The biggest DeFi exploit of the year started at a networking event with complimentary drinks — Drift Protocol disclosed on Apr. 5 that its Apr. 1 hack was the result of a six-month intelligence operation now linked with medium-high confidence to North Korean state-affiliated actors.
The infiltration began in fall 2025, when a group posing as a quantitative trading firm approached Drift contributors at a major crypto conference. Over the following months, they met team members face-to-face at multiple industry events across several countries.
They deposited more than $1M of their own capital into an Ecosystem Vault.
They asked detailed product questions across multiple working sessions, building what appeared to be a legitimate trading operation inside Drift's infrastructure.
Between December 2025 and March 2026, the group deepened its ties through vault integrations and continued in-person meetings at conferences. Contributors had no reason for suspicion — by the time of the exploit, the relationship was nearly half a year old and included verified professional backgrounds, substantive technical conversations, and a functioning on-chain presence.
When the attack hit on Apr. 1, the group's Telegram chats and malicious software were scrubbed clean. Forensic review identified two likely intrusion vectors: a malicious code repository shared under the pretense of deploying a vault frontend, and a TestFlight application presented as the group's wallet product.
A known vulnerability in VSCode and Cursor editors, actively flagged by the security community from December 2025 through February 2026, may have enabled silent code execution simply by opening a file.
All remaining protocol functions have been frozen and compromised wallets removed from the multisig. Mandiant has been engaged for the investigation, and attacker wallets have been flagged across exchanges and bridge operators.
An investigation by the SEAL 911 team assessed with medium-high confidence that the operation was carried out by the same threat actors behind the October 2024 Radiant Capital hack.
Mandiant previously attributed that attack to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet.
The connection rests on both on-chain evidence and operational patterns.
Fund flows used to stage and test the Drift operation trace back to the Radiant attackers, and personas deployed across the campaign overlap with known DPRK-linked activity. Notably, the individuals who appeared in person were not North Korean nationals — DPRK threat actors at this level are known to use third-party intermediaries for face-to-face engagement.