How a North Korean Group Spent Six Months Infiltrating a DeFi Protocol

TLDR:

  • Drift Protocol froze all functions after a targeted exploit on April 1, 2026, linked to a state-backed group.
  • Attackers posed as a trading firm for six months, meeting contributors in person across multiple countries.
  • Three attack vectors were identified, including a silent code execution flaw in VSCode and Cursor editors.
  • SEAL911 attributed the attack with medium-high confidence to UNC4736, a North Korean state-affiliated threat actor.

Drift Protocol suffered a major exploit on April 1, 2026, triggering a full protocol freeze. The incident has since been revealed as a structured, months-long intelligence operation.

Forensic partners, including Mandiant, are assisting law enforcement in investigating the breach. Preliminary findings point to a North Korean state-affiliated threat group as the likely perpetrators.

This marks one of the most deliberate social engineering campaigns documented in decentralized finance to date.

A Six-Month Social Engineering Campaign

The attack on Drift Protocol did not begin on the day it occurred. It traces back to Fall 2025, when contributors were approached at a major crypto conference.

The group presented themselves as a quantitative trading firm seeking protocol integration. They were technically fluent and carried verifiable professional backgrounds.

Over the following months, individuals from this group continued meeting Drift contributors in person. These encounters occurred at multiple industry conferences across several countries.

A Telegram group was established from the very first meeting. What followed were months of detailed conversations around trading strategies and vault integrations.

From December 2025 through January 2026, the group onboarded an Ecosystem Vault on the protocol. They deposited over $1 million of their own capital and participated in multiple working sessions.

By February and March 2026, the protocol noted that “these were not strangers; they were people Drift contributors had worked with and met in person.” Links to projects, tools, and applications were routinely shared throughout this period.

The investigation later revealed that “the profiles used in this operation had fully constructed identities including employment histories, public-facing credentials and professional networks.”

Contributors engaged with them across detailed product discussions. This built a credible operational presence inside the Drift ecosystem over time.

Three Attack Vectors and North Korean Attribution

After the April 1 exploit, a forensic review of affected devices and communications flagged the trading group as the likely intrusion vector.

Their Telegram chats and malicious software were completely wiped right after the attack. Three potential attack vectors have since emerged from the ongoing investigation.

One contributor may have cloned a code repository shared by the group. It was presented as a frontend deployment for their vault. Another contributor was induced to download a TestFlight application framed as the group’s wallet product.

Regarding the repository-based vector, “simply opening a file, folder, or repository in the editor was sufficient to silently execute arbitrary code, with no prompt or indication to the user, clicks, permissions dialog or warning of any kind.”
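The article does not say which editor feature the repository vector abused. As an added, defender-side example (not code from the article or from Drift), this Python script audits a freshly cloned repository for the documented VS Code/Cursor workspace hooks that execute code when a folder is opened: tasks with `runOptions.runOn: "folderOpen"` and workspace settings that point the editor at an executable inside the repo. The settings-key list and the sample repository are constructed assumptions, and the check is a pre-open triage step, not a substitute for patching the editor.

```python
import json
import re
import tempfile
from pathlib import Path

# Workspace settings keys that make the editor launch a binary; a hostile repo
# can point them at a file it ships. Illustrative list, assumed here.
EXEC_SETTING_KEYS = ("git.path", "python.defaultInterpreterPath",
                     "php.validate.executablePath", "terminal.integrated.profiles.linux")

def load_jsonc(path: Path) -> dict:
    """VS Code config is JSON with comments and trailing commas; normalise it."""
    text = path.read_text(encoding="utf-8", errors="replace")
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)      # block comments
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)      # full-line comments
    text = re.sub(r",(\s*[}\]])", r"\1", text)             # trailing commas
    return json.loads(text)

def audit_repo(root) -> list:
    """Return human-readable findings for auto-run hooks under <root>/.vscode."""
    findings = []
    vscode = Path(root) / ".vscode"
    tasks_file = vscode / "tasks.json"
    if tasks_file.is_file():
        for task in load_jsonc(tasks_file).get("tasks", []):
            if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
                findings.append(f"tasks.json: task {task.get('label')!r} auto-runs on "
                                f"folder open -> {task.get('command')!r}")
    settings_file = vscode / "settings.json"
    if settings_file.is_file():
        settings = load_jsonc(settings_file)
        for key in EXEC_SETTING_KEYS:
            if key in settings:
                findings.append(f"settings.json: {key} overridden -> {settings[key]!r}")
    return findings

def build_sample_repo() -> str:
    """Constructed sample: a clone whose .vscode folder carries an auto-run task."""
    root = Path(tempfile.mkdtemp())
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(
        '{\n  // deploy helper\n  "version": "2.0.0",\n  "tasks": [ {\n'
        '    "label": "deploy", "type": "shell", "command": "./scripts/setup.sh",\n'
        '    "runOptions": { "runOn": "folderOpen" }, } ], }\n')
    (root / ".vscode" / "settings.json").write_text(
        '{ "git.path": "./node_modules/.bin/git", "editor.tabSize": 2 }\n')
    return str(root)

if __name__ == "__main__":
    for line in audit_repo(build_sample_repo()):
        print("WARNING", line)
```

Run it against a clone before opening the folder in the editor; any finding means the repository can steer what the editor executes.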

Full forensic analysis of affected hardware remains ongoing. Drift has since urged the broader ecosystem to “check in on your teams, audit who has access to what, and treat every device that touches your multisig as a potential target.”

With medium-high confidence, the SEAL911 team assessed this as the work of UNC4736. That group is a North Korean state-affiliated actor also tracked as AppleJeus or Citrine Sleet.

On-chain fund flows and overlapping personas connect this campaign to the October 2024 Radiant Capital hack. The individuals who appeared in person were not North Korean nationals; DPRK threat actors are known to use third-party intermediaries for direct contact.

The post Drift Protocol Hack: How a North Korean Group Spent Six Months Infiltrating a DeFi Protocol appeared first on Blockonomi.

Source: https://blockonomi.com/drift-protocol-hack-how-a-north-korean-group-spent-six-months-infiltrating-a-defi-protocol/
