Drift Protocol hacked for $280 million, official account
The Drift Protocol team published a detailed account of the incident, attributing the loss of about $280 million to a months-long campaign.
Timeline and preparation
According to the report, adversaries prepared the attack for roughly six months before exploiting the protocol and withdrawing funds.
During the preparation phase, the attackers posed as a trading firm, established contacts at conferences, and engaged with team members over messaging platforms.
Social engineering and initial compromise
The attackers aimed to build credibility by investing more than $1 million in on-chain activity and demonstrating operational behavior to the Drift team.
Once trust was established, they supplied a repository containing malicious files; merely opening a supplied file triggered the exploit chain.
The compromise leveraged vulnerabilities in popular development tools, specifically VS Code and Cursor, which allowed the payload to execute on developer machines.
Exfiltration and cleanup
Following the successful compromise, the attackers moved approximately $280 million out of the protocol and removed chat logs and other traces of their actions.
Attribution
The investigation states that, with high probability, the operation is linked to a group associated with North Korea, based on technical indicators and behavioral patterns.
Response and implications
Drift Protocol published the findings to inform the community and to guide mitigations against similar social engineering and toolchain risks.