April 05, 2026 ChainGPT

Drift: $270M Heist Was Six‑Month North Korean Intelligence Operation Targeting Multisig

Drift says the $270M heist was a six‑month North Korean intelligence operation

Drift Protocol says the $270 million drain of its vaults on April 1 was the culmination of a six‑month intelligence operation by a North Korea–linked group, according to a detailed incident update published by the team. The report lays out a slow, deliberate campaign of relationship‑building, in‑person meetings, technical infiltration and, ultimately, the theft of pre‑signed multisig transactions.

What happened — timeline at a glance

- Fall 2025: Attackers first made contact at a major crypto conference, posing as a quantitative trading firm looking to integrate with Drift. They presented verifiable professional backgrounds, technical fluency and a clear understanding of the protocol.
- Fall 2025–Spring 2026: A Telegram group and months of standard onboarding conversations followed, including discussions of trading strategies and vault integrations.
- Dec 2025–Jan 2026: The group onboarded an Ecosystem Vault, held multiple working sessions with Drift contributors, deposited more than $1 million of their own capital and established an operational presence inside the ecosystem.
- Feb–Mar 2026: Drift contributors met members of the group face‑to‑face at several industry conferences across different countries.
- April 1, 2026: Dormant, pre‑signed multisig transactions were executed, enabling a durable‑nonce style exploit that drained $270 million in under a minute.

How they breached defenses

Drift says the compromise used two main vectors:

1) A TestFlight app the attackers presented as a wallet product. TestFlight distributes pre‑release iOS apps and bypasses App Store review, making it an attractive channel for delivering a convincing malicious client.
2) A repository compromise rooted in a widely‑flagged vulnerability in popular code editors (VSCode and Cursor). The flaw allowed silent arbitrary code execution merely by opening a file or folder in the editor — no prompts, warnings or user action required.

Once devices used by trusted contributors were compromised, the attackers were able to obtain the multisig approvals needed to execute the stored transactions. Those pre‑signed transactions had been sitting dormant for more than a week before the April 1 execution that emptied the vaults.

Attribution: UNC4736 (AppleJeus / Citrine Sleet)

Drift attributes the operation to UNC4736 — a group tracked under names such as AppleJeus and Citrine Sleet — based on on‑chain fund flows that trace back to the Radiant Capital attackers and on operational overlaps with known DPRK‑linked personas. Drift notes that the people who met contributors in person were not North Korean nationals; high‑level DPRK actors are known to use third‑party intermediaries with fully constructed identities and employment histories to pass due diligence.

Why this matters for DeFi security

Drift’s update raises uncomfortable questions for an industry that relies heavily on multisig governance:

- The attackers invested months and more than $1 million to build trust, meet teams in person, contribute real capital and sit dormant until execution — a model specifically designed to defeat superficial due diligence.
- The path through everyday developer tools and a TestFlight app shows how small, user‑level vectors — device compromise, developer IDEs, pre‑release apps — can cascade into catastrophic protocol losses.
- Drift urges protocols to audit access controls, treat every device that can sign multisig approvals as a potential target, and re‑examine assumptions about what onboarding and on‑chain signals of legitimacy actually mean.

In short: if adversaries are willing to run costly, patient intelligence campaigns that blend real capital, in‑person contact and deep technical subterfuge, DeFi teams must assume trusted access equals a threat vector and harden both human and technical attack surfaces accordingly.
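The dormant pre‑signed transactions described above are the kind of standing liability a signing team can audit for. The following is an added example, not Drift's code: a constructed model of a multisig queue using Solana‑style durable nonces, with a check that flags fully approved but unbroadcast transactions and stale partial ones, plus a simulated nonce advance that invalidates everything bound to a nonce account. All names, thresholds and sample data are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Constructed model (not Drift's code) of pre-signed multisig transactions built on
# Solana-style durable nonces: a signed tx stays valid, however long it sits, until
# the nonce account it references is advanced. Names and thresholds are assumptions.
@dataclass
class PendingTx:
    tx_id: str
    nonce_account: str
    created_at: datetime
    approvals: set = field(default_factory=set)
    executed: bool = False
    invalidated: bool = False

@dataclass
class Policy:
    required_approvals: int
    max_dormancy: timedelta  # how long a partially signed tx may wait

def audit_pending(queue, policy, now):
    """Map tx_id -> finding for pre-signed transactions that should not be left sitting."""
    findings = {}
    for tx in queue:
        if tx.executed or tx.invalidated:
            continue
        if len(tx.approvals) >= policy.required_approvals:
            # Fully signed but never broadcast: anyone holding the bytes can fire it at will.
            findings[tx.tx_id] = "fully approved but unexecuted"
        elif now - tx.created_at > policy.max_dormancy:
            findings[tx.tx_id] = "dormant beyond TTL"
    return findings

def advance_nonce(queue, nonce_account):
    """Simulate advancing a nonce account: every unexecuted tx bound to it becomes unbroadcastable."""
    killed = []
    for tx in queue:
        if tx.nonce_account == nonce_account and not (tx.executed or tx.invalidated):
            tx.invalidated = True
            killed.append(tx.tx_id)
    return killed

DEMO_NOW = datetime(2026, 4, 1, tzinfo=timezone.utc)
DEMO_POLICY = Policy(required_approvals=3, max_dormancy=timedelta(days=1))

def sample_queue(now):
    # Constructed sample: a fully approved tx signed 9 days ago, a fresh partial, a stale partial.
    return [
        PendingTx("tx-old", "nonceA", now - timedelta(days=9), {"alice", "bob", "carol"}),
        PendingTx("tx-new", "nonceB", now - timedelta(hours=2), {"alice"}),
        PendingTx("tx-stale-partial", "nonceA", now - timedelta(days=3), {"bob"}),
    ]
```

Running the audit over `sample_queue(DEMO_NOW)` flags the nine‑day‑old fully approved transaction and the stale partial one; advancing `nonceA` removes both from the live set.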