Drift: $270M Exploit Was North Korean Intelligence Op
Drift Crypto Protocol has attributed a $270 million exploit executed on April 1, 2026 to a six-month intelligence operation conducted by UNC4736 – a North Korean state-affiliated threat group also tracked as Citrine Sleet or AppleJeus – in a detailed incident update published by the team on Sunday,
making it the largest native Solana decentralized application exploit on record. Attackers posed as a quantitative trading firm, deposited more than $1 million of their own capital into an Ecosystem Vault, held working sessions with contributors across multiple countries, and waited nearly half a year before executing a durable nonce attack that drained protocol vaults in under a minute.
The operation’s scope and duration distinguish it from prior DeFi exploits in ways that carry implications well beyond Drift’s immediate recovery.
We suspect this is less a measure of Drift’s specific security posture and more a calibrated signal about the maturity of state-sponsored cryptocurrency theft operations – one that renders the standard DeFi security checklist, smart contract audits included, structurally inadequate against adversaries operating on intelligence timelines rather than opportunistic ones.
I beg everyone in crypto to read this in full.
I expected this to be another case of social engineering, likely some recruiter/job offer shit.
I was very wrong.
And the depth of the operation and personas makes me think they already have multiple other teams on lock.
— Tay 💖 (@tayvano_) April 5, 2026
DISCOVER: Meme coin supercycle: Top performers this week
UNC4736 Operation On Drift Crypto: Six-Month Timeline, Dual Intrusion Vectors, and the Durable Nonce Execution
According to Drift crypto incident update, first contact occurred in fall 2025 at a major crypto conference, where the group presented themselves as a technically fluent quant trading firm seeking vault integration.
The relationship followed entirely standard DeFi onboarding patterns – a Telegram group, sustained conversations about trading strategies, and substantive discussions around protocol architecture – none of which would have flagged as anomalous to contributors accustomed to institutional counterparties conducting extended due diligence.
Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift, deposited over $1 million in capital, and established a functioning operational presence inside the ecosystem.
Drift crypto contributors met individuals associated with the group face to face at multiple major industry conferences across several countries through February and March 2026 – a detail that underscores a known DPRK operational pattern: the individuals appearing in person were not North Korean nationals but third-party intermediaries carrying fully constructed professional identities, employment histories, and social networks built to withstand due diligence review.
pretty crazy if true
tl:dr – hackers casually gained trust via irl conference meet, setup tg channel and became a customer, started building integrations over 6 months and then got one person with a testflight link to show off what they built https://t.co/LLW7yFBpNs
— mert (@mert) April 5, 2026
The technical intrusion appears to have proceeded through two vectors identified in Drift’s disclosure. The first involved a TestFlight application – Apple’s platform for distributing pre-release software that bypasses App Store security review – which the group presented as their proprietary wallet product.
The second exploited a known vulnerability in VSCode and Cursor, two widely used code editors, where opening a file or folder was sufficient to silently execute arbitrary code; the security community had been flagging this vector since late 2025.
Once contributor devices were compromised, attackers obtained the two multisig approvals required to pre-sign transactions using Solana’s durable nonce mechanism. Those transactions sat dormant for more than a week before activating on April 1, draining $270 million – including 41.72 million JLP tokens subsequently swapped through Jupiter, Raydium, Orca, and Meteora and bridged to Ethereum – in under sixty seconds.
Attribution to UNC4736 is based on on-chain fund flows linking the attack to wallets associated with the October 2024 Radiant Capital exploit, as well as operational overlap with known DPRK-linked personas identified by forensic firm Mandiant, which Drift retained for investigation, and blockchain security firm SEALS 911, which assigned the connection medium-high confidence. UNC4736 operates under North Korea’s Reconnaissance General Bureau – the same directorate responsible for prior AppleJeus malware campaigns – and its playbook has progressively incorporated extended in-person social engineering as a precursor phase.
We anticipate Mandiant’s full forensic report will surface additional infrastructure overlaps connecting this operation to prior Lazarus Group-adjacent campaigns beyond the Radiant Capital wallet cluster already identified.
EXPLORE: Crypto breakout alerts this week
next