Drift is now painting a clearer picture of how its $280 million exploit took shape, and it was not a quick smash-and-grab.
According to the protocol’s latest update, the breach was linked to a long-running social engineering campaign that allegedly began around fall 2025. Drift said the individuals behind the operation presented themselves as a quant trading firm and first approached contributors at a major crypto conference, where they expressed interest in building on or integrating with the protocol.
That first contact did not end with a handshake. Drift said a Telegram group was created soon after the meeting, giving the supposed counterparties a direct line to contributors. From there, the relationship appears to have deepened over time.
The protocol said the same individuals continued meeting Drift contributors in person at industry events across multiple countries over the following months. In other words, this was not just wallet phishing dressed up in a new format. It looked more like a slow trust-building op, one that leaned on the kind of real-world networking crypto teams do all the time.
That detail lands differently in this market. Crypto has seen plenty of exploits tied to compromised keys, malicious links or front-end attacks. This one, at least by Drift’s account, seems to have started with social access.
Drift said it believes the operation was run by suspected North Korean actors, adding a more serious geopolitical edge to what is already one of the larger exploit stories in crypto this year.
The update suggests the exploit was not only technical in nature but also deeply human. The attackers apparently spent months building credibility before the breach surfaced. For teams across the space, especially those active on the conference circuit, that is likely the part that hits hardest.

