Drift says $270 million exploit was a six-month North Korean intelligence operation


A six-month intelligence operation preceded the $270 million exploit of Drift Protocol and was carried out by a North Korean state-affiliated group, according to a detailed incident update published by the team earlier on Sunday.

The attackers first made contact around fall 2025 at a major crypto conference, presenting themselves as a quantitative trading firm looking to integrate with Drift.

They were technically fluent, had verifiable professional backgrounds, and understood how the protocol operated, Drift said. A Telegram group was established and what followed were months of substantive conversations around trading strategies and vault integrations, interactions that are standard for how trading firms onboard with DeFi protocols.

Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift, held multiple working sessions with contributors, deposited over $1 million of their own capital, and built a functioning operational presence inside the ecosystem.

Drift contributors met individuals from the group face to face at multiple major industry conferences across several countries through February and March. By the time the attack launched on April 1, the relationship was nearly half a year old.

The compromise appears to have come through two vectors.

A second downloaded an application, which the group presented as their wallet product, through TestFlight, Apple’s platform for distributing pre-release apps that bypasses App Store security review.

For the repository vector, Drift pointed to a known vulnerability in VSCode and Cursor, two of the most widely used code editors in software development, that the security community had been flagging since late 2025, where simply opening a file or folder in the editor was sufficient to silently execute arbitrary code with no prompt or warning of any kind.

Once devices were compromised, the attackers had what they needed to obtain the two multisig approvals that enabled the durable nonce attack CoinDesk detailed earlier this week. Those pre-signed transactions sat dormant for more than a week before being executed on April 1, draining $270 million from the protocol’s vaults in under a minute.
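A signer-side check for the durable-nonce property described above, as an added example (not code from Drift or CoinDesk). On Solana, a durable-nonce transaction begins with a System Program `advanceNonce` instruction and stays valid until that nonce is advanced, which is why a pre-signed approval can sit dormant for days. The sketch assumes the transaction object is already decoded in the `jsonParsed` shape used by Solana's JSON-RPC; the function names and all sample keys are constructed for illustration.

```python
SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"  # Solana System Program

def durable_nonce_info(tx):
    """Return nonce details if tx is a durable-nonce transaction, else None."""
    instructions = tx.get("message", {}).get("instructions", [])
    if not instructions:
        return None
    first = instructions[0]  # advanceNonce must be the first instruction
    parsed = first.get("parsed")
    if first.get("programId") != SYSTEM_PROGRAM_ID or not isinstance(parsed, dict):
        return None
    if parsed.get("type") != "advanceNonce":
        return None
    info = parsed.get("info", {})
    return {"nonce_account": info.get("nonceAccount"),
            "nonce_authority": info.get("nonceAuthority")}

def signing_findings(tx, team_keys):
    """List reasons a multisig signer should stop and ask before approving tx."""
    nonce = durable_nonce_info(tx)
    if nonce is None:
        return []
    findings = ["durable nonce: signature does not expire with the blockhash"]
    if nonce["nonce_authority"] not in team_keys:
        findings.append("nonce authority is outside the team: "
                        "signers cannot invalidate this transaction by advancing the nonce")
    return findings

# Constructed samples; the key strings are placeholders, not real addresses.
DURABLE_TX = {"message": {"instructions": [
    {"programId": SYSTEM_PROGRAM_ID, "program": "system",
     "parsed": {"type": "advanceNonce",
                "info": {"nonceAccount": "NONCE_ACCOUNT_PLACEHOLDER",
                         "nonceAuthority": "EXTERNAL_KEY_PLACEHOLDER"}}},
    {"programId": "MULTISIG_PROGRAM_PLACEHOLDER", "accounts": [], "data": ""},
]}}
NORMAL_TX = {"message": {"instructions": [
    {"programId": "MULTISIG_PROGRAM_PLACEHOLDER", "accounts": [], "data": ""},
]}}

if __name__ == "__main__":
    for name, tx in (("durable", DURABLE_TX), ("normal", NORMAL_TX)):
        print(name, signing_findings(tx, team_keys={"TEAM_KEY_PLACEHOLDER"}))
```

A check like this belongs in whatever tool displays a transaction to a signer before approval, so the non-expiring property is visible at signing time rather than discovered after execution.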

The attribution points to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet, based on both on-chain fund flows tracing back to the Radiant Capital attackers and operational overlap with known DPRK-linked personas.

The individuals who appeared in person at conferences were not North Korean nationals, however. DPRK threat actors at this level are known to deploy third-party intermediaries with fully constructed identities, employment histories, and professional networks built to withstand due diligence.

Drift urged other protocols to audit access controls and treat every device touching a multisig as a potential target. The broader implication is uncomfortable for an industry that relies on multisig governance as its primary security model.

But if attackers are willing to spend six months and a million dollars building a legitimate presence inside an ecosystem, meet teams in person, contribute real capital, and wait, the question is what security model is designed to catch that.

