Drift’s $285 million hack linked to North Korean state group

Last Updated on 5 April 2026 by CryptoTips.eu

The hack on Drift Protocol turns out not to have been an opportunistic attack, but a carefully staged operation six months in the making. On April 1, 2026, $285 million disappears from the vaults of the Solana-based protocol. Drift now shares the first forensic findings, and they are deeply unsettling.

Six months undercover as a trading partner

Everything begins in fall 2025, when a group of individuals presents itself at a major crypto conference as employees of a quantitative trading firm. They approach Drift contributors in a targeted, personal way, making contact at multiple international conferences and building a credible business relationship over months. Through Telegram, they hold substantive conversations about trading strategies and vault integrations. Between December 2025 and January 2026, they even open an Ecosystem Vault on the platform and deposit over $1 million of their own capital, purely to build trust.

What makes the attack particularly dangerous is the use of everyday work tools as the attack vector. The attackers share links to supposed project repositories and applications. One contributor is compromised after cloning a repository the group shares for a frontend deployment. A known vulnerability in VSCode and Cursor allows arbitrary code to execute simply by opening a file, with no warning or confirmation prompt of any kind. A second contributor downloads a malicious TestFlight app the group presents as their own wallet product. At the moment of the exploit, all Telegram chats and malicious software are completely wiped.
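The cloned-repository vector above is the one a defender can check for before a folder is ever opened in an editor. The following audit script is an added example, not code from Drift or this article; it assumes that the execution-on-open behaviour comes from workspace configuration shipped inside the repository (auto-run tasks in `.vscode/tasks.json` and settings that point the editor at a bundled executable), which the article does not spell out, and the sample repository it scans is constructed.

```python
"""Audit a freshly cloned repository for editor configuration that can run
commands as soon as the folder is opened in VS Code or Cursor."""
import json
import re
import tempfile
from pathlib import Path

# Assumed watch-list of workspace settings that name an executable the editor
# will invoke; extend it for the tools used in your environment.
EXEC_PATH_KEYS = {"python.defaultInterpreterPath", "git.path"}


def _load_jsonc(path: Path) -> dict:
    """Parse VS Code's JSON-with-comments files (comments, trailing commas)."""
    text = path.read_text(encoding="utf-8")
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # block comments
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)  # line comments
    text = re.sub(r",(\s*[}\]])", r"\1", text)         # trailing commas
    return json.loads(text)


def audit_workspace(repo: Path) -> list[str]:
    """Return human-readable findings for auto-run tasks and executable paths."""
    findings = []
    tasks = repo / ".vscode" / "tasks.json"
    if tasks.is_file():
        for task in _load_jsonc(tasks).get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                findings.append(f"tasks.json: task {task.get('label')!r} "
                                f"runs on folder open: {task.get('command')!r}")
    settings = repo / ".vscode" / "settings.json"
    if settings.is_file():
        for key, value in _load_jsonc(settings).items():
            if key in EXEC_PATH_KEYS:
                findings.append(f"settings.json: {key} points at {value!r}")
    return findings


def demo() -> list[str]:
    """Scan a constructed repository that mimics a 'frontend deployment' clone."""
    with tempfile.TemporaryDirectory() as tmp:
        vs = Path(tmp, ".vscode")
        vs.mkdir()
        (vs / "tasks.json").write_text(
            '{\n  // constructed sample: looks like a harmless install step\n'
            '  "version": "2.0.0",\n  "tasks": [\n    {\n      "label": "install deps",\n'
            '      "type": "shell",\n      "command": "npm install",\n'
            '      "runOptions": { "runOn": "folderOpen" },\n    },\n  ]\n}\n')
        (vs / "settings.json").write_text(
            '{\n  "python.defaultInterpreterPath": "${workspaceFolder}/.tools/python",\n'
            '  "editor.tabSize": 2\n}\n')
        return audit_workspace(Path(tmp))
```

Run `audit_workspace(Path("path/to/clone"))` on a real checkout before opening it; any finding means the folder should be opened with workspace trust restricted and the configuration reviewed first.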

North Korean trail points to known threat group

With “medium-high confidence,” Drift links the attack to UNC4736, a North Korean state-affiliated hacking group also tracked as AppleJeus or Citrine Sleet. The same group is responsible for the Radiant Capital hack in October 2024. The connection is traceable both onchain through fund flows and operationally through overlapping actor profiles. Notably, the individuals who appeared in person at conferences were not North Korean nationals. DPRK groups operating at this level are known to deploy third-party intermediaries for face-to-face contact.

Drift urges all teams in the DeFi ecosystem to audit access rights and treat every device that touches a multisig as a potential target. All protocol functions are frozen and the compromised wallets are removed from the multisig. For teams that believe they may be targeted, Drift advises reaching out to SEAL 911 immediately. The security of all multisig signers’ cold wallets remained intact throughout the attack.


Jeroen Kok

Jeroen is one of the lead copywriters on Cryptotips.eu and discusses all recent events in the crypto market. This includes news updates, but also price analyses and more. He developed his passion for cryptocurrency during the bull run in 2017. He has learned a lot since then. The combination of cryptocurrency and creative writing is perfect for Jeroen and an excellent way to share his knowledge with a wide audience. Find me on LinkedIn / jeroen@cryptotips.eu