Drift Exploit Was Six‑Month North Korean Intel Op
The $270 million Drift Protocol exploit resulted from a six‑month social‑engineering operation by North Korean group UNC4736. Attackers posed as a quant fund, built trust in person, and used weaponized development tools to steal multisig keys, exposing deep flaws in DeFi security models.
Quick Take
Attackers built a six‑month relationship, met the team in person, and deposited capital.
Malware was delivered via a VSCode/Cursor vulnerability and a TestFlight wallet app.
Two multisig approvals obtained, enabling a durable nonce drain on April 1.
Funds traced to UNC4736, same group behind Radiant Capital attack.
Market Impact Analysis
Bearish: Massive DeFi exploit erodes trust, likely causes immediate sell‑off in DRIFT and raises fears of similar social‑engineering attacks across protocols.
Key Takeaways
- North Korean group UNC4736 spent six months posing as a quant fund to infiltrate Drift Protocol.
- Attackers used social engineering, in-person meetings, and malware to steal multisig approvals.
- $270 million drained in under a minute via a durable nonce attack on April 1.
- The exploit exposes fundamental weaknesses in DeFi’s reliance on multisig security.
What Happened
Drift Protocol lost $270 million in a devastating exploit that was the culmination of a six-month intelligence operation. North Korean state-affiliated group UNC4736 infiltrated the DeFi protocol by posing as a quantitative trading firm. The attackers built trust through Telegram conversations, in-person meetings at major crypto conferences, and over $1 million in deposited capital. They worked with Drift contributors for months before delivering malware through VSCode and Cursor code editors and a malicious TestFlight wallet app. Once inside, they obtained two multisig approvals and lay dormant for over a week. On April 1, they executed pre-signed durable nonce transactions, draining the vaults in under a minute.
The Numbers
The attackers’ precision is reflected in the data. $270 million vanished in a single fast assault. The operation lasted six months from first contact to execution. UNC4736, also known as AppleJeus, was identified via on-chain flows tied to the Radiant Capital hack. The exploit leveraged a known VSCode/Cursor vulnerability that silently executes arbitrary code. Two multisig approvals were stolen—just enough to authorize the durable nonce drain. These figures underscore a new level of sophistication in crypto heists, where human trust is the primary attack surface.
Why It Happened
The exploit succeeded because the attackers manipulated standard DeFi onboarding practices. Posing as a legitimate trading firm, they passed due diligence with verifiable backgrounds and sustained engagement. The industry’s reliance on multisig security created a single point of failure once the approvals were compromised. Weaponized development tools like VSCode and Cursor allowed malware to infiltrate contributors’ devices without warnings. Apple’s TestFlight bypassed App Store review, enabling a trojan wallet. The six-month honeypot demonstrates that state-sponsored groups are now investing heavily in long-term social engineering to defeat technical controls.
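To make concrete why two stolen approvals could sit unused for over a week and still drain the vaults in under a minute, here is an added illustration in Python. It is not code from Drift Protocol or from this article. It models the one property that matters: an ordinary Solana transaction is only valid while its recent blockhash is fresh (roughly 150 slots), whereas a durable nonce transaction stays executable until the nonce account is advanced. The account names, slot arithmetic, slots-per-day figure and the toy multisig are simplifying assumptions. The same model also shows the two defensive checks the "Why It Happened" discussion points at: signer-side tooling that flags a durable nonce at approval time, and the nonce authority rotating the nonce, which invalidates anything pre-signed against it.

```python
from dataclasses import dataclass, field
from typing import Optional

BLOCKHASH_LIFETIME_SLOTS = 150   # a recent blockhash is accepted for roughly this many slots
SLOTS_PER_DAY = 216_000          # rough figure, assuming about 0.4 s per slot (assumption)


@dataclass
class Transaction:
    # For an ordinary transaction this is a recent blockhash; for a durable
    # nonce transaction it is the value currently stored in the nonce account.
    recent_blockhash: str
    nonce_account: Optional[str] = None
    approvals: set = field(default_factory=set)


@dataclass
class Ledger:
    slot: int = 0
    nonce_accounts: dict = field(default_factory=dict)  # name -> stored nonce value

    def recent_blockhash(self) -> str:
        return f"hash-{self.slot}"           # constructed, deterministic stand-in

    def tick(self, slots: int) -> None:
        self.slot += slots

    def blockhash_is_live(self, h: str) -> bool:
        origin = int(h.rsplit("-", 1)[1])
        return self.slot - origin <= BLOCKHASH_LIFETIME_SLOTS

    def advance_nonce(self, name: str) -> None:
        # AdvanceNonceAccount: store a fresh value, so anything signed against
        # the old value can never be executed again
        self.nonce_accounts[name] = f"nonce-{name}-{self.slot}"

    def is_executable(self, tx: Transaction) -> bool:
        if tx.nonce_account is None:
            return self.blockhash_is_live(tx.recent_blockhash)
        return self.nonce_accounts.get(tx.nonce_account) == tx.recent_blockhash


class Multisig:
    def __init__(self, signers, threshold: int):
        self.signers, self.threshold = set(signers), threshold

    def approve(self, tx: Transaction, signer: str) -> None:
        if signer in self.signers:
            tx.approvals.add(signer)

    def execute(self, tx: Transaction, ledger: Ledger) -> str:
        if len(tx.approvals) < self.threshold:
            return "rejected: below threshold"
        if not ledger.is_executable(tx):
            return "rejected: stale blockhash or nonce"
        if tx.nonce_account is not None:
            ledger.advance_nonce(tx.nonce_account)   # first instruction of a nonce tx
        return "executed"


def signing_policy_warnings(tx: Transaction, ledger: Ledger) -> list:
    """Signer-side check a wallet or approval tool could run before signing."""
    warnings = []
    if tx.nonce_account is not None:
        warnings.append("durable nonce: no expiry; stays executable until the nonce is advanced")
    elif not ledger.blockhash_is_live(tx.recent_blockhash):
        warnings.append("blockhash already expired")
    return warnings


def run_scenario() -> dict:
    ledger = Ledger()
    for name in ("nonce-a", "nonce-b"):
        ledger.advance_nonce(name)           # initialise stored values at slot 0
    treasury = Multisig(["alice", "bob", "carol"], threshold=2)

    prompt = Transaction(ledger.recent_blockhash())
    stale = Transaction(ledger.recent_blockhash())
    durable = Transaction(ledger.nonce_accounts["nonce-a"], nonce_account="nonce-a")
    rotated = Transaction(ledger.nonce_accounts["nonce-b"], nonce_account="nonce-b")

    warnings = {"prompt": signing_policy_warnings(prompt, ledger),
                "durable": signing_policy_warnings(durable, ledger)}
    for tx in (prompt, stale, durable, rotated):
        treasury.approve(tx, "alice")        # the two compromised approvals
        treasury.approve(tx, "bob")

    ledger.tick(100)                         # well inside the blockhash window
    results = {"prompt": treasury.execute(prompt, ledger)}

    ledger.tick(8 * SLOTS_PER_DAY)           # dormant for over a week
    ledger.advance_nonce("nonce-b")          # defender rotates one nonce in the meantime
    results["stale"] = treasury.execute(stale, ledger)
    results["durable"] = treasury.execute(durable, ledger)
    results["rotated"] = treasury.execute(rotated, ledger)
    results["warnings"] = warnings
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The scenario approves four transactions at the same moment with the same two signatures. The ordinary transaction executes only if submitted promptly; the copy submitted a week later is dead. The durable nonce transaction executes a week later without any further interaction, which is the behaviour the timeline describes. The fourth case shows the cheap mitigation: because the nonce authority advanced `nonce-b` during the dormant period, the pre-signed transaction against it is rejected, so periodic nonce rotation and a signing tool that flags durable nonce transactions both shrink the window in which stolen approvals stay useful.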
Broader Impact
The Drift attack challenges the entire DeFi security model. Multisig governance, long considered a robust standard, is vulnerable when signers’ devices are targeted. The use of in-person meetings and third-party intermediaries with fabricated identities means even face-to-face verification can be weaponized. Protocols must now treat every device and every relationship as a threat vector. This incident may accelerate a shift toward hardware-enforced security and constant access auditing, reshaping how DeFi teams manage operational risk.
What to Watch Next
- Other DeFi protocols will likely audit multisig signer devices and review access controls immediately.
- Regulators may scrutinize security practices, potentially leading to new custody standards for large protocols.
- DRIFT token faces short-term sell pressure as trust erodes, with broader DeFi sentiment vulnerable.
This article is for informational purposes only and does not constitute financial advice.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved.