
North Korean Spies Spent 6 Months Inside Drift Protocol Before Stealing $270M

This is the scariest hack story crypto has seen in years, and it’s not because of the $270 million price tag. It’s because of how it happened.

Drift Protocol published a full incident report on Sunday revealing that the April 1 exploit wasn’t some anonymous hacker finding a bug. It was a state-sponsored North Korean intelligence operation that took six months of patient, calculated infiltration.

They Showed Up In Person

Let that sink in. The attackers — now attributed to UNC4736, also known as AppleJeus or Citrine Sleet — first made contact at a major crypto conference in fall 2025. They posed as a legitimate quantitative trading firm looking to integrate with Drift.

They weren’t sloppy about it either. These people were technically fluent, had verifiable professional backgrounds, and actually understood how the protocol worked. They set up a Telegram group and spent months having real conversations about trading strategies and vault integrations.

  • Between December 2025 and January 2026, they onboarded an Ecosystem Vault on Drift
  • They deposited over $1 million of their own capital
  • They held multiple working sessions with Drift contributors
  • They met team members face to face at conferences in multiple countries through February and March

By the time April 1 rolled around, these attackers had been a trusted part of the Drift ecosystem for half a year. That level of commitment is terrifying.

How They Actually Got In

The compromise came through two attack vectors. One team member installed a TestFlight app, distributed through Apple's pre-release testing platform rather than the App Store, which the group presented as their wallet product. TestFlight builds get a lighter beta review than App Store submissions, and installing one from a counterparty means trusting that counterparty with the device.

The second vector exploited a known weakness in VS Code and Cursor, two of the most widely used code editors among developers. The security community had been flagging it since late 2025: simply opening a file or folder sent by a counterparty could silently execute arbitrary code with no warning. The practical rule that follows is to treat any project folder received from an outside party as untrusted (VS Code's Workspace Trust setting exists for exactly this, and it is worth confirming it is enabled rather than assuming so) and to open such material on an isolated machine, never on a signer's workstation.

Once devices were compromised, the attackers obtained the two multisig approvals needed. The pre-signed transactions sat dormant for over a week before being executed on April 1, draining $270 million from the protocol’s vaults in under a minute.
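The detail that the approvals were collected early and then "sat dormant for over a week" points at a design check any signer setup can make: an approval should commit to a signing time and stop being valid after a short window, and unexecuted approvals should be visible to monitoring before they go stale. The following Python model is an added illustration, not Drift Protocol's code or any real multisig implementation. It uses a toy HMAC signature in place of a real on-chain signature scheme, and the signer names, keys, transaction hash and timestamps are all constructed for the example.

```python
"""Toy 2-of-N multisig where approvals expire, plus a dormant-approval monitor.

Illustrative example only (not Drift's code). Real multisigs use on-chain
signatures; HMAC stands in here so the block runs offline. The point is that
the signed message commits to a timestamp, so an attacker who harvests
approvals cannot hold them for a week and replay them later.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Approval:
    signer: str
    tx_hash: str
    signed_at: int   # unix seconds, bound into the signed message
    sig: bytes


def _message(tx_hash: str, signed_at: int) -> bytes:
    # Both the transaction and the signing time are covered by the signature.
    return f"{tx_hash}|{signed_at}".encode()


def sign(signer_key: bytes, signer: str, tx_hash: str, signed_at: int) -> Approval:
    sig = hmac.new(signer_key, _message(tx_hash, signed_at), hashlib.sha256).digest()
    return Approval(signer, tx_hash, signed_at, sig)


class Multisig:
    def __init__(self, signer_keys: dict, threshold: int, max_approval_age: int):
        self.signer_keys = signer_keys          # signer name -> verification key
        self.threshold = threshold
        self.max_approval_age = max_approval_age  # seconds an approval stays valid

    def execute(self, tx_hash: str, approvals: list, now: int) -> tuple:
        """Return (True, 'executed') only if enough fresh, valid approvals exist."""
        valid_signers = set()
        for a in approvals:
            if a.tx_hash != tx_hash:
                continue                          # approval is for another tx
            key = self.signer_keys.get(a.signer)
            if key is None:
                continue                          # unknown signer
            expected = hmac.new(key, _message(a.tx_hash, a.signed_at), hashlib.sha256).digest()
            if not hmac.compare_digest(a.sig, expected):
                continue                          # forged or tampered approval
            if now - a.signed_at > self.max_approval_age:
                return False, f"stale approval from {a.signer}"
            valid_signers.add(a.signer)
        if len(valid_signers) < self.threshold:
            return False, "threshold not met"
        return True, "executed"


def dormant_approvals(approvals: list, now: int, alert_after: int) -> list:
    """Monitoring hook: approvals that have been waiting longer than alert_after seconds."""
    return [a for a in approvals if now - a.signed_at > alert_after]


# Constructed sample data for the demo (not real keys or transactions).
KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key", "carol": b"carol-demo-key"}
TX = "0xdemo-withdraw-all"
DAY = 86400
ms = Multisig(KEYS, threshold=2, max_approval_age=DAY)


def demo() -> tuple:
    """Fresh approvals execute; week-old harvested approvals are rejected."""
    now = 1_700_000_000
    fresh = [sign(KEYS["alice"], "alice", TX, now - 600),
             sign(KEYS["bob"], "bob", TX, now - 300)]
    harvested = [sign(KEYS["alice"], "alice", TX, now - 8 * DAY),
                 sign(KEYS["bob"], "bob", TX, now - 8 * DAY)]
    forged = [sign(b"not-alices-key", "alice", TX, now - 60),
              sign(KEYS["bob"], "bob", TX, now - 60)]
    return (ms.execute(TX, fresh, now),
            ms.execute(TX, harvested, now),
            ms.execute(TX, forged, now),
            len(dormant_approvals(harvested, now, alert_after=6 * 3600)))


if __name__ == "__main__":
    print(demo())
```

The expiry window and the alert threshold are policy choices; the design point is that the timestamp is inside the signed message, so a signer's compromised device cannot produce an approval that outlives the window, and a monitor that sees approvals older than a few hours has something concrete to page on.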

The Uncomfortable Truth for DeFi

The people sitting across the table at those conferences were not North Korean nationals, by the way. DPRK threat actors at this level work through third-party intermediaries with fully constructed identities, employment histories, and professional networks built to pass due diligence.

If attackers are willing to spend six months and a million dollars building a legitimate presence inside an ecosystem, meet teams in person, contribute real capital, and wait — what security model is designed to catch that?

That’s the question Drift is asking the entire industry, and honestly, nobody has a good answer. Multisig governance is supposed to be the gold standard of DeFi security. But when the people holding the keys get compromised through months of social engineering, the multisig itself is meaningless.

Circle is also catching heat for not freezing the stolen USDC fast enough — blockchain investigator ZachXBT alleged that faster action could have limited losses. But that’s almost a secondary issue compared to the bigger problem: how do you defend against an enemy that’s willing to play the longest of long games?

DeFi needs a serious conversation about this, because if North Korea is running operations this sophisticated, the current security playbook isn’t enough.
