North Korean Hackers Orchestrate Six-Month Social Engineering Scheme to Steal $285 Million from Drift Protocol
- John Jordan
- Apr 6
- 3 min read
Updated: Apr 13
In a meticulously planned operation spanning six months, North Korean state-sponsored hackers have been linked to the theft of $285 million from the Solana-based decentralized exchange, Drift Protocol. The sophisticated social engineering campaign involved attackers posing as a legitimate quantitative trading firm, building trust through in-person meetings and even deploying real capital before executing the massive digital heist.

Key Takeaways
North Korean hackers, identified as UNC4736 (also known as AppleJeus or Citrine Sleet), are believed to be behind the $285 million theft from Drift Protocol.
The attack was the culmination of a six-month social engineering operation that began in the fall of 2025.
Attackers posed as a quantitative trading firm, engaging Drift contributors in person at conferences and building rapport over several months.
The hackers deployed over $1 million in capital to establish an "Ecosystem Vault" on Drift, further solidifying their deceptive presence.
Compromise likely occurred through a malicious code repository shared with a developer or a fraudulent TestFlight application presented as a wallet.
The theft, executed on April 1, 2026, took approximately 12 minutes, making it one of the largest DeFi hacks of the year.
A Six-Month Deception Campaign
The operation began around the fall of 2025 when individuals, posing as representatives of a quantitative trading company, approached Drift contributors at major cryptocurrency conferences. These individuals were not North Korean nationals but rather third-party intermediaries, a tactic known to be employed by DPRK threat actors. They presented themselves as technically fluent, with verifiable professional backgrounds, and a deep understanding of Drift's operations.
A Telegram group was established, facilitating months of substantive conversations about trading strategies and potential vault integrations. This period of engagement was designed to mimic the typical onboarding process for legitimate trading firms.
Building Trust and Deploying Capital
Between December 2025 and January 2026, the group took a significant step by onboarding an "Ecosystem Vault" on Drift. As part of this process, they deposited over $1 million of their own funds and engaged contributors with detailed product questions. This move was calculated to build a functional operational presence within the Drift ecosystem, continuing integration discussions through February and March 2026.
The Attack Vectors
While the exact method of compromise is still under investigation, Drift has identified two primary vectors. One contributor may have been compromised after cloning a malicious code repository shared by the group, which contained a weaponized Visual Studio Code project designed to execute malicious code as soon as the folder was opened in the editor. Another contributor was reportedly persuaded to install a "wallet" app distributed through Apple's TestFlight for beta testing. Both vectors get attacker-supplied code running on a contributor's machine without passing through any review: the editor acts on a cloned repository before anyone reads it, and a TestFlight build is a beta distribution channel rather than a vetted App Store release. On the first vector, the practical check is VS Code's Workspace Trust: unfamiliar folders open in Restricted Mode, where tasks and other automatic execution are disabled until the user explicitly trusts the folder, so third-party repositories should be opened in Restricted Mode and their .vscode directory read before trust is granted.
Attribution and Impact
Security firms, including Mandiant and TRM Labs, have linked the attack to UNC4736, a North Korean state-sponsored group with a history of targeting the cryptocurrency sector. On-chain fund flows and operational overlaps trace back to previous attacks attributed to this group, including the Radiant Capital hack in October 2024. The stolen assets were quickly consolidated and moved through various cryptocurrencies and bridges, with efforts underway by law enforcement and forensic partners to trace and recover the funds. Drift has frozen all protocol functions and removed compromised wallets to prevent further loss.
The lesson of this case is that a long, convincing relationship is not a reason to run someone else's code: unsolicited repositories and beta applications should be treated as untrusted, opened only in isolated environments, and reviewed before they are executed, no matter how well the sender is known. As cyber threats continue to evolve, your security strategy needs to evolve with them. BetterWorld Technology delivers adaptive cybersecurity solutions designed to keep your business secure while supporting innovation. Connect with us today to schedule a personalized consultation.
Sources
$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation, The Hacker News.
North Korean Hackers Pose as Trading Firm to Steal $285M from Drift, Hackread.
Drift $280M crypto theft linked to 6-month in-person operation, BleepingComputer.
North Korea Spent 6 Months To Drain $285M From Drift Protocol In 12 Mins, The Cyber Express.
How Spies Infiltrated Drift Protocol for 6 Months Before Attacking, BeInCrypto.
