Drift Protocol was hacked for $270 million on April 1 after a North Korean state-affiliated group spent roughly six months quietly working its way inside the platform.
The attackers first made contact at a major crypto conference in fall 2025. They posed as a quantitative trading firm and came prepared — technically fluent, with verifiable professional backgrounds and a clear understanding of how Drift worked.

A Telegram group was set up, and months of conversations followed. The topics were standard for any trading firm looking to work with a DeFi protocol: vault integrations, trading strategies, and operational details.
Between December 2025 and January 2026, the group formally onboarded an Ecosystem Vault on Drift. They held multiple working sessions with contributors and deposited over $1 million of their own capital to appear legitimate.
Drift team members met individuals from the group face to face at conferences in several countries through February and March 2026. By April 1, the relationship was nearly six months old.
The attack came through two entry points. First, one team member downloaded a TestFlight app — Apple’s pre-release distribution platform, which bypasses App Store security review — that the group presented as their wallet product.
Second, the attackers exploited a known vulnerability in VSCode and Cursor, two widely used code editors. Simply opening a file in either editor was enough to silently run malicious code on the device, with no warning shown to the user.
Once they had access to compromised devices, the attackers gathered what they needed to obtain two multisig approvals. Those pre-signed transactions sat dormant for more than a week before being triggered on April 1, draining $270 million in under a minute.
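The dormant-approval window described above points at one concrete control: treat a multisig approval as void once it is older than a fixed age, so that a pre-signed transaction cannot sit for a week and then execute. The following check is an added example written for this page, not Drift's code or any real multisig implementation; signer names, thresholds and the sample transaction are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Approval:
    signer: str
    signed_at: datetime  # when the signer produced this approval (UTC)


@dataclass
class PendingTx:
    tx_id: str
    amount_usd: float
    approvals: list = field(default_factory=list)


def execution_check(tx, now, quorum, max_approval_age, large_tx_usd):
    """Return (ok, reasons) for a queued multisig transaction.

    ok is True only when the quorum is met by approvals younger than
    max_approval_age. Stale approvals are reported and must be re-signed;
    transfers at or above large_tx_usd are additionally held for
    out-of-band signer confirmation regardless of approval freshness."""
    reasons = []
    fresh = [a for a in tx.approvals if now - a.signed_at <= max_approval_age]
    stale = [a for a in tx.approvals if now - a.signed_at > max_approval_age]
    for a in stale:
        age = now - a.signed_at
        reasons.append(f"{a.signer}: approval is {age.days}d old, "
                       f"limit is {max_approval_age.days}d; must re-sign")
    if len(fresh) < quorum:
        reasons.append(f"only {len(fresh)} fresh approvals, quorum is {quorum}")
    if tx.amount_usd >= large_tx_usd:
        reasons.append(f"amount ${tx.amount_usd:,.0f} is at or above "
                       f"${large_tx_usd:,.0f}; require out-of-band confirmation")
    ok = len(fresh) >= quorum and tx.amount_usd < large_tx_usd
    return ok, reasons


# Constructed scenario: two approvals signed 8-9 days before the execution date.
NOW = datetime(2026, 4, 1, tzinfo=timezone.utc)
DORMANT_TX = PendingTx("constructed-tx-1", 270_000_000.0, [
    Approval("signer-a", NOW - timedelta(days=9)),
    Approval("signer-b", NOW - timedelta(days=8)),
])

if __name__ == "__main__":
    # Without an expiry policy the dormant approvals satisfy quorum and execute.
    print(execution_check(DORMANT_TX, NOW, 2, timedelta(days=365), 1e12))
    # With a 3-day TTL and a $1M review threshold the same transaction is held.
    print(execution_check(DORMANT_TX, NOW, 2, timedelta(days=3), 1_000_000))
```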
The attack has been attributed to UNC4736, also tracked as AppleJeus or Citrine Sleet. On-chain fund flows tied back to the Radiant Capital hack of October 2024, which was also linked to North Korea. The individuals who physically appeared at conferences were not North Korean nationals — DPRK-linked groups are known to use third-party intermediaries with fully constructed identities.
Crypto attorney Ariel Givner said the incident may qualify as civil negligence. She said basic security procedures — such as keeping signing keys on air-gapped systems and doing due diligence on developers met at conferences — were not followed.
Drift said it has “medium-high confidence” the same actors carried out the October 2024 Radiant Capital hack, where malware was delivered via Telegram from someone posing as an ex-contractor.
The post North Korean Hackers Spent Six Months Infiltrating Drift Protocol Before $270 Million Heist appeared first on CoinCentral.