Drift Protocol Exploit Traced to North Korean-Linked Social Engineering Operation


Attackers Posed as Trading Firm

In a striking example of targeted deception, the group behind the Drift Protocol exploit first approached contributors at a major crypto conference in the fall of 2025.

On paper, these interactions resembled standard networking within the crypto sector, but beneath the surface, a coordinated infiltration was underway.

Six Months of Careful Infiltration

The operation spanned roughly six months, with attackers embedding themselves within Drift’s ecosystem. Between December 2025 and January 2026, they went so far as to onboard an Ecosystem Vault on Drift and deposit over $1 million—an unusually high commitment for an outside party. This move granted them deeper access and trust among core contributors.

Drift’s internal investigation revealed that working sessions—ostensibly for collaboration—were used to share malicious links and tools. The attackers exploited vulnerabilities in widely used code editors such as VSCode and Cursor, along with a TestFlight app masquerading as a legitimate wallet product. By leveraging these entry points, they compromised key devices belonging to team members responsible for protocol security.

It’s unclear if any warning signs were detected during this prolonged engagement.

Vaults Drained in Under a Minute

On April 1, 2026, the attackers executed their plan, draining approximately $270 million from Drift’s vaults in less than sixty seconds. External estimates put total losses closer to $285 million, making this one of the most significant exploits on a Solana-based platform so far this year. The speed and precision of the attack left little opportunity for any immediate response by Drift’s team or its automated defenses.

Immediately after extracting funds from multiple vaults, the perpetrators wiped their digital presence and ceased all communication channels previously used with Drift contributors. The stolen assets were distributed across four Ethereum wallets; one identified address is 0xAa843eD65C1f061F111B5289169731351c5e57C1. In response, Drift sent an on-chain message from wallet 0x0934faC45f2883dd5906d09aCfFdb5D18aAdC105 to these wallets stating: “Critical information of parties related to the exploit have been identified.”

Despite this direct communication attempt, experts like Michael Egorov of Curve Finance have noted that North Korean hackers historically do not engage in negotiation or show concern for law enforcement intervention.

Ties to Previous Radiant Capital Hack

Drift Protocol’s post-mortem indicates with “medium-high confidence” that the same actors are responsible for both this exploit and the $58 million Radiant Capital hack from October 2024. Both attacks shared key operational patterns: social engineering through industry events, malware-laced communications via platforms like Telegram, and rapid fund extraction followed by digital disappearance. In Radiant Capital’s case, malware was delivered under the guise of an ex-contractor—a tactic mirrored by Drift's attackers during their six-month infiltration.

According to coindesk.com, attribution points toward UNC4736—a group also tracked as AppleJeus or Citrine Sleet—based on similarities in on-chain fund flows and overlaps with known DPRK-linked personas.

Attribution Points to North Korean Group

Several blockchain security experts have linked this operation directly to the Democratic People’s Republic of Korea (DPRK). The group UNC4736 has been implicated in previous high-profile crypto thefts totaling $6.5 billion over recent years. The attack on Drift fits an established pattern: long-term social engineering culminating in swift technical exploitation, followed by immediate laundering of the stolen funds through complex wallet networks.

While Drift has reached out publicly via on-chain messages to negotiate or recover funds, history suggests such overtures are unlikely to succeed given past DPRK-linked incidents.

The Gist

  • On April 1, 2026, attackers drained $270–$285 million from Drift Protocol in under one minute.
  • The exploit followed a six-month social engineering operation by North Korean group UNC4736, starting at a crypto conference in fall 2025.
  • Attackers deposited over $1 million into Drift’s Ecosystem Vault between December 2025 and January 2026 to gain trust and access.

What could influence sentiment

If Drift Protocol’s on-chain messages to the four Ethereum wallets holding the stolen funds—including 0xAa843eD65C1f061F111B5289169731351c5e57C1—result in any response or movement of assets, it would immediately signal a shift in the hackers’ intentions or risk profile; however, whether the North Korea-linked actors will engage remains unclear.