PANews reported on April 5th that Drift released an updated investigation into the attack, indicating that the operation was carried out by the same threat actors behind the Radiant Capital hack in October 2024, with highly similar on-chain fund flows and operational methods. Mandiant attributed the Radiant Capital hack to UNC4736, an organization linked to the North Korean government.
Furthermore, this attack was meticulously planned over six months. Starting in the fall of 2025, a group posing as a "quantitative trading company" proactively contacted Drift contributors at multiple international crypto conferences. They established a Telegram group and engaged in in-depth business discussions and strategy exchanges for six months, even launching an Ecosystem Vault on Drift with $1 million in real funds. After multiple face-to-face meetings to build trust, they shared links and tools, and the intrusion ultimately appears to have been completed through a malicious code repository and a beta wallet app (TestFlight). Following the attack, all related chat logs and malware were thoroughly removed.
The investigation is ongoing, and these findings are preliminary. All remaining protocol functionality has been frozen, and the compromised wallet has been removed from multi-signature authentication. The attacker's wallet has been flagged by exchanges and cross-chain bridge operators.
Previous reports indicated that Drift suffered losses exceeding $285 million in the attack.

