Drift Protocol’s $280M Hack Traced to North Korean Intelligence Operation

Drift Protocol has linked its $280 million exploit, executed on April 1, to a six-month social engineering campaign attributed with “medium-high confidence” to North Korean state-linked threat actors. The Solana-based perpetuals exchange published preliminary findings on April 5, describing what investigators called a structured intelligence operation requiring organizational backing, real capital, and sustained human infiltration. The picture that emerges is less a hack than a methodical prosecution of a target, with the protocol’s own trust mechanisms turned against it.

Six Months of Groundwork Before a Single Transaction Moved

According to Drift’s post-mortem, first contact occurred around October 2025 at a major crypto conference, where attackers presented themselves as representatives of a quantitative trading firm. Over the following months, they deployed more than $1 million of their own capital, onboarded an Ecosystem Vault, and participated in technical working sessions. By early 2026, Drift contributors regarded them as a routine integration partner. The attackers, as Drift noted, “were technically fluent, had verifiable professional backgrounds, and were familiar with how Drift operated.”

Two technical vectors completed the compromise. The first was a malicious TestFlight application distributed through Apple’s pre-release channel, bypassing standard app review. The second exploited a known vulnerability in development tools including VSCode and Cursor, where opening a file could trigger silent code execution. Once contributor devices were compromised, attackers secured the multisig approvals they needed. Pre-signed transactions then sat dormant for more than a week before draining protocol vaults in under a minute. As reported in our earlier coverage of Solana’s largest DeFi hack of 2026, the speed of execution stood in stark contrast to the patience of the preparation.

Legal Exposure and a Sector-Wide Security Reckoning

Drift attributed the operation to UNC4736, also known as AppleJeus or Citrine Sleet, the same group assessed with medium-high confidence to be responsible for the $58 million Radiant Capital hack in October 2024. Drift was explicit that the individuals who appeared at conferences were not North Korean nationals, noting that state-linked actors at this level are known to deploy third-party intermediaries for face-to-face relationship building. That detail matters for attribution: identity verification and in-person interaction, long treated as credible due diligence, no longer function as reliable controls.

The legal dimension is also sharpening. Attorney Ariel Givner told Cointelegraph that the incident may constitute civil negligence, stating plainly that the team “failed their basic duty to protect the money they were managing.” Givner pointed to two specific omissions: signing keys were not held on air-gapped systems separate from developer machines, and the team did not conduct adequate due diligence on developers encountered at industry events. Those are not exotic requirements. They are baseline operational security. The gap between what was expected and what was practiced is precisely the kind of gap a civil claim is built on, as Cointelegraph’s legal analysis makes clear.

The broader numbers reinforce the urgency. PeckShield recorded a 96% rise in crypto hack losses in March 2026, with $52 million stolen across 20 separate exploits. The Drift incident dwarfs that monthly total by a factor of five. SOL was trading at $81.73 at the time of writing, up 2.68% over 24 hours, with the network processing 2,771 transactions per second across 767 active validators. The chain itself performed without fault. The failure was entirely human, which is the hardest category of vulnerability to patch with a protocol upgrade.

Mari-Johanna Mäkelä

Crypto writer and blockchain analyst with a passion for explaining complex systems in a clear and thoughtful way. I focus on Bitcoin, Ethereum, DeFi and the evolving role of blockchain in the real economy. Years in the industry have taught me that good information matters more than hype. My goal is simple: make crypto understandable, useful and accessible for everyone.
