Drift Says $270M Crypto Hack Was a Six-Month North Korean Intelligence Operation

By Neil Mathew. Edited by ahmed.

Drift Crypto Protocol has attributed a $270 million exploit executed on April 1, 2026 to a six-month intelligence operation conducted by UNC4736 – a North Korean state-affiliated threat group also tracked as Citrine Sleet or AppleJeus – in a detailed incident update published by the team on Sunday, making it the largest native Solana decentralized application exploit on record. Attackers posed as a quantitative trading firm, deposited more than $1 million of their own capital into an Ecosystem Vault, held working sessions with contributors across multiple countries, and waited nearly half a year before executing a durable nonce attack that drained protocol vaults in under a minute.

The operation’s scope and duration distinguish it from prior DeFi exploits in ways that carry implications well beyond Drift’s immediate recovery.

We suspect this is less a measure of Drift’s specific security posture and more a calibrated signal about the maturity of state-sponsored cryptocurrency theft operations – one that renders the standard DeFi security checklist, smart contract audits included, structurally inadequate against adversaries operating on intelligence timelines rather than opportunistic ones.

UNC4736 Operation On Drift Crypto: Six-Month Timeline, Dual Intrusion Vectors, and the Durable Nonce Execution

According to the Drift crypto incident update, first contact occurred in fall 2025 at a major crypto conference, where the group presented themselves as a technically fluent quant trading firm seeking vault integration.

The relationship followed entirely standard DeFi onboarding patterns – a Telegram group, sustained conversations about trading strategies, and substantive discussions around protocol architecture – none of which would have flagged as anomalous to contributors accustomed to institutional counterparties conducting extended due diligence.

Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift, deposited over $1 million in capital, and established a functioning operational presence inside the ecosystem.

Drift crypto contributors met individuals associated with the group face to face at multiple major industry conferences across several countries through February and March 2026 – a detail that underscores a known DPRK operational pattern: the individuals appearing in person were not North Korean nationals but third-party intermediaries carrying fully constructed professional identities, employment histories, and social networks built to withstand due diligence review.

The technical intrusion appears to have proceeded through two vectors identified in Drift’s disclosure. The first involved a TestFlight application – Apple’s platform for distributing pre-release software that bypasses App Store security review – which the group presented as their proprietary wallet product.

The second exploited a known vulnerability in VSCode and Cursor, two widely used code editors, where opening a file or folder was sufficient to silently execute arbitrary code; the security community had been flagging this vector since late 2025.

Once contributor devices were compromised, attackers obtained the two multisig approvals required to pre-sign transactions using Solana’s durable nonce mechanism. Those transactions sat dormant for more than a week before activating on April 1, draining $270 million – including 41.72 million JLP tokens subsequently swapped through Jupiter, Raydium, Orca, and Meteora and bridged to Ethereum – in under sixty seconds.
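The property the attackers relied on is visible in the transaction message before anyone signs it: a durable-nonce transaction must carry the System Program's AdvanceNonceAccount as its first instruction, and that instruction replaces the short-lived recent blockhash with a nonce that never expires. The review routine below is an added example, not Drift's, Solana Labs' or any multisig vendor's code; it flags that property so a multisig signer sees "this approval can be executed at any later time" rather than a bare transfer. The message shape mirrors Solana RPC `jsonParsed` output (`accountKeys` with pubkey/signer/writable, `instructions` with `programId` and either a `parsed` object or raw `data`). Assumptions: raw `data` is given as hex for readability (real RPC output uses base58), and every address other than the System Program and recent-blockhashes sysvar ids is a constructed placeholder.

```python
"""Pre-signing review of a Solana transaction message (added example)."""
SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
RECENT_BLOCKHASHES_SYSVAR = "SysvarRecentB1ockHashes11111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4  # SystemInstruction discriminant, bincode u32 little-endian


def _is_advance_nonce(ix):
    """True if `ix` is System Program AdvanceNonceAccount (parsed or raw form)."""
    if ix.get("programId") != SYSTEM_PROGRAM_ID:
        return False
    parsed = ix.get("parsed")
    if isinstance(parsed, dict):
        return parsed.get("type") == "advanceNonce"
    data = bytes.fromhex(ix.get("data", ""))  # assumption: hex, not base58
    return len(data) >= 4 and int.from_bytes(data[:4], "little") == ADVANCE_NONCE_ACCOUNT


def review_message(message):
    """Return what a signer should see before approving: durability, required
    signers and writable accounts. Nothing here signs or submits anything."""
    keys = message.get("accountKeys", [])
    ixs = message.get("instructions", [])
    findings = []
    # The runtime only treats a nonce advance in position 0 as a durable nonce.
    durable = bool(ixs) and _is_advance_nonce(ixs[0])
    if durable:
        info = (ixs[0].get("parsed") or {}).get("info", {})
        findings.append(
            "DURABLE_NONCE: no blockhash expiry; nonce account "
            f"{info.get('nonceAccount', '<raw>')} advanced by authority "
            f"{info.get('nonceAuthority', '<raw>')}"
        )
    for i, ix in enumerate(ixs[1:], start=1):
        if _is_advance_nonce(ix):
            findings.append(f"ADVANCE_NONCE_AT_{i}: nonce advance outside position 0")
    return {
        "durable_nonce": durable,
        "findings": findings,
        "signers": [k["pubkey"] for k in keys if k.get("signer")],
        "writable_accounts": [k["pubkey"] for k in keys if k.get("writable")],
    }


# --- constructed sample messages (placeholders, not real addresses) ----------
PLAIN_TRANSFER = {
    "accountKeys": [
        {"pubkey": "Payer111", "signer": True, "writable": True},
        {"pubkey": "Dest1111", "signer": False, "writable": True},
        {"pubkey": SYSTEM_PROGRAM_ID, "signer": False, "writable": False},
    ],
    "instructions": [
        {"programId": SYSTEM_PROGRAM_ID,
         "parsed": {"type": "transfer",
                    "info": {"source": "Payer111", "destination": "Dest1111",
                             "lamports": 1000}}},
    ],
}

DURABLE_PARSED = {
    "accountKeys": [
        {"pubkey": "NonceAuth1", "signer": True, "writable": False},
        {"pubkey": "NonceAcct1", "signer": False, "writable": True},
        {"pubkey": RECENT_BLOCKHASHES_SYSVAR, "signer": False, "writable": False},
        {"pubkey": "VaultAuth1", "signer": True, "writable": False},
        {"pubkey": "VaultTok11", "signer": False, "writable": True},
        {"pubkey": "Recipient1", "signer": False, "writable": True},
        {"pubkey": SYSTEM_PROGRAM_ID, "signer": False, "writable": False},
    ],
    "instructions": [
        {"programId": SYSTEM_PROGRAM_ID,
         "parsed": {"type": "advanceNonce",
                    "info": {"nonceAccount": "NonceAcct1",
                             "nonceAuthority": "NonceAuth1",
                             "recentBlockhashesSysvar": RECENT_BLOCKHASHES_SYSVAR}}},
        {"programId": "TokenProg1",  # placeholder token transfer, not decoded here
         "accounts": ["VaultTok11", "Recipient1", "VaultAuth1"], "data": "03"},
    ],
}

# Same transaction with the nonce instruction left undecoded (raw data form).
DURABLE_RAW = {
    "accountKeys": DURABLE_PARSED["accountKeys"],
    "instructions": [
        {"programId": SYSTEM_PROGRAM_ID,
         "accounts": ["NonceAcct1", RECENT_BLOCKHASHES_SYSVAR, "NonceAuth1"],
         "data": "04000000"},  # u32 LE 4 == AdvanceNonceAccount
        DURABLE_PARSED["instructions"][1],
    ],
}

if __name__ == "__main__":
    for name, msg in (("plain", PLAIN_TRANSFER), ("durable", DURABLE_PARSED), ("raw", DURABLE_RAW)):
        print(name, review_message(msg))
```

The useful design point is that the durability check needs no key material and no network access: it is a pure function of the message bytes a signer is already being asked to approve, so it can sit in a hardware-wallet display layer or a multisig front end and fail closed when the first instruction is a nonce advance.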

Attribution to UNC4736 is based on on-chain fund flows linking the attack to wallets associated with the October 2024 Radiant Capital exploit, as well as operational overlap with known DPRK-linked personas identified by forensic firm Mandiant, which Drift retained for investigation, and blockchain security firm SEALS 911, which assigned the connection medium-high confidence. UNC4736 operates under North Korea’s Reconnaissance General Bureau – the same directorate responsible for prior AppleJeus malware campaigns – and its playbook has progressively incorporated extended in-person social engineering as a precursor phase.

We anticipate Mandiant’s full forensic report will surface additional infrastructure overlaps connecting this operation to prior Lazarus Group-adjacent campaigns beyond the Radiant Capital wallet cluster already identified.

Disclaimer: Coinspeaker is committed to providing unbiased and transparent reporting. This article aims to deliver accurate and timely information but should not be taken as financial or investment advice. Since market conditions can change rapidly, we encourage you to verify information on your own and consult with a professional before making any decisions based on this content.

Author: Neil Mathew

Neil is a professional cryptocurrency content writer with years of experience. He has written for various cryptocurrency websites to report on breaking news, and been hired by all sorts of cryptocurrency projects, to create content that would increase their exposure and attract more potential investors.

Drift Protocol Vault Loses $270 Million in Potential Exploit

By Daniel Francis. Edited by the CoinSpeaker Editorial Team.

Drift Protocol, the Solana-based perpetuals exchange, suffered the apparent drainage of approximately $270 million in assets from its primary vault address on April 1, 2026, according to on-chain data from Arkham Intelligence.

The vault’s balance collapsed from $309 million to roughly $41 million across a rapid sequence of transactions spanning more than 15 distinct token types. Security researchers have not yet published an independent analysis confirming the precise exploit vector, and Drift has characterized the situation as an active investigation.

A protocol that loses nearly half its total value locked in a single burst of outflows faces an immediate solvency question for depositors – not a theoretical one. With Drift’s TVL standing at approximately $550 million per DefiLlama at the time the transfers were flagged, the scale of the apparent drainage places this event among the most consequential DeFi exploits on Solana to date.

Drift Protocol Vault Exploit: What the On-Chain Record Shows

The transfers originated from an address Arkham labels as “Drift Protocol: Vault (JCNCM),” which corresponds to the vault address listed in Drift’s own protocol documentation. The first and largest movement – approximately 41 million JLP tokens valued at roughly $155 million – was routed to a single receiving address, HkGz4K, that carries no known-entity label on Arkham.

That address had been funded with just 1 SOL approximately one week prior and received a $2.52 test transfer from Drift’s vault in late March – a reconnaissance pattern we suspect indicates deliberate pre-attack staging rather than an opportunistic breach.
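The staging pattern described above (a freshly funded address, a dust-sized test transfer from the vault, then the large outflow days later) is something a treasury monitor can score from the transfer ledger alone. The detector below is an added example, not Drift's, Arkham's or Lookonchain's code; it replays a constructed ledger in time order and raises a low-severity alert on the test transfer and a high-severity one when a large outflow goes to an address that was previously probed. Address labels, timestamps, thresholds and USD values are constructed for illustration; only the $2.52 test amount echoes the article.

```python
"""Vault outflow staging detector (added example).

Alert kinds:
  DUST_PROBE         tiny vault outflow to an address younger than FRESH_WINDOW
  LARGE_TO_FRESH     large vault outflow to such a young address
  LARGE_AFTER_PROBE  large vault outflow to an address that earlier got a dust probe
"""
from datetime import datetime, timedelta

VAULT = "VAULT_JCNCM"              # constructed placeholder for the vault address
DUST_USD = 10.0                    # assumed ceiling for a "test" transfer
LARGE_USD = 1_000_000.0            # assumed floor for a "large" outflow
FRESH_WINDOW = timedelta(days=14)  # assumed: counterparties younger than this are "fresh"

# Constructed prior history for long-standing counterparties.
KNOWN_SINCE = {"known_mm_desk": "2025-06-01T00:00:00"}

# Constructed ledger: (timestamp, source, destination, usd_value)
TRANSFERS = [
    ("2026-03-10T09:00:00", VAULT, "known_mm_desk", 250_000.0),        # routine outflow
    ("2026-03-24T12:00:00", "cex_hot_wallet", "fresh_addr_1", 140.0),  # ~1 SOL seeding a new address
    ("2026-03-26T15:30:00", VAULT, "fresh_addr_1", 2.52),              # dust-sized test transfer
    ("2026-04-01T08:00:00", VAULT, "known_mm_desk", 300_000.0),        # routine outflow
    ("2026-04-01T08:00:20", VAULT, "fresh_addr_1", 155_000_000.0),     # the drain
]


def detect_staging(transfers, vault=VAULT, known_since=KNOWN_SINCE):
    """Replay transfers chronologically and return (kind, ts, address, usd) alerts."""
    first_seen = {a: datetime.fromisoformat(t) for a, t in known_since.items()}
    probed = {}   # address -> time of its dust probe
    alerts = []
    for ts_s, src, dst, usd in sorted(transfers, key=lambda t: t[0]):
        ts = datetime.fromisoformat(ts_s)
        for addr in (src, dst):
            first_seen.setdefault(addr, ts)   # first appearance anywhere in the ledger
        if src != vault:
            continue                          # only vault outflows are scored
        fresh = ts - first_seen[dst] < FRESH_WINDOW
        if usd < DUST_USD and fresh:
            probed[dst] = ts
            alerts.append(("DUST_PROBE", ts_s, dst, usd))
        elif usd >= LARGE_USD:
            if dst in probed:
                alerts.append(("LARGE_AFTER_PROBE", ts_s, dst, usd))
            elif fresh:
                alerts.append(("LARGE_TO_FRESH", ts_s, dst, usd))
    return alerts


if __name__ == "__main__":
    for alert in detect_staging(TRANSFERS):
        print(*alert)
```

On this ledger the LARGE_AFTER_PROBE alert fires only twenty seconds before the drain completes, which is too late to act on; the DUST_PROBE alert six days earlier is the one that buys time, which is why a vault monitor should page on tiny outflows to unknown addresses rather than only on large ones.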

The drained assets spanned stablecoins, wrapped Bitcoin variants, liquid staking tokens including MSOL, BSOL, INF, and JitoSOL, Jupiter’s JLP vault token, USDT across multiple transactions totaling approximately $5.65 million, 23.366 million FARTCOIN valued at $4.11 million, and 2.865 million SYRUP USDC at $3.32 million. A separate transfer of 125,000 WSOL – approximately $10.45 million – was routed to a second unlabeled address. The breadth of asset types is consistent with a comprehensive sweep of all deposited collateral rather than a targeted single-asset withdrawal.

Source: Lookonchain

Blockchain analyst Lookonchain reported that the suspected exploiter began swapping drained assets into ETH, a common laundering vector following large DeFi thefts. PeckShield founder Jiang Xuxian said the attack likely hinged on compromised admin keys – “The admin keys behind Drift were definitely leaked or compromised” – framing the incident as a human-error key management failure rather than a smart contract vulnerability.

Protocol Exposure and Ecosystem Contagion Risk

Drift Protocol functions as a non-custodial perpetuals exchange where user collateral is pooled in the vault address that was drained – meaning the $270 million figure represents deposited user funds, not protocol treasury assets. A protocol that loses depositors’ collateral at this scale cannot honor open positions or withdrawal requests until the shortfall is resolved, creating immediate insolvency pressure on active traders with leveraged exposure.

The DRIFT token reflected this immediately, falling 28% to approximately $0.049 on April 1 – a price now 98% below its November 2024 all-time high of $2.60, per market data – while South Korean exchange Upbit suspended all DRIFT trading in response.

Source: Tradingview

The contagion risk extends beyond Drift’s own user base. Solana’s DeFi ecosystem is tightly interconnected through shared liquidity venues and cross-protocol collateral arrangements; Jupiter’s JLP token was among the largest single asset classes drained, and wallet provider Phantom issued active warnings to users attempting to access Drift during the investigation.

Solana developer and Helius CEO Mert Mumtaz flagged a “high likelihood of a potentially large exploit” on X, a signal that carries infrastructure-level weight given Helius’s role as a primary RPC provider for the network. We suspect the incident will accelerate scrutiny of admin key custody practices across Solana-native protocols – a systemic gap that smart contract audits do not address.

Author: Daniel Francis
Daniel Francis is a technical writer and Web3 educator specializing in macroeconomics and DeFi mechanics. A crypto native since 2017, Daniel leverages his background in on-chain analytics to author evidence-based reports and deep-dive guides. He holds certifications from The Blockchain Council, and is dedicated to providing "information gain" that cuts through market hype to find real-world blockchain utility.