Drift Protocol reveals that a North Korean state-linked group spent six months posing as a trading firm to execute a $285 million hack. Read about how the attackers managed to compromise the protocol without raising suspicion.
When Drift Protocol was drained of $285 million (approximately £225 million) on 1 April 2026, many assumed it was a sudden technical glitch. New details from the firm show instead that the attack was a meticulously planned operation that began with a simple handshake around six months earlier.
Building a Six-Month Fake Friendship
Preparation for the breach reportedly began in late 2025, when a group of individuals approached Drift staff at a “major crypto conference,” presenting themselves as a professional “quantitative trading firm” looking to work together, according to Drift’s investigation. These were not anonymous hackers hiding behind screens; they met Drift team members face-to-face at conferences in several different countries.
To build trust, the group went so far as to deposit $1 million of their own money into a Drift Ecosystem Vault between December 2025 and January 2026. This level of effort is rare, but it allowed the attackers to be seen as legitimate business partners rather than a threat.
The Infiltration Methods
While maintaining this professional relationship, the group quietly used social engineering to trick staff into compromising their own security. According to Drift’s official update on X.com, the hackers most likely gained access through one of three attack vectors:
First, one staff member was persuaded to download a mobile app via TestFlight, Apple’s platform for testing pre-release software, under the impression that it was a new digital wallet product. In another instance, a contributor was induced to clone a malicious code repository (a collection of files) presented as a tool for building a website for the group’s vault. In a third case, the hackers exploited a known vulnerability in VSCode and Cursor, two common editors developers use to write code.
Between late 2025 and early 2026, simply opening a folder provided by the group in one of these editors was enough to let the hackers silently execute arbitrary code and hijack the computer without any warning or prompt. After compromising these devices, the attackers gathered the multisig approvals needed to control the protocol. On 1 April, they used a method known as a durable nonce attack to bypass the protocol’s safeguards and empty the vaults in under a minute.
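The “opening a folder is enough” vector above is the one a developer can partly defend against before the editor ever loads the project. The following scanner is an added example, not Drift’s tooling and not part of the incident report: it inspects a cloned folder’s `.vscode` directory for configuration that can start commands automatically. The `"runOptions": {"runOn": "folderOpen"}` task option is a real VS Code feature; the settings check (keys ending in `path` that point into the repository itself) is a heuristic chosen for this example, and the sample repository it builds on disk is constructed data.

```python
"""Scan an untrusted folder for editor auto-execution hooks before opening it.

Added example (not Drift's code, not from the incident report). The sample
repository written by build_sample_repo() is constructed for the demo.
"""
import json
import os
import re
import tempfile

FOLDER_OPEN_RE = re.compile(r'"runOn"\s*:\s*"folderOpen"')


def load_jsonc(path):
    """Parse JSON-with-comments as used by .vscode/*.json; None if it fails."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)      # block comments
    text = re.sub(r"^\s*//[^\n]*$", "", text, flags=re.M)  # full-line comments
    text = re.sub(r",(\s*[}\]])", r"\1", text)             # trailing commas
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None


def scan_tasks(path):
    """Flag tasks configured to run as soon as the folder is opened."""
    findings = []
    doc = load_jsonc(path)
    if doc is None:
        # Parsing failed: fall back to a textual match so nothing is missed.
        with open(path, encoding="utf-8", errors="replace") as fh:
            if FOLDER_OPEN_RE.search(fh.read()):
                findings.append(f"{path}: unparseable, but contains runOn=folderOpen")
        return findings
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            findings.append(
                f"{path}: task {task.get('label', '?')!r} auto-runs on folder open: "
                f"{task.get('command', '')!r} {task.get('args', [])!r}"
            )
    return findings


def scan_settings(path, root):
    """Heuristic (this example's own): settings that point a tool path into the repo."""
    findings = []
    doc = load_jsonc(path)
    if not isinstance(doc, dict):
        return findings
    for key, value in doc.items():
        if not isinstance(value, str) or not key.lower().endswith("path"):
            continue
        if "${workspaceFolder}" in value or os.path.exists(os.path.join(root, value)):
            findings.append(f"{path}: {key} points into the workspace: {value!r}")
    return findings


def scan_workspace(root):
    """Return a list of findings for the .vscode directory under root."""
    vscode = os.path.join(root, ".vscode")
    findings = []
    tasks = os.path.join(vscode, "tasks.json")
    if os.path.isfile(tasks):
        findings += scan_tasks(tasks)
    settings = os.path.join(vscode, "settings.json")
    if os.path.isfile(settings):
        findings += scan_settings(settings, root)
    return findings


def build_sample_repo(malicious=True):
    """Construct a throwaway repository on disk (sample data for this example)."""
    root = tempfile.mkdtemp(prefix="ws-scan-")
    os.makedirs(os.path.join(root, ".vscode"))
    if malicious:
        with open(os.path.join(root, ".vscode", "tasks.json"), "w") as fh:
            fh.write('{\n  // "vault website build tool"\n  "version": "2.0.0",\n'
                     '  "tasks": [{"label": "build", "type": "shell",\n'
                     '    "command": "node", "args": ["./setup.js"],\n'
                     '    "runOptions": {"runOn": "folderOpen"},}]\n}')
        os.makedirs(os.path.join(root, "tools"))
        open(os.path.join(root, "tools", "python"), "w").close()
        with open(os.path.join(root, ".vscode", "settings.json"), "w") as fh:
            json.dump({"python.defaultInterpreterPath": "tools/python"}, fh)
    else:
        with open(os.path.join(root, ".vscode", "settings.json"), "w") as fh:
            json.dump({"editor.tabSize": 2}, fh)
    return root


if __name__ == "__main__":
    for line in scan_workspace(build_sample_repo()):
        print(line)
```

Run it against any freshly cloned directory (`scan_workspace("/path/to/clone")`) before opening that directory in an editor; an empty result does not prove the folder is safe, since the page describes an editor vulnerability that needed no such configuration, but a non-empty result is a reason to stop and ask why a “website tool” wants to run something on open.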
The Link to North Korea
While the individuals met in person were likely third-party intermediaries, security experts at Mandiant and the SEALS 911 team have linked the attack to the North Korean hacking group UNC4736 (aka AppleJeus or Citrine Sleet). According to their research, the fund flows used to stage this operation were traced back to a previous hack of Radiant Capital in October 2024.
Drift has since frozen all protocol functions and removed the compromised wallets from the system. The team thanked experts including @tayvano_, @tanuki42_, @pcaversaccio, and @bax1337 for their help in identifying the attackers. The incident is striking because it shows that even a face-to-face business relationship can no longer be taken as proof of legitimacy.
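The durable nonce step in the infiltration section is worth a closer look from the signer’s side, because it is detectable at signing time. On Solana, a transaction that uses a durable nonce does not expire with a recent blockhash, so a signature collected from a compromised machine can be broadcast later at a moment of the holder’s choosing; by protocol rule, such a transaction’s first instruction must be the System Program’s AdvanceNonceAccount. The parser below is an added example, not Drift’s code or any part of the incident report. It follows the legacy message layout, the two sample messages it builds are constructed for the demonstration, and the signing policy (`signing_verdict`) is this example’s own suggestion of what a multisig co-signer could enforce.

```python
"""Pre-signing check for Solana durable-nonce transactions.

Added example; not Drift's code and not from the incident report. Sample keys
and messages below are constructed for the demo.
"""
import struct

SYSTEM_PROGRAM_ID = bytes(32)      # base58 "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4          # SystemInstruction enum index
TRANSFER = 2


def encode_compact_u16(n):
    """Solana's compact-u16: 7 bits per byte, high bit means more bytes follow."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def decode_compact_u16(buf, pos):
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def parse_message(buf):
    """Parse a legacy message into (keys, blockhash, [(program, accounts, data)])."""
    pos = 3                                      # header: three u8 signer/readonly counts
    n_keys, pos = decode_compact_u16(buf, pos)
    keys = [bytes(buf[pos + 32 * i: pos + 32 * (i + 1)]) for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash = bytes(buf[pos:pos + 32])         # for durable nonces: the stored nonce
    pos += 32
    n_ix, pos = decode_compact_u16(buf, pos)
    instructions = []
    for _ in range(n_ix):
        program = keys[buf[pos]]
        pos += 1
        n_acc, pos = decode_compact_u16(buf, pos)
        accounts = list(buf[pos:pos + n_acc])
        pos += n_acc
        n_data, pos = decode_compact_u16(buf, pos)
        data = bytes(buf[pos:pos + n_data])
        pos += n_data
        instructions.append((program, accounts, data))
    if pos != len(buf):
        raise ValueError("trailing bytes after message")
    return keys, blockhash, instructions


def is_durable_nonce(buf):
    """True if the first instruction is System::AdvanceNonceAccount."""
    _, _, instructions = parse_message(buf)
    if not instructions:
        return False
    program, _, data = instructions[0]
    return (program == SYSTEM_PROGRAM_ID and len(data) >= 4
            and struct.unpack_from("<I", data)[0] == ADVANCE_NONCE_ACCOUNT)


def signing_verdict(buf, durable_expected=False):
    """Policy hook for a signer: refuse durable-nonce messages unless expected."""
    if is_durable_nonce(buf) and not durable_expected:
        return "REJECT: durable nonce message; signature would not expire"
    return "OK"


def build_message(header, keys, blockhash, instructions):
    """Serialise a legacy message; instructions are (program_idx, [acct_idx], data)."""
    out = bytearray(header) + encode_compact_u16(len(keys)) + b"".join(keys) + blockhash
    out += encode_compact_u16(len(instructions))
    for prog_idx, accts, data in instructions:
        out += bytes([prog_idx]) + encode_compact_u16(len(accts)) + bytes(accts)
        out += encode_compact_u16(len(data)) + data
    return bytes(out)


# Constructed sample keys (not real addresses).
PAYER, NONCE_ACCOUNT, RECIPIENT, SYSVAR_RECENT_BLOCKHASHES = (bytes([i]) * 32 for i in (1, 2, 3, 4))
TRANSFER_DATA = struct.pack("<IQ", TRANSFER, 1_000_000)   # 0.001 SOL in lamports


def plain_transfer_sample():
    """Ordinary transfer: 1 signer, 1 read-only unsigned key (the System Program)."""
    keys = [PAYER, RECIPIENT, SYSTEM_PROGRAM_ID]
    return build_message(bytes([1, 0, 1]), keys, bytes([9]) * 32,
                         [(2, [0, 1], TRANSFER_DATA)])


def durable_nonce_sample():
    """Same transfer preceded by AdvanceNonceAccount(nonce, sysvar, authority)."""
    keys = [PAYER, NONCE_ACCOUNT, RECIPIENT, SYSVAR_RECENT_BLOCKHASHES, SYSTEM_PROGRAM_ID]
    advance = (4, [1, 3, 0], struct.pack("<I", ADVANCE_NONCE_ACCOUNT))
    return build_message(bytes([1, 0, 2]), keys, bytes([7]) * 32,
                         [advance, (4, [0, 2], TRANSFER_DATA)])


if __name__ == "__main__":
    print(signing_verdict(plain_transfer_sample()))
    print(signing_verdict(durable_nonce_sample()))
```

The point of `durable_expected` is that durable nonces have legitimate uses (offline signing, delayed settlement), so the check is a policy gate rather than a blanket ban: a co-signer that sees AdvanceNonceAccount in a message nobody flagged as an offline-signing workflow has a concrete reason to halt and re-verify the request out of band.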
The latest cyberattack attributed to North Korean hackers came just days after another North Korean-linked group, UNC1069, was named in a large-scale campaign using fake LinkedIn and Slack profiles to target Node.js maintainers.
The increasing activity of North Korean government-backed hackers shows a well-planned and sophisticated strategy targeting the crypto, blockchain, and software development sectors. Therefore, companies need to train their employees not only to recognize phishing attempts but also to identify social engineering scams.