
North Korean Hackers Launched Year-Long Intelligence Op In $285M DEX Attack


Solana-based decentralized exchange Drift Protocol has attributed a $285 million exploit to a North Korean state-affiliated hacking group, UNC4736. The attackers ran a sophisticated six-month intelligence operation that included in-person meetings at a crypto conference and the deployment of malicious developer tools. They deposited over $1 million into the platform before executing the attack and promptly scrubbed all digital traces.


The attack that drained roughly $285 million from the Solana-based decentralized exchange Drift Protocol was a structured six-month intelligence operation by a North Korean state-affiliated threat group. The platform stated this in a detailed incident update posted on Sunday.


Attackers first approached contributors at a major crypto conference last fall, presenting as a quantitative trading firm. Over months, they built trust through in-person meetings and Telegram coordination, and even deposited $1 million of their own capital into an Ecosystem Vault.

The intrusion may have involved a malicious code repository, a fake TestFlight app, and a VSCode/Cursor vulnerability enabling silent code execution. The group vanished when the exploit hit, with chats and malware “completely scrubbed.”

Drift attributed the attack with “medium-high confidence” to UNC4736, also tracked as AppleJeus or Citrine Sleet. Drift noted that this is the same group that cybersecurity firm Mandiant linked to 2024’s Radiant Capital hack.

Security researcher @tayvano_, credited for assistance, suggested the exposure extends well beyond this incident. In a tweet, the expert listed dozens of DeFi protocols, alleging that “DPRK IT workers built the protocols you know and love, all the way back to defi summer.”

Michael Pearl, VP of Strategy at blockchain security firm Cyvers, spoke to Decrypt about the incident. “Crypto teams are now facing adversaries that operate more like intelligence units than hackers, and most organizations are not structurally prepared for that level of threat,” he said.

Pearl noted that multisignature wallets create a false sense of security, introducing “a paradox” where shared responsibility lowers scrutiny. “Security must shift to pre-transaction validation at the blockchain level, where transactions are independently simulated and verified before execution,” he added.

On developer tools as an attack surface, Pearl said the assumption has to change from the ground up. “You have to assume the endpoint is compromised,” he said, pointing to IDEs, code repositories, mobile apps, and signer environments as increasingly common entry points.
