 12 minutes, $285 million. Boom. The attackers wiped chats, scrubbed evidence, and disappeared. The individuals they met in person were not North Korean nationals, but intermediaries used to build trust. This wasn’t someone you just met online. This was six months of real-world interaction before the rug was pulled.
Drift is sharing this publicly because other teams in the ecosystem deserve to understand what this attack actually looked like.
All remaining protocol functions have been frozen and the compromised wallets have been removed from the multisig. Attacker wallets have been flagged across exchanges and bridge operations. Mandiant has been engaged.

Timeline: Six Months of Building Trust
Fall 2025: Drift contributors were approached in person, at a major crypto conference, by a group of individuals who presented as a quant trading firm looking to get started on the protocol.
It's now understood that this was a targeted approach: over the following six months, individuals from this group continued to deliberately seek out and engage specific Drift contributors in person at multiple major industry events and conferences in multiple countries.
They were technically fluent, had verifiable professional backgrounds, and were familiar with how Drift operated.
A Telegram group was established upon the first meeting and what followed were months of substantive conversations around trading strategies and potential vault integrations.
December 2025 through '26: They onboarded an ecosystem vault on Drift, which required filling out a form with strategy details. They engaged multiple contributors through multiple working sessions, asked detailed and informed product questions, and deposited over a million dollars of their own capital.
They built a functioning operational presence inside the Drift ecosystem deliberately and patiently. Integration conversations continued through February and March. Various Drift contributors met the individuals from this group face to face.
By this point, the relationship was nearly half a year old. These were not strangers, but people Drift contributors had worked with and met in person.

The Intrusion Vectors
After the exploit on April 1st happened, a thorough forensics review of the known affected devices, accounts, and communications histories was conducted.
Interactions with the trading group came into focus as the likely intrusion vector. Right as the exploit happened, their Telegram chats and malicious software had been completely scrubbed.
There may have been three attack vectors. One contributor may have been compromised after cloning a code repo shared in the group. This is very similar to how they hack people through fake job interviews: they share a code repo, you clone it, and somewhere in that repo is actual malware. But here it came after months and months of trust building. A second contributor was induced to download a TestFlight app the group presented as their wallet product. This is basically side-loading on iOS via TestFlight.
For the repository-based vector, one possibility is a known VS Code and Cursor vulnerability that the security community was actively flagging through December. Simply opening a file, folder or repo in the editor was sufficient to silently execute arbitrary code.
North Korea has been abusing VS Code hooks that run automatically in the background as you open a folder: a tasks.json configured to run on folder open launches a file disguised as a font that actually contains obfuscated malicious JS. It runs immediately when you open the project in VS Code, and the editor does not display the commands being executed.
That's huge.
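Because the hook lives in a plain config file, it can be checked before the folder is ever opened. The script below is an added example (not code from this post or from Drift): it parses each `.vscode/tasks.json` in a cloned repo (the format VS Code and Cursor both read) and flags tasks set to run on folder open; the sample tasks file is constructed here with a harmless stand-in command, and the Cursor behaviour is assumed from it being a VS Code fork.

```python
"""Flag VS Code tasks that auto-run when a folder is opened.

Added example, not code from the post or from Drift: a check to run on a freshly
cloned repo BEFORE opening it in VS Code or Cursor (a VS Code fork that reads the
same .vscode/tasks.json).
"""
import glob, json, os, re

# tasks.json is JSONC (comments and trailing commas allowed), so plain json.loads
# fails; strip both while leaving string literals untouched.
_STR = r'("(?:\\.|[^"\\])*")'
_COMMENTS_RE = re.compile(_STR + r'|//[^\n]*|/\*.*?\*/', re.DOTALL)
_TRAILING_RE = re.compile(_STR + r'|,(?=\s*[}\]])')

def parse_jsonc(text: str) -> dict:
    keep_str = lambda m: m.group(1) or ''
    return json.loads(_TRAILING_RE.sub(keep_str, _COMMENTS_RE.sub(keep_str, text)))

def find_auto_run_tasks(tasks_json: dict) -> list:
    """Tasks with runOptions.runOn == "folderOpen": they start the moment the
    workspace opens unless "task.allowAutomaticTasks" is "off" or the folder is
    untrusted; presentation.reveal == "never" also hides their terminal."""
    hits = []
    for task in tasks_json.get('tasks', []):
        if task.get('runOptions', {}).get('runOn') == 'folderOpen':
            hits.append({'label': task.get('label', '<unnamed>'),
                         'command': task.get('command') or task.get('script'),
                         'args': task.get('args', []),
                         'hidden': task.get('presentation', {}).get('reveal') == 'never'})
    return hits

def scan_repo(repo_root: str) -> list:
    """Check every .vscode/tasks.json under repo_root, nested workspaces included."""
    hits = []
    for path in glob.glob(os.path.join(repo_root, '**', '.vscode', 'tasks.json'), recursive=True):
        with open(path, encoding='utf-8-sig') as fh:
            hits += [dict(file=path, **h) for h in find_auto_run_tasks(parse_jsonc(fh.read()))]
    return hits

# Constructed sample shaped like the described hook; the command is a harmless
# stand-in, not a real payload.
SAMPLE_TASKS_JSON = '''{
  "version": "2.0.0",  // JSONC comment
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", },
    { "label": "prepare", "type": "shell", "command": "node",
      "args": ["assets/font.woff2"],  /* a script file named like a font */
      "runOptions": { "runOn": "folderOpen" }, "presentation": { "reveal": "never" }, }
  ]
}'''
```

Call `scan_repo("/path/to/clone")` right after `git clone` and refuse to open the folder if it returns anything; `find_auto_run_tasks(parse_jsonc(SAMPLE_TASKS_JSON))` flags the `prepare` task in the sample.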
Not Who They Said They Were
With medium-high confidence, supported by investigations done by the SEAL 911 team, this operation is assessed to have been carried out by the same threat actors responsible for the October 2024 Radiant Capital hack attributed to North Korea.
It's important to note that the individuals who appeared in person were not North Korean nationals. North Korean threat actors operating at this level are known to deploy third-party intermediaries to conduct face-to-face relationship building.
They basically have these mules that are paid actors to work with this group to build trust.
Months of in-person meetings from the fall to January across multiple countries: this quant firm met with people at Drift. They then tied their vault to Drift and deposited over a million dollars of their own money.
They're hopping on meetings, working together, giving them millions of dollars. They just feel like co-workers at this point. There's a ton of trust built up.
The Moment It All Collapsed
They start sharing GitHub links like “hey check out this tool that I built.” Apparently this is all super normal in this ecosystem.
But one of those GitHub repos actually takes advantage of a vulnerability in VS Code and Cursor that executes code silently and immediately, and it compromises a contributor of the Drift protocol.
Another contributor downloaded a fake TestFlight wallet app onto their iOS device. They tested it out back in March, along the lines of "let's see if our access works here."
And then on April 1st, in 12 minutes, $285 million. Boom.
And then all the Telegram chats and all the stuff that they were building over those last couple months was erased. All the evidence was completely erased at the exact same time that they pulled off the heist.
The Uncomfortable Reality
To Drift's credit, they've been very transparent about this investigation and they're doing forensics as they go.
But I can't believe this. They met these people in real life.
A lot of the advice talks about how you don't trust these people that you just meet online and start doing whatever the hell they're doing.
No. They met these people for six months at conferences and meetings and they worked together until the rug was ready to be pulled.