TLDR
- North Korean state-sponsored hackers impersonated a quantitative trading company and cultivated relationships within Drift Protocol for half a year before executing a $270 million theft on April 1.
- The perpetrators attended industry conferences in multiple nations, meeting team members face-to-face and investing more than $1 million in actual funds to establish legitimacy.
- Team members' devices were compromised through a malicious TestFlight application and through exploitation of a documented VSCode/Cursor vulnerability.
- Security researchers trace the operation to UNC4736, alternatively identified as AppleJeus or Citrine Sleet, with connections to North Korean state activities.
- Legal experts suggest potential civil liability, while class action lawsuit advertisements have emerged targeting the protocol.
On April 1, Drift Protocol suffered a devastating $270 million security breach following an elaborate six-month infiltration campaign orchestrated by hackers with ties to North Korea.
The operation began during the fall of 2025 at a prominent cryptocurrency industry event. The threat actors presented themselves as representatives of a quantitative trading operation, arriving well-prepared with strong technical expertise, verifiable professional credentials, and comprehensive knowledge of Drift’s infrastructure.
Communication channels were established via Telegram, initiating months of ongoing dialogue. Discussions centered on typical collaboration topics between trading entities and decentralized finance platforms: vault integration protocols, trading methodologies, and operational frameworks.
During the December 2025 to January 2026 period, the organization officially established an Ecosystem Vault within Drift. They conducted numerous collaborative sessions with platform contributors and transferred over $1 million of authentic capital to demonstrate their credibility.
Drift contributors encountered representatives from this organization in person at industry gatherings across several jurisdictions throughout February and March 2026. When the attack occurred on April 1, the professional relationship had spanned nearly half a year.
How the Devices Were Compromised
The compromise relied on two distinct initial-access vectors. First, a team member installed a TestFlight build that the attackers pitched as their proprietary wallet. TestFlight is Apple's beta distribution channel, and builds shipped through it do not go through the same App Store review and controls as a production release, so the installer was effectively trusting the attackers' word that the app was benign.
Second, the attackers exploited a publicly documented vulnerability in VSCode and Cursor, both widely used code editors. The flaw allowed code to execute merely by opening a file in the editor, with no prompt or warning shown to the user.
Once the devices were compromised, the attackers harvested the credentials needed to obtain two multisignature approvals. The approved transactions then sat dormant for more than a week before being executed on April 1, draining roughly $270 million in about sixty seconds.
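The week-long gap between approval and execution is the detail a practitioner should take away: a transaction that has collected enough signatures but has not been executed is a loaded weapon, and the signers' operational process should surface it. The following is an added example, not Drift's or any multisig vendor's code, of the kind of monitor that would flag approved-but-unexecuted proposals older than a chosen age. It assumes you have already fetched proposals from your multisig into plain records; the field names (`threshold`, `approvals`, `executed`) are hypothetical and must be mapped to whatever your multisig program actually exposes, and the sample data is constructed for illustration.

```python
"""Stale multisig proposal monitor (added example, not from the original article).

Assumption: proposals have already been pulled from the multisig program into
the hypothetical Proposal shape below. Field names are illustrative, not the
API of any real multisig product.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Proposal:
    id: str
    threshold: int          # signatures required to execute
    approvals: list         # list of (signer, approved_at) tuples
    executed: bool

    def reached_threshold(self) -> bool:
        return len(self.approvals) >= self.threshold

    def last_approval_at(self) -> datetime:
        # The moment the proposal became executable by anyone holding it.
        return max(t for _, t in self.approvals)


def stale_approved(proposals, now, max_age=timedelta(hours=24)):
    """Return [(proposal, age)] for proposals that are fully approved, not yet
    executed, and have been sitting in that state longer than max_age.

    A proposal in this state can be executed at any time by whoever triggers
    it; it should either be executed promptly or have its approvals revoked.
    """
    flagged = []
    for p in proposals:
        if p.executed or not p.reached_threshold():
            continue
        age = now - p.last_approval_at()
        if age > max_age:
            flagged.append((p, age))
    return flagged


def format_alerts(flagged) -> list:
    """Human-readable lines for an on-call channel."""
    return [
        f"ALERT proposal {p.id}: approved {age.days}d {age.seconds // 3600}h ago, "
        f"not executed ({len(p.approvals)}/{p.threshold} signatures) - execute or revoke"
        for p, age in flagged
    ]


# Constructed sample data: "now" is the morning of the April 1 drain.
NOW = datetime(2026, 4, 1, 9, 0, tzinfo=timezone.utc)
_d = lambda day: datetime(2026, 3, day, 9, 0, tzinfo=timezone.utc)

SAMPLE = [
    # Fully approved nine days ago, never executed: exactly the pattern to catch.
    Proposal("prop-A", 2, [("signer-1", _d(22)), ("signer-2", _d(23))], executed=False),
    # Approved and executed the same day: routine, nothing to flag.
    Proposal("prop-B", 2, [("signer-1", _d(31)), ("signer-3", _d(31))], executed=True),
    # Only one of two signatures: still pending, not executable, not flagged here.
    Proposal("prop-C", 2, [("signer-2", _d(30))], executed=False),
]


if __name__ == "__main__":
    for line in format_alerts(stale_approved(SAMPLE, NOW)):
        print(line)
```

Pick `max_age` to match how quickly your operators normally execute after the last signature; anything longer than that window deserves a human looking at it, and a proposal nobody on the team remembers approving deserves revocation, not execution.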
Cybersecurity analysts have linked the incident to UNC4736, also designated as AppleJeus or Citrine Sleet. Blockchain transaction analysis connected the stolen funds to the Radiant Capital security incident from October 2024, which authorities also attributed to North Korean operatives. The individuals who attended conferences in person were not North Korean citizens — intelligence indicates DPRK-affiliated organizations frequently employ third-party representatives with carefully constructed false identities.
Legal Fallout and Security Criticism
Cryptocurrency legal specialist Ariel Givner indicated the breach may represent actionable civil negligence. She noted that fundamental security measures — including maintaining signing credentials on offline air-gapped hardware and conducting thorough background verification of developers encountered at industry events — were apparently not implemented.
“Every serious project knows this. Drift didn’t follow it,” Givner said. Advertisements for class action lawsuits against Drift are already circulating.
Drift representatives stated they possess “medium-high confidence” that identical threat actors executed the October 2024 Radiant Capital compromise, where malicious software was distributed through Telegram by someone impersonating a former contractor.