
Drift Protocol Reveals $270M Exploit Was Orchestrated by North Korean Intelligence Operation

Apr 05, 2026 12:17 UTC
BTC-USD, ETH-USD, ^VIX, CSCO, PFE
Immediate term

Drift Protocol has disclosed that a $270 million exploit was the result of a six-month intelligence operation by a North Korean state-affiliated group. The attackers infiltrated the protocol through a sophisticated social engineering campaign and exploited known vulnerabilities in code editors.

  • Drift Protocol's $270 million exploit was orchestrated by a North Korean state-affiliated group over six months.
  • The attackers infiltrated the protocol by presenting themselves as a legitimate trading firm and building a credible presence through multiple conferences and working sessions.
  • The breach occurred via a TestFlight application and a known vulnerability in VSCode and Cursor code editors.
  • The attackers obtained multisig approvals to execute pre-signed transactions, draining $270 million in under a minute.
  • Drift has attributed the attack to UNC4736, a group also linked to the Radiant Capital attackers and DPRK-linked personas.
  • The incident underscores the vulnerabilities in DeFi's multisig governance model and the need for enhanced security measures.

Drift Protocol has revealed that the $270 million exploit that occurred on April 1 was the result of a six-month intelligence operation conducted by a North Korean state-affiliated group. The attackers, identified as UNC4736 (also known as AppleJeus or Citrine Sleet), infiltrated the protocol through a combination of social engineering and technical exploits. The group initially presented themselves as a legitimate quantitative trading firm at a major crypto conference in the fall of 2025, establishing a Telegram group to engage in months of discussions about trading strategies and vault integrations. Over the following months, the group built a credible presence within the Drift ecosystem, depositing over $1 million of their own capital and participating in working sessions with protocol contributors. Face-to-face meetings at industry conferences further solidified their legitimacy.

The breach occurred through two vectors: a TestFlight application presented as a wallet product and a known vulnerability in VSCode and Cursor code editors. These exploits allowed the attackers to gain access to the necessary multisig approvals, enabling the execution of pre-signed transactions that drained $270 million from the protocol's vaults in under a minute.

Drift has attributed the attack to UNC4736 based on on-chain fund flows and operational overlaps with known DPRK-linked personas. While the individuals who met with Drift contributors were not North Korean nationals, the group is known to use intermediaries with fabricated identities and professional networks. Drift has urged other protocols to audit access controls and treat every device touching a multisig as a potential target. The incident highlights the vulnerabilities in the DeFi industry's reliance on multisig governance models, as attackers demonstrated the ability to spend six months building a legitimate presence within an ecosystem.
The attack has raised concerns about the security of DeFi protocols and the potential for state-sponsored cyber operations to target the crypto industry. The broader implications for the industry include the need for enhanced security measures and a reevaluation of current governance models to prevent similar breaches in the future.
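The article's closing point is that a multisig which executes the moment a threshold of approvals is presented gives defenders no window at all once signer devices are compromised. The model below is an added illustration, not code from the page, from Drift, or from any real chain: a toy M-of-N treasury where the only difference between the two runs is an execution delay plus an assumed single-signer veto. Signer names, keys, the 2-of-3 threshold, the 24-hour delay, the vault balance and the veto rule are all constructed assumptions, and HMAC stands in for wallet signatures.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """A treasury transfer a multisig is asked to approve."""
    to: str
    amount: int
    nonce: int

    def digest(self) -> str:
        # The exact bytes signers commit to; a signature over one digest is useless for any other tx.
        return hashlib.sha256(f"{self.to}|{self.amount}|{self.nonce}".encode()).hexdigest()


def sign(signer_key: bytes, tx: Tx) -> str:
    """Stand-in for a hardware-wallet signature: HMAC over the tx digest (constructed, not a chain scheme)."""
    return hmac.new(signer_key, tx.digest().encode(), "sha256").hexdigest()


class Multisig:
    """M-of-N treasury with an optional execution delay; delay=0 models instant execution."""

    def __init__(self, signer_keys: dict[str, bytes], threshold: int, delay: int):
        self.keys = signer_keys
        self.threshold = threshold
        self.delay = delay            # seconds between reaching threshold and becoming executable
        self.now = 0                  # simulated clock
        self.balance = 270_000_000    # constructed vault balance
        self.queue: dict[str, tuple[Tx, int]] = {}
        self.cancelled: set[str] = set()
        self.used_nonces: set[int] = set()

    def _valid_signers(self, tx: Tx, approvals: dict[str, str]) -> set[str]:
        # Only signatures over this exact tx digest from known signers count.
        return {
            name for name, sig in approvals.items()
            if name in self.keys and hmac.compare_digest(sig, sign(self.keys[name], tx))
        }

    def submit(self, tx: Tx, approvals: dict[str, str]) -> int:
        """Verify threshold, reject nonce replay, queue the tx; return when it becomes executable."""
        if tx.nonce in self.used_nonces:
            raise ValueError("nonce already used")
        if len(self._valid_signers(tx, approvals)) < self.threshold:
            raise PermissionError("threshold not met")
        self.used_nonces.add(tx.nonce)
        ready_at = self.now + self.delay
        self.queue[tx.digest()] = (tx, ready_at)
        return ready_at

    def cancel(self, digest: str, signer: str, sig: str) -> None:
        """Assumed policy: any single valid signer may veto a queued tx during the delay window."""
        tx, _ = self.queue[digest]
        if self._valid_signers(tx, {signer: sig}) != {signer}:
            raise PermissionError("bad veto signature")
        self.cancelled.add(digest)

    def execute(self, digest: str) -> bool:
        """Move funds only if the delay has elapsed and nobody vetoed; returns whether it ran."""
        tx, ready_at = self.queue[digest]
        if digest in self.cancelled or self.now < ready_at:
            return False
        self.balance -= tx.amount
        del self.queue[digest]
        return True


# Constructed signer set; two signer devices are assumed compromised, one is not.
KEYS = {"alice": b"k-alice", "bob": b"k-bob", "carol": b"k-carol"}
DRAIN = Tx(to="attacker-controlled", amount=270_000_000, nonce=7)


def run(delay: int, compromised=("alice", "bob"), guardian="carol") -> dict:
    """Replay the same threshold-met drain against an instant and a delayed multisig."""
    ms = Multisig(KEYS, threshold=2, delay=delay)
    approvals = {name: sign(KEYS[name], DRAIN) for name in compromised}  # approvals already in hand
    digest = DRAIN.digest()
    ms.submit(DRAIN, approvals)
    ms.now += 30                      # execution attempted within a minute of submission
    executed = ms.execute(digest)
    if not executed:
        # The queued drain is visible; the remaining signer vetoes it before the delay ends.
        ms.cancel(digest, guardian, sign(KEYS[guardian], DRAIN))
        ms.now += delay
        executed = ms.execute(digest)
    return {"executed": executed, "balance": ms.balance}


if __name__ == "__main__":
    print("instant execution:", run(0))
    print("24h timelock + veto:", run(24 * 3600))
```

With `delay=0` the threshold-met transaction clears on the first attempt and the vault is empty within the simulated minute; with a delay the same approvals only produce a queued, visible transfer that a single uncompromised signer can veto. The veto rule is a deliberate trade-off: it lets one honest signer stop a drain, but it also lets one compromised signer stall legitimate operations, which is why real deployments pair it with monitoring of the queue rather than relying on either control alone.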
