Drift Protocol Reveals Details of $280M Hack: North Korean Group UNC4736 Identified as Perpetrator
Drift Protocol has published findings from its investigation into the $280M hack that occurred on April 1. The attack has been attributed to North Korean group UNC4736, which spent six months infiltrating the project.
Six Months of Infiltration: How Hackers Breached Drift Protocol
Drift Protocol has released a detailed account of the investigation into a hacking incident that cost the project approximately $280 million. According to the team, the attack — which took place on April 1 — was carried out by a North Korean group that spent roughly six months planning and executing the operation.
Source: Drift (@DriftProtocol), original post: https://t.co/qYBMCup9i6
Drift described the breach as a "structured infiltration operation that required organizational support, significant resources, and several months of careful preparation."
How the Attackers Gained Trust
According to the Drift team, individuals representing an unnamed trading firm approached project members at a themed conference in the fall of 2025. They expressed interest in integrating with the protocol. It later emerged that the perpetrators had been deliberately tracking project participants and building trust with them over time.
The team noted that these individuals possessed technical skills, had verifiable professional backgrounds, and were familiar with how Drift operates. Following the initial meeting, a Telegram group was created, leading to months of substantive discussions about trading strategies and potential vault integration.
The front company then began connecting its own vaults to Drift, which required completing a form with a detailed strategy description. Additionally, the attackers invested over $1 million of their own funds into the ecosystem — apparently to solidify credibility.
Close communication between the developers and the attackers continued until approximately the end of March. After the attack was executed, all shared chats and contact information were deleted. The Drift team emphasized that these were not strangers but people that project members had worked with and met in person. Throughout the engagement, links to projects, tools, and applications were shared.
Three Probable Attack Vectors
As previously reported, the hackers gained access to custodial vaults by creating forged deferred signatures. The team has now identified three likely attack vectors:
- One team member may have been compromised after cloning a code repository that was disguised as a vault interface deployment.
- Another project member was persuaded to download a malicious TestFlight application presented as a digital wallet.
- Repositories allegedly contained a vulnerability that allowed arbitrary code execution simply by opening a file, folder, or document in an editor.
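The third vector above, code that runs merely because a folder is opened in an editor, is something a team can check for before opening an untrusted clone. The script below is an added example and is not code from Drift or from the investigation; the write-up does not name the editor or the mechanism involved, so the paths and settings it inspects (VS Code's `runOn: folderOpen` task option, JetBrains workspace files, executable git hooks) are assumptions about common editor auto-run conventions, and the sample repository it builds is constructed for the demonstration.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# Repository paths that editors or tooling may act on when a folder is opened.
# These are assumptions about common editor conventions, not anything the
# Drift write-up identifies as the vector that was used.
AUTO_RUN_PATHS = {
    ".vscode/tasks.json": "VS Code task with runOn=folderOpen runs when the folder opens",
    ".vscode/settings.json": "VS Code workspace settings can point tools at repo-local binaries",
    ".idea/workspace.xml": "JetBrains workspace file can carry startup run configurations",
    ".git/hooks": "executable git hooks run on checkout/commit (present only in archived clones)",
}

_LINE_COMMENT = re.compile(r"^\s*//.*$", re.MULTILINE)


def vscode_folder_open_tasks(tasks_json_text):
    """Return labels of VS Code tasks configured to run automatically on folder open.

    tasks.json is JSON-with-comments, so whole-line // comments are stripped first.
    Modern VS Code gates such tasks behind Workspace Trust; this check is a
    complement to that prompt, not a replacement for it.
    """
    try:
        doc = json.loads(_LINE_COMMENT.sub("", tasks_json_text))
    except json.JSONDecodeError:
        return ["<unparseable tasks.json>"]  # treat as suspicious rather than silent
    hits = []
    for task in doc.get("tasks", []):
        run_opts = task.get("runOptions") or {}
        if run_opts.get("runOn") == "folderOpen":
            hits.append(task.get("label", "<unlabeled>"))
    return hits


def scan_repo(repo_path):
    """Walk a cloned repo and list files an editor may act on when the folder is opened.

    Returns a list of (relative_path, reason, detail) tuples for a reviewer to inspect.
    """
    repo = Path(repo_path)
    findings = []
    for rel, why in AUTO_RUN_PATHS.items():
        p = repo / rel
        if not p.exists():
            continue
        detail = ""
        if rel == ".vscode/tasks.json":
            labels = vscode_folder_open_tasks(p.read_text(encoding="utf-8", errors="replace"))
            if not labels:
                continue  # tasks.json present, but nothing is wired to run on open
            detail = "auto-run tasks: " + ", ".join(labels)
        elif p.is_dir():
            # Hooks only fire if they are real files with the execute bit set.
            hooks = sorted(
                h.name for h in p.iterdir()
                if h.is_file() and os.access(h, os.X_OK) and not h.name.endswith(".sample")
            )
            if not hooks:
                continue
            detail = "executable hooks: " + ", ".join(hooks)
        findings.append((rel, why, detail))
    return findings


def build_sample_repo():
    """Create a constructed throwaway repo containing a folder-open task, for demonstration."""
    root = Path(tempfile.mkdtemp(prefix="repo-scan-demo-"))
    (root / "README.md").write_text("# vault interface (constructed sample)\n")
    vscode = root / ".vscode"
    vscode.mkdir()
    # Constructed sample: a task that would run a repo-local script on folder open.
    tasks = {
        "version": "2.0.0",
        "tasks": [
            {
                "label": "bootstrap",
                "type": "shell",
                "command": "./scripts/setup.sh",
                "runOptions": {"runOn": "folderOpen"},
            }
        ],
    }
    (vscode / "tasks.json").write_text("// sample tasks file\n" + json.dumps(tasks, indent=2))
    return str(root)


if __name__ == "__main__":
    sample = build_sample_repo()
    for rel, why, detail in scan_repo(sample):
        print(f"{rel}: {why} [{detail}]")
```

Run it against a fresh clone before opening the folder in an editor; any finding is a reason to open the files in a plain viewer first, and a `.git/hooks` hit in a clone you made yourself (rather than an archive you were handed) is itself unusual, since `git clone` does not transfer hooks.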
Drift continues to conduct forensic analysis of affected equipment. Specialists from SEALS 911 and law enforcement agencies are assisting with the investigation. The specific source of the vulnerability has not yet been determined, and the protocol remains suspended.
Why This Matters
This incident highlights a significant evolution in attacks targeting crypto projects — from purely technical exploits to long-term infiltration operations involving sophisticated social engineering. The attackers invested six months and over $1 million to embed themselves within the project, underscoring the growing sophistication of such threats. For the broader DeFi industry, this serves as a stark reminder that counterparty verification procedures must be strengthened, even when dealing with seemingly credible professional entities.
The Group Behind the Attack
Evidence gathered during the investigation linked the attack to UNC4736, a North Korean state-backed group also known as AppleJeus or Citrine Sleet. This same group is believed to have been behind the Radiant Capital hack, which resulted in losses exceeding $50 million in October 2024.
The connection was established through on-chain data revealing shared money flows, as well as through identified real-world individuals linked to the group. To infiltrate Drift, the criminals provided entirely fabricated information, including employment history, personal details, and professional references.
The Drift team clarified that the individuals who met project representatives in person were not North Korean nationals. North Korean operators at this level are known to use intermediaries for establishing face-to-face contacts.
Earlier in March, the same North Korean group was suspected of attacking crypto e-commerce platform Bitrefill.
Frequently Asked Questions
How much was stolen from Drift Protocol?
The hack resulted in losses of approximately $280 million. The attackers gained access to custodial vaults by creating forged deferred signatures.
Who hacked Drift Protocol?
The attack has been attributed to UNC4736, a North Korean state-backed hacking group also known as AppleJeus or Citrine Sleet. The same group is believed to be behind the $50M Radiant Capital hack in October 2024.
How did hackers infiltrate Drift Protocol?
The attackers posed as representatives of a trading firm, met Drift team members in person at a conference, and spent six months building trust. They even invested over $1 million into the ecosystem to appear legitimate.
Is Drift Protocol still operational after the hack?
No, the protocol remains suspended as of the latest update. The team is conducting forensic analysis with assistance from SEALS 911 and law enforcement agencies.
What attack methods were used against Drift Protocol?
Three probable vectors were identified: a malicious code repository clone disguised as a vault interface deployment, a malicious TestFlight app presented as a digital wallet, and a repository vulnerability that could execute arbitrary code when files were opened in an editor.