Drift Protocol, a decentralized exchange built on Solana, has disclosed that approximately $285 million was drained from its platform in what it describes as a structured six-month intelligence operation. The exchange attributed the attack with medium-high confidence to UNC4736, a North Korean state-affiliated threat group also tracked as AppleJeus or Citrine Sleet. The same group was previously linked by cybersecurity firm Mandiant to the 2024 hack of Radiant Capital. Incident responders SEAL 911 also pointed to North Korean-linked actors based on onchain fund flows and overlapping personas, though Mandiant has not yet confirmed attribution pending forensic analysis.
According to Drift’s detailed incident update, the attackers first made contact with protocol contributors at a major crypto conference last fall, presenting themselves as representatives of a quantitative trading firm seeking integration with the platform. Over the following months, the group cultivated trust through in-person meetings and coordination via Telegram. They went so far as to onboard an Ecosystem Vault on Drift and deposit $1 million of their own capital to appear legitimate. When the exploit was finally executed, the group vanished entirely, with chat histories and malware described as completely scrubbed.
Drift noted that the individuals who met contributors face-to-face were not North Korean nationals. The exchange explained that actors linked to the DPRK frequently use third-party intermediaries to conduct in-person engagement, allowing the core group to remain at a distance. The technical intrusion is believed to have involved a malicious code repository, a fake TestFlight app, and a vulnerability in VSCode or Cursor that allowed silent code execution without any user interaction.
A security researcher known as @tayvano_, credited by Drift with helping identify the malicious actors, suggested the exposure extends well beyond this single incident. In a public post, the researcher alleged that DPRK-linked developers had contributed to numerous decentralized finance protocols dating back to the early days of the DeFi boom. The claim implies that the infiltration of crypto infrastructure by state-affiliated actors may be far more widespread than previously understood.
Michael Pearl, VP of Strategy at blockchain security firm Cyvers, told Decrypt that crypto teams are now facing adversaries that function more like intelligence units than conventional hackers, and that most organizations are not structurally prepared for that level of threat. He drew a parallel between the Drift incident and the earlier Bybit hack, noting that in both cases signers were not compromised at the protocol level but were instead manipulated into approving malicious transactions. Pearl argued that the core problem is not the number of signers involved but a lack of understanding of what transactions actually do.
Pearl also cautioned that multisignature wallets, while an improvement over single-key control, now create a false sense of security. He described a paradox in which shared responsibility among signers reduces individual scrutiny, potentially making the overall system more vulnerable. His recommended solution is pre-transaction validation at the blockchain level, where transactions are independently simulated and verified before execution, regardless of what the user interface displays.
Another expert, identified as Lavid, told Decrypt that the fundamental assumption about endpoint security must change. He pointed to integrated development environments, code repositories, mobile applications, and signer environments as increasingly common attack surfaces. If these foundational tools are compromised, he warned, anything presented to a user — including transaction details — can be manipulated, which fundamentally undermines traditional security models and leaves teams unable to trust the interface, the device, or even the signing process itself.
Originally reported by Decrypt.
