Drift Protocol has shared new details about the $280 million exploit it suffered on April 1, revealing that the attack was not a one-off incident but the result of a carefully orchestrated operation that unfolded over several months.
In another post published on Saturday, the protocol revealed that the hack seems to be the result of a six-month-long intelligence operation initiated during crypto gatherings in autumn 2025, highlighting the growing patience and meticulousness associated with contemporary cyberattacks.
As per the findings of the probe, the hackers introduced themselves as a quantitative trading firm and presented themselves as such through their professional demeanor, allowing them to navigate through the crypto sphere with ease. Instead of launching an attack, they took the time to build rapport and gain legitimacy.
The alleged hacking organization attended several international crypto events, meeting Drift’s developers and contributors at the events. Through persistent attendance and participation in discussions within the crypto industry, the group managed to earn the trust of the members of the crypto sphere.
Attackers deposited $1 million to appear legitimate
One of the most important aspects of the cyber attack was the legitimacy that the attackers tried to create about themselves. Drift explained that the hackers put over $1 million of their own money in one of the Ecosystem Vaults related to the platform.
Such actions helped to increase their legitimacy and gave the impression that these were the real members of the community, rather than people looking to harm others. Cybersecurity experts suggest that such tactics indicate that cybercriminals are now taking different measures; they spend much more time and money upfront to penetrate their targets later.
Moreover, the platform also noted that there are some connections between the attack and the previous attacks that took place on the crypto platforms. Drift said that it had “medium-high” confidence that those who committed the current exploit were the same who attacked Radiant Capital in October 2024.
Drift probe reveals long-planned, coordinated attack
Drift collaborated with the cybersecurity team of SEAL 911 to study the breach and to determine how exactly the attack was performed. The results demonstrate that what the crypto industry deals with here is not an impulsive attempt to steal money but a very well-prepared and thought-out plan.
Starting with establishing contact at conferences all the way through performing the attack and ending up exploiting users, the perpetrators managed to put themselves into an upper-hand position over months.
It is essential to understand that, in general, the nature of cyber risks faced by the crypto industry is changing. In addition to the usual vulnerabilities, cybercriminals now apply high-tech approaches, such as social engineering and networking, to gain the necessary trust.
Thus, it should be said that Drift is a lesson for the whole industry since the most dangerous cyber attacks are not the ones when the code is breached, but when attackers are prepared to make big attempts for months.