A recent intelligence update reveals that a sophisticated $270 million exploit of the Drift Protocol was executed by a North Korean state-affiliated group, following a complex six-month intelligence operation. The attack was meticulously planned, beginning with the group’s initial contact at a significant crypto conference in the fall of 2025, where they posed as a quantitative trading firm interested in integrating with Drift.
The attackers displayed considerable technical expertise, showcasing verifiable professional backgrounds while engaging in lengthy discussions about trading strategies and vault integrations—conversations typical of legitimate trading firm engagements with decentralized finance (DeFi) protocols. As the relationship developed, a Telegram group was set up for ongoing communications. Between December 2025 and January 2026, the group successfully onboarded an Ecosystem Vault within Drift, participated in several working sessions with contributors, and even invested over $1 million of their own capital, establishing a credible operational presence within the ecosystem.
The subterfuge allowed the attackers to build substantial rapport, meeting Drift contributors face-to-face at various high-profile industry conferences throughout February and March. This groundwork laid a convincing foundation that facilitated their ultimate attack on April 1, nearly six months after they had first made contact.
The compromise occurred via two primary vectors. The first involved the group’s use of a TestFlight application, Apple’s mechanism for distributing pre-release software outside the standard App Store review process. They presented this application as their wallet product. The second vector exploited a known vulnerability in widely used code editors (VSCode and Cursor) that allows arbitrary code execution simply by opening a file or folder. This vulnerability had been flagged by the security community since late 2025.
Once the attackers compromised the relevant devices, they gained unauthorized access to the multisig approvals necessary for executing a durable nonce attack. A durable nonce lets a transaction be signed without a recent blockhash, so it does not expire and can be broadcast at a time of the attacker’s choosing. These pre-signed transactions remained dormant for over a week before being executed on April 1, draining $270 million from Drift’s vaults in less than a minute.
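Drift runs on Solana, where a durable-nonce transaction is recognisable because its first instruction is the System Program’s AdvanceNonceAccount and the “recent blockhash” field carries the nonce value instead. The check below is an added example, not code from the article or from Drift: a pre-signing review step that flags such a transaction so multisig approvers know it will stay valid indefinitely. The parser, the helper names and the sample message are all constructed for this illustration.

```python
# Flag Solana durable-nonce transactions before a multisig signer approves them.
# Such a transaction begins with SystemProgram::AdvanceNonceAccount and never
# expires, so it can be broadcast long after it was signed (constructed example).
SYSTEM_PROGRAM = bytes(32)                      # 1111...1111 is the all-zero key
ADVANCE_NONCE = (4).to_bytes(4, "little")       # SystemInstruction variant 4

def _compact_u16(buf, pos):
    """Decode Solana's compact-u16 length prefix; returns (value, new_pos)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]; pos += 1
        value |= (b & 0x7F) << shift
        if b & 0x80 == 0:
            return value, pos
        shift += 7

def parse_legacy_message(msg):
    """Minimal parser for a legacy (non-versioned) Solana message."""
    pos = 3                                     # skip the 3-byte signer-count header
    n_keys, pos = _compact_u16(msg, pos)
    keys = [msg[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = msg[pos:pos + 32], pos + 32  # nonce value for durable-nonce txs
    n_ix, pos = _compact_u16(msg, pos)
    instructions = []
    for _ in range(n_ix):
        prog = keys[msg[pos]]; pos += 1
        n_acc, pos = _compact_u16(msg, pos)
        accounts, pos = list(msg[pos:pos + n_acc]), pos + n_acc
        n_data, pos = _compact_u16(msg, pos)
        data, pos = msg[pos:pos + n_data], pos + n_data
        instructions.append((prog, accounts, data))
    return keys, blockhash, instructions

def uses_durable_nonce(msg):
    """True if the first instruction is SystemProgram::AdvanceNonceAccount."""
    _, _, ixs = parse_legacy_message(msg)
    return bool(ixs) and ixs[0][0] == SYSTEM_PROGRAM and ixs[0][2] == ADVANCE_NONCE

def _constructed_message(with_nonce):
    """Build a sample message: signer, nonce account, recent-blockhashes sysvar,
    system program; then an optional nonce advance followed by a transfer."""
    keys = [bytes([1]) * 32, bytes([2]) * 32, bytes([3]) * 32, SYSTEM_PROGRAM]
    ixs = []
    if with_nonce:  # program idx 3, accounts [nonce, sysvar, authority], 4 data bytes
        ixs.append(bytes([3, 3, 1, 2, 0, 4]) + ADVANCE_NONCE)
    ixs.append(bytes([3, 2, 0, 1, 12]) + (2).to_bytes(4, "little")
               + (1000).to_bytes(8, "little"))  # Transfer(lamports=1000)
    return (bytes([1, 0, 2]) + bytes([len(keys)]) + b"".join(keys)
            + bytes([9]) * 32 + bytes([len(ixs)]) + b"".join(ixs))
```

A review tool would run `uses_durable_nonce` on every proposal and require an explicit acknowledgement from each approver when it returns True.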
Attribution for the attack points to UNC4736, a North Korean state-affiliated group also known as AppleJeus or Citrine Sleet. This assessment is supported by on-chain fund flow patterns linking the exploit back to previous attacks associated with Radiant Capital, along with operational similarities to other known DPRK-linked individuals. Interestingly, the perpetrators who interacted with Drift at the conferences were not nationals of North Korea; they are believed to be high-level DPRK operatives using third-party intermediaries with well-crafted identities and professional histories designed to withstand scrutiny.
In the aftermath, Drift has called upon other protocols to reassess their access controls, emphasizing that any device interacting with a multisig setup constitutes a potential vulnerability. This alarming incident raises significant concerns regarding the security framework relied upon by the DeFi ecosystem, particularly given that attackers are now willing to invest considerable time and resources—six months and a million dollars—to craft a façade of legitimacy, fostering relationships and penetrating systems before executing large-scale fraud. The central question now lingers: what security model can deter such sophisticated and multifaceted threats in the future?