Drift Protocol has revealed that a state-linked North Korean hacking group spent approximately six months embedding itself within the project before carrying out a $270 million exploit on April 1. The attackers operated under the cover of a quantitative trading firm, methodically building credibility with the protocol’s contributors over an extended period. The operation is described as a deliberate long-con strategy designed to gain deep access before striking.
According to investigators, the group established trust through a series of calculated steps. They attended industry conferences to meet Drift contributors in person, deposited more than $1 million into the protocol, and integrated an Ecosystem Vault to appear as a legitimate participant. These actions allowed the attackers to position themselves for a more invasive compromise at a later stage.
The technical execution of the attack involved two distinct methods of device compromise. The group used a malicious TestFlight app and a vulnerability affecting VSCode and Cursor to gain access to contributors’ devices. Through these entry points, the attackers were able to obtain the multisig approvals necessary to move funds out of the protocol.
Investigators attributed the attack to a threat actor tracked as UNC4736, also known as AppleJeus or Citrine Sleet. This group has been previously linked to North Korean state-sponsored cyber operations targeting the cryptocurrency sector. The attribution points to a sophisticated and well-resourced adversary capable of sustaining prolonged deception campaigns.
Drift has used the incident to highlight what it describes as deep structural weaknesses in multisig-based security models used across decentralized finance. The protocol warned that identity-rich, long-term infiltration operations of this kind are particularly difficult to defend against using conventional security measures. The case underscores how social engineering at the human level can circumvent technical safeguards that projects typically rely upon.
The broader DeFi industry faces renewed scrutiny following the disclosure, as the attack demonstrates that threat actors are willing to invest significant time and resources to compromise high-value targets. The use of in-person relationship building alongside technical exploits represents an evolution in tactics that security teams across the sector will need to account for. Drift’s warning serves as a call for the industry to reassess how multisig governance structures are protected against insider-style threats.
Originally reported by CoinDesk.
