A six-month intelligence operation preceded the $270 million Drift Protocol exploit and was carried out by a group affiliated with the North Korean state, according to a detailed update on the incident released by the team on Sunday.
The attackers first made contact around fall 2025 at a major crypto conference, presenting themselves as a quantitative trading company looking to integrate with Drift.
They were technically fluent, had verifiable professional experience and understood how the protocol worked, Drift said. A Telegram group was established and what followed were months of substantive conversations about trading strategies and vault integrations, interactions that are standard for how trading companies get on board with DeFi protocols.
Between December 2025 and January 2026, the group set up an Ecosystem Vault on Drift, held multiple breakout sessions with contributors, deposited over $1 million of its own capital, and built a functional operational presence within the ecosystem.
Drift contributors met people from the group face-to-face at several major industry conferences across multiple countries during February and March. When the attack was launched on April 1, the relationship was almost half a year old.
The compromise appears to have come through two vectors. The first was a code repository opened on a contributor's device; a second contributor installed a TestFlight app, Apple's platform for distributing pre-release builds that do not go through the full App Store review, which the group pitched as its wallet product.
For the repository vector, Drift pointed to a known vulnerability in VS Code and Cursor, two of the most widely used code editors, which the security community had been flagging since late 2025: simply opening a file or folder in the editor was enough to silently execute arbitrary code, with no prompt or warning of any kind.
Once the devices were compromised, the attackers had what they needed to obtain the two multisig approvals that enabled the durable nonce attack CoinDesk detailed earlier this week. Those pre-signed transactions lay dormant for more than a week before being executed on April 1, draining $270 million from the protocol's vaults in under a minute.
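The mechanism that lets a signed transaction sit unused for a week is worth seeing concretely. A normal Solana transaction references a recent blockhash and is rejected once that blockhash ages out of the validator's window (roughly 150 slots, a minute or two), so a stolen signature is worthless after a few minutes. A durable-nonce transaction instead references the value stored in a nonce account and opens with an AdvanceNonceAccount instruction; it stays valid until that nonce is advanced, which is what makes pre-signed approvals storable. The model below is an added illustration written for this article, not code from Drift, Solana, or the CoinDesk report: it is an offline simulation with constructed slot numbers, hashes and account names, and the 150-slot window and 216,000 slots per day are assumed approximations. It also includes the check a signer-side tool can make before approving anything: whether the transaction's first instruction advances a nonce, which means the signature could be held and replayed at any later time.

```python
"""Simulation of Solana transaction validity: recent blockhash vs durable nonce.

Added illustration, not Drift's or Solana's code. Assumed approximations:
a normal tx is accepted only while its blockhash is within ~150 slots of the
tip; a durable-nonce tx carries a nonce account's stored value instead, must
start with AdvanceNonceAccount, and stays valid until the nonce is advanced.
All slots, hashes and account names below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional
import hashlib

MAX_BLOCKHASH_AGE_SLOTS = 150   # assumed approximation of the validity window
SLOTS_PER_DAY = 216_000         # assumed: ~400 ms per slot


def _h(*parts: object) -> str:
    """Deterministic stand-in for a blockhash or nonce value."""
    return hashlib.sha256("|".join(map(str, parts)).encode()).hexdigest()[:16]


@dataclass
class Tx:
    recent_blockhash: str            # blockhash, or the nonce value for nonce txs
    instructions: list               # simplified to instruction names
    nonce_account: Optional[str] = None


@dataclass
class Ledger:
    slot: int = 0
    blockhash_slot: dict = field(default_factory=dict)   # blockhash -> slot
    nonce_accounts: dict = field(default_factory=dict)   # account -> stored value

    def __post_init__(self) -> None:
        self.blockhash_slot[self.latest_blockhash()] = self.slot

    def latest_blockhash(self) -> str:
        return _h("block", self.slot)

    def advance(self, slots: int) -> None:
        self.slot += slots
        self.blockhash_slot[self.latest_blockhash()] = self.slot

    def create_nonce_account(self, name: str) -> str:
        self.nonce_accounts[name] = _h("nonce", name, self.slot)
        return self.nonce_accounts[name]


def uses_durable_nonce(tx: Tx) -> bool:
    """Signer-side check: a tx whose first instruction advances a nonce account
    is a durable-nonce tx, so the signature can be held and submitted later."""
    return bool(tx.instructions) and tx.instructions[0] == "AdvanceNonceAccount"


def check(ledger: Ledger, tx: Tx) -> tuple:
    """Return (accepted, reason) for a tx presented at the ledger's current slot."""
    if uses_durable_nonce(tx):
        if tx.nonce_account not in ledger.nonce_accounts:
            return False, "unknown nonce account"
        if ledger.nonce_accounts[tx.nonce_account] != tx.recent_blockhash:
            return False, "nonce already advanced"
        return True, "durable nonce still current"
    slot = ledger.blockhash_slot.get(tx.recent_blockhash)
    if slot is None:
        return False, "unknown blockhash"
    age = ledger.slot - slot
    if age > MAX_BLOCKHASH_AGE_SLOTS:
        return False, f"blockhash expired ({age} slots old)"
    return True, f"blockhash fresh ({age} slots old)"


def execute(ledger: Ledger, tx: Tx) -> tuple:
    """Apply the tx if accepted; executing a nonce tx consumes the nonce."""
    ok, why = check(ledger, tx)
    if ok and uses_durable_nonce(tx):
        ledger.nonce_accounts[tx.nonce_account] = _h(
            "nonce", tx.nonce_account, ledger.slot, "advanced")
    return ok, why


def dormant_scenario(days_dormant: int = 8) -> dict:
    """Sign two withdrawals at slot 0, wait days_dormant, then submit both,
    then try to replay the nonce tx a second time."""
    ledger = Ledger()
    nonce_value = ledger.create_nonce_account("multisig-nonce")  # constructed
    normal_tx = Tx(ledger.latest_blockhash(), ["Withdraw"])
    nonce_tx = Tx(nonce_value, ["AdvanceNonceAccount", "Withdraw"], "multisig-nonce")

    ledger.advance(days_dormant * SLOTS_PER_DAY)
    return {
        "normal": execute(ledger, normal_tx),
        "nonce": execute(ledger, nonce_tx),
        "nonce_replay": execute(ledger, nonce_tx),
    }


if __name__ == "__main__":
    for name, (ok, why) in dormant_scenario().items():
        print(f"{name:13} accepted={ok!s:5} {why}")
```

Running it shows the normal transaction rejected as expired after eight simulated days, the nonce transaction accepted on its first submission, and the replay rejected because the nonce was consumed. The practical takeaway for a signer is the `uses_durable_nonce` check: an approval request whose first instruction is AdvanceNonceAccount is not a time-boxed signature, and a signing device that was compromised before that approval could have produced exactly the kind of dormant transaction the article describes.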
The attribution points to UNC4736, a group affiliated with the North Korean state, also tracked as AppleJeus or Citrine Sleet, based on both on-chain fund flows tracing back to the Radiant Capital attackers and operational overlap with known individuals linked to the DPRK.
However, the people who attended the conferences in person were not North Korean citizens. DPRK threat actors at this level are known to use third-party intermediaries with fully constructed identities, work histories, and professional networks designed to withstand due diligence.
Drift urged other protocols to audit access controls and treat every device that touches a multisig as a potential target. The broader implication is uncomfortable for an industry that relies on multi-sig governance as its primary security model.
But if attackers are willing to spend six months and a million dollars building a legitimate presence within an ecosystem, meeting with teams in person, putting up real capital, and waiting, the question is what security model is designed to detect that.