New details have emerged about the attack on Drift Protocol, which caused approximately 270 million dollars in damage. According to updated information shared by the protocol team, a group affiliated with the North Korean state carried out a six-month preparation process for this operation.
Operation preparation process and infiltration method
The initial contact began at a major cryptocurrency conference in the fall of 2025, where the attackers approached the Drift ecosystem posing as a quantitative trading firm. Group members with technical knowledge and verifiable professional backgrounds gained trust by demonstrating a detailed understanding of how the protocol works.
Starting in October, the group established contact via Telegram and began discussing trading strategies, which is a standard process for DeFi protocols. Between December 2025 and January 2026, they deposited over a million dollars of their own capital on Drift, established a functional presence in the ecosystem, and met many team members in person.
Throughout February and March, Drift contributors and group members met at industry events held in many different countries. At this stage, the relationship had developed into one of considerable trust.
Attack vectors and security vulnerabilities
Two basic attack vectors were identified on the technical side of the incident. One group member is reported to have introduced a wallet application distributed through Apple's TestFlight platform to the ecosystem, thereby bypassing security checks.
The other vector was a vulnerability in the code editors VSCode and Cursor, which are widely used in software development. This vulnerability, which has been discussed in the security community since the end of 2025, allowed the attackers to take over devices by executing malicious code when a victim simply opened a file or folder.
Having bypassed security checks with these methods, the group obtained both signing authority on the multi-signature infrastructure and the access required for the attack. The transactions, prepared in advance and held for more than a week, were executed on April 1, and the protocol's funds were withdrawn within minutes.
There are indications that the North Korea-affiliated group tracked as UNC4736 is behind the attack. The group, also known in the industry as AppleJeus and Citrine Sleet, has been linked to several other recent attacks.
It was determined that the people met in person at the conferences were not North Korean citizens. Third-party operatives with sophisticated fake identities and professional networks can be used in such infiltration operations.
The Drift team called on other protocols in the industry to strictly monitor multi-signature access points and device security. The incident has once again raised the question of the limits of multisig governance as a security model.