A six-month intelligence operation preceded the $270 million Drift Protocol exploitation and was carried out by a group affiliated with the North Korean state, according to a detailed incident update released by the team earlier Sunday.
The attackers first made contact around fall 2025 at a major crypto conference, posing as a quant trading company looking to integrate with Drift.
They were technically proficient, had verifiable work histories and understood how the protocol worked, Drift said. A Telegram group was created, and what followed were months of in-depth conversations about trading strategies and vault integrations, the kind of interaction that is standard when a trading company integrates with a DeFi protocol.
Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift, held several working sessions with contributors, deposited over $1 million of its own capital, and built a functioning operational presence within the ecosystem.
Drift contributors met with group members face-to-face at several major industry conferences in several countries in February and March. By the time the attack was launched on April 1, the relationship was almost six months old.
The compromise appears to be the result of two vectors.
A second downloaded a TestFlight app, Apple’s platform for distributing pre-release apps that bypasses App Store security review, which the group presented as its portfolio product.
For the repository vector, Drift highlighted a known vulnerability in VSCode and Cursor, two of the most widely used code editors in software development, that the security community had been reporting since late 2025: simply opening a file or folder in the editor was enough to silently execute arbitrary code, without prompts or warnings of any kind.
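The defensive counterpart to the repository vector is to inspect a cloned repository's editor configuration before anyone opens it in a trusted workspace. The following script is an added example and is not code from Drift or from this article; it scans a checkout for VS Code/Cursor workspace files and flags two things a reviewer would want to see before granting workspace trust: tasks configured with `runOptions.runOn: "folderOpen"` (a documented VS Code feature that starts a task when the folder is opened) and settings keys that point the editor at an executable. The watchlist of setting prefixes and the sample workspace it builds in a temporary directory are constructed for the example. It does not claim to detect the specific editor bug the article refers to, only the configuration-driven auto-execution surface that Workspace Trust's Restricted Mode exists to contain.

```python
import json
import re
import tempfile
from pathlib import Path

# Settings keys whose values name a program the editor may launch.
# Constructed watchlist for this example; extend it to your own concerns.
EXECUTABLE_SETTING_PREFIXES = (
    "terminal.integrated.profiles.",
    "terminal.integrated.shell.",
    "git.path",
    "python.defaultInterpreterPath",
)

_TRAILING_COMMA_RE = re.compile(r",\s*([}\]])")


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments (outside string literals) and trailing commas,
    turning the JSON-with-comments dialect VS Code uses into strict JSON."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char, e.g. \"
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return _TRAILING_COMMA_RE.sub(r"\1", "".join(out))


def load_jsonc(path: Path):
    return json.loads(strip_jsonc(path.read_text(encoding="utf-8")))


def find_autorun_tasks(tasks_cfg: dict) -> list:
    """Tasks that VS Code starts automatically when the folder is opened."""
    findings = []
    for task in tasks_cfg.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            findings.append({"kind": "autorun-task",
                             "label": task.get("label", "<unlabelled>"),
                             "command": task.get("command", "")})
    return findings


def find_executable_settings(settings: dict) -> list:
    """Settings that redirect the editor to a binary, possibly one inside the repo."""
    return [{"kind": "executable-setting", "key": k, "value": v}
            for k, v in settings.items() if k.startswith(EXECUTABLE_SETTING_PREFIXES)]


def scan_workspace(root) -> list:
    """Scan .vscode/tasks.json, .vscode/settings.json and *.code-workspace files."""
    root, findings = Path(root), []
    tasks = root / ".vscode" / "tasks.json"
    if tasks.is_file():
        findings += find_autorun_tasks(load_jsonc(tasks))
    settings = root / ".vscode" / "settings.json"
    if settings.is_file():
        findings += find_executable_settings(load_jsonc(settings))
    for ws in root.glob("*.code-workspace"):       # multi-root workspace files
        cfg = load_jsonc(ws)
        findings += find_executable_settings(cfg.get("settings", {}))
        findings += find_autorun_tasks(cfg.get("tasks", {}))
    return findings


def demo() -> list:
    """Build a constructed sample checkout in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(
        '{\n  // constructed sample: harmless task, but it runs on folder open\n'
        '  "version": "2.0.0",\n  "tasks": [\n'
        '    {"label": "bootstrap", "type": "shell", "command": "echo opened",\n'
        '     "runOptions": {"runOn": "folderOpen"},},\n'
        '    {"label": "build", "type": "shell", "command": "make",},\n  ],\n}\n')
    (root / ".vscode" / "settings.json").write_text(
        '{\n  "editor.tabSize": 4,\n'
        '  "git.path": "./tools/git" // constructed: git binary shipped in the repo\n}\n')
    return scan_workspace(root)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Run it against a freshly cloned repository before opening that folder in a trusted window; any finding is a reason to open it in Restricted Mode or not at all until a human has read the flagged entries.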
Once the devices were compromised, the attackers had what they needed to obtain the two multisig approvals that enabled the sustainable one-off attack CoinDesk detailed earlier this week. These pre-signed transactions sat dormant for over a week before being executed on April 1, draining $270 million from the protocol’s coffers in less than a minute.
The attribution points to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet, based on both on-chain fund flows tracing back to Radiant Capital attackers and operational overlap with known figures linked to the DPRK.
The people who appeared in person at the conferences, however, were not North Korean nationals. DPRK threat actors at this level are known to deploy third-party intermediaries with entirely constructed identities, professional backgrounds, and professional networks designed to resist due diligence.
Drift urged other protocols to audit access controls and treat every device touching a multisig as a potential target. This broader implication is uncomfortable for an industry that relies on multisig governance as its primary security model.
But if attackers are willing to spend six months and a million dollars to establish a legitimate presence within an ecosystem, meet with teams in person, bring in real capital, and wait, the question becomes what security model is designed to detect that.