Crypto Times Logo Black
Google News Follow Banner
  • News
    • Market
    • Bitcoin
    • Ethereum
    • Altcoins
    • Regulations & Policies
    • DeFi News
    • Blockchain News
    • Industry
  • Exclusive
    ExclusiveShow More
    Anthropic’s Claude Fable 5 Crypto Hacks
    Anthropic’s Claude Fable 5: The AI That Could Supercharge Crypto Hacks and Defenses
    CLARITY Act Stalls Why Senate's August Recess Puts US Crypto Rules at Risk
    CLARITY Act Stalls: Why Senate’s August Recess Puts US Crypto Rules at Risk
    Three Stories, One Pattern Why Binance Is Having Its Worst Week Since the Pardon
    Three Stories, One Pattern: Why Binance Is Having Its Worst Week Since the Pardon
    Coinbase India Head Addresses Re-Entry Launch Glitches and the 12-Month Roadmap
    Coinbase India Head Addresses Re-Entry Launch Glitches and the 12-Month Roadmap
    Inside the Trump Family’s $1.2B Crypto Windfall Who Paid the Price
    Inside the Trump Family’s $1.2B Crypto Windfall: Who Paid the Price?
  • Opinion
    OpinionShow More
    Why Wall Street is Divided Michael Saylor’s Scarcity vs. Tom Lee’s Staking Empire
    Why Wall Street is Divided: Michael Saylor’s Scarcity vs. Tom Lee’s Staking Empire
    The Arthur Hayes Paradox Macro Prophet or Market Opportunist
    The Arthur Hayes Paradox: Macro Prophet or Market Opportunist?
    RBI Denies Gold Sale Amid Oil Crisis: Could It Speed Up India's Digital Rupee Push?
    RBI Denies Gold Sale Amid Oil Crisis: Could It Speed Up India’s Digital Rupee Push?
    The CLARITY Act War Starts Jamie Dimon Vs Armstrong
    The CLARITY Act War Starts: Jamie Dimon Vs Armstrong
    Is Crypto Dying, or Is Pump.fun Turning It Into an Attention Casino
    Is Crypto Dying, or Is Pump.fun Turning It Into an Attention Casino?
  • Learn
    • Explained
    • How To
    • Insights
  • Videos
  • More
    • About Us
    • Our Authors
    • Contact Us
    • Editorial Policy
The Crypto TimesThe Crypto Times
  • All News
  • Market
  • Bitcoin
  • Ethereum
  • Altcoins
  • Regulations & Policies
  • Blockchain
  • DeFi
  • Industry
  • Exclusive
  • Opinion
Search
  • News
    • Market
    • Bitcoin
    • Ethereum
    • Altcoins
    • Regulations & Policies
    • Blockchain
    • DeFi
    • Industry
    • Exclusive
    • Opinion
  • Learn
    • Explained
    • How To
    • Insights
  • Quick Links
    • About Us
    • Our Authors
    • Contact Us
    • Editorial Policy
    • AI Policy
    • Sponsored & Advertorial Policy
  • Videos
  • Glossary
Follow US
© 2026 By Crypto Times. All Rights Reserved.
DeFi News

Drift Protocol Reveals North Korean State Hackers Behind $285M Exploit

Attackers posed as a legitimate trading firm, met Drift contributors at conferences across multiple countries over six months, and deposited over $1 million before executing DeFi's biggest heist of 2026.

Written By Dhara Chavda Dhara Chavda
Fact Checked by Divya Mistry Divya Mistry
Published 2026-04-06·Updated 3 months ago
Make The Crypto Times preferred on GoogleGoogle
Share
Drift Protocol Reveals North Korean State Hackers Behind $285M Exploit

Key Highlights

  • Drift Protocol’s detailed incident update reveals the exploit was preceded by a six-month infiltration campaign carried out by operatives posing as a quantitative trading firm.
  • Three potential compromise vectors have been identified.
  • The attack is attributed with medium-high confidence to UNC4736, the same North Korean state-affiliated group linked to the $50 million Radiant Capital hack.

Solana-based decentralized perpetual futures exchange Drift Protocol has published a detailed incident background update shedding new light on how the devastating April 1 exploit was orchestrated through months of deliberate social engineering rather than a traditional code vulnerability. The exploit is the largest DeFi hack of 2026 and the second-largest security incident in the Solana ecosystem after the $326 million Wormhole bridge exploit in 2022.

The protocol, which saw its total value locked (TVL) collapse from approximately $550 million to under $250 million following the attack, says the exploit was the culmination of what it describes as “a structured intelligence operation requiring organizational backing, significant resources, and months of deliberate preparation.”

A relationship built over six months

According to Drift’s post-mortem, the operation began in the fall of 2025, when contributors were approached at a major crypto conference by individuals presenting themselves as representatives of a quantitative trading firm interested in integrating with the protocol. What followed was a patient, methodical campaign of trust-building that spanned roughly half a year.

The group was technically fluent, carried verifiable professional backgrounds, and demonstrated familiarity with Drift’s internal operations. A Telegram group was created upon initial contact, and the attackers maintained substantive conversations around trading strategies and vault integrations—interactions that Drift describes as entirely typical of how trading firms onboard with the protocol.

Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift, submitted strategy documentation, participated in multiple working sessions with contributors, and deposited over $1 million of their own capital. Throughout February and March 2026, Drift contributors met members of the group face-to-face at several major industry conferences in different countries.

By the time the attack was launched, these were not strangers but established working partners with a nearly six-month-old relationship. After the April 1 exploit, their Telegram chats and all associated malicious software were immediately scrubbed, according to Drift’s forensic review.

Three attack vectors identified

The investigation has so far identified three possible intrusion vectors through which contributor devices were compromised. One contributor may have been targeted after cloning a code repository shared by the group under the guise of a frontend deployment for their vault. A second contributor was induced to download a TestFlight application the group presented as their wallet product.

For the repository-based vector, Drift pointed to a particularly insidious vulnerability in VSCode and Cursor—two of the most widely used code editors in software development—that the security community had been actively flagging from December 2025 through February 2026.

Simply opening a file, folder, or repository in the editor was sufficient to silently execute arbitrary code, with no prompt, permission dialog, or warning of any kind. Once devices were compromised, the attackers obtained the multisig approvals needed to execute the drain. Full device forensics remain ongoing.

Attribution points to North Korea

With medium-high confidence, the SEAL 911 team has assessed this operation as the work of UNC4736, a North Korean state-affiliated threat actor also tracked as AppleJeus or Citrine Sleet. The basis for this attribution rests on both on-chain evidence—fund flows used to stage and test this operation trace back to the Radiant Capital attackers—and operational patterns, including identifiable overlaps between personas deployed in this campaign and known DPRK-linked activity.

This finding aligns with assessments from multiple blockchain intelligence firms. Elliptic identified multiple indicators linking the exploit to the DPRK, noting that the on-chain behavior and laundering methodologies were consistent with techniques from previous North Korea-attributed operations. TRM Labs’ initial investigation similarly concluded the hack was likely perpetrated by North Korean hackers. TRM

Critically, Drift stressed that the individuals who appeared in person at conferences were not North Korean nationals. DPRK threat actors operating at this level are known to deploy third-party intermediaries for face-to-face relationship-building. Mandiant, which has been formally engaged for the investigation, has not yet issued a formal attribution, as device forensics are still underway.

A pattern of escalating North Korean crypto attacks

The Drift exploit fits a disturbing and escalating pattern of state-sponsored crypto theft attributed to North Korean hacking units. In October 2024, Radiant Capital, a decentralized cross-chain lending protocol, suffered a $50 million attack that was later attributed by Mandiant to the same UNC4736 group. That attack also began with a social engineering vector—a Telegram message impersonating a former contractor that delivered malware through a ZIP file.

The scale escalated dramatically in February 2025, when the FBI confirmed that North Korea was responsible for the $1.5 billion theft from cryptocurrency exchange Bybit Internet Crime Complaint Center, making it the largest crypto heist in history. That attack similarly targeted the human and operational layer rather than smart contracts, compromising a developer at multisig wallet provider Safe.

Ledger CTO Charles Guillemet drew a direct comparison between the Drift and Bybit exploits, calling it a sophisticated supply-chain-level compromise targeting people rather than code. The three most devastating crypto exploits in recent months—Bybit, Radiant, and now Drift—have all bypassed smart contract audits and hardware wallet protections by weaponizing human trust.

Current status and ecosystem warning

Drift has confirmed that all remaining protocol functions have been frozen and compromised wallets removed from the multisig. Attacker wallets have been flagged across exchanges and bridge operators. The DRIFT token has plunged over 98% from its all-time high, and roughly 20 Solana-based protocols with exposure to Drift liquidity have been impacted.

The protocol has issued a stark warning to the broader DeFi ecosystem: audit who has access to what, check in on teams, and treat every device that touches a multisig as a potential target.

For teams that believe they may have been targeted by the same or a similar group, Drift recommends reaching out to SEAL 911 immediately for threat triage and incident response support.

Also Read: Drift Protocol Exploited for Over $270M, Token Crashes Over 20%

Disclaimer: The information researched and reported by The Crypto Times is for informational purposes only and is not a substitute for professional financial advice. Investing in crypto assets involves significant risk due to market volatility. Always Do Your Own Research (DYOR) and consult with a qualified Financial Advisor before making any investment decisions.

Follow The Crypto Times on Google News to Stay Updated!      Google News
Google News Banner

TAGGED:Crypto HackNorth Korea
Share This Article
Whatsapp Whatsapp LinkedIn Telegram Copy Link
Dhara Chavda
By Dhara Chavda
Follow:
Dhara Chavda is a Research Analyst at The Crypto Times. She covers U.S. crypto regulation — including the CLARITY Act and GENIUS Act — DeFi security and major protocol exploits, and investigations into crypto fraud and enforcement actions. Her work emphasizes primary sourcing and on-chain verification over secondary commentary. Dhara joined The Crypto Times in 2020 and has followed every major market cycle since — the 2021 bull run, the 2022 Terra and FTX collapses, the 2023 banking turmoil, the 2024 spot Bitcoin ETF launch, and the 2025–2026 regulatory cycle — first assigning and reviewing the desk's coverage, and now writing it herself. Her reporting has been cited by international outlets including TheStreet and Argentina's La Nación. She holds a Bachelor of Engineering in Computer Engineering from Gujarat Technological University (GTU), which informs her technical reporting on on-chain data, smart contract analysis, and protocol architecture.
Divya Mistry
By Divya Mistry
Follow:
Divya Mistry is the Senior Editor at The Crypto Times. She leads the central editorial desk, overseeing the review and publication of policy analyses, investigative reports, exchange coverage, and protocol exploit stories. Her editorial remit spans digital asset markets, global exchange operations, cross-border digital asset settlements, regulatory developments, and other key developments shaping the cryptocurrency industry. Divya brings more than a decade of experience in editorial strategy, content development, public relations, marketing communications, and research. Before joining The Crypto Times, she worked across multiple sectors, including finance, technology, education, healthcare, real estate, entertainment, lifestyle, and vertical transport, contributing to both digital and print publications. Her research and content work has been featured on platforms including DNA India, Zee, Forbes, and Elevator World India. She holds a Master's degree in English Literature from the University of Mumbai. Drawing on her background in long-form publishing, research, and editorial leadership, she reviews and refines complex stories to ensure accuracy, clarity, and strong editorial standards before publication.

Latest News

Weekly Wrap: MiCA Kicks In, Trump's Crypto Fortune Tops $1B, Bitcoin Rebounds
Weekly Wrap: MiCA Kicks In, Trump’s Crypto Fortune Tops $1B, Bitcoin Rebounds
Pak Deputy PM Ishaq Dar's Relative Arrested in Crypto Extortion Case
Pak Deputy PM Ishaq Dar’s Relative Arrested in Crypto Extortion Case
Kalshi Nears $10B Monthly Volume as Prediction Markets Grow
Kalshi Nears $10B Monthly Volume as Prediction Markets Grow
Algorand Calls for Shared Post-Quantum Crypto Security Standards
Algorand Calls for Shared Post-Quantum Crypto Security Standards
Vitalik Buterin Unveils Lean Ethereum Roadmap for Next Era
Vitalik Buterin Unveils Lean Ethereum Roadmap for Next Era 

Find Us on Socials

You may also like

Aave DAO Clears stcUSD Listing for MegaETH Lending Market

Aave DAO Clears stcUSD Listing for MegaETH Lending Market 

Gnosis Pay Restores 100% User Funds After $1.8M Crypto Exploit

Gnosis Pay Restores 100% User Funds After $1.8M Crypto Exploit

Hinkal Protocol Reveals Initial Cause Behind $820K Ethereum Exploit

Hinkal Protocol Reveals Initial Cause Behind $820K Ethereum Exploit

Hinkal Protocol Exploited 450+ ETH Laundered via Tornado Cash & THORChain

Hinkal Protocol Exploited: $820K Laundered via Tornado Cash & THORChain

The Crypto Times Logo PNG

Providing real-time, accurate Crypto reporting. Your trusted source for Crypto News and Research.

Stay Updated

All News
Exclusive
Opinions
Learn
Videos
Glossary

Company

About Us
Our Authors
Editorial Policy
AI Policy
Advertorial Policy

Get In Touch

Contact Us
Career

Find Us on Socials

X-twitter Linkedin Telegram Youtube Instagram

© 2026 The Crypto Times | A BITROCK TECHNOLOGIES L.L.C. Company.

DMCA.com Protection Status
  • Terms and Conditions
  • Disclaimer
  • Privacy Policy
  • Cookie policy
Do Not Sell or Share My Personal Information