© 2026 Index.vn
Drift Protocol suffered a major exploit on April 1, 2026, triggering a full protocol freeze. The incident has since been described as the result of a structured, months-long intelligence operation rather than a sudden, opportunistic attack.
The attack did not begin on the day it occurred. According to the investigation, the activity traces back to Fall 2025, when individuals posing as a quantitative trading firm approached Drift contributors at a major crypto conference.
The group presented themselves as technically fluent and carried verifiable professional backgrounds. Over subsequent months, they continued meeting contributors in person at multiple industry conferences across several countries.
From the first meeting, the group established a Telegram group and engaged in months of detailed conversations focused on trading strategies and vault integrations.
Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on the protocol. They deposited over $1 million of their own capital and participated in multiple working sessions.
By February and March 2026, the relationship was well established. In Drift's words, “these were not strangers; they were people Drift contributors had worked with and met in person.” During this period, links to projects, tools, and applications were routinely shared.
The investigation later stated that “the profiles used in this operation had fully constructed identities including employment histories, public-facing credentials and professional networks.” Contributors engaged with the group through detailed product discussions, allowing the operation to build a credible presence inside the Drift ecosystem over time.
After the April 1 exploit, forensic review of affected devices and communications identified the trading group as the likely intrusion vector. The group’s Telegram chats and malicious software were reportedly wiped immediately after the attack.
Three potential attack vectors have been identified as part of the ongoing investigation:
One contributor may have cloned a code repository shared by the group. It was presented as a frontend deployment for their vault.
Another contributor was induced to download a TestFlight application framed as the group’s wallet product.
A repository-based vector reportedly involved a silent code execution flaw in VSCode and Cursor editors. The investigation said that “simply opening a file, folder, or repository in the editor was sufficient to silently execute arbitrary code, with no prompt or indication to the user, clicks, permissions dialog or warning of any kind.”
Full forensic analysis of affected hardware is still ongoing. Drift has urged the broader ecosystem to “check in on your teams, audit who has access to what, and treat every device that touches your multisig as a potential target.”
Forensic partners, including Mandiant, are assisting law enforcement in investigating the breach. Preliminary findings point to a North Korean state-affiliated threat group as the likely perpetrators.
With medium-high confidence, the SEAL911 team assessed the operation as the work of UNC4736, a North Korean state-affiliated actor tracked as AppleJeus or Citrine Sleet.
On-chain fund flows and overlapping personas connect this campaign to the October 2024 Radiant Capital hack. The individuals who appeared in person were not North Korean nationals, as DPRK threat actors are described as using third-party intermediaries for direct contact.
The incident is characterized as one of the most deliberate social engineering campaigns documented in decentralized finance to date.
