Drift Protocol Reveals Details of $280 Million Hack

Hackers spent six months personally communicating with the project team

The project's team described the attack on Drift Protocol as a "structured infiltration operation requiring organizational support, significant resources, and several months of meticulous preparation."

According to the team, the April 1 incident, which caused losses of approximately $280 million, was carried out by a North Korean group that spent six months planning and executing the attack.

Infiltration

Representatives of Drift stated that in the autumn of 2025, individuals claiming to represent an unnamed trading company approached them at an industry conference and expressed interest in integrating with the protocol.

It later emerged that the attackers had deliberately studied project members and worked to win their trust.

"They possessed technical skills, had verifiable professional experience, and were familiar with Drift's operations. After the first meeting, we created a Telegram group, which was followed by months of substantive discussions on trading strategies and a potential vault integration," the team noted.

The fake company then proceeded to set up its own vaults on Drift, which required submitting a form with a detailed description of the strategy. It also deposited over $1 million of its own funds into the ecosystem.

Close contact between the developers and the perpetrators continued until the end of March. After the attack, all shared chats and contacts were deleted.

“These were not strangers, but people with whom project participants worked and met personally. Throughout this process, links to projects, tools, and applications were shared,” Drift emphasized. 

Mechanisms of the Hack

As previously reported, the attackers gained access to the vaults by creating fake deferred signatures. The team has now identified three likely attack vectors:

  1. One employee may have been compromised after cloning a code repository under the pretext of deploying a front end for a vault.
  2. Another team member was persuaded to install a malicious TestFlight app presented as a digital wallet.
  3. The repositories allegedly contained a flaw that allowed arbitrary code to run unnoticed as soon as a file, folder, or other document was opened in the editor.
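The first and third vectors above share a root cause: a cloned repository that executes something the moment an editor opens it. The page does not name the editor or the mechanism, so the scanner below is an added example (not Drift's code and not the investigators' tooling) that checks a fresh checkout for the common auto-run triggers before anyone opens it: VS Code `tasks.json` entries with `runOn: folderOpen`, workspace settings that point the editor at executables inside the checkout, `.envrc` (direnv), JetBrains workspace files, and `*.code-workspace` files. The use of VS Code conventions is an assumption; the sample repository contents are constructed for the demo.

```python
"""Scan a freshly cloned repository for editor/tooling files that can run code on open."""
import json
import re
import tempfile
from pathlib import Path

# Files worth reviewing on sight. Assumption: the page does not say which editor was
# used; VS Code, direnv and JetBrains conventions are covered as the most common cases.
REVIEW_ON_SIGHT = {
    ".envrc": "direnv evaluates this file when you cd into the directory",
    ".idea/workspace.xml": "JetBrains run configurations may execute on project startup",
}

# Workspace settings keys that redirect the editor to an executable (heuristic match).
EXEC_SETTING_RE = re.compile(r"(path|command|executable|shell|profiles)", re.I)


def load_jsonc(path: Path):
    """VS Code config files are JSONC: strip comments and trailing commas, then parse.
    The '//' strip skips 'http://'-style URLs via the lookbehind; good enough for a triage tool."""
    text = path.read_text(encoding="utf-8", errors="replace")
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(?<!:)//[^\n]*", "", text)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def scan_vscode_tasks(root: Path, findings: list) -> None:
    tasks_file = root / ".vscode" / "tasks.json"
    if not tasks_file.is_file():
        return
    try:
        data = load_jsonc(tasks_file)
        tasks = data.get("tasks", []) if isinstance(data, dict) else []
    except (json.JSONDecodeError, AttributeError):
        # A deliberately malformed file must not hide the flag: fall back to a text search.
        raw = tasks_file.read_text(encoding="utf-8", errors="replace")
        if re.search(r'"runOn"\s*:\s*"folderOpen"', raw):
            findings.append((".vscode/tasks.json", "runOn=folderOpen task in unparseable file"))
        return
    for task in tasks:
        if isinstance(task, dict) and (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            label, cmd = task.get("label", "<unlabeled>"), task.get("command", "")
            findings.append((".vscode/tasks.json", f"task '{label}' auto-runs on folder open: {cmd}"))


def scan_vscode_settings(root: Path, findings: list) -> None:
    settings_file = root / ".vscode" / "settings.json"
    if not settings_file.is_file():
        return
    try:
        data = load_jsonc(settings_file)
    except json.JSONDecodeError:
        findings.append((".vscode/settings.json", "unparseable workspace settings; review manually"))
        return
    for key, value in (data.items() if isinstance(data, dict) else []):
        if EXEC_SETTING_RE.search(key):
            findings.append((".vscode/settings.json", f"{key} = {value!r} (points editor at an executable)"))


def scan_repo(root: Path) -> list:
    """Return (relative path, reason) pairs for everything that should be read before opening."""
    findings = []
    for rel, why in REVIEW_ON_SIGHT.items():
        if (root / rel).exists():
            findings.append((rel, why))
    for ws in sorted(root.glob("*.code-workspace")):
        findings.append((ws.name, "workspace file can carry its own tasks and settings"))
    scan_vscode_tasks(root, findings)
    scan_vscode_settings(root, findings)
    return findings


def demo() -> list:
    """Build a constructed sample checkout (illustrative contents only) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".vscode").mkdir()
        (root / ".vscode" / "tasks.json").write_text(
            '{\n  // constructed sample: one task fires as soon as the folder is opened\n'
            '  "version": "2.0.0",\n  "tasks": [\n'
            '    {"label": "setup", "type": "shell", "command": "node scripts/setup.js",\n'
            '     "runOptions": {"runOn": "folderOpen"},},\n'
            '    {"label": "build", "type": "shell", "command": "npm run build"}\n  ]\n}\n')
        (root / ".vscode" / "settings.json").write_text('{"git.path": "./tools/git", "editor.tabSize": 2}')
        (root / ".envrc").write_text("export FOO=bar\n")
        (root / "README.md").write_text("# vault front end\n")
        return scan_repo(root)


def demo_clean() -> list:
    """A checkout with no auto-run triggers produces no findings."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "README.md").write_text("# nothing to see\n")
        return scan_repo(Path(tmp))


if __name__ == "__main__":
    for path, why in demo():
        print(f"[review] {path}: {why}")
```

Run it against the clone before opening the folder in an editor; anything it lists is not proof of compromise, only the set of files that must be read in a plain viewer first. Keeping VS Code workspace trust enabled (restricted mode for unknown folders) blocks the `folderOpen` task path outright.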

Drift continues forensic analysis of the affected devices. Specialists from SEAL 911 and law enforcement agencies are assisting in the investigation.

The initial point of compromise has not yet been confirmed. The protocol's operation remains suspended.

Attribution

Data obtained during the investigation linked the attack to UNC4736, a North Korean state-sponsored group also tracked as AppleJeus or Citrine Sleet.

The same group is believed to be behind the October 2024 hack of Radiant Capital for over $50 million. The link was established through on-chain data showing shared financial flows, as well as overlapping real-world identities.

To infiltrate Drift, the attackers supplied entirely fabricated credentials, including employment history, personal details, and professional references.

“It is important to note: the individuals who met [with Drift representatives] were not North Korean citizens. It is known that North Korean terrorists operating at this level use intermediaries to establish personal contacts,” the company noted. 

Earlier, in March, the same North Korean group was suspected of an attack on the cryptocurrency online store Bitrefill.
