Drift says $270 million exploit was a six-month North Korean intelligence operation

The $270 million exploit in Drift Protocol followed a six-month intelligence operation conducted by a North Korean state-affiliated group, according to a detailed incident update released by the team early Sunday.

The attackers first made contact around the fall of 2025 at a major cryptocurrency conference, positioning themselves as a quantitative trading firm looking to integrate with Drift.

They are skilled, have verifiable professional backgrounds and understand how the protocol works, Drift said. A Telegram group was formed, followed by months of substantive conversations about trading strategies and vault integrations, which are standard interactions for how trading firms use DeFi protocols.

Between December 2025 and January 2026, the organization established the Ecosystem Vault on Drift, held multiple working meetings with contributors, deposited more than $1 million of its own funds, and established an effective operating structure within the ecosystem.

In February and March, Drift contributors met face-to-face with individuals from the organization at several major industry conferences in several countries. By the time the attack was launched on April 1, the relationship between the two parties was nearly six months old.

This compromise appears to have been achieved in two ways.

The second person downloaded a TestFlight app. TestFlight is Apple's platform for distributing pre-release apps, which bypass App Store security review, and the group showcased the app as its wallet product.

For the repository vector, Drift pointed to a known vulnerability in VSCode and Cursor, two of the most widely used code editors for software development, that the security community has been flagging since late 2025. Simply opening a file or folder in the editor is enough to silently execute arbitrary code without any prompts or warnings.
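The article does not say which editor feature turned "open a folder" into code execution. One well-known path is an editor task configured to run automatically on folder open (a `.vscode/tasks.json` entry with `runOptions.runOn` set to `folderOpen`), which is what this added defensive example assumes; it is not code from Drift's report. It scans a checked-out repository before it is opened in an editor and reports any task that would auto-run. The sample `tasks.json` embedded below is constructed for the demo.

```python
"""Pre-open scanner for editor tasks that execute automatically on folder open.

Added example, not from Drift's incident update.  Assumption: the auto-run
path is a VS Code style ``.vscode/tasks.json`` task with
``"runOptions": {"runOn": "folderOpen"}``; the article does not name the
mechanism.  Run this over a repository received from an outside party before
opening it in VS Code or Cursor.
"""
import json
import re
import tempfile
from pathlib import Path

# Constructed sample: one ordinary build task and one task that auto-runs.
SAMPLE_TASKS_JSON = r'''{
  // constructed sample, mimics a tasks.json shipped in a shared repository
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "make",
    },
    {
      "label": "setup",
      "type": "shell",
      "command": "sh",
      "args": ["./scripts/setup.sh"],
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}'''


def _strip_jsonc(text: str) -> str:
    """tasks.json is JSON-with-comments; drop block comments, whole-line //
    comments and trailing commas so the standard json module can parse it.
    Inline // comments after a value are deliberately left alone so that
    URLs such as http:// inside strings are not mangled."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return text


def find_folder_open_tasks(tasks_json_text: str) -> list[dict]:
    """Return every task whose runOptions.runOn is 'folderOpen'."""
    try:
        data = json.loads(_strip_jsonc(tasks_json_text))
    except json.JSONDecodeError:
        return []  # unparsable file: nothing the editor could auto-run either
    hits = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            hits.append({
                "label": task.get("label", "<unlabelled>"),
                "type": task.get("type"),
                "command": task.get("command"),
                "args": task.get("args", []),
            })
    return hits


def scan_repo(root) -> list[dict]:
    """Walk a repository tree and report each auto-run task, tagged with the
    path of the tasks.json that defines it (relative to the repository)."""
    root = Path(root)
    findings = []
    for tasks_file in root.rglob("tasks.json"):
        if tasks_file.parent.name != ".vscode":
            continue
        text = tasks_file.read_text(encoding="utf-8", errors="replace")
        for hit in find_folder_open_tasks(text):
            hit["file"] = str(tasks_file.relative_to(root))
            findings.append(hit)
    return findings


def demo() -> list[dict]:
    """Build a throwaway repository containing the constructed sample and
    scan it; returns the findings so they can be checked programmatically."""
    with tempfile.TemporaryDirectory() as tmp:
        vscode_dir = Path(tmp) / ".vscode"
        vscode_dir.mkdir()
        (vscode_dir / "tasks.json").write_text(SAMPLE_TASKS_JSON, encoding="utf-8")
        return scan_repo(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(f"AUTO-RUN TASK in {finding['file']}: "
              f"{finding['label']} -> {finding['command']} {finding['args']}")
```

A scan like this is a cheap gate, not a substitute for keeping Workspace Trust enabled and treating every machine that can sign for a multisig as a high-value host; it also only covers the one mechanism it assumes, so a clean result means "no auto-run task found", not "safe to open".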


Once the device was compromised, the attackers obtained the information needed to secure two multisig approvals, enabling the persistent nonce attack that CoinDesk detailed earlier this week. The pre-signed transactions had been dormant for more than a week before being executed on April 1, with $270 million drained from the protocol's coffers in less than a minute.

The attribution points to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet, based on on-chain fund flows traceable to Radiant Capital attackers and operational overlap with known North Korea-related figures.

However, those who attended the meetings in person were not North Korean nationals. Threat actors of North Korea's caliber are known to deploy third-party intermediaries whose identities, employment histories, and professional networks are fully constructed to withstand due diligence.

Drift urges other protocols to review access controls and treat every device exposed to multisig as a potential target. For an industry that relies on multi-signature governance as its primary security model, the broader implications are troubling.

But if an attacker is willing to spend six months and a million dollars to establish a legitimate presence within the ecosystem, meet with the team in person, contribute real capital, and wait, then the question is which security model is designed to catch that scenario.
