Drift Reveals Attackers Posed as Traders for Months Ahead of $285M Exploit

06-Apr-2026 Crypto Economy

TL;DR:

  • Drift Protocol attributed the $285 million hack, with “medium-high confidence,” to UNC4736, a group affiliated with the North Korean state.
  • The attackers spent six months infiltrating the protocol: they attended conferences, deposited $1 million, and erased all traces after executing the exploit.
  • Security researcher Taylor Monahan identified more than 40 DeFi protocols that allegedly had North Korean workers at various stages of their development.

Drift Protocol revealed that the exploit in which it lost approximately $285 million from its decentralized exchange on Solana was a structured intelligence operation spanning six months, attributed with “medium-high confidence” to the group UNC4736, also known as AppleJeus or Citrine Sleet, a unit linked to the North Korean state and responsible for the hack of Radiant Capital in 2024.

According to the incident report, the attackers first appeared at a crypto conference last autumn under the identity of a quantitative trading firm interested in integrating with the platform. Over the following months, they built a relationship of trust through in-person meetings and coordination via Telegram, launched an Ecosystem Vault within Drift, and deposited over $1 million of their own capital. At the time of executing the exploit, they eliminated every trace: the chats and the malware were, according to the protocol, “completely wiped.”


Drift: Manipulation, False Identities and Vulnerabilities

The report indicates that the attack may have leveraged a malicious code repository, a fake TestFlight application, and a vulnerability in VSCode or Cursor that allowed silent code execution. The individuals who met in person with the protocol’s collaborators were not North Korean nationals, but rather intermediaries with constructed identities backed by verifiable public credentials and employment histories.

Michael Pearl, Vice President of Strategy at security firm Cyvers, noted that the Drift case replicates the pattern of the hack suffered by Bybit: the signers were not compromised directly at the protocol level, but rather manipulated into approving malicious transactions. “Security teams must migrate toward pre-transaction validation at the blockchain level,” he warned.


Lazarus Group Has Stolen Around $7 Billion

Security researcher Taylor Monahan, a MetaMask developer, published a list of more than 40 DeFi platforms that allegedly had North Korean workers embedded at various stages of their development. “North Korea’s IT workers built the protocols you know and use, going back to DeFi Summer,” she wrote. Blockchain investigator ZachXBT clarified that the well-known “Lazarus Group” is the collective name for all state-sponsored North Korean cyber actors, and estimated that the group has stolen approximately $7 billion in cryptocurrencies since 2017.
