April 6, 2026

North Korean Hackers Infiltrated Drift 6 Months Before $285M Hack

North Korean hackers from UNC4736 spent six months building trust inside Drift Protocol before stealing $285M in April 2026. Here's how they did it.


What to Know

  • $285 million was drained from Drift Protocol in an exploit tied to a North Korean state-affiliated group called UNC4736
  • Attackers spent six months building fake relationships — attending conferences, making a $1 million test deposit, then vanishing
  • The same group, also known as Citrine Sleet or AppleJeus, previously hit Radiant Capital in 2024
  • Security experts warn the attack vector wasn't the protocol — it was the people, developer tools, and signing environments

The Drift Protocol hack wasn't a smash-and-grab. It was a six-month covert operation, and the $285 million exploit carried out in early April 2026 is now being called one of the most methodical crypto heists ever documented. According to a detailed incident update posted on Sunday by the Solana-based decentralized exchange, the attackers didn't brute-force their way in. They showed up at conferences, built relationships, deposited their own capital, and then quietly poisoned the tools that developers trusted most.

How Did North Korean Hackers Pull Off the Drift Protocol Hack?

The short answer: patience. Drift said the operation began last fall at a major crypto industry conference, where the threat group approached contributors while posing as a quantitative trading firm looking to integrate with the protocol. Over the following months, they ran a textbook long con: Telegram conversations, in-person follow-up meetings, and eventually the onboarding of an Ecosystem Vault on Drift itself.

They even made a $1 million deposit of their own capital. That's not a hacker move. That's tradecraft. And it worked. When the exploit finally hit, the attackers had already "completely scrubbed" chats and malware from the environment, leaving almost no trace.

Drift attributed the attack with "medium-high confidence" to UNC4736, a North Korean group also tracked under the names AppleJeus and Citrine Sleet. The technical footprint involved a malicious code repository, a fake TestFlight app, and a VSCode/Cursor vulnerability that allowed silent code execution with no user interaction required.

Drift also clarified something important: the people who showed up at that conference were not North Korean nationals. DPRK-linked operations routinely use third-party intermediaries for face-to-face engagement, adding another layer of plausible deniability to an already elaborate operation.

Crypto teams are now facing adversaries that operate more like intelligence units than hackers, and most organizations are not structurally prepared for that level of threat.

— Michael Pearl, VP of Strategy, Cyvers

UNC4736 Has Been Here Before

This isn't UNC4736's first appearance in the DeFi incident log. Cybersecurity firm Mandiant previously linked this same group to the Radiant Capital hack in 2024 — an attack that drained approximately $50 million from the lending protocol across USDC, USDT, ARB, and multiple wrapped tokens. Radiant called it one of the most sophisticated hacks ever recorded in DeFi at the time.

The pattern is consistent: build trust, weaponize developer environments, exploit the gap between what signers see and what transactions actually do. Michael Pearl, VP of Strategy at blockchain security firm Cyvers, put it plainly — the Drift attack echoed Bybit in one critical way.

Drift and Bybit highlight the same pattern — signers were not directly compromised at the protocol level; they were tricked into approving malicious transactions. The core issue is not the number of signers, but the lack of understanding of transaction intent.

— Michael Pearl, VP of Strategy, Cyvers

Onchain fund flows and overlapping personas linked the Drift exploit to DPRK-affiliated actors, according to incident responders at SEAL 911. Mandiant had not formally confirmed attribution pending forensics as of the protocol's Sunday update.

Security researcher @tayvano_, credited by Drift for her role in identifying the attackers, went further — suggesting the exposure extends well beyond this single incident. She alleged that DPRK IT workers helped build "protocols you know and love, all the way back to defi summer." That claim deserves scrutiny, but it lands harder when you're standing in the wreckage of a $285 million heist.

What the $285M Drift Exploit Means for DeFi Security

If you run a DeFi protocol, or contribute to one, this attack should make you rethink every tool in your stack. The Drift incident confirms what security researchers have been saying for two years: multisignature wallets are not a sufficient defense on their own. They create a false sense of security, Pearl argued, because shared responsibility tends to lower individual scrutiny. One person assumes another person checked. Nobody actually checked.

The attack surface in the Drift hack wasn't a smart contract vulnerability or a bridge exploit. It was IDEs, code repositories, a fake mobile app, and the signing environment itself. Once an attacker controls what the developer sees, they can alter a transaction between the interface and the signer, and the signer approves bytes that do something other than what the screen shows.

Pearl's prescription: pre-transaction validation at the blockchain level, where each transaction is independently simulated against chain state and verified before execution, regardless of the interface presenting it. That's a structural shift, not a patch.
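The concrete version of the point made above, and of the "gap between what signers see and what transactions actually do" described earlier, is a checker that never trusts the interface: it decodes the raw transaction bytes the signer is about to approve and compares them against the intent the UI claims. The example below is added here and is not code from Drift, Cyvers or the incident report. It parses Solana's published legacy message layout (header, compact-u16 counts, account keys, recent blockhash, instructions) and accepts only a single System Program transfer whose source, destination and amount match the claimed intent. The account keys, blockhash, the `EXPECTED` dict and all function names are this example's own constructed fixtures and assumptions.

```python
"""Decode a Solana legacy transaction message from raw bytes and check it against the
intent the wallet UI claims.  Added example, not Drift's or Cyvers' code.  Wire format is
Solana's published legacy layout; keys, blockhash and EXPECTED are constructed fixtures."""
import struct

SYSTEM_PROGRAM = bytes(32)     # base58 "11111111111111111111111111111111"
SYSTEM_TRANSFER = 2            # SystemInstruction::Transfer discriminator (u32 LE)
_B58 = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Minimal base58 so keys print the way wallets display them."""
    n, out = int.from_bytes(raw, "big"), bytearray()
    while n:
        n, r = divmod(n, 58)
        out.append(_B58[r])
    pad = len(raw) - len(raw.lstrip(b"\0"))      # leading zero bytes become leading '1's
    return "1" * pad + out[::-1].decode()


def _read_compact_u16(buf: bytes, pos: int) -> tuple[int, int]:
    """Solana compact-u16: 7 bits per byte, high bit = continuation, at most 3 bytes."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 14:
            raise ValueError("compact-u16 too long")


def _write_compact_u16(n: int) -> bytes:
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def decode_message(msg: bytes) -> dict:
    """Parse header, account keys, recent blockhash and instructions; reject trailing bytes."""
    num_sigs = msg[0]                                  # msg[1], msg[2] are read-only counts
    n_keys, pos = _read_compact_u16(msg, 3)
    keys = [msg[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = msg[pos:pos + 32], pos + 32
    n_ix, pos = _read_compact_u16(msg, pos)
    ixs = []
    for _ in range(n_ix):
        prog_idx, pos = msg[pos], pos + 1
        n_acc, pos = _read_compact_u16(msg, pos)
        acc_idx, pos = list(msg[pos:pos + n_acc]), pos + n_acc
        n_data, pos = _read_compact_u16(msg, pos)
        data, pos = msg[pos:pos + n_data], pos + n_data
        ixs.append({"program": keys[prog_idx], "accounts": [keys[i] for i in acc_idx], "data": data})
    if pos != len(msg):
        raise ValueError("trailing bytes after message")
    return {"num_signatures": num_sigs, "keys": keys, "blockhash": blockhash, "instructions": ixs}


def check_intent(msg: bytes, expected: dict) -> list[str]:
    """Return every way the bytes disagree with the claimed 'transfer X lamports to Y'; [] means OK."""
    ixs = decode_message(msg)["instructions"]
    if len(ixs) != 1:
        return [f"expected exactly 1 instruction, found {len(ixs)}"]
    ix = ixs[0]
    if ix["program"] != SYSTEM_PROGRAM:
        return [f"program {b58encode(ix['program'])} is not the System Program"]
    if len(ix["data"]) != 12 or struct.unpack("<I", ix["data"][:4])[0] != SYSTEM_TRANSFER:
        return ["instruction is not a System transfer"]
    lamports = struct.unpack("<Q", ix["data"][4:])[0]
    problems = []
    if ix["accounts"][0] != expected["from"]:
        problems.append("source account mismatch")
    if ix["accounts"][1] != expected["to"]:
        problems.append(f"destination {b58encode(ix['accounts'][1])} != {b58encode(expected['to'])}")
    if lamports != expected["lamports"]:
        problems.append(f"amount {lamports} != {expected['lamports']} lamports")
    return problems


def build_message(keys: list[bytes], blockhash: bytes, ixs: list[tuple[int, list[int], bytes]]) -> bytes:
    """Serialize a legacy message with one signer (keys[0]); fixture helper for the samples below."""
    out = bytearray([1, 0, 1]) + _write_compact_u16(len(keys)) + b"".join(keys) + blockhash
    out += _write_compact_u16(len(ixs))
    for prog_idx, acc_idx, data in ixs:
        out += bytes([prog_idx]) + _write_compact_u16(len(acc_idx)) + bytes(acc_idx)
        out += _write_compact_u16(len(data)) + data
    return bytes(out)


# Constructed fixtures (not real accounts).  The UI claims: "send 1 SOL from FROM_KEY to TREASURY".
FROM_KEY, TREASURY, ATTACKER, ROGUE_PROGRAM, BLOCKHASH = (bytes([i]) * 32 for i in (1, 2, 3, 4, 9))
EXPECTED = {"from": FROM_KEY, "to": TREASURY, "lamports": 1_000_000_000}
transfer = lambda lamports: struct.pack("<IQ", SYSTEM_TRANSFER, lamports)

HONEST = build_message([FROM_KEY, TREASURY, SYSTEM_PROGRAM], BLOCKHASH, [(2, [0, 1], transfer(1_000_000_000))])
SWAPPED_DEST = build_message([FROM_KEY, ATTACKER, SYSTEM_PROGRAM], BLOCKHASH, [(2, [0, 1], transfer(1_000_000_000))])
ROGUE_CALL = build_message([FROM_KEY, TREASURY, ROGUE_PROGRAM], BLOCKHASH, [(2, [0, 1], b"\x07" + bytes(11))])

if __name__ == "__main__":
    for name, m in (("honest", HONEST), ("swapped destination", SWAPPED_DEST), ("rogue program", ROGUE_CALL)):
        print(f"{name}: {check_intent(m, EXPECTED) or 'OK'}")
```

The check is deliberately narrow: anything that is not exactly one System Program transfer to the expected account for the expected amount is rejected, so a poisoned front end that swaps the destination or silently substitutes another program cannot pass. It is also deliberately limited, and the limits matter: it handles only legacy messages (not v0 messages with address lookup tables), it reads the bytes but does not simulate them, and it should run on a machine the compromised IDE never touched. Pearl's prescription goes one step further than this static decode by simulating the transaction against live chain state before it is signed.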

The assumption that needs to die, according to the experts Drift credited in its report, is that the endpoint is safe. It isn't. Not anymore.

If these foundational tools are vulnerable, anything shown to the user — including transactions — can be manipulated. This fundamentally breaks traditional security assumptions.

— Security expert cited in Drift incident report

The components of the operation, as described in Drift's update:

  • Malicious code repository introduced by threat actors
  • Fake TestFlight app used to compromise mobile signing environments
  • VSCode/Cursor IDE vulnerability enabling silent code execution
  • Telegram coordination and in-person conference meetings to build trust
  • Third-party intermediaries used for face-to-face engagement — not North Korean nationals directly

Frequently Asked Questions

What is the Drift Protocol hack?

The Drift Protocol hack refers to a $285 million exploit of the Solana-based decentralized exchange in April 2026. Attributed with medium-high confidence to North Korean state-affiliated group UNC4736, the attack followed a six-month infiltration campaign using fake identities, conference meetings, and malicious developer tools.

Who is UNC4736, the North Korean hacking group?

UNC4736 is a North Korean state-affiliated threat group also tracked as AppleJeus and Citrine Sleet. The group is known for long-horizon social engineering attacks targeting crypto protocols. Mandiant previously linked UNC4736 to the 2024 Radiant Capital hack, which drained approximately $50 million from the lending platform.

How did the Drift hackers avoid detection for six months?

The attackers posed as a legitimate quantitative trading firm, attended major crypto conferences, held extended Telegram conversations with contributors, onboarded an Ecosystem Vault on Drift, and deposited $1 million of their own capital. When the exploit executed, all chat history and malware were completely scrubbed.

Are multisig wallets enough to prevent this kind of hack?

According to security experts cited in the Drift incident update, multisig wallets are no longer sufficient. Attackers now compromise what signers see before they sign, meaning transaction intent cannot be verified through the interface alone. Pre-transaction blockchain-level validation is the recommended defense.