“Crypto teams are now facing adversaries that operate more like intelligence units than hackers, and most organizations are not structurally prepared for that level of threat,” Michael Pearl, VP of Strategy at blockchain security firm Cyvers, told Decrypt.
Drift said the group first approached contributors at a major crypto conference last fall, presenting as a quantitative trading firm seeking to integrate with the protocol.
Over months, the group built trust through in-person meetings and Telegram coordination, onboarded an Ecosystem Vault on Drift, and made a $1 million vault deposit of their own capital, only to vanish, with chats and malware “completely scrubbed” when the exploit hit.
The DEX said the intrusion may have involved a malicious code repository, a fake TestFlight app, and a VSCode/Cursor vulnerability that enabled silent code execution without user interaction.
Drift said the individuals who met contributors in person were not North Korean nationals, noting that DPRK-linked actors often rely on third-party intermediaries for “face-to-face engagement.”
Onchain fund flows and overlapping personas point to DPRK-linked actors, according to incident responders SEAL 911, though Mandiant has yet to confirm attribution pending forensics, the platform noted.
Security researcher @tayvano_, one of the experts whom Drift credited for assistance in identifying the malicious actors, suggested the exposure extends well beyond this incident.
Industry implications

"Drift and Bybit highlight the same pattern — signers were not directly compromised at the protocol level, they were tricked into approving malicious transactions," Pearl noted. "The core issue is not the number of signers, but the lack of understanding of transaction intent."
“Security must shift to pre-transaction validation at the blockchain level, where transactions are independently simulated and verified before execution,” Pearl said, adding that once attackers control what users see, the only effective defense is validating what a transaction actually does, regardless of the interface.
On developer tools as an attack surface, Lavid said the assumption has to change from the ground up.
"You have to assume the endpoint is compromised," he told Decrypt, pointing to IDEs, code repositories, mobile apps, and signer environments as increasingly common entry points.
“If these foundational tools are vulnerable, anything shown to the user—including transactions—can be manipulated,” the expert said, noting this “fundamentally breaks traditional security assumptions,” leaving teams unable to trust “the interface, the device, or even the signing flow.”