April 5, 2026

North Korean Group Executes $270 Million Exploit on Drift Protocol After Months of Deceptive Engagement

A detailed investigation has revealed that a North Korean state-affiliated group orchestrated a $270 million exploit of the Drift Protocol, following a six-month intelligence operation. The attackers, posing as a legitimate trading firm, engaged with Drift contributors across multiple countries before executing their plan on April 1, 2026.

The group first established contact in the fall of 2025 during a prominent cryptocurrency conference. Presenting themselves as a quantitative trading firm interested in integrating with Drift, they demonstrated technical fluency and provided verifiable professional backgrounds. This initial interaction led to the creation of a Telegram group, where discussions about trading strategies and vault integrations took place over several months.

Between December 2025 and January 2026, the attackers successfully onboarded an Ecosystem Vault on Drift, held numerous working sessions with contributors, and deposited over $1 million in capital. Their in-person engagements at major industry conferences continued through February and March, solidifying their presence within the ecosystem.

The exploit was executed through two primary vectors. The first was a TestFlight application, Apple's beta-distribution channel, which let the group place an app on targets' devices without going through App Store review. The second exploited a known vulnerability in the widely used code editors VS Code and Cursor, which the security community had flagged since late 2025; it allowed the attackers to execute arbitrary code simply by having a victim open a file or folder in the editor.

Once the attackers had compromised the contributors' devices, they obtained the necessary approvals for two multisig transactions, enabling what has been described as a durable nonce attack: the pre-signed transactions stayed valid but dormant for over a week before being executed, draining $270 million from Drift's vaults within minutes.
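Because a durable-nonce transaction stays valid until its nonce account is advanced, a signer-side policy can at least flag such requests for extra review before a multisig approval is given. The following Python check is an added illustration, not Drift's code: it parses a constructed Solana legacy transaction message and reports whether the first instruction is the System Program's AdvanceNonceAccount (the marker of a durable-nonce transaction); the message layout and the discriminator value 4 are taken from the Solana wire format as I understand it.

```python
# Added example: flag durable-nonce transactions at signing time.
# Assumes the Solana legacy message layout and that AdvanceNonceAccount is
# System Program instruction 4; sample messages below are constructed.
import struct

SYSTEM_PROGRAM = bytes(32)          # 11111111111111111111111111111111 (all-zero key)
ADVANCE_NONCE_ACCOUNT = 4           # System Program discriminator, u32 little-endian

def _read_compact_u16(buf: bytes, pos: int):
    """Decode Solana's compact-u16 length prefix (7 bits per byte); return (value, pos)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b & 0x80 == 0:
            return value, pos
        shift += 7

def uses_durable_nonce(message: bytes) -> bool:
    """True if the message's first instruction is SystemProgram::AdvanceNonceAccount."""
    pos = 3                                            # 3-byte message header
    n_accounts, pos = _read_compact_u16(message, pos)
    keys = [message[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_accounts)]
    pos += 32 * n_accounts + 32                        # account keys, then blockhash/nonce value
    n_ix, pos = _read_compact_u16(message, pos)
    if n_ix == 0:
        return False
    program_idx = message[pos]
    pos += 1
    n_ix_accounts, pos = _read_compact_u16(message, pos)
    pos += n_ix_accounts                               # account-index bytes of first instruction
    data_len, pos = _read_compact_u16(message, pos)
    data = message[pos:pos + data_len]
    return (keys[program_idx] == SYSTEM_PROGRAM and len(data) >= 4
            and struct.unpack_from("<I", data)[0] == ADVANCE_NONCE_ACCOUNT)

def build_message(first_ix_data: bytes, first_ix_program: bytes) -> bytes:
    """Construct a minimal legacy message: three keys, one instruction (sample data only)."""
    signer, nonce_acct = b"\x01" * 32, b"\x02" * 32
    keys = [signer, nonce_acct, first_ix_program]
    msg = bytes([1, 0, 1]) + bytes([len(keys)]) + b"".join(keys) + b"\x03" * 32
    accounts = bytes([1, 0])                           # example account indices
    msg += bytes([1, 2]) + bytes([len(accounts)]) + accounts
    return msg + bytes([len(first_ix_data)]) + first_ix_data

DURABLE = build_message(struct.pack("<I", ADVANCE_NONCE_ACCOUNT), SYSTEM_PROGRAM)
ORDINARY = build_message(struct.pack("<IQ", 2, 1_000), SYSTEM_PROGRAM)  # Transfer, not nonce
```

A signing workflow that flags `uses_durable_nonce(...)` as true can require a second, out-of-band confirmation and record the nonce account so the approval can be invalidated by advancing it if the request turns out to be illegitimate.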

Attribution for the attack has been linked to UNC4736, a North Korean state-affiliated group also known as AppleJeus or Citrine Sleet. This identification is based on on-chain fund flows that trace back to previous incidents involving Radiant Capital and operational similarities with known DPRK-linked entities. Notably, the individuals who interacted with Drift at conferences were not North Korean nationals, indicating a strategy of using third-party intermediaries with constructed identities to avoid detection.

In light of this incident, Drift has urged other protocols to reassess their access controls and treat any device interacting with a multisig wallet as a potential target. This incident raises significant concerns for the cryptocurrency industry, which heavily relies on multisig governance as a primary security measure. The question now looms: what security protocols can effectively counteract such sophisticated and prolonged infiltration efforts?

A North Korean state-affiliated group executed a $270 million exploit on Drift Protocol after a six-month operation posing as a legitimate trading firm. The incident underscores vulnerabilities in multisig governance models within the cryptocurrency industry.
