
North Korea-Linked Group Behind $270M Drift Hack, Six-Month Plot Revealed


What initially appeared to be a sudden exploit has now been revealed as a long-term, highly coordinated operation. Drift Protocol has disclosed that the $270 million hack was the result of a six-month infiltration campaign, allegedly tied to North Korean state-linked actors.

Rather than exploiting a simple vulnerability, the attackers built trust slowly, posing as a legitimate quantitative trading firm and embedding themselves within the ecosystem. Their approach went beyond digital deception. They engaged contributors directly, attended crypto conferences, and established relationships that appeared credible at every level.

This was not a smash-and-grab attack. It was calculated, patient, and designed to bypass not just technical defenses but human trust.

First Contact Begins At Crypto Conferences

The operation reportedly began in fall 2025, when the attackers made first contact at a major crypto conference. At the time, there were no immediate red flags. The group presented themselves as technically proficient professionals with verifiable backgrounds.

They spoke the language of DeFi fluently, demonstrating a deep understanding of Drift’s infrastructure and trading mechanisms. This level of expertise helped them blend in seamlessly with legitimate contributors and partners.

Soon after, communication moved to Telegram, where discussions continued over several months. These interactions were not rushed or suspicious. Instead, they mirrored the cadence of real collaboration, complete with technical discussions, strategic input, and ongoing engagement.

By maintaining consistency and credibility, the attackers gradually built trust within the community.

Building Trust Through Capital And Collaboration

By January 2026, the group had taken its involvement even further. It successfully onboarded an Ecosystem Vault and began participating in working sessions alongside Drift contributors.

Crucially, they also committed real capital, depositing over $1 million of their own funds into the protocol. This move reinforced their legitimacy, signaling that they had skin in the game.

Throughout February and March, members of the Drift ecosystem met these individuals in person across multiple countries. These face-to-face interactions added another layer of trust, making it even less likely that their intentions would be questioned.

By the time the attack was executed, the relationship between the attackers and the community had been established for nearly six months. It was a level of infiltration rarely seen in DeFi exploits.

Attack Execution Leveraged Sophisticated Entry Points

When the compromise finally occurred, it came through two highly targeted vectors.

The first involved a malicious TestFlight application, presented as a legitimate wallet product. This allowed the attackers to gain access to contributor devices under the guise of testing new tools.

The second vector exploited a known vulnerability in development environments like VSCode and Cursor. This flaw, flagged by the security community months earlier, enabled the execution of arbitrary code simply by opening a file.

Together, these methods allowed the attackers to compromise key devices without triggering immediate suspicion. Once inside, they were able to access sensitive workflows and approval mechanisms.

This stage of the operation highlights a critical shift in attack strategies. Instead of targeting smart contracts directly, attackers are increasingly focusing on the human and tooling layers surrounding them.

Multisig Weaknesses Exposed In Final Drain

With access secured, the attackers moved to the final phase: execution.

They obtained two multisig approvals, which were then used to authorize transactions. Notably, these transactions were pre-signed and left dormant for over a week, avoiding immediate detection.

On April 1, the attackers acted. In under a minute, approximately $270 million was drained from Drift’s vaults.

The speed and precision of the execution left little room for intervention. By the time the transactions were recognized, the funds had already been moved.

Drift has since warned that this incident exposes fundamental weaknesses in multisig-based security models. While multisig systems are designed to distribute trust, they remain vulnerable when signers themselves are compromised.
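An added illustration, not Drift's code or any project's own implementation: a toy multisig approval queue that shows why the dormant pre-signed approvals described above pass a plain threshold check, and how a signature-age policy plus a stale-approval monitor would reject and flag them. The 24-hour limit, signer names and proposal ids are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_APPROVAL_AGE = timedelta(hours=24)  # assumed policy value, not Drift's

@dataclass
class Approval:
    signer: str
    signed_at: datetime

@dataclass
class Proposal:
    proposal_id: str
    threshold: int
    approvals: list = field(default_factory=list)

def naive_can_execute(proposal):
    """Threshold check with no expiry: a signature stays valid forever."""
    return len({a.signer for a in proposal.approvals}) >= proposal.threshold

def can_execute(proposal, now, max_age=MAX_APPROVAL_AGE):
    """Threshold check that counts only approvals signed within max_age."""
    fresh = {a.signer for a in proposal.approvals if now - a.signed_at <= max_age}
    return len(fresh) >= proposal.threshold

def stale_approval_alerts(proposals, now, max_age=MAX_APPROVAL_AGE):
    """Monitoring hook: one alert per proposal whose approvals went dormant."""
    alerts = []
    for p in proposals:
        stale = [a for a in p.approvals if now - a.signed_at > max_age]
        if stale:
            oldest = max((now - a.signed_at).days for a in stale)
            signers = sorted({a.signer for a in stale})
            alerts.append(f"{p.proposal_id}: {len(stale)} approval(s) up to "
                          f"{oldest} days old from {signers}")
    return alerts

# Constructed sample: two of three signers approve a withdrawal, then the
# proposal sits untouched for eight days before execution is attempted.
EXECUTION_TIME = datetime(2026, 4, 1, 12, 0)
DORMANT = Proposal("withdraw-constructed", threshold=2, approvals=[
    Approval("signer-a", EXECUTION_TIME - timedelta(days=8)),
    Approval("signer-b", EXECUTION_TIME - timedelta(days=8)),
])
# Constructed contrast case: approvals collected within the last two hours.
FRESH = Proposal("rebalance-constructed", threshold=2, approvals=[
    Approval("signer-a", EXECUTION_TIME - timedelta(hours=2)),
    Approval("signer-c", EXECUTION_TIME - timedelta(hours=1)),
])
```

With no expiry the eight-day-old pair of signatures still executes; with the age policy it does not, and the monitor surfaces the dormant proposal while it is still waiting.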

Links To North Korean State Actors Surface

Investigations into the attack have linked the operation to UNC4736, a group also known as AppleJeus or Citrine Sleet. This entity is widely associated with North Korean cyber operations and has been connected to previous high-profile exploits, including the Radiant Capital attack.

Interestingly, the individuals who interacted directly with Drift contributors were not identified as North Korean nationals. Instead, they appear to have been third-party intermediaries, equipped with carefully constructed identities designed to withstand scrutiny.

This layered approach makes attribution more complex while increasing the effectiveness of the operation. By separating the on-the-ground actors from the coordinating entity, the attackers were able to maintain plausible legitimacy throughout the infiltration.

A Wake-Up Call For DeFi Security Models

The Drift exploit is forcing the industry to confront an uncomfortable reality. Traditional security models, focused on code audits, smart contract vulnerabilities, and multisig protections, may not be enough to defend against adversaries willing to invest time, money, and human resources.

If attackers can spend six months building relationships, deploy capital to gain trust, and physically meet with teams, the attack surface extends far beyond code.

This raises a critical question for the DeFi ecosystem: what kind of security framework can detect and prevent this level of infiltration?

For now, the incident stands as one of the most sophisticated social-engineering-driven exploits in crypto history. It underscores the need for a more holistic approach to security, one that accounts for human behavior, operational processes, and the increasingly blurred lines between online and offline interactions.

As protocols continue to grow and attract more capital, the stakes will only rise. And as this case shows, the next generation of attacks may not come from anonymous wallets, but from trusted partners sitting across the table.


Source: https://nulltx.com/north-korea-linked-group-behind-270m-drift-hack-six-month-plot-revealed/
