Incident Background Update
2026-04-05 • Drift Protocol
Drift describes an April 2026 compromise that followed months of relationship-building by personas posing as a quantitative trading firm seeking protocol integration. The attackers allegedly engaged Drift contributors at conferences, created a Telegram group, onboarded an Ecosystem Vault, deposited over $1 million, and shared links to projects, tools, and apps during normal business interactions. Potential intrusion vectors included a cloned repository presented as a vault frontend and a TestFlight application presented as a wallet product, with one repository-based scenario involving silent code execution through a VSCode/Cursor issue. SEALS 911 assessed with medium-high confidence that the operation was carried out by actors linked to the Radiant Capital hack, which Mandiant attributed to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet; Mandiant had not formally attributed the Drift exploit at the time of the update. The case highlights long-duration social engineering against crypto teams, multisig access, contributor devices, and trusted business-development workflows.