Initial investigation into the Drift hacking incident: Suspected North Korea-linked group orchestrated a six-month infiltration operation

BlockBeatNews

BlockBeats news, April 5: according to official information, Drift said it is working with law enforcement agencies, evidence-gathering partners, and ecosystem teams to conduct a comprehensive investigation into the hacking incident of April 1, 2026. At present, all protocol functions have been paused, the affected wallets have been removed from the multisig, and the attacker addresses have been flagged on exchange platforms and cross-chain bridges. Security firm Mandiant has stepped in to investigate. Preliminary results indicate that the attack was not a short-term action but an intelligence infiltration operation lasting about 6 months, carried out by an organized group with sufficient resources behind it. As early as the fall of 2025, a group of people claiming to be from quantitative trading companies approached members of the Drift team at multiple international crypto conferences; over the following months they continued to build relationships, carry out collaboration, and even injected more than $1 million into the platform to establish credibility.

The investigation found that these individuals had professional backgrounds and technical capabilities. Through Telegram groups they held long-running discussions with the team about trading strategies and product integration, and they met core contributors several times in person. After the April 2026 attack, the relevant chat logs and malware were quickly deleted. Drift believes the intrusion may have been carried out through several paths, including inducing team members to clone a repository containing malicious code, or to download a test application disguised as a wallet product. The attack may also have exploited VSCode and Cursor vulnerabilities that the security community had warned about at the time, executing malicious code without the user's awareness.

Based on analysis of on-chain fund flows and behavioral patterns, the security team initially believes this operation is related to the threat organization behind the 2024 Radiant Capital attack, which has been attributed to a North Korea–backed hacking group (such as UNC4736 / AppleJeus). Notably, the individuals who made in-person contact were not North Korean but third-party intermediaries. Drift said the attackers built a complete and credible identity system, including professional work histories and public backgrounds, to gain trust through long-term engagement. The investigation is still ongoing, and the team is calling on the industry to strengthen device security reviews and permission management.
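The report names "clone a repository containing malicious code" as one suspected path, together with editor weaknesses, and closes by asking teams to tighten device security reviews. A practical piece of such a review is to audit a freshly cloned repository for configuration that would run code the moment it is opened or installed, before any human has read it. The script below is an added illustration written for this page, not code from Drift, Mandiant, or BlockBeats, and the page does not say which mechanism the attackers actually used; it checks only well-known, documented auto-execution vectors (VS Code / Cursor `tasks.json` with `runOn: folderOpen`, workspace settings that swap the editor's shell or interpreter, npm lifecycle scripts, and executable Git hooks). The sample repository it builds is constructed for the demonstration.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# npm scripts that run during `npm install` without the user invoking them.
NPM_LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Workspace setting prefixes that change which binary the editor launches.
SENSITIVE_SETTING_PREFIXES = (
    "terminal.integrated.",          # shell / shell args / env for the terminal
    "git.path",                       # git binary the editor executes
    "python.defaultInterpreterPath",  # interpreter used for run / debug
)


def _load_json(path: Path):
    """Parse a JSON file, returning None if it is absent or malformed."""
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None


def audit_clone(repo: str) -> list[str]:
    """Return human-readable findings for auto-execution vectors in a cloned repo."""
    root = Path(repo)
    findings: list[str] = []

    # 1. Editor tasks configured to run as soon as the folder is opened.
    tasks = _load_json(root / ".vscode" / "tasks.json")
    if isinstance(tasks, dict):
        for task in tasks.get("tasks", []):
            if not isinstance(task, dict):
                continue
            run_on = (task.get("runOptions") or {}).get("runOn")
            if run_on == "folderOpen":
                findings.append(
                    f".vscode/tasks.json: task {task.get('label')!r} runs on "
                    f"folderOpen: {task.get('command')!r}")

    # 2. Workspace settings that redirect the editor to attacker-chosen binaries.
    settings = _load_json(root / ".vscode" / "settings.json")
    if isinstance(settings, dict):
        for key, value in settings.items():
            if key.startswith(SENSITIVE_SETTING_PREFIXES):
                findings.append(f".vscode/settings.json overrides {key}: {value!r}")

    # 3. npm lifecycle scripts that execute during installation.
    pkg = _load_json(root / "package.json")
    if isinstance(pkg, dict):
        for name, cmd in (pkg.get("scripts") or {}).items():
            if name in NPM_LIFECYCLE_HOOKS:
                findings.append(f"package.json lifecycle script {name}: {cmd!r}")

    # 4. Executable Git hooks. A fresh clone only carries *.sample files, so a
    #    real hook here was planted by a setup step and deserves a look.
    hooks = root / ".git" / "hooks"
    if hooks.is_dir():
        for hook in sorted(hooks.iterdir()):
            if not hook.name.endswith(".sample") and hook.stat().st_mode & stat.S_IXUSR:
                findings.append(f".git/hooks/{hook.name} is executable")

    return findings


def build_constructed_repo(with_vectors: bool = True) -> str:
    """Create a throwaway repo layout (constructed sample data) for the demo."""
    root = Path(tempfile.mkdtemp(prefix="clone-audit-"))
    (root / "src").mkdir()
    (root / "src" / "index.js").write_text("console.log('hello');\n")
    if with_vectors:
        (root / ".vscode").mkdir()
        (root / ".vscode" / "tasks.json").write_text(json.dumps({
            "version": "2.0.0",
            "tasks": [{"label": "setup", "type": "shell",
                       "command": "node ./scripts/setup.js",
                       "runOptions": {"runOn": "folderOpen"}}],
        }))
        (root / "package.json").write_text(json.dumps({
            "name": "demo",
            "scripts": {"postinstall": "node ./scripts/setup.js", "test": "jest"},
        }))
    return str(root)


if __name__ == "__main__":
    for line in audit_clone(build_constructed_repo()) or ["no auto-execution vectors found"]:
        print(line)
```

Run it against a real clone with `audit_clone("/path/to/clone")` before opening the folder in an editor or running an installer; any finding is a reason to read the referenced file first, and VS Code's Workspace Trust prompt should be left enabled so that `folderOpen` tasks do not fire in untrusted folders.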
