North Korean Hackers Spent Six Months Infiltrating Drift Before $285M Exploit

In brief

  • Drift Protocol has attributed the recent $285 million attack on its DEX with “medium-high confidence” to UNC4736, a North Korean state-affiliated hacker group.
  • Attackers deposited over $1 million of their own capital and built a functioning vault inside the ecosystem before executing the exploit.
  • The bad actors erased traces instantly, with Telegram chats and malware “completely scrubbed” after execution.

Solana-based decentralized exchange Drift Protocol said on Sunday the attack that drained roughly $285 million from the platform was a structured six-month intelligence operation by a North Korean state-affiliated threat group.

The attackers used fabricated professional identities, in-person conference meetings, and malicious developer tools to compromise contributors before executing the drain, the protocol said in a detailed incident update.

“Crypto teams are now facing adversaries that operate more like intelligence units than hackers, and most organizations are not structurally prepared for that level of threat,” Michael Pearl, VP of Strategy at blockchain security firm Cyvers, told Decrypt.

Drift said the group first approached contributors at a major crypto conference last fall, presenting as a quantitative trading firm seeking to integrate with the protocol.

Over months, the group built trust through in-person meetings, Telegram coordination, onboarded an Ecosystem Vault on Drift, and made a $1 million vault deposit of their own capital, only to vanish, with chats and malware “completely scrubbed” when the exploit hit.

The DEX said the intrusion may have involved a malicious code repository, a fake TestFlight app, and a VSCode/Cursor vulnerability that enabled silent code execution without user interaction.

Drift attributed the attack with “medium-high confidence” to UNC4736, also tracked as AppleJeus or Citrine Sleet—the same North Korean state-affiliated group that cybersecurity firm Mandiant linked to 2024’s Radiant Capital hack.

Drift said the individuals who met contributors in person were not North Korean nationals, noting that DPRK-linked actors often rely on third-party intermediaries for “face-to-face engagement.”

Onchain fund flows and overlapping personas point to DPRK-linked actors, according to incident responders SEAL 911, though Mandiant has yet to confirm attribution pending forensics, the platform noted.

Security researcher @tayvano_, one of the experts whom Drift credited for assistance in identifying the malicious actors, suggested the exposure extends well beyond this incident.

In a tweet, the expert listed dozens of DeFi protocols, alleging that “DPRK IT workers built the protocols you know and love, all the way back to defi summer.”

Industry implications

“Drift and Bybit highlight the same pattern — signers were not directly compromised at the protocol level, they were tricked into approving malicious transactions,” Pearl noted. “The core issue is not the number of signers, but the lack of understanding of transaction intent.”

He said that multisignature wallets, while an improvement over single-key control, now create a false sense of security, introducing “a paradox” where shared responsibility lowers scrutiny across signers.

“Security must shift to pre-transaction validation at the blockchain level, where transactions are independently simulated and verified before execution,” Pearl said, adding that once attackers control what users see, the only effective defense is validating what a transaction actually does, regardless of the interface.
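The check Pearl describes can be illustrated with a small simulation: instead of trusting what the interface shows, the signer's tooling replays the transaction against a model of the current state and compares the resulting effects (balance changes and authority changes) with the intent the signer was shown. The following is an added example written for this article, not code from Drift, Cyvers or any real wallet; the ledger model, the two instruction types, the account names and the constructed "attacker_key" placeholder are all assumptions made for illustration.

```python
"""Pre-transaction intent validation by simulation (added illustrative example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Ledger:
    # account -> token balance, and account -> key allowed to move its funds
    balances: Dict[str, int]
    authority: Dict[str, str]


@dataclass
class Instruction:
    kind: str          # "transfer" or "set_authority" (toy instruction set, an assumption)
    account: str       # account whose balance or authority changes
    target: str        # recipient (transfer) or new authority (set_authority)
    amount: int = 0
    signer: str = ""   # key that signs this instruction


@dataclass
class DisplayedIntent:
    """What the interface told the signer the transaction does."""
    transfers: Dict[Tuple[str, str], int] = field(default_factory=dict)
    authority_changes: Dict[str, str] = field(default_factory=dict)


def simulate(ledger: Ledger, ixs: List[Instruction]) -> Ledger:
    """Apply instructions to a copy of the ledger, enforcing the authority rule."""
    state = Ledger(dict(ledger.balances), dict(ledger.authority))
    for ix in ixs:
        if state.authority.get(ix.account) != ix.signer:
            raise PermissionError(f"{ix.signer} is not the authority of {ix.account}")
        if ix.kind == "transfer":
            if state.balances.get(ix.account, 0) < ix.amount:
                raise ValueError(f"insufficient funds in {ix.account}")
            state.balances[ix.account] -= ix.amount
            state.balances[ix.target] = state.balances.get(ix.target, 0) + ix.amount
        elif ix.kind == "set_authority":
            state.authority[ix.account] = ix.target
        else:
            raise ValueError(f"unknown instruction kind {ix.kind}")
    return state


def observed_effects(before: Ledger, after: Ledger):
    """Net balance deltas and authority changes produced by the simulation."""
    accounts = set(before.balances) | set(after.balances)
    deltas = {a: after.balances.get(a, 0) - before.balances.get(a, 0) for a in accounts}
    deltas = {a: d for a, d in deltas.items() if d}
    auth = {a: k for a, k in after.authority.items() if before.authority.get(a) != k}
    return deltas, auth


def expected_effects(intent: DisplayedIntent):
    """The same two views, derived from what the signer was shown."""
    deltas: Dict[str, int] = {}
    for (src, dst), amt in intent.transfers.items():
        deltas[src] = deltas.get(src, 0) - amt
        deltas[dst] = deltas.get(dst, 0) + amt
    deltas = {a: d for a, d in deltas.items() if d}
    return deltas, dict(intent.authority_changes)


def validate(ledger: Ledger, ixs: List[Instruction], intent: DisplayedIntent):
    """Return (approve, findings): approve only if simulated effects match the shown intent."""
    findings: List[str] = []
    try:
        after = simulate(ledger, ixs)
    except (PermissionError, ValueError) as exc:
        return False, [f"simulation failed: {exc}"]
    got_deltas, got_auth = observed_effects(ledger, after)
    want_deltas, want_auth = expected_effects(intent)
    if got_deltas != want_deltas:
        findings.append(f"balance effects differ: shown {want_deltas}, simulated {got_deltas}")
    if got_auth != want_auth:
        findings.append(f"authority changes differ: shown {want_auth}, simulated {got_auth}")
    return not findings, findings


# Constructed scenario: a treasury controlled by a multisig paying a vendor.
TREASURY = Ledger(balances={"treasury": 1_000_000, "vendor": 0},
                  authority={"treasury": "multisig"})
SHOWN = DisplayedIntent(transfers={("treasury", "vendor"): 10_000})

# What the UI claims: a single 10,000-unit payment.
BENIGN = [Instruction("transfer", "treasury", "vendor", 10_000, signer="multisig")]

# A tampered payload: the same visible payment plus a hidden authority change.
# "attacker_key" is a constructed placeholder, not a real address.
HIJACK = [
    Instruction("transfer", "treasury", "vendor", 10_000, signer="multisig"),
    Instruction("set_authority", "treasury", "attacker_key", signer="multisig"),
]


def check_benign():
    return validate(TREASURY, BENIGN, SHOWN)


def check_hijack():
    return validate(TREASURY, HIJACK, SHOWN)


if __name__ == "__main__":
    for name, check in (("benign", check_benign), ("hijack", check_hijack)):
        ok, findings = check()
        print(name, "APPROVE" if ok else "BLOCK", findings)
```

The design point is that the comparison happens on effects, not on the rendered payload: a tampered transaction whose balance movements match the displayed payment still fails because the simulated authority change was never part of the shown intent, which is exactly the class of mismatch a compromised interface would hide.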

On developer tools as an attack surface, Lavid said the assumption has to change from the ground up.

“You have to assume the endpoint is compromised,” he told Decrypt, pointing to IDEs, code repositories, mobile apps, and signer environments as increasingly common entry points.

“If these foundational tools are vulnerable, anything shown to the user—including transactions—can be manipulated,” the expert said, noting this “fundamentally breaks traditional security assumptions,” leaving teams unable to trust “the interface, the device, or even the signing flow.”
