North Korea's $270M Crypto Heist: A 6-Month Undercover Operation Inside Drift Protocol

On April 1, 2026, Drift Protocol lost $270 million in under sixty seconds. But the real story starts six months earlier, when a group of technically fluent, professionally credentialed strangers introduced themselves as a quantitative trading firm interested in integrating with the protocol.
According to a detailed post-mortem published by Drift, what followed was one of the most sophisticated long-con operations ever executed against a DeFi protocol — and a warning that the multisig security model the industry has relied on for years may not be designed to stop this kind of attack.
The Long Con: Six Months of Trust-Building
The attackers first made contact in fall 2025. They were technically fluent, understood how Drift operated, and had verifiable professional backgrounds. Over the following months, they joined working sessions with Drift contributors, held detailed conversations about trading strategies and vault integrations, and built what looked like a legitimate operating presence inside the ecosystem.
Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift, deposited over $1 million of their own capital, and continued deepening their relationship with the team. By February and March, Drift contributors had met individuals from the group face-to-face at multiple major industry conferences across several countries.
By the time the attack launched on April 1, the relationship was nearly half a year old. This was not a smash-and-grab. This was a professional infiltration.
How They Got In — The Technical Exploit
The compromise came through two vectors, both aimed at the devices of people who held multisig signing keys:
- Malicious TestFlight app: The attackers distributed a wallet application through Apple's TestFlight platform, Apple's channel for pre-release builds, which do not go through the full App Store review that a published app does. A Drift contributor downloaded and installed it.
- VSCode/Cursor vulnerability: The attackers leveraged a known but widely unpatched vulnerability in VSCode and Cursor, two of the most popular code editors in software development. According to the post-mortem, simply opening a file or folder in an affected editor was enough to silently execute arbitrary code, with no prompt or warning of any kind. The post-mortem does not name the specific flaw beyond that description.
Once those devices were compromised, the attackers had what they needed: the two multisig approvals required to authorize large withdrawals, captured as pre-signed transactions that could be submitted later.
The April 1st Attack: $270M Drained in Under a Minute
The pre-signed transactions sat dormant for more than a week after the multisig approvals were obtained. Then on April 1, the attackers executed what Drift describes as a "durable nonce attack." Drift runs on Solana, where a normal transaction expires within minutes once the recent blockhash it references ages out; a transaction built on a durable nonce account instead stays valid until that nonce is advanced, which is what let transactions signed a week earlier still land. In under sixty seconds, $270 million was drained from the protocol's vaults.
The timing — April Fools' Day — may or may not have been deliberate. Either way, the effect was devastating.
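To make the mechanism concrete, here is an added example (it is not code from Drift's post-mortem or from the Drift codebase) that models the validity rule a Solana validator applies to a transaction's recent_blockhash field and shows why a durable-nonce transaction survives a week of waiting while an ordinary one does not. It also shows the defensive response: the nonce authority advancing the nonce, which voids everything pre-signed against the old value. Assumptions: a simplified in-memory transaction model rather than the wire format; the System Program id, the RecentBlockhashes sysvar address and the AdvanceNonceAccount discriminator (enum index 4, u32 little-endian) are the real Solana values, but the 150-slot expiry is an approximation; the withdraw program id, account keys, hashes and slot numbers are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass

# Real Solana constants: System Program id, RecentBlockhashes sysvar, and the bincode
# discriminator of SystemInstruction::AdvanceNonceAccount (enum index 4 as u32 LE).
SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
RECENT_BLOCKHASHES_SYSVAR = "SysvarRecentB1ockHashes11111111111111111111"
ADVANCE_NONCE_DATA = (4).to_bytes(4, "little")
# Approximation: validators accept an ordinary transaction only while its recent
# blockhash is among roughly the last 150 blocks (a minute or two of wall time).
MAX_BLOCKHASH_AGE_SLOTS = 150


@dataclass(frozen=True)
class Instruction:
    program_id: str
    accounts: tuple   # pubkeys in Solana account-meta order
    data: bytes


@dataclass(frozen=True)
class Message:
    recent_blockhash: str   # for a durable-nonce tx this is the nonce account's stored value
    instructions: tuple
    signers: tuple


def is_durable_nonce_tx(msg: Message) -> bool:
    """A durable-nonce transaction must begin with AdvanceNonceAccount from the System Program."""
    if not msg.instructions:
        return False
    first = msg.instructions[0]
    return first.program_id == SYSTEM_PROGRAM_ID and first.data == ADVANCE_NONCE_DATA


def nonce_account_of(msg: Message):
    """The nonce account is the first account of the AdvanceNonceAccount instruction."""
    return msg.instructions[0].accounts[0] if is_durable_nonce_tx(msg) else None


def advance_nonce_ix(nonce_account: str, authority: str) -> Instruction:
    """Instruction the nonce authority signs to rotate the stored nonce. Submitting it is
    the defensive move that invalidates every transaction pre-signed against the old value."""
    return Instruction(SYSTEM_PROGRAM_ID,
                       (nonce_account, RECENT_BLOCKHASHES_SYSVAR, authority),
                       ADVANCE_NONCE_DATA)


class ToyLedger:
    """Stand-in for the on-chain state a validator consults: the stored nonce of each
    nonce account, and the slot in which each blockhash was produced (constructed)."""
    def __init__(self, stored_nonces: dict, blockhash_slots: dict):
        self.stored = dict(stored_nonces)
        self.blockhash_slots = dict(blockhash_slots)

    def advance(self, nonce_account: str) -> None:
        # On chain the new value derives from a recent blockhash; a hash chain suffices here.
        self.stored[nonce_account] = hashlib.sha256(
            self.stored[nonce_account].encode()).hexdigest()[:44]


def would_execute(msg: Message, ledger: ToyLedger, current_slot: int) -> bool:
    """Validity rule for recent_blockhash: durable nonce must match the stored value,
    otherwise the blockhash must still be recent."""
    if is_durable_nonce_tx(msg):
        return ledger.stored.get(nonce_account_of(msg)) == msg.recent_blockhash
    slot = ledger.blockhash_slots.get(msg.recent_blockhash)
    return slot is not None and current_slot - slot <= MAX_BLOCKHASH_AGE_SLOTS


def review(msg: Message, ledger: ToyLedger, current_slot: int) -> str:
    """Signer-side warning: what does approving this message commit the signer to?"""
    if is_durable_nonce_tx(msg):
        return (f"DURABLE NONCE via {nonce_account_of(msg)}: valid until that nonce is "
                f"advanced, however long that takes")
    if not would_execute(msg, ledger, current_slot):
        return "EXPIRED: recent blockhash is no longer accepted"
    age = current_slot - ledger.blockhash_slots[msg.recent_blockhash]
    return f"short-lived: expires in about {MAX_BLOCKHASH_AGE_SLOTS - age} slots"


# Constructed sample, not chain data. Program id, keys and hashes are placeholders.
WITHDRAW_PROGRAM = "ExampleWithdrawProgram1111111111111111111111"   # hypothetical
NONCE_ACCOUNT = "NonceAcct111111111111111111111111111111111111"
NONCE_AUTHORITY = "NonceAuth111111111111111111111111111111111111"
STORED_NONCE = "Hash0000000000000000000000000000000000000000"
RECENT_HASH = "HashSlot100000000000000000000000000000000000"

withdraw = Instruction(WITHDRAW_PROGRAM, ("VaultPlaceholder", "RecipientPlaceholder"), b"\x01")
presigned_durable = Message(STORED_NONCE,
                            (advance_nonce_ix(NONCE_ACCOUNT, NONCE_AUTHORITY), withdraw),
                            ("Signer1", "Signer2"))
presigned_plain = Message(RECENT_HASH, (withdraw,), ("Signer1", "Signer2"))


def demo() -> dict:
    """Compare both pre-signed messages shortly after signing and about a week later
    (Solana slots are ~400 ms, so a week is on the order of 1.5M slots)."""
    ledger = ToyLedger({NONCE_ACCOUNT: STORED_NONCE}, {RECENT_HASH: 100})
    results = {
        "plain_soon": would_execute(presigned_plain, ledger, 200),
        "plain_week_later": would_execute(presigned_plain, ledger, 1_500_000),
        "durable_week_later": would_execute(presigned_durable, ledger, 1_500_000),
    }
    ledger.advance(NONCE_ACCOUNT)   # nonce authority rotates the nonce in response
    results["durable_after_advance"] = would_execute(presigned_durable, ledger, 1_500_000)
    return results


if __name__ == "__main__":
    ledger = ToyLedger({NONCE_ACCOUNT: STORED_NONCE}, {RECENT_HASH: 100})
    for m in (presigned_durable, presigned_plain):
        print(review(m, ledger, 200))
    print(demo())
```

The check in `review` is the one a multisig signer's tooling could surface before a signature is produced: an AdvanceNonceAccount instruction at position zero means the approval has no expiry, so it should be treated as a standing authorization rather than a one-off. The `advance` call is the containment step once such a signature is suspected to have leaked: rotating the nonce makes the stale pre-signed transactions fail, without touching the multisig itself.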
Who Is UNC4736?
Investigators attributed the attack to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet. The attribution is based on on-chain fund flows tracing back to the Radiant Capital attackers and operational overlap with known DPRK-linked personas.
Critically, the individuals who met Drift contributors in person at conferences were not North Korean nationals. DPRK threat actors at this level deploy third-party intermediaries with fully constructed identities, employment histories, and professional networks built to withstand due diligence. This is a known DPRK operational pattern — they have been running this playbook against the crypto industry for years, but the Drift operation represents a significant escalation in scale and patience.
What This Means for DeFi Security
Drift's post-mortem pulls no punches on the implications: "If attackers are willing to spend six months and a million dollars building a legitimate presence inside an ecosystem, meet teams in person, contribute real capital, and wait — the question is what security model is designed to catch that."
The uncomfortable answer is: probably none of the current ones. Multisig governance, long considered DeFi's gold standard for preventing unauthorized fund movements, failed here not because the cryptography was broken, but because the humans holding the keys were methodically socially engineered over months. A threshold of signatures is only as strong as the devices those signatures are produced on, and a signature captured in advance is no different to the chain from one given at the moment of withdrawal.
Drift's recommendations for the industry:
- Audit access controls and treat every device touching a multisig as a potential target
- Patch VSCode/Cursor immediately — the vulnerability that enabled this attack has been publicly known since late 2025
- Treat TestFlight app requests from business partners with extreme skepticism
- Assume that any group that has been building a relationship over months could be a threat actor
The Bottom Line
The $270M Drift hack is not primarily a story about a technical vulnerability. It is a story about patience, professionalism, and the limits of trust. North Korea's crypto operations have stolen more than $3 billion from the industry over the past decade by published estimates, and they are getting more sophisticated with every campaign. The Drift attack suggests that no DeFi protocol with significant TVL should consider itself safe from a state-level adversary willing to invest months of preparation.
The crypto industry talks a lot about decentralization and trustlessness. The irony of this attack is that it exploited the one thing DeFi has never fully solved: the humans at the center of it.