
Drift Traces Its $270 Million Exploit to a Six-Month North Korean Intelligence Operation

Published: Apr 5, 2026 | By SpendNode Editorial

Key Analysis

Drift Protocol says the April 1 exploit was carried out by UNC4736, a North Korean state-backed group that spent six months building trust before draining $270M.


Drift Protocol has formally attributed its $270 million exploit to UNC4736, a North Korean state-affiliated hacking group also tracked as AppleJeus and Citrine Sleet. The disclosure, published on April 5, 2026, reveals an infiltration campaign that started in fall 2025 and culminated in a sub-one-minute drain on April 1.

This was not a code bug, an oracle manipulation, or a brute-force key compromise. It was a six-month intelligence operation with in-person meetings, real capital deployed as cover, and two separate device compromise vectors, all aimed at obtaining two multisig signatures.

Six Months of Social Engineering

The operation began at a major crypto conference in fall 2025. Operatives posing as a quantitative trading firm made initial contact with Drift contributors. They were not North Korean nationals. Drift described them as "third-party intermediaries with fully constructed identities, employment histories, and professional networks built to withstand due diligence."

Between December 2025 and January 2026, the group onboarded an Ecosystem Vault and deposited over $1 million of their own capital into the protocol. From February through March, they met Drift team members face-to-face at multiple industry events across several countries.

The trust-building phase served a single purpose: getting close enough to compromise devices that had signing authority over Drift's multisig.

Two Compromise Vectors

The attackers used two separate methods to gain access to contributor devices.

The first was a malicious application distributed through Apple's TestFlight platform. TestFlight lets developers push pre-release builds to invited testers with a lighter review than App Store submissions receive, which makes it a convenient channel for delivering an unvetted binary to a specific target. At least one Drift contributor installed what appeared to be a wallet application through this channel.

The second exploited a known vulnerability in VSCode and Cursor, the two most popular code editors in crypto development. The vulnerability, flagged since late 2025, allows arbitrary code execution when a user opens a file or folder: no warning, no confirmation prompt. Opening a project directory was enough. Whatever the specific bug, the practical lesson is the same as for the TestFlight build: a file or project received from an outside party should never be opened on a machine that also holds or operates a signing key.

With device access secured, the attackers obtained approvals from two of the five signers on Drift's multisig, which was enough for the drain to execute. The approvals were pre-signed transactions that used Solana's durable nonce feature: instead of a recent blockhash, which expires within roughly a minute or two, a durable-nonce transaction references a value stored in an on-chain nonce account and stays valid until that nonce is advanced. The signed transactions sat dormant for over a week before the attackers chose to execute them.
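The durable-nonce pattern is visible in the raw transaction bytes, so a co-signer can check for it before approving anything. The following is an added example, not Drift's code or Solana's own tooling: it parses a Solana legacy transaction message, flags a first instruction of SystemProgram AdvanceNonceAccount (enum index 4, three accounts: nonce account, recent-blockhashes sysvar, nonce authority), and reports whether a signed nonce transaction is still replayable against a given on-chain nonce value. The account keys and nonce values below are constructed placeholders, not real accounts; only the System Program ID (32 zero bytes) and the instruction discriminators are real.

```python
# Added example (not Drift's or Solana Labs' code): detect durable-nonce use in a
# raw Solana legacy message. Such a message carries the nonce account's stored
# value in its recent_blockhash field and stays valid until the nonce advances.
import struct

SYSTEM_PROGRAM_ID = bytes(32)          # base58 "11111111111111111111111111111111"
ADVANCE_NONCE = struct.pack("<I", 4)   # SystemInstruction::AdvanceNonceAccount
TRANSFER = 2                           # SystemInstruction::Transfer { lamports }


def encode_compact_u16(n: int) -> bytes:
    """Solana's compact-u16: 7 bits per byte, high bit means 'more follows'."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def read_compact_u16(buf: bytes, pos: int):
    value = 0
    for shift in (0, 7, 14):
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
    raise ValueError("malformed compact-u16")


def parse_message(msg: bytes) -> dict:
    """Legacy message layout: 3-byte header, keys, recent_blockhash, instructions."""
    pos = 3  # num_required_signatures, num_readonly_signed, num_readonly_unsigned
    n_keys, pos = read_compact_u16(msg, pos)
    keys = [msg[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    recent_blockhash, pos = msg[pos:pos + 32], pos + 32
    n_ix, pos = read_compact_u16(msg, pos)
    instructions = []
    for _ in range(n_ix):
        program, pos = keys[msg[pos]], pos + 1
        n_acc, pos = read_compact_u16(msg, pos)
        accounts, pos = [keys[i] for i in msg[pos:pos + n_acc]], pos + n_acc
        data_len, pos = read_compact_u16(msg, pos)
        data, pos = msg[pos:pos + data_len], pos + data_len
        instructions.append({"program": program, "accounts": accounts, "data": data})
    if pos != len(msg):
        raise ValueError("trailing bytes after message")
    return {"keys": keys, "recent_blockhash": recent_blockhash, "instructions": instructions}


def durable_nonce_info(msg: bytes):
    """Nonce details if the first instruction is AdvanceNonceAccount, else None."""
    parsed = parse_message(msg)
    if not parsed["instructions"]:
        return None
    first = parsed["instructions"][0]
    if (first["program"] == SYSTEM_PROGRAM_ID and first["data"] == ADVANCE_NONCE
            and len(first["accounts"]) == 3):
        return {"nonce_account": first["accounts"][0],
                "nonce_authority": first["accounts"][2],
                "nonce_value": parsed["recent_blockhash"]}
    return None


def is_still_replayable(msg: bytes, current_nonce_value: bytes) -> bool:
    """A signed nonce transaction is live only while the on-chain nonce matches it."""
    info = durable_nonce_info(msg)
    return info is not None and info["nonce_value"] == current_nonce_value


def build_message(keys, header, recent_blockhash, instructions) -> bytes:
    """Serialize a legacy message; instructions are (program_idx, acct_idxs, data)."""
    out = bytearray(header) + encode_compact_u16(len(keys)) + b"".join(keys)
    out += recent_blockhash + encode_compact_u16(len(instructions))
    for program_idx, acct_idxs, data in instructions:
        out += bytes([program_idx]) + encode_compact_u16(len(acct_idxs)) + bytes(acct_idxs)
        out += encode_compact_u16(len(data)) + data
    return bytes(out)


# Constructed sample keys (placeholders, not real accounts). Key order follows
# Solana's rule: writable signers, writable non-signers, readonly non-signers.
PAYER, NONCE_ACCOUNT, DEST, RECENT_BLOCKHASHES_SYSVAR = (bytes([i]) * 32 for i in (1, 2, 3, 4))
KEYS = [PAYER, NONCE_ACCOUNT, DEST, RECENT_BLOCKHASHES_SYSVAR, SYSTEM_PROGRAM_ID]
HEADER = bytes([1, 0, 2])          # 1 signer, 0 readonly signed, 2 readonly unsigned
NONCE_VALUE = bytes([0xAA]) * 32   # constructed: value in the nonce account at signing time
TRANSFER_IX = (4, [0, 2], struct.pack("<IQ", TRANSFER, 1_000_000))

# Durable-nonce transaction: AdvanceNonceAccount(nonce, sysvar, authority) comes first.
NONCE_TX = build_message(KEYS, HEADER, NONCE_VALUE, [(4, [1, 3, 0], ADVANCE_NONCE), TRANSFER_IX])
# Ordinary transaction: a recent blockhash, which expires within minutes.
PLAIN_TX = build_message(KEYS, HEADER, bytes([0xBB]) * 32, [TRANSFER_IX])

if __name__ == "__main__":
    print("nonce tx uses durable nonce:", durable_nonce_info(NONCE_TX) is not None)
    print("plain tx uses durable nonce:", durable_nonce_info(PLAIN_TX) is not None)
    print("still replayable after nonce advance:", is_still_replayable(NONCE_TX, bytes([0xAC]) * 32))
```

Two things follow from the check. A signer asked to approve a message where `durable_nonce_info` is not `None` should treat the approval as open-ended rather than expiring, because it can be broadcast days later, exactly as happened here. And the nonce authority can kill a dormant pre-signed transaction by advancing the nonce: once the stored value changes, `is_still_replayable` returns `False`, which is the condition to confirm before assuming an old approval is dead.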

The Radiant Capital Connection

Drift's attribution rests partly on on-chain forensics. Fund flows from the operation trace back to the same wallets used in the October 2024 Radiant Capital breach, which drained $50 million from the cross-chain lending protocol. Mandiant, the cybersecurity firm brought in to run Drift's forensic investigation, had previously attributed the Radiant attack to the same UNC4736 cluster.

Blockchain analytics firm Elliptic flagged DPRK involvement as early as April 2, noting that the laundering methodology (rapid consolidation and cross-chain bridging of stolen assets) matched patterns from at least seventeen other DPRK operations tracked in 2026 alone.

If confirmed through the full Mandiant investigation, the Drift exploit would represent the eighteenth North Korean crypto operation this year, pushing the group's 2026 total past $300 million. In 2025, North Korean hackers stole a record $2 billion in cryptocurrency, according to Chainalysis. The U.S. Treasury has confirmed these funds finance weapons of mass destruction programs.

What This Means for Multisig Security

Drift's post-mortem carries an uncomfortable conclusion for every protocol that relies on multisig governance. The attackers did not break cryptography. They did not find a zero-day in Solana's runtime. They invested time, money, and human intelligence into becoming trusted insiders, then used that trust to obtain two signatures.

"If attackers are willing to spend six months and a million dollars building a legitimate presence inside an ecosystem, meet teams in person, contribute real capital, and wait," Drift wrote, "the question is what security model is designed to catch that."

The answer, for most protocols, is that none are. Standard multisig setups assume signers are who they claim to be and that their devices are clean. Both assumptions failed here. Signing on a dedicated hardware device that never shares a host with day-to-day tooling would have raised the bar considerably, since malware on a contributor's laptop could then neither extract the key nor sign silently. But a hardware signer only helps if the person verifies every transaction on the device screen and refuses anything they did not initiate; a durable-nonce transaction approved blindly on a hardware wallet is a valid signature all the same. Few DeFi teams enforce that discipline for routine operations.

Drift has frozen all protocol functions, removed compromised wallets from the multisig configuration, and urged other protocols to audit every device that touches a signing key. The stolen funds, now consolidated into 130,000+ ETH, remain in the attacker's wallet as of April 5, 2026.

Overview

Drift Protocol has attributed its $270 million April 1 exploit to UNC4736, a North Korean state-backed hacking group. The attackers spent six months attending conferences, depositing real capital, and meeting team members in person before compromising contributor devices through a malicious TestFlight app and a VSCode vulnerability. With two multisig approvals obtained through compromised machines, the drain executed in under a minute. On-chain fund flows link the operation to the same group behind the 2024 Radiant Capital exploit. The stolen funds remain in the attacker's wallet. BTC trades at $66,880 and ETH at $2,038, as of April 5, 2026, with the Fear and Greed index at 29 (Fear).

Frequently Asked Questions

Is this the largest North Korean crypto theft?

No. The $1.5 billion Bybit exploit in February 2025 and several other operations were larger. But at $270 million, the Drift attack ranks among the top five DPRK-attributed crypto thefts.

Can the funds be recovered?

Recovery prospects are uncertain. The attacker has already bridged stolen assets from Solana to Ethereum and consolidated into ETH. Law enforcement coordination with exchanges could freeze some funds if the attacker attempts to cash out, but North Korean operations have historically used sophisticated mixing and OTC networks to launder proceeds.

Are other Solana protocols at risk from the same group?

Potentially. The VSCode/Cursor vulnerability exploited in this attack remains a known issue, and the TestFlight distribution method could target any protocol team. Drift explicitly warned that the attackers' playbook is replicable.
