Drift Protocol's $285M Hack Was Six Months in the Making, North Korean Group Blamed

Drift Protocol's $285M April 2026 hack was a six-month North Korean social engineering operation. Here's how it unfolded and what it means for DeFi security.
Soumen Datta
April 6, 2026
The April 1, 2026 exploit of Solana-based Drift Protocol, which drained approximately $285 million from the platform, was not a spontaneous attack. According to Drift's preliminary investigation, it was the result of a structured intelligence operation that began at least six months earlier, attributed with medium-high confidence to UNC4736, a North Korean state-affiliated threat group also tracked as AppleJeus or Citrine Sleet.
How Did the Drift Protocol Hack Actually Begin?
According to the Drift Protocol team, the operation started at a major crypto conference in Fall 2025, where individuals presenting as a quantitative trading firm approached Drift contributors. What followed was not a quick phishing attempt. It was a deliberate, months-long relationship-building campaign conducted across multiple in-person meetings, at multiple industry conferences, in multiple countries.
The group was technically fluent, held verifiable professional backgrounds, and demonstrated detailed familiarity with how Drift operated. A Telegram group was set up after the first meeting, and substantive discussions about trading strategies and vault integrations continued for months. Drift's team noted that these interactions were entirely consistent with how legitimate trading firms typically engage with the protocol.
From December 2025 through January 2026, the group onboarded an Ecosystem Vault on Drift. This process involved submitting strategy details through a formal intake form, participating in multiple working sessions with Drift contributors, and depositing over $1 million of their own capital. They built a functioning operational presence inside the protocol, deliberately and patiently.
The Final Months Before the Exploit
Integration conversations continued through February and March 2026. Drift contributors met individuals from the group again, in person, at major industry events. By the time April arrived, the relationship was nearly six months old. These were not strangers. They were people Drift's team had worked alongside and met face-to-face on multiple occasions.
Throughout this period, the group shared links to projects, tools, and applications they claimed to be building. Sharing such resources is standard practice in trading firm relationships, which is precisely what made it an effective delivery mechanism.
What Were the Technical Attack Vectors?
After the April 1 exploit, Drift conducted a forensic review of affected devices, accounts, and communication histories. The Telegram chats and malicious software used by the group had been completely scrubbed the moment the attack occurred. Drift's investigation identified three probable intrusion vectors:
- One contributor may have been compromised after cloning a code repository the group shared, presented as a frontend deployment tool for their vault.
- A second contributor was induced to download a TestFlight application the group described as their wallet product. TestFlight is Apple's platform for distributing beta versions of iOS apps before they are released publicly.
- For the repository-based vector, the likely mechanism was a known vulnerability in the VSCode and Cursor code editors that security researchers were actively flagging between December 2025 and February 2026. Opening a file, folder, or repository in the affected editor was sufficient to silently execute arbitrary code, with no prompt, warning, permissions dialog, or any visible indication to the user.
Full forensic analysis of affected hardware was still ongoing at the time of publication.
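The repository vector above rests on the editor doing something the moment a folder is opened. The following script is an added example, not Drift's code and not a reproduction of the unnamed VS Code/Cursor bug the article refers to: it inspects the documented editor and dev-container configuration files that legitimately run commands on folder open, so a contributor can review a freshly cloned repository in a plain text viewer before opening it in an editor. The `.vscode/` and `.devcontainer/` paths and the heuristic for settings keys that name an executable are assumptions; the sample repository it builds is constructed for the example.

```python
import json
import re
import tempfile
from pathlib import Path

# devcontainer.json lifecycle hooks that execute shell commands.
DEVCONTAINER_CMD_KEYS = (
    "initializeCommand", "onCreateCommand", "updateContentCommand",
    "postCreateCommand", "postStartCommand", "postAttachCommand",
)


def _load_jsonc(path: Path):
    """Parse VS Code's JSON-with-comments dialect (full-line // comments,
    /* */ blocks, trailing commas). Anything else raises ValueError and is
    reported for manual review rather than silently skipped."""
    text = path.read_text(encoding="utf-8", errors="replace")
    text = re.sub(r"(?m)^\s*//.*$", "", text)
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r",\s*([}\]])", r"\1", text)
    return json.loads(text)


def _flatten(obj, prefix=""):
    """Yield (dotted.key, leaf_value) pairs from nested settings."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _flatten(value, f"{prefix}.{key}" if prefix else key)
    else:
        yield prefix, obj


def _names_an_executable(key: str) -> bool:
    """Heuristic (assumption, not an exhaustive list): settings ending in
    'path' or under terminal.integrated.* tell the editor which binary to run."""
    key = key.lower()
    return key.endswith("path") or key.startswith("terminal.integrated.")


def scan_repo(root) -> list[str]:
    """Return findings for files that can run commands on open. An empty list
    means the heuristics matched nothing, not that the repository is safe."""
    root = Path(root)
    findings: list[str] = []

    def check(path: Path, extract):
        if not path.is_file():
            return
        try:
            findings.extend(f"{path.relative_to(root)}: {msg}"
                            for msg in extract(_load_jsonc(path)))
        except (ValueError, AttributeError):
            findings.append(f"{path.relative_to(root)}: unparseable, review manually")

    def tasks_findings(data):
        for task in data.get("tasks", []):
            if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
                yield (f"task {task.get('label')!r} auto-runs on folder open: "
                       f"{task.get('command')!r}")

    def settings_findings(data):
        for key, value in _flatten(data):
            if isinstance(value, str) and _names_an_executable(key):
                yield f"{key} = {value!r} points the editor at an executable"

    def devcontainer_findings(data):
        for key in DEVCONTAINER_CMD_KEYS:
            if key in data:
                yield f"{key} = {data[key]!r} runs when the container starts"

    check(root / ".vscode" / "tasks.json", tasks_findings)
    check(root / ".vscode" / "settings.json", settings_findings)
    check(root / ".devcontainer" / "devcontainer.json", devcontainer_findings)
    return findings


def build_sample_repo(root, booby_trapped: bool) -> Path:
    """Write a constructed sample repository (every file invented for this
    example) so the scanner can be exercised offline."""
    root = Path(root)
    (root / "src").mkdir(parents=True, exist_ok=True)
    (root / "src" / "app.py").write_text("print('vault frontend')\n")
    if booby_trapped:
        (root / ".vscode").mkdir(exist_ok=True)
        (root / ".devcontainer").mkdir(exist_ok=True)
        (root / ".vscode" / "tasks.json").write_text(
            '{\n  // reads like build tooling, but runs the moment the folder opens\n'
            '  "version": "2.0.0",\n'
            '  "tasks": [\n'
            '    {"label": "setup", "type": "shell", "command": "./scripts/setup.sh",\n'
            '     "runOptions": {"runOn": "folderOpen"}},\n'
            '    {"label": "build", "type": "shell", "command": "npm run build"},\n'
            '  ]\n}\n')
        (root / ".vscode" / "settings.json").write_text(json.dumps({
            "editor.tabSize": 2,
            "git.path": "./tools/git",  # editor would run this instead of system git
            "terminal.integrated.profiles.linux": {"repo-shell": {"path": "./tools/sh"}},
        }, indent=2))
        (root / ".devcontainer" / "devcontainer.json").write_text(json.dumps({
            "image": "example/base-image",  # placeholder
            "postCreateCommand": "./scripts/bootstrap.sh",
        }, indent=2))
    return root


def demo() -> dict[str, list[str]]:
    """Scan a clean and a booby-trapped sample repo; returns findings per repo."""
    with tempfile.TemporaryDirectory() as tmp:
        return {name: scan_repo(build_sample_repo(Path(tmp) / name, trapped))
                for name, trapped in (("clean", False), ("trapped", True))}


if __name__ == "__main__":
    for name, found in demo().items():
        print(f"[{name}] {len(found)} finding(s)")
        for line in found:
            print("  -", line)
```

Run it against a real clone with `scan_repo("/path/to/clone")`. The check is deliberately conservative: anything it cannot parse is surfaced for a human rather than dropped, and it says nothing about files it does not know, so it complements rather than replaces opening untrusted code in a restricted (workspace-trust or throwaway VM) environment.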
How Quickly Did the Attack Execute?
The setup may have taken six months, but the execution was fast. Once admin control of the protocol was seized, real user funds were drained in under 12 minutes. Drift's total value locked (TVL) dropped from roughly $550 million to under $300 million in less than an hour. The DRIFT token fell more than 40% during the incident. Security firm PeckShield confirmed the total loss exceeded $285 million, representing more than 50% of the protocol's TVL at the time.
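A drain that takes TVL from roughly $550 million to under $300 million inside an hour is the kind of signal a protocol monitor should catch from public data alone. The script below is an added example, not Drift's or PeckShield's tooling: a trailing-window TVL drop detector with one-alert-per-episode suppression, plus a helper that reports how many minutes pass between the drain starting and the first alert. The poll series is constructed to resemble the article's figures and is not the incident's actual timeline; the drain start minute and thresholds are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    minute: int
    tvl_usd: float
    baseline_usd: float
    drop: float          # fraction of the trailing-window high that is gone


def drain_alerts(series, window_minutes=60, max_drop=0.20):
    """Emit one Alert at the first poll where TVL sits more than max_drop below
    the highest reading in the trailing window, then stay quiet until TVL
    recovers above that line. Comparing against the trailing high (not the
    previous poll) catches a stepped drain whose individual steps each stay
    under the threshold."""
    polls = sorted(series)                      # (minute, tvl_usd) pairs, by time
    alerts, in_alert = [], False
    for i, (minute, tvl) in enumerate(polls):
        recent = [v for (m, v) in polls[:i + 1] if m >= minute - window_minutes]
        baseline = max(recent)                  # always non-empty: includes current poll
        drop = (baseline - tvl) / baseline if baseline > 0 else 0.0
        if drop > max_drop and not in_alert:
            alerts.append(Alert(minute, tvl, baseline, round(drop, 4)))
            in_alert = True
        elif drop <= max_drop:
            in_alert = False                    # episode over, re-arm
    return alerts


def detection_latency(series, drain_start_minute, **kwargs):
    """Minutes between the drain starting and the first alert, or None if the
    detector never fires at the given settings."""
    alerts = drain_alerts(series, **kwargs)
    return alerts[0].minute - drain_start_minute if alerts else None


# Constructed 5-minute polls (USD): stable near $550M, then a fast drain to the
# article's "under $300M" level. The drain start at minute 20 is an assumption.
CONSTRUCTED_POLLS = [
    (0, 550e6), (5, 551e6), (10, 549e6), (15, 548e6),
    (20, 470e6), (25, 360e6), (30, 290e6), (35, 265e6), (40, 263e6),
]
DRAIN_START_MINUTE = 20


if __name__ == "__main__":
    for a in drain_alerts(CONSTRUCTED_POLLS):
        print(f"minute {a.minute}: TVL ${a.tvl_usd / 1e6:.0f}M, "
              f"{a.drop:.1%} below trailing high ${a.baseline_usd / 1e6:.0f}M")
    for threshold in (0.20, 0.10):
        lat = detection_latency(CONSTRUCTED_POLLS, DRAIN_START_MINUTE, max_drop=threshold)
        print(f"max_drop={threshold:.0%}: detection latency {lat} minutes")
```

With a 20% threshold and 5-minute polls, the constructed drain is flagged only on the second poll after it starts, by which point roughly a third of the baseline is gone; at 10% it fires on the first poll. Against a drain that completes in about 12 minutes, the poll interval matters as much as the threshold, and both have to be tuned against the protocol's normal TVL volatility so the alert is not ignored as noise.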
Drift's team posted on X during the chaos to clarify the situation was genuine, writing: "This is not an April Fools joke. Proceed with caution until further notice." All deposits and withdrawals were suspended as the investigation began.
Where Did the $285 Million Go?
The attacker moved quickly to obscure the fund trail after the exploit. Stolen assets were converted to USDC and SOL, then bridged from Solana to Ethereum using Circle's Cross-Chain Transfer Protocol (CCTP). CCTP is Circle's native bridging infrastructure that allows USDC to move across different blockchains without wrapping. On Ethereum, the funds were converted into ETH. On-chain tracking confirmed the attacker ultimately accumulated 129,066 ETH, worth approximately $273 million at the time.
The attacker also deposited SOL into both HyperLiquid and Binance, spreading activity across multiple platforms to complicate tracing efforts.
Did Circle Respond Fast Enough?
On-chain investigator ZachXBT publicly criticized Circle after the exploit, pointing out that large amounts of stolen USDC were bridged from Solana to Ethereum during US business hours without being frozen. ZachXBT contrasted this with Circle's recent decision to freeze 16 unrelated corporate hot wallets in a sealed US civil case, arguing that Circle had both the technical ability and a clear precedent to intervene but failed to act quickly enough to limit the damage.
Who Is Behind the Attack?
With medium-high confidence, and supported by investigations conducted by the SEAL 911 team, Drift's inquiry attributes the operation to the same threat actors responsible for the October 2024 Radiant Capital hack. That attack was formally attributed by Mandiant to UNC4736, a North Korean state-affiliated group.
The basis for this connection is both on-chain and operational. Fund flows used to stage and test the Drift operation trace back to wallets linked to the Radiant attackers. Additionally, the personas deployed throughout the Drift campaign have identifiable overlaps with known DPRK-linked activity patterns.
One important clarification from Drift's team: the individuals who appeared in person at conferences were not North Korean nationals. At this level of operation, DPRK-linked threat actors are known to deploy third-party intermediaries to handle face-to-face relationship-building, keeping actual operatives at a distance.
Mandiant has been formally engaged for the investigation but has not yet issued an official attribution for the Drift exploit. That determination requires completed device forensics, which remain ongoing.
Current Response Measures
As of publication, Drift has taken the following steps:
- All remaining protocol functions have been frozen
- Compromised wallets have been removed from the multisig
- Attacker wallets have been flagged across exchanges and bridge operators
- Mandiant has been engaged as the primary forensic partner
Drift stated it is sharing these details publicly so that other teams in the ecosystem can understand what this type of attack actually looks like, and take steps to protect themselves accordingly.
Conclusion
The Drift Protocol hack is not a story about a code vulnerability that slipped through an audit. It is a story about sustained human deception. The attackers spent six months building credibility through in-person meetings, a working vault integration, and over $1 million of their own deposited capital before executing a 12-minute drain of $285 million.
The technical vectors, a malicious code repository and a fake TestFlight app, were effective precisely because the trust required to open them had already been carefully constructed.
For DeFi protocols, the lesson is direct: the attack surface is not limited to smart contracts. It includes every contributor device, every third-party repository, and every relationship built at an industry conference. UNC4736 has now demonstrated this twice, first at Radiant Capital in October 2024, and again at Drift in April 2026, with the same patient, resource-backed approach each time.
Resources
Drift Protocol on X: Post on March 5
PeckShield on X: Posts (April 1-2)
Lookonchain on X: Posts (April 1-2)
Frequently Asked Questions
How did the Drift Protocol hack happen?
The April 1, 2026 Drift hack was the result of a six-month social engineering operation. Attackers posed as a quantitative trading firm, built relationships with Drift contributors across multiple in-person meetings at industry conferences, deposited over $1 million to establish credibility, and ultimately compromised contributor devices through malicious code repositories and a fake TestFlight app. Once inside, they drained $285 million in under 12 minutes.
Who is responsible for the Drift Protocol hack?
With medium-high confidence, Drift's investigation attributes the attack to UNC4736, a North Korean state-affiliated threat group also tracked as AppleJeus or Citrine Sleet. The same group was attributed by Mandiant to the October 2024 Radiant Capital hack. On-chain fund flows link the two operations, and the operational tactics match known DPRK-linked activity patterns. Mandiant has not issued a formal attribution for Drift specifically, as device forensics are still underway.
What happened to the funds stolen from Drift Protocol?
After the exploit, the attacker converted stolen assets to USDC and SOL, then bridged them from Solana to Ethereum using Circle's CCTP infrastructure. On Ethereum, funds were converted into ETH. The attacker ultimately accumulated 129,066 ETH, worth approximately $273 million at the time. Additional SOL was deposited into both HyperLiquid and Binance to further complicate tracing.
Disclaimer
Disclaimer: The views expressed in this article do not necessarily represent the views of BSCN. The information provided in this article is for educational and entertainment purposes only and should not be construed as investment advice, or advice of any kind. BSCN assumes no responsibility for any investment decisions made based on the information provided in this article. If you believe that the article should be amended, please reach out to the BSCN team by emailing [email protected].
Author
Soumen Datta
Soumen has been a crypto researcher since 2020 and holds a master’s in Physics. His writing and research have been published by publications such as CryptoSlate and DailyCoin, as well as BSCN. His areas of focus include Bitcoin, DeFi, and high-potential altcoins like Ethereum, Solana, XRP, and Chainlink. He combines analytical depth with journalistic clarity to deliver insights for both newcomers and seasoned crypto readers.