What to know:
- A North Korean state-linked group spent roughly six months infiltrating Drift Protocol under the guise of a quantitative trading firm before executing a $270 million exploit on April 1.
- The attackers built trust by meeting Drift contributors at conferences, depositing more than $1 million, and integrating an Ecosystem Vault, then compromised devices via a malicious TestFlight app and a VSCode/Cursor vulnerability to obtain multisig approvals.
- Investigators attributed the attack to UNC4736, also known as AppleJeus or Citrine Sleet, and Drift warned that such long-con, identity-rich operations expose deep weaknesses in multisig-based security models across DeFi.
Drift Protocol lost $270 million in a recent hack, but investigators have linked the attack to a North Korean state-sponsored group. The team revealed that this group spent six months planning and carrying out the exploit, as detailed in an update released Sunday.
The attackers initially connected with the team around fall 2025 at a large cryptocurrency conference, claiming to be a trading company interested in working with Drift.
According to Drift's account, the group was clearly skilled with the technology, had solid professional credentials that could be verified, and demonstrated a good understanding of how the protocol worked. A Telegram group was set up, and over the following months there were in-depth discussions about trading strategies and integrating with Drift's vaults – exactly the kind of interactions typically seen when onboarding new trading firms in the DeFi space.
From December 2025 to January 2026, the group established a secure fund (an Ecosystem Vault) on Drift. They collaborated with other members through several workshops, contributed over $1 million of their own funds, and successfully began operating within the platform’s environment.
Throughout February and March, the people who worked on Drift had the chance to meet members of the group in person at several large industry events held in different countries. By the time the attack happened on April 1st, they had been building a relationship for almost six months.
The compromise appears to have come through two vectors.
A contributor installed a TestFlight app – Apple’s system for distributing pre-release versions of apps, which bypasses the usual App Store review – that they believed was a digital wallet.
Drift also identified a security flaw in VSCode and Cursor, popular code editors, that had been known to security experts since late 2025. This vulnerability allowed malicious code to run automatically just by opening a file or folder, without any warning or user interaction.
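The page does not say which editor mechanism was abused, so the following is an added, generic pre-open check rather than Drift's code or a reproduction of the flaw: before opening a folder received from a third party, it scans the editor configuration files the editor consults on open for hooks that run commands or repoint executables. It assumes the documented VS Code behaviour that a task in `.vscode/tasks.json` with `"runOn": "folderOpen"` runs when the workspace is trusted, and that settings such as `git.path` can redirect the editor to an arbitrary binary; the watch-list of keys and the sample workspace are constructed for this example.

```python
"""Pre-open scan of a workspace folder for editor auto-run hooks.

Added example, not code from Drift or the article, and not a claim about
which mechanism the attackers used. It flags configuration that can cause
code to run or change which binaries the editor invokes as soon as a
folder is opened, so a reviewer can inspect it before trusting the folder.
"""
import json
import re
import tempfile
from pathlib import Path

# Settings keys that point the editor at an executable. Constructed
# watch-list for this example; prefixes match real VS Code settings.
EXECUTABLE_SETTINGS = (
    "git.path",
    "python.defaultInterpreterPath",
    "terminal.integrated.automationProfile",
    "terminal.integrated.profiles",
    "terminal.integrated.defaultProfile",
)


def load_jsonc(path):
    """Parse the JSON-with-comments dialect used by editor config files.

    Only whole-line // comments, block comments and trailing commas are
    stripped, so URLs inside string values survive.
    """
    text = path.read_text(encoding="utf-8")
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r",\s*([}\]])", r"\1", text)
    return json.loads(text)


def scan_tasks(path):
    """Flag tasks configured to run automatically when the folder opens."""
    findings = []
    for task in load_jsonc(path).get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            findings.append({
                "file": str(path),
                "label": task.get("label"),
                "command": task.get("command"),
                "reason": "task runs automatically on folder open",
            })
    return findings


def scan_settings(path):
    """Flag workspace settings that redirect the editor to a binary."""
    findings = []
    for key, value in load_jsonc(path).items():
        if key.startswith(EXECUTABLE_SETTINGS):
            findings.append({
                "file": str(path),
                "key": key,
                "value": value,
                "reason": "workspace setting overrides an executable path",
            })
    return findings


def scan_workspace(root):
    """Return all findings for a folder; an empty list means nothing flagged."""
    root = Path(root)
    findings = []
    tasks = root / ".vscode" / "tasks.json"
    settings = root / ".vscode" / "settings.json"
    if tasks.is_file():
        findings += scan_tasks(tasks)
    if settings.is_file():
        findings += scan_settings(settings)
    return findings


def build_demo_workspace(root):
    """Write a constructed workspace showing both patterns (example data)."""
    vs = Path(root) / ".vscode"
    vs.mkdir(parents=True, exist_ok=True)
    (vs / "tasks.json").write_text(json.dumps({
        "version": "2.0.0",
        "tasks": [
            {"label": "build", "type": "shell", "command": "make"},
            {"label": "bootstrap", "type": "shell",
             "command": "sh ./scripts/setup.sh",
             "runOptions": {"runOn": "folderOpen"}},
        ],
    }))
    (vs / "settings.json").write_text(
        '{\n  // constructed example\n  "editor.tabSize": 2,\n'
        '  "git.path": "./tools/git",\n}\n')


def demo():
    """Scan the constructed workspace and return its findings."""
    with tempfile.TemporaryDirectory() as d:
        build_demo_workspace(d)
        return scan_workspace(d)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against any folder with `scan_workspace(path)` before opening that folder in the editor; the demo workspace yields two findings, one for the `bootstrap` task and one for the `git.path` override. The check is deliberately narrow and complements, rather than replaces, opening untrusted folders in restricted mode.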
After gaining access to the system, the attackers were able to get the necessary approvals to carry out the complex attack CoinDesk recently explained. These pre-authorized transactions remained inactive for over a week, but were then used on April 1st to steal $270 million from the protocol’s funds in less than a minute.
Security researchers believe a North Korean hacking group, known as UNC4736, AppleJeus, or Citrine Sleet, is responsible. This conclusion is based on the movement of stolen funds – which can be traced back to the attackers of Radiant Capital – and similarities in how this group operates compared to other known North Korean hackers.
Those who attended the conferences in person were not citizens of North Korea. North Korean cyber operatives at this sophisticated level typically use outside individuals – people with complete, fabricated backgrounds, including jobs and professional connections – to avoid detection during background checks.
As a researcher, I’ve been following the recent recommendations from Drift, which is strongly advising all multisig protocols to thoroughly review their access controls. Their key point is that *any* device interacting with a multisig wallet should be considered a potential vulnerability. Honestly, this is a bit concerning because so much of the crypto space relies on multisig as a core security feature, and this highlights a potentially widespread weakness we need to address.
If attackers are patient and resourceful enough to invest six months and a million dollars into establishing a genuine foothold within a system – building relationships, contributing funds, and waiting for the right moment – it becomes incredibly difficult for any security system to detect them. The real challenge is designing security that can withstand that level of dedication.
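Two of the controls the account above points at can be checked mechanically: approvals that sit unexecuted for days (the pre-authorized transactions here idled for over a week) and approvals coming from a device the signer has never used before. The review below is an added example, not Drift's code and not tied to any particular multisig implementation; it assumes the operator can export pending transactions with per-signer approval timestamps and the device each approval came from, and all field names and sample data are constructed.

```python
"""Hygiene review of pending multisig transactions.

Added example, not Drift's code. Assumes an export of pending transactions
carrying, for each approval, the signer, the signing device and the time of
signature; these fields and the sample data below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Approval:
    signer: str
    device_id: str
    signed_at: datetime


@dataclass
class PendingTx:
    tx_id: str
    proposed_at: datetime
    approvals: list = field(default_factory=list)


def review_pending(txs, threshold, known_devices, now,
                   max_approval_age=timedelta(hours=24)):
    """Return (tx_id, reason) alerts for the pending set.

    - approvals older than max_approval_age are reported as void and must
      be re-signed rather than left usable indefinitely;
    - an approval from a device not previously enrolled for that signer is
      reported, because the device, not only the key, is the trust boundary;
    - a transaction whose live approvals already meet the threshold but
      which has not been executed is reported so it is executed or cancelled
      now instead of lying dormant.
    """
    alerts = []
    for tx in txs:
        live = [a for a in tx.approvals
                if now - a.signed_at <= max_approval_age]
        expired = len(tx.approvals) - len(live)
        if expired:
            alerts.append((tx.tx_id,
                           f"{expired} approval(s) older than "
                           f"{max_approval_age}; treat as void and re-sign"))
        for a in tx.approvals:
            if a.device_id not in known_devices.get(a.signer, set()):
                alerts.append((tx.tx_id,
                               f"approval by {a.signer} from unrecognised "
                               f"device {a.device_id}"))
        if len(live) >= threshold:
            alerts.append((tx.tx_id,
                           "threshold reached but not executed: "
                           "execute or cancel now"))
    return alerts


def demo():
    """Run the review over a constructed 3-signer pending set."""
    utc = timezone.utc
    now = datetime(2026, 4, 1, tzinfo=utc)  # constructed reference time
    known_devices = {
        "alice": {"alice-laptop"},
        "bob": {"bob-phone"},
        "carol": {"carol-laptop"},
    }
    week_ago = now - timedelta(days=9)
    txs = [
        # Fully approved nine days ago, never executed, one approval from an
        # unenrolled device: two alerts, and no "ready" alert because every
        # approval is past its age limit.
        PendingTx("tx-A", week_ago, [
            Approval("alice", "alice-laptop", week_ago),
            Approval("bob", "bob-phone", week_ago),
            Approval("carol", "unknown-mac", week_ago),
        ]),
        # Fresh, partially approved from a known device: nothing to report.
        PendingTx("tx-B", now - timedelta(hours=3), [
            Approval("alice", "alice-laptop", now - timedelta(hours=2)),
        ]),
        # Fresh and already at threshold but still sitting: one alert.
        PendingTx("tx-C", now - timedelta(hours=2), [
            Approval("bob", "bob-phone", now - timedelta(hours=1)),
            Approval("carol", "carol-laptop", now - timedelta(hours=1)),
        ]),
    ]
    return review_pending(txs, threshold=2, known_devices=known_devices,
                          now=now, max_approval_age=timedelta(days=1))


if __name__ == "__main__":
    for tx_id, reason in demo():
        print(tx_id, "-", reason)
```

The 24-hour expiry is a policy choice, not a protocol feature; on a multisig whose contract does not expire signatures, the operational equivalent is to cancel and re-propose anything flagged as expired, and to treat a new signing device as a re-enrolment event that requires out-of-band confirmation.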
2026-04-05 15:27