Emerging details shed light on the significant cyber breach targeting Drift Protocol, culminating in losses estimated at $270 million. Recent disclosures by the protocol’s development team reveal that a nefarious group, suspected of connections to North Korea, meticulously executed the attack over a period of six months, employing advanced methods to breach security systems.
How Did the Attackers Infiltrate the System?
The group’s initial entry into the system took place at a renowned cryptocurrency conference in late 2025. Disguised as representatives from a quantitative trading firm, they exhibited technical proficiency and seemingly credible backgrounds. This facilitated their gradual acceptance within the Drift network, where they showcased their intricate knowledge of operational protocols.
Which Vulnerabilities Were Exploited?
Beginning in October, the infiltrators extended their reach by engaging directly with the Drift community through Telegram. By offering typical DeFi trading strategies, they gained trust among critical stakeholders. To further solidify their position, they injected over $1 million into the protocol between December 2025 and January 2026, cultivating a sense of trust with core team members.
The subsequent months saw their relationships with Drift contributors deepen, reinforced by in-person meetings at global industry events. This trust was pivotal in enabling the eventual breach.
The technical investigation revealed two primary methods of attack. One method involved a member of the group introducing a wallet app via Apple’s TestFlight platform, which effectively bypassed security protocols by masquerading as a legitimate tool.
The use of popular code editors like VSCode and Cursor posed another opportunity for exploitation, as these contained vulnerabilities allowing remote control of devices upon opening malicious files.
By leveraging these vulnerabilities, the group circumvented security protocols and secured multisig privileges necessary to execute the attack. Prepared detrimental transactions sat in waiting for over a week before being activated on April 1, facilitating a rapid and complete withdrawal of funds from Drift Protocol.
Significant evidence indicates the involvement of UNC4736, a group allegedly working on behalf of North Korea. Known as AppleJeus and Citrine Sleet, this group has been connected to multiple recent cyberattacks within the cryptocurrency industry.
It appears that those who attended conferences may not be North Korean nationals, instead relying on sophisticated forged identities and professional connections to infiltrate these types of organizations, adding layers of complexity to direct attribution.
In response, Drift’s team urged other firms to conduct rigorous audits of multisig access and device security. They emphasized the necessity of reevaluating multisig management’s efficacy as a security model in decentralized finance, given the increasing sophistication of cyber threats.
“This incident underscores the urgent need for enhanced vigilance across the industry,” emphasized a Drift representative.
