© 2026 Index.vn
Drift Protocol said on Sunday that an attack that drained roughly $285 million from the platform was a structured six-month intelligence operation carried out by a North Korean state-affiliated threat group. In a detailed incident update, Drift said the attackers used fabricated professional identities, in-person conference meetings, and malicious developer tools to compromise contributors before executing the drain.
Drift said the group first approached contributors at a major crypto conference last fall, presenting as a quantitative trading firm seeking to integrate with the protocol. Over months, the attackers built trust through in-person meetings and Telegram coordination, onboarded an Ecosystem Vault on Drift, and made a $1 million vault deposit of their own capital. Drift said the group then vanished, and that chats and malware were “completely scrubbed” when the exploit was triggered.
Drift said the compromise may have involved a malicious code repository, a fake TestFlight app, and a VSCode/Cursor vulnerability that enabled silent code execution without user interaction. The platform said the attack was carried out after compromising contributors, rather than through direct protocol-level signer compromise.
Drift attributed the attack with “medium-high confidence” to UNC4736, also tracked as AppleJeus or Citrine Sleet. Drift said the same North Korean state-affiliated group has been linked by cybersecurity firm Mandiant to the 2024 Radiant Capital hack.
Drift also said the individuals who met contributors in person were not North Korean nationals, noting that DPRK-linked actors often use third-party intermediaries for face-to-face engagement. Onchain fund flows and overlapping personas were cited by incident responders SEAL 911 as pointing to DPRK-linked actors, while Mandiant has not yet confirmed attribution pending forensics, Drift said.
Security researcher @tayvano_, an expert Drift credited for assistance in identifying the malicious actors, suggested the exposure could extend beyond the single incident. In a tweet, the researcher listed dozens of DeFi protocols, alleging that “DPRK IT workers built the protocols you know and love, all the way back to defi summer.”
Michael Pearl, VP of Strategy at blockchain security firm Cyvers, said Drift and Bybit reflect the same pattern: signers were not directly compromised at the protocol level; instead, they were tricked into approving malicious transactions. Pearl said the core issue is not the number of signers, but the lack of understanding of transaction intent.
He argued that multisignature wallets, while an improvement over single-key control, can create a false sense of security because distributing responsibility across signers reduces scrutiny. Pearl said security needs to shift toward pre-transaction validation at the blockchain level, where transactions are independently simulated and verified before execution. He added that once attackers can control what users see, the only effective defense is validating what a transaction actually does, regardless of the interface.
Lavid, quoted in the report, said the assumption about attack surfaces must change from the ground up. “You have to assume the endpoint is compromised,” he said, pointing to IDEs, code repositories, mobile apps, and signer environments as increasingly common entry points. Lavid said that if foundational tools are vulnerable, anything shown to the user—including transactions—can be manipulated, “fundamentally” breaking traditional security assumptions and leaving teams unable to trust the interface, the device, or even the signing flow.
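The pre-transaction validation described above, sketched as an added example that is not code from Drift, Cyvers or the original report: a signer-side check that refuses to sign unless an independent simulation of the exact bytes to be signed shows only the effect the interface displayed. `Effect`, `SimReport`, `refuse_reasons`, the `PRIVILEGED` policy and all sample data are hypothetical, and the simulation report is assumed to come from a system separate from the one rendering the interface.

```python
import hashlib
from dataclasses import dataclass

# Assumed policy: effect kinds that change who controls funds or code.
PRIVILEGED = {"set_authority", "upgrade_program", "change_threshold"}

@dataclass(frozen=True)
class Effect:
    kind: str         # "transfer" or a PRIVILEGED kind
    account: str      # account whose state changes
    asset: str = ""   # token symbol, for transfers
    amount: int = 0   # units leaving `account`
    target: str = ""  # recipient or new authority

@dataclass(frozen=True)
class SimReport:
    tx_sha256: str    # digest of the exact bytes the simulator executed
    effects: tuple    # every Effect the simulator observed

def refuse_reasons(tx_bytes, displayed, report):
    """Return reasons not to sign; an empty list means effects match the display."""
    reasons = []
    # The report must describe the bytes about to be signed, not a lookalike.
    if hashlib.sha256(tx_bytes).hexdigest() != report.tx_sha256:
        reasons.append("simulated bytes differ from bytes to be signed")
    hits = sum(1 for e in report.effects if e == displayed)
    if hits != 1:
        reasons.append(f"displayed action occurs {hits} times in simulation")
    for e in report.effects:
        if e != displayed:
            label = "privileged change" if e.kind in PRIVILEGED else "effect"
            reasons.append(f"undisclosed {label}: {e.kind} on {e.account} -> {e.target}")
    return reasons

# Constructed sample data, not taken from the incident.
SHOWN = Effect("transfer", "vault-A", "USDC", 1_000, "desk-1")
TX_A, TX_B = b"constructed-tx-A", b"constructed-tx-B"
REPORT_A = SimReport(hashlib.sha256(TX_A).hexdigest(), (SHOWN,))
REPORT_B = SimReport(hashlib.sha256(TX_B).hexdigest(),
                     (SHOWN, Effect("set_authority", "vault-A", target="unknown-key")))

if __name__ == "__main__":
    print(refuse_reasons(TX_A, SHOWN, REPORT_A))  # matches the display
    print(refuse_reasons(TX_B, SHOWN, REPORT_B))  # hidden authority change
    print(refuse_reasons(TX_B, SHOWN, REPORT_A))  # report is for other bytes
```

The digest comparison matters as much as the effect comparison: a clean simulation is worthless if it was run on different bytes from the ones the signer ends up approving.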