
North Korean Group Steals $285M from Drift Protocol in Six-Month Operation


North Korean group UNC4736 stole $285M from DeFi platform Drift Protocol via a six-month social engineering scheme, exploiting multisig security flaws. The breach, tied to prior DPRK-linked attacks, underscores growing risks in DeFi as state actors target vulnerabilities in trust and access controls.


Attack Execution and Technical Exploits

“Drift confirmed the breach but stated it was not caused by program or smart contract vulnerabilities, instead attributing it to unauthorized or misrepresented transaction approvals facilitated by social engineering.”

— Drift

The decentralized finance (DeFi) platform Drift Protocol experienced a $285 million security breach attributed to UNC4736, a North Korean state-affiliated group also known as AppleJeus or Citrine Sleet. The incident, which unfolded over six months, involved a complex social engineering operation that compromised Drift’s administrative controls. According to Drift’s post-mortem analysis, attackers used what it called a ‘novel attack’ to gain access to the platform’s Security Council, enabling unauthorized transactions through pre-signed approvals and delayed execution. The breach impacted borrow/lend functionality, vault deposits, and trading funds, with stolen assets primarily converted into USD Coin (USDC) and Ethereum (ETH). This marks the largest DeFi hack recorded in 2026, exceeding the $40 million loss from the Step Finance incident but falling short of the 2025 Bybit breach, which involved $1.5 billion in assets.

Blockchain security firm Elliptic linked the breach to North Korea, citing on-chain fund flows, laundering techniques, and operational similarities to prior DPRK-linked attacks. Independent researchers corroborated the attribution, noting parallels with the 2024 Radiant Capital breach and the Bybit incident. Drift confirmed the breach but stated it was not caused by program or smart contract vulnerabilities, instead attributing it to unauthorized or misrepresented transaction approvals facilitated by social engineering. The incident highlights the evolving threat landscape for DeFi platforms, where human vulnerabilities increasingly undermine traditional security measures.


UNC4736’s Multi-Stage Infiltration

The UNC4736 operation began in late 2025, with attackers posing as a legitimate quantitative trading firm to build trust within Drift’s community. Forensic analysis revealed the group met contributors in person at global crypto conferences, using fabricated identities and complimentary drinks to establish rapport. Over time, they deposited over $1 million in real capital to reinforce credibility, enabling access to Drift’s Ecosystem Vault and sensitive infrastructure. The attack leveraged three primary vectors: exploiting a silent arbitrary code execution flaw in VSCode and Cursor editors, distributing a malicious TestFlight app disguised as a wallet product, and cloning a malicious code repository presented as a vault frontend. Post-exploit, attackers wiped Telegram chats and malware from compromised devices to obscure digital footprints, complicating forensic investigations.

The technical execution of the attack centered on manipulating Drift’s multisig security model. On March 27, 2026, the platform migrated its Security Council to a zero-timelock 2/5 multisig configuration, removing the detection delay that a timelock provides. Attackers exploited this by tricking signers into pre-signing approvals for a fictitious CarbonVote Token (CVT), which was minted with seeded liquidity and wash-traded to mimic legitimacy via Drift’s oracles. By treating the manipulated token as collateral, attackers enabled rapid withdrawals of real assets such as USDC and JLP. On April 1, 2026, the attackers executed 31 rapid withdrawals of real assets within approximately 12 minutes, facilitated by the zero-timelock migration. Stolen funds were laundered through the Solana and Ethereum networks, with USDC swapped via Solana DEXs and bridged to Ethereum, mirroring tactics used in prior DPRK operations such as the Radiant Capital hack.
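The two controls the article's account points at are the execution timelock (removed in the March migration) and the lifetime of pre-signed approvals (collected in advance and executed later). The following is an added illustration written for this page, not Drift's code or any real program's implementation: a toy M-of-N council multisig with an execution delay during which any member can veto, and an expiry on approvals so that signatures banked long before cannot be replayed. Signer names, the threshold, the durations and the "admit token as collateral" action are all constructed.

```python
"""
Constructed model of a council multisig with two controls: an execution timelock
that gives reviewers a window to veto a queued action, and an expiry on pre-signed
approvals so that signatures collected long in advance cannot be used later.
Illustrative code only; not Drift's or any real program's implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DAY = 86_400  # seconds


@dataclass
class Proposal:
    action: str
    signatures: Dict[str, float] = field(default_factory=dict)  # signer -> time signed
    queued_at: Optional[float] = None
    cancelled: bool = False
    executed: bool = False


class CouncilMultisig:
    """M-of-N multisig with an execution delay and a freshness window on approvals."""

    def __init__(self, signers: List[str], threshold: int, timelock_s: float, approval_ttl_s: float):
        self.signers = set(signers)
        self.threshold = threshold
        self.timelock_s = timelock_s          # 0 reproduces a zero-timelock council
        self.approval_ttl_s = approval_ttl_s  # how long a signature stays usable

    def approve(self, p: Proposal, signer: str, now: float) -> None:
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a council member")
        p.signatures[signer] = now

    def fresh_signatures(self, p: Proposal, now: float) -> List[str]:
        # Approvals older than the TTL are ignored, so a pre-signed approval
        # cannot be banked and spent months later.
        return [s for s, t in p.signatures.items() if now - t <= self.approval_ttl_s]

    def queue(self, p: Proposal, now: float) -> None:
        fresh = self.fresh_signatures(p, now)
        if len(fresh) < self.threshold:
            raise ValueError(f"need {self.threshold} fresh approvals, have {len(fresh)}")
        p.queued_at = now

    def cancel(self, p: Proposal, signer: str, now: float) -> None:
        # Any single member can veto during the delay: vetoing is cheaper than approving.
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a council member")
        if p.queued_at is None or p.executed:
            raise ValueError("nothing to cancel")
        p.cancelled = True

    def execute(self, p: Proposal, now: float) -> None:
        if p.queued_at is None:
            raise ValueError("not queued")
        if p.cancelled:
            raise ValueError("proposal was cancelled during timelock")
        if now < p.queued_at + self.timelock_s:
            raise ValueError("timelock has not elapsed")
        p.executed = True


def run_scenario(timelock_s: float, approval_ttl_s: float, signed_at: float,
                 queued_at: float, reviewer_reacts_after_s: float) -> str:
    """Returns 'executed' or the reason the admin action was stopped."""
    council = CouncilMultisig(["a", "b", "c", "d", "e"], threshold=2,
                              timelock_s=timelock_s, approval_ttl_s=approval_ttl_s)
    p = Proposal("admit hypothetical token as collateral")  # constructed action
    council.approve(p, "a", signed_at)
    council.approve(p, "b", signed_at)
    try:
        council.queue(p, queued_at)
    except ValueError as e:
        return f"rejected at queue: {e}"
    # Whoever holds the two approvals tries to execute as soon as the action is queued.
    try:
        council.execute(p, queued_at)
        return "executed"
    except ValueError:
        pass
    # A third member reviews the queue; the veto only helps if it lands before the delay ends.
    if reviewer_reacts_after_s < timelock_s:
        council.cancel(p, "c", queued_at + reviewer_reacts_after_s)
    try:
        council.execute(p, queued_at + timelock_s)
        return "executed"
    except ValueError as e:
        return f"blocked: {e}"


if __name__ == "__main__":
    print(run_scenario(0, 7 * DAY, 0, 0, 6 * 3600))        # zero timelock: executed at once
    print(run_scenario(DAY, 7 * DAY, 0, 0, 6 * 3600))      # veto lands inside the delay
    print(run_scenario(DAY, 7 * DAY, 0, 30 * DAY, 6 * 3600))  # stale approvals rejected
    print(run_scenario(DAY, 7 * DAY, 0, 0, 2 * DAY))       # delay with no monitoring
```

The fourth scenario is the practical caveat: a timelock only buys time, so it must be paired with someone (or something) actually watching the queue within that window. The approval TTL addresses the other half of the pattern, where signatures gathered in advance are executed long after the signers' context has changed.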

“Researchers noted similarities in on-chain behavior and laundering methods to previous DPRK-linked incidents, including the Bybit and Radiant Capital breaches.”

Attribution and Forensic Findings

Attribution to UNC4736 relied on on-chain analysis, operational overlaps, and forensic evidence. Researchers noted similarities in on-chain behavior and laundering methods to previous DPRK-linked incidents, including the Bybit and Radiant Capital breaches. Attackers used intermediaries with fabricated identities to evade due diligence, aligning with DPRK tactics. While Mandiant assisted in forensic analysis, it has not formally attributed the breach. SEAL911, a threat intelligence group, attributed the attack to UNC4736 with medium-high confidence, citing on-chain fund flows and operational overlaps. The attackers also exploited a delay in pre-signed transaction execution, a vulnerability in Drift’s multisig model, to bypass withdrawal limits. Drift’s post-mortem report emphasized the need for enhanced access controls and auditing of third-party integrations, prompting calls for stricter due diligence on contributors and partners.

The breach underscores critical vulnerabilities in DeFi security, particularly risks associated with multisig configurations and social engineering. While smart contract audits are standard, this incident demonstrates that human and operational risks can be equally significant. Attackers exploited trust in the community and the lack of rigorous verification for third-party integrations, highlighting the need for more comprehensive security measures. Drift’s response included freezing affected functions, removing compromised wallets, and urging the ecosystem to audit access controls. The incident reflects a broader trend of state-sponsored actors targeting DeFi protocols with sophisticated, long-term infiltration strategies. The use of in-person meetings, real capital, and custom malware represents a shift from traditional phishing attacks to multi-stage operations, necessitating a reevaluation of DeFi security frameworks. Industry experts warn that without improved security protocols and due diligence, DeFi platforms remain vulnerable to similar attacks, underscoring the growing sophistication of cyber threats in the cryptocurrency space.



SMI Business Desk
SMI Business Desk focuses on financial markets, corporate activity, and economic trends. The team provides structured insights derived from reliable sources, enriched with AI-assisted analysis. Content is curated from verified sources and enhanced using AI-assisted workflows, with human editorial review.
