April 05, 2026 ChainGPT

Drift: $270M Multisig Heist Fueled by Six‑Month North Korean Intel Operation

Drift: $270M heist was a six-month North Korean intelligence operation

Drift Protocol says the $270 million exploit that emptied its vaults on April 1 was not a quick hack but the culmination of a deliberate six-month intelligence operation tied to a North Korean state-affiliated group.

How the operation unfolded

- Initial contact: The attackers first approached Drift around fall 2025 at a major crypto conference, posing as a quantitative trading firm seeking integration. They presented polished, verifiable professional profiles, demonstrated deep technical knowledge of the protocol, and entered a Telegram group for ongoing discussions, behavior that mirrored legitimate trading firms onboarding to DeFi ecosystems.
- Building trust: Between December 2025 and January 2026 the group formally onboarded an Ecosystem Vault on Drift, ran multiple working sessions with contributors, deposited over $1 million of their own capital, and established an operational presence inside the community. Drift contributors met members of the group in person at several industry conferences across multiple countries through February and March. By April 1 the relationship had lasted nearly six months.
- The compromise: Drift says the attackers used two main vectors to compromise devices. One was a TestFlight application the group distributed as a wallet product; TestFlight bypasses Apple's App Store security review for pre-release apps. The other exploited a known vulnerability in widely used code editors, VSCode and Cursor, flagged by the security community since late 2025. That vulnerability allowed arbitrary code execution simply by opening a file or folder, with no prompts or warnings.
- From compromise to heist: Once devices were infected, the attackers obtained the two multisig approvals needed to carry out a "durable nonce" attack previously detailed by CoinDesk. The attackers had pre-signed transactions that sat dormant for more than a week before they were executed on April 1, draining $270 million from Drift's vaults in under a minute.

Attribution and operational tradecraft

Drift attributes the operation to UNC4736, a group also tracked as AppleJeus or Citrine Sleet, based on on-chain fund flows that trace back to the Radiant Capital attackers and operational overlaps with DPRK-linked personas. Notably, the individuals who met Drift teams in person were not North Korean nationals; Drift warns this aligns with DPRK tradecraft, which commonly uses third-party intermediaries with fully constructed identities, employment histories, and professional networks designed to pass diligence.

Implications for DeFi security

Drift urged other protocols to immediately audit access controls and to treat every device that touches a multisig as a potential attack surface. The incident highlights a stark problem for an industry that relies heavily on multisig governance: attackers can spend months and real capital to build legitimacy, meet teams face-to-face, and patiently wait for the right moment. If adversaries are willing to mount sustained, well-funded intelligence operations, DeFi projects must rethink trust models and harden device-level security and operational controls around signers and contributors.

What to watch next

Expect increased scrutiny of multisig workflows, tighter device hygiene requirements for signers, and renewed interest in defenses against supply-chain and editor-based code execution vulnerabilities. Protocols will also likely revisit onboarding and in-person diligence practices, balancing openness to legitimate partners with protections against sophisticated, long-term threat actors.
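The "durable nonce" attack described above works because of a Solana feature: a transaction whose first instruction is the System Program's AdvanceNonceAccount stays valid until that nonce account is advanced, instead of expiring after the usual recent-blockhash window. That is what let signatures collected during the compromise sit dormant for over a week. The check below is an added example for a signer's pre-approval tooling; it is not Drift's, CoinDesk's or any vendor's code. It assumes a simplified, constructed transaction representation (a list of instructions, each with a base58 program id and raw data bytes) rather than the Solana wire format, and the Drift program id in the sample is a placeholder. The System Program id and the discriminant value 4 for AdvanceNonceAccount are the real on-chain encoding.

```python
"""
Pre-signature review check: flag Solana transactions that use a durable nonce.

A durable-nonce transaction must carry System Program AdvanceNonceAccount as
its FIRST instruction. Such a transaction never expires, so a multisig
approval given today can be broadcast days or weeks later. Review tooling
should surface that property before a signer approves.

Transaction structure here is a constructed simplification, not the wire
format: each instruction is a program id (base58 string) plus data bytes.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"

# System Program instruction discriminants (bincode enum index, u32 LE).
TRANSFER = 2
ADVANCE_NONCE_ACCOUNT = 4


@dataclass
class Instruction:
    program_id: str
    data: bytes


@dataclass
class Transaction:
    instructions: List[Instruction]


def system_instruction_index(ix: Instruction) -> Optional[int]:
    """Return the System Program discriminant for ix, or None if ix is not a
    System Program instruction or its data is too short to carry one."""
    if ix.program_id != SYSTEM_PROGRAM_ID or len(ix.data) < 4:
        return None
    return struct.unpack("<I", ix.data[:4])[0]


def uses_durable_nonce(tx: Transaction) -> bool:
    """True when the transaction is a valid durable-nonce transaction, i.e. its
    first instruction is AdvanceNonceAccount."""
    if not tx.instructions:
        return False
    return system_instruction_index(tx.instructions[0]) == ADVANCE_NONCE_ACCOUNT


def review_findings(tx: Transaction) -> List[str]:
    """Produce review findings a signer should see before approving."""
    findings = []
    if uses_durable_nonce(tx):
        findings.append(
            "DURABLE_NONCE: transaction does not expire; it can be broadcast "
            "at any time after the required signatures are collected"
        )
    # AdvanceNonceAccount anywhere but position 0 does not make the
    # transaction durable, but it is unusual enough to surface as well.
    for i, ix in enumerate(tx.instructions[1:], start=1):
        if system_instruction_index(ix) == ADVANCE_NONCE_ACCOUNT:
            findings.append(f"NONCE_ADVANCE_AT_{i}: AdvanceNonceAccount outside first position")
    return findings


def encode_system_ix(index: int, payload: bytes = b"") -> bytes:
    """Encode a System Program instruction: u32 LE discriminant + payload."""
    return struct.pack("<I", index) + payload


# Constructed sample transactions for demonstration.
NORMAL_TX = Transaction([
    Instruction(SYSTEM_PROGRAM_ID, encode_system_ix(TRANSFER, struct.pack("<Q", 1_000_000))),
])

NONCE_TX = Transaction([
    Instruction(SYSTEM_PROGRAM_ID, encode_system_ix(ADVANCE_NONCE_ACCOUNT)),
    # Placeholder program id standing in for a vault program; not a real address.
    Instruction("VaultProgramPlaceholder11111111111111111111", b"\x01withdraw"),
])

if __name__ == "__main__":
    for name, tx in (("normal", NORMAL_TX), ("nonce", NONCE_TX)):
        print(name, review_findings(tx) or ["no findings"])
```

In practice the same check belongs in whatever decodes the transaction for the signer (wallet, multisig front end or a CI gate on proposed transactions), and a DURABLE_NONCE finding should require an explicit second review rather than a routine approval, since the transaction will remain executable until the nonce account is advanced or the authority rotates.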