Drift Protocol, a decentralized derivatives exchange operating on Solana, suspended all activities on April 1, 2026, after uncovering a sophisticated attack orchestrated over several months. Forensic investigations have pointed to the involvement of a North Korean state-backed cyber group, marking one of the most structured infiltration efforts ever seen in decentralized finance. Established in 2021, Drift is known for providing leverage trading and innovative liquidity solutions, positioning it as a key player in the expanding Solana DeFi ecosystem.
A coordinated social engineering effort
The breach traces back to autumn 2025, when Drift contributors were initially contacted at a major international crypto event. The individuals presented themselves as representatives of a quantitative trading firm seeking collaboration for an institutional vault integration with Drift.
Team members reported that the attackers maintained a convincing and technically proficient presence, meeting contributors in person at a series of industry conferences across several countries over a six-month period.
Early on, a dedicated Telegram group was created to continue discussions on product features and integration strategies. Over the following months, the group consistently participated in remote working sessions and detailed conversations about trading infrastructure.
In December 2025, the attackers managed to onboard an Ecosystem Vault within Drift Protocol, depositing over $1 million in capital and deepening engagement with the core team. They continued to contribute input and resources throughout early 2026, heightening their perceived trustworthiness.
Drift’s internal review later revealed that the individuals responsible had constructed elaborate identities, complete with verifiable professional backgrounds, employment histories, and social media activity to reinforce their legitimacy.
Product discussions continued through March 2026, allowing the attackers to build credibility and routine contact with key contributors, which laid the groundwork for the exploit.
Technical attack vectors and attribution
After discovering the exploit on April 1, the team began collaboration with digital forensics firms, including Mandiant, to investigate device logs and digital traces. The review identified three primary attack vectors enabling unauthorized code execution on contributor devices.
One vector involved malicious code in a repository shared under the guise of vault frontend development, designed to silently execute arbitrary code immediately upon opening with editors such as VSCode or Cursor. Another vector centered on persuading a contributor to install a TestFlight app claimed to function as a custom wallet product.
Investigations revealed that no warning prompts, permissions, or visible indicators alerted users to the presence of malware during these attacks. The perpetrators deleted all related Telegram messages and software artifacts immediately after initiating the exploit.
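An added defensive check, not code from Drift or the forensics firms: before opening a repository received from an outside party, list any VS Code / Cursor workspace tasks configured to start as soon as the folder is opened. It assumes the documented tasks.json `"runOn": "folderOpen"` option is the mechanism at play (the article does not say which one the attackers used), and the tasks.json it scans is a constructed sample.

```python
"""Pre-open check: list VS Code / Cursor tasks that auto-run on folder open.
Added example, not code from Drift or its investigators. Assumes the documented
tasks.json "runOn": "folderOpen" option; the article does not name the mechanism."""
import json
import re
import tempfile
from pathlib import Path

SAMPLE_TASKS = """{
    // constructed sample: looks like an ordinary dev setup task
    "version": "2.0.0",
    "tasks": [
        {"label": "lint", "type": "shell", "command": "npm run lint"},
        {"label": "setup", "type": "shell", "command": "./scripts/setup.sh",
         "presentation": {"reveal": "silent"},
         "runOptions": {"runOn": "folderOpen"},},
    ],
}"""

def load_jsonc(text: str) -> dict:
    """tasks.json is JSON with comments and trailing commas; strip both before parsing."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)        # block comments
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)         # whole-line comments
    text = re.sub(r",\s*([}\]])", r"\1", text)                # trailing commas
    return json.loads(text)

def auto_run_tasks(repo: Path) -> list:
    """Return (label, command) for every task that starts automatically on folder open."""
    findings = []
    for tasks_file in repo.rglob("tasks.json"):
        if tasks_file.parent.name != ".vscode":
            continue
        try:
            data = load_jsonc(tasks_file.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed: not auto-run, but worth a manual look
        for task in data.get("tasks", []):
            if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
                findings.append((task.get("label", "<unnamed>"), task.get("command", "")))
    return findings

def demo() -> list:
    """Write the constructed sample into a temporary repo and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        vscode = Path(tmp) / "vault-frontend" / ".vscode"
        vscode.mkdir(parents=True)
        (vscode / "tasks.json").write_text(SAMPLE_TASKS, encoding="utf-8")
        return auto_run_tasks(Path(tmp))
```

Run `auto_run_tasks(Path("/path/to/cloned/repo"))` before opening the folder in the editor; a non-empty result means the workspace will try to execute something on open, which is a good reason to keep workspace trust enabled and to read the task first.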
The SEAL911 incident response team attributed the campaign, with medium-high confidence, to UNC4736—a North Korean state-affiliated cyber group also tracked under the names AppleJeus or Citrine Sleet, noted for prior DeFi and wallet infrastructure operations.
Connections have emerged between this campaign and past incidents, such as the October 2024 Radiant Capital breach. To obscure their involvement, threat actors reportedly engaged third-party intermediaries for in-person meetings with protocol contributors, rather than sending DPRK nationals directly.
Drift Protocol has urged other projects to reassess access controls, thoroughly vet all software dependencies, and remain vigilant against well-orchestrated social engineering attempts targeting the decentralized finance sector.