
North Korea’s DeFi Infiltration Predates Drift by Years, Researchers Warn

North Korean IT workers have been embedding themselves inside decentralized finance protocols for at least seven years, according to cybersecurity researcher Taylor Monahan, a developer at MetaMask. The disclosure lands days after Drift Protocol confirmed that a six-month social engineering campaign, attributed with “medium-high” confidence to DPRK-linked actors, culminated in a $270 million to $280 million exploit on April 1. The scale of what researchers are now describing reframes the Drift breach not as an isolated incident but as one data point in a much longer pattern of state-directed infiltration.

Monahan stated that DPRK-linked workers built protocols “all the way back to DeFi summer,” placing the start of the campaign around 2019. She identified more than 40 DeFi platforms, including well-known names, as having had North Korean developers working on their codebases at some stage. That figure, if accurate, means the problem extends well beyond any single exploit and implicates a broad cross-section of the ecosystem’s foundational infrastructure.

How the Drift Operation Was Constructed

The mechanics of the Drift attack, detailed in the protocol’s own post-mortem and traced by investigators to a North Korean intelligence operation, illustrate exactly why long-dwell infiltration is so effective. Operatives posed as representatives of a quantitative trading firm, made contact at a crypto conference in autumn 2025, and deposited over $1 million in real capital to establish credibility. Drift team members met them face-to-face at multiple international conferences between February and March 2026. By the time the attack executed, the relationship was nearly six months old.

The technical compromise came through two vectors: a malicious TestFlight application marketed as a proprietary wallet, and a documented vulnerability in the VSCode and Cursor development environments that executed a payload silently upon opening a compromised file. Credentials harvested this way secured two multisignature wallet approvals. Those pre-signed transactions sat dormant for more than a week before draining the protocol in roughly sixty seconds on April 1. Cybersecurity analysts have linked the operation to UNC4736, also designated AppleJeus or Citrine Sleet, the same group attributed to the October 2024 Radiant Capital compromise.


Legal Exposure and the Insider Risk Model

Attorney Ariel Givner has said the incident may constitute civil negligence, arguing that standard operational security practices were not followed. “In plain terms, civil negligence means they failed their basic duty to protect the money they were managing,” Givner said. She pointed specifically to the absence of air-gapped signing systems and inadequate due diligence on developers encountered at industry events, describing these as requirements that “every credible project understands.” Class action litigation efforts are reportedly already underway.

Researchers tracking the broader DPRK developer campaign note that infiltration frequently does not result in immediate malicious activity, which is precisely what makes it difficult to detect and prosecute. Access is maintained over extended periods, with operatives contributing legitimately to codebases while retaining the ability to manipulate protocol logic or extract credentials at a later, chosen moment. That delayed threat model puts conventional security monitoring at a structural disadvantage. The evidence, assembled piece by piece across seven years of reported activity, points to a program that is patient, methodical, and far from finished.
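The two paragraphs above share one defensive lesson: the damaging step in the Drift operation was not the credential theft itself but the interval during which fully signed multisig approvals sat unexecuted, and the article's "delayed threat model" is the same pattern stretched over years. The following is an added example, written for this edit and not code from the article, Drift Protocol, or any cited researcher. It runs a dwell-time check over a multisig approval queue: approvals that are fully signed but still unexecuted after a threshold are flagged, as are executions that fire from approvals collected long before. The record layout, the three-day threshold, the `Approval` fields and the sample queue are all assumptions constructed for the example.

```python
# Added example (not from the article or from Drift Protocol): dwell-time
# monitoring for a multisig approval queue. Field names, the threshold and
# the sample records are assumptions constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional

DAY = 86_400  # seconds


@dataclass(frozen=True)
class Approval:
    tx_id: str                  # queued transaction identifier (constructed)
    signed_at: int              # epoch seconds when the last required signature landed
    executed_at: Optional[int]  # epoch seconds of on-chain execution, None if still pending
    description: str            # operator note, for the report only


def pending_too_long(queue: List[Approval], now: int, max_dwell: int = 3 * DAY) -> List[str]:
    """Approvals that are fully signed but still unexecuted after max_dwell seconds.

    A signed-but-dormant approval is a standing capability: whoever holds the
    signatures can broadcast it at a moment of their choosing.
    """
    return [a.tx_id for a in queue
            if a.executed_at is None and now - a.signed_at > max_dwell]


def executed_after_dwell(queue: List[Approval], max_dwell: int = 3 * DAY) -> List[str]:
    """Executions whose approval was collected more than max_dwell earlier.

    This is the post-hoc signal: a transaction signed long ago and only now
    broadcast should be reviewed even if every signature was valid.
    """
    return [a.tx_id for a in queue
            if a.executed_at is not None and a.executed_at - a.signed_at > max_dwell]


def expire_stale(queue: List[Approval], now: int, max_dwell: int = 3 * DAY) -> List[Approval]:
    """Policy counterpart of the monitor: approvals a signer process should revoke.

    Returning the records rather than mutating the queue keeps the function
    pure; a real deployment would submit the revocation to the multisig.
    """
    stale_ids = set(pending_too_long(queue, now, max_dwell))
    return [a for a in queue if a.tx_id in stale_ids]


# Constructed sample queue. T0 is an arbitrary reference time, not a real event.
T0 = 1_775_000_000
SAMPLE_QUEUE = [
    Approval("tx-a", T0, T0 + 2 * 3600, "routine parameter update, executed within hours"),
    Approval("tx-b", T0, None, "approval signed but never executed"),
    Approval("tx-c", T0 - 9 * DAY, T0, "withdrawal executed nine days after approval"),
]


def run_report(queue: List[Approval] = SAMPLE_QUEUE, now: int = T0 + 5 * DAY) -> dict:
    """Summarise both signals over a queue as of `now`."""
    return {
        "pending_too_long": pending_too_long(queue, now),
        "executed_after_dwell": executed_after_dwell(queue),
        "to_revoke": [a.tx_id for a in expire_stale(queue, now)],
    }


if __name__ == "__main__":
    for key, value in run_report().items():
        print(f"{key}: {value}")
```

The threshold is the policy decision: a queue where approvals expire after a short, fixed dwell removes the "sign now, drain later" window the article describes, and the second check catches the case where an approval is broadcast after that window anyway. Neither check depends on knowing who signed, which is the point when the signer is a trusted-looking insider.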

Mari-Johanna Mäkelä

Crypto writer and blockchain analyst with a passion for explaining complex systems in a clear and thoughtful way. I focus on Bitcoin, Ethereum, DeFi and the evolving role of blockchain in the real economy. Years in the industry have taught me that good information matters more than hype. My goal is simple: make crypto understandable, useful and accessible for everyone.
