Drift Protocol Reveals North Korean State Hackers Behind $285M Exploit


Key Highlights

Solana-based decentralized perpetual futures exchange Drift Protocol has published a detailed incident background update shedding new light on how the devastating April 1 exploit was orchestrated through months of deliberate social engineering rather than a traditional code vulnerability. The exploit is the largest DeFi hack of 2026 and the second-largest security incident in the Solana ecosystem after the $326 million Wormhole bridge exploit in 2022.

The protocol, which saw its total value locked (TVL) collapse from approximately $550 million to under $250 million following the attack, says the exploit was the culmination of what it describes as “a structured intelligence operation requiring organizational backing, significant resources, and months of deliberate preparation.”

A relationship built over six months

According to Drift’s post-mortem, the operation began in the fall of 2025, when contributors were approached at a major crypto conference by individuals presenting themselves as representatives of a quantitative trading firm interested in integrating with the protocol. What followed was a patient, methodical campaign of trust-building that spanned roughly half a year.

The group was technically fluent, carried verifiable professional backgrounds, and demonstrated familiarity with Drift’s internal operations. A Telegram group was created upon initial contact, and the attackers maintained substantive conversations around trading strategies and vault integrations—interactions that Drift describes as entirely typical of how trading firms onboard with the protocol.

Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift, submitted strategy documentation, participated in multiple working sessions with contributors, and deposited over $1 million of their own capital. Throughout February and March 2026, Drift contributors met members of the group face-to-face at several major industry conferences in different countries.

By the time the attack was launched, these were not strangers but established working partners with a nearly six-month-old relationship. After the April 1 exploit, their Telegram chats and all associated malicious software were immediately scrubbed, according to Drift’s forensic review.

Three attack vectors identified

The investigation has so far identified three possible intrusion vectors through which contributor devices were compromised. One contributor may have been targeted after cloning a code repository shared by the group under the guise of a frontend deployment for their vault. A second contributor was induced to download a TestFlight application the group presented as their wallet product.

For the repository-based vector, Drift pointed to a particularly insidious vulnerability in VSCode and Cursor—two of the most widely used code editors in software development—that the security community had been actively flagging from December 2025 through February 2026.

Simply opening a file, folder, or repository in the editor was sufficient to silently execute arbitrary code, with no prompt, permission dialog, or warning of any kind. Once devices were compromised, the attackers obtained the multisig approvals needed to execute the drain. Full device forensics remain ongoing.
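The page does not say which editor setting the bug abused, so as an added defensive example (not Drift's or SEAL 911's tooling) the script below does the pre-open triage a contributor could run on a repository received from a counterparty: it parses the editor configuration that VS Code and Cursor read on folder open and flags the keys that can launch code or swap the binary the editor executes. The key list and the sample tasks.json are my assumptions, constructed for this example.

```python
import json
import os
import re

# Settings a reviewer should read before opening a cloned folder in an IDE:
# "runOn": "folderOpen" auto-runs a task on open, the others change which
# binary the editor launches. Which one the bug on the page abused is not stated.
SUSPECT_KEYS = {
    "runOn", "git.path", "python.defaultInterpreterPath",
    "terminal.integrated.shell.linux", "terminal.integrated.shell.osx",
    "terminal.integrated.shell.windows", "terminal.integrated.env.linux",
}
# These files are JSON-with-comments: drop // line comments and /* */ blocks.
_COMMENT = re.compile(r"^\s*//[^\n]*$|/\*.*?\*/", re.S | re.M)

def _walk(node, path, where, findings):
    """Recursively flag suspect keys, reporting the key path and value."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k in SUSPECT_KEYS:
                findings.append(f"{where}: {'.'.join(path + [k])} = {v!r}")
            _walk(v, path + [k], where, findings)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            _walk(v, path + [str(i)], where, findings)

def scan_config_text(where, text):
    """Scan one editor config file; an unparsable file is flagged for review."""
    findings = []
    try:
        _walk(json.loads(_COMMENT.sub("", text)), [], where, findings)
    except json.JSONDecodeError:
        findings.append(f"{where}: unparsable, review by hand")
    return findings

def scan_repo(root):
    """Scan everything under .vscode/ plus any *.code-workspace file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel.startswith(".vscode" + os.sep) or name.endswith(".code-workspace"):
                with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_config_text(rel, fh.read()))
    return findings

SAMPLE_TASKS = """{ "version": "2.0.0",
  // constructed sample tasks.json, not from the page
  "tasks": [{"label": "setup", "type": "shell", "command": "echo hi",
             "runOptions": {"runOn": "folderOpen"}}] }"""
```

Run `scan_repo(path)` on the checkout before opening it in the editor; an empty result means only that none of the listed keys are present, not that the repository is safe.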


Attribution points to North Korea

With medium-high confidence, the SEAL 911 team has assessed this operation as the work of UNC4736, a North Korean state-affiliated threat actor also tracked as AppleJeus or Citrine Sleet. The basis for this attribution rests on both on-chain evidence—fund flows used to stage and test this operation trace back to the Radiant Capital attackers—and operational patterns, including identifiable overlaps between personas deployed in this campaign and known DPRK-linked activity.

This finding aligns with assessments from multiple blockchain intelligence firms. Elliptic identified multiple indicators linking the exploit to the DPRK, noting that the on-chain behavior and laundering methodologies were consistent with techniques from previous North Korea-attributed operations. TRM Labs’ initial investigation similarly concluded the hack was likely perpetrated by North Korean hackers.

Critically, Drift stressed that the individuals who appeared in person at conferences were not North Korean nationals. DPRK threat actors operating at this level are known to deploy third-party intermediaries for face-to-face relationship-building. Mandiant, which has been formally engaged for the investigation, has not yet issued a formal attribution, as device forensics are still underway.

A pattern of escalating North Korean crypto attacks

The Drift exploit fits a disturbing and escalating pattern of state-sponsored crypto theft attributed to North Korean hacking units. In October 2024, Radiant Capital, a decentralized cross-chain lending protocol, suffered a $50 million attack that was later attributed by Mandiant to the same UNC4736 group. That attack also began with a social engineering vector—a Telegram message impersonating a former contractor that delivered malware through a ZIP file.

The scale escalated dramatically in February 2025, when the FBI confirmed that North Korea was responsible for the $1.5 billion theft from cryptocurrency exchange Bybit, making it the largest crypto heist in history. That attack similarly targeted the human and operational layer rather than smart contracts, compromising a developer at multisig wallet provider Safe.

Ledger CTO Charles Guillemet drew a direct comparison between the Drift and Bybit exploits, calling it a sophisticated supply-chain-level compromise targeting people rather than code. The three most devastating crypto exploits in recent months—Bybit, Radiant, and now Drift—have all bypassed smart contract audits and hardware wallet protections by weaponizing human trust.

Current status and ecosystem warning

Drift has confirmed that all remaining protocol functions have been frozen and compromised wallets removed from the multisig. Attacker wallets have been flagged across exchanges and bridge operators. The DRIFT token has plunged over 98% from its all-time high, and roughly 20 Solana-based protocols with exposure to Drift liquidity have been impacted.

The protocol has issued a stark warning to the broader DeFi ecosystem: audit who has access to what, check in on teams, and treat every device that touches a multisig as a potential target.

For teams that believe they may have been targeted by the same or a similar group, Drift recommends reaching out to SEAL 911 immediately for threat triage and incident response support.
