
Drift Protocol has disclosed details of a $280 million exploit on April 1, 2026, describing a sophisticated, long-running cyberattack tied to North Korean state-sponsored hackers. The decentralized exchange said the breach involved months of calculated social engineering, malicious software distribution, and trust-building tactics before any funds were moved.
The scheme reportedly began in October 2025 at a major crypto industry conference, where threat actors posing as a legitimate quantitative trading firm made initial contact with Drift contributors. Rather than launching an immediate breach, the group engaged in a prolonged campaign, interacting with contributors across multiple global events over roughly six months and presenting credentials and technical knowledge intended to appear credible.
According to Drift Protocol, the attackers set up a Telegram group to sustain communication. Discussions included trading strategies and vault integrations that the protocol said mirrored standard onboarding practices in the industry.
Between December 2025 and January 2026, the attackers reportedly deposited more than $1 million into the protocol. Drift Protocol said this was used to build credibility and deepen trust within the ecosystem.
The intrusion was carried out through malicious tools shared during collaboration sessions. Drift Protocol said one contributor cloned a compromised code repository disguised as a frontend deployment tool, while another downloaded a tampered TestFlight application marketed as a wallet product.
These actions exploited a known vulnerability in VSCode and Cursor, enabling silent code execution on affected devices between December 2025 and February 2026. Drift Protocol also said the attackers wiped communication channels and removed the malware immediately after executing the exploit.
Forensic analysis supported by Mandiant and SEALs 911 linked the attack with medium-high confidence to UNC4736, also known as Citrine Sleet or AppleJeus. Drift Protocol said the same threat group was behind the October 2024 Radiant Capital hack.
The protocol added that on-chain fund flows further corroborated connections to prior DPRK-affiliated operations.
Drift Protocol said it has frozen protocol functions, restructured multisig wallet access, and is actively cooperating with law enforcement to pursue those responsible.
