By Fenrir, CryptoCity
The $280 Million DeFi Heist: How North Korean Hackers Orchestrated a Six-Month Social Engineering Masterpiece
April 1st, a day typically associated with harmless pranks, brought a devastating reality to Drift Protocol, a leading perpetual futures exchange within the Solana ecosystem. In a mere 10 seconds, approximately $280 million to $286 million in user assets vanished, marking one of the largest DeFi hacks in recent history.
- Related News: Solana Trading Protocol Drift Hacked, Over $200 Million Lost, Native Token $DRIFT Plummets 38%
According to the post-incident investigation report released by the Drift team, this catastrophic event was the culmination of a “structured intelligence operation” meticulously planned over six months. Initial findings strongly link the operation to the North Korean threat group UNC4736, also known as AppleJeus or Citrine Sleet, which was responsible for a $50 million attack on Radiant Capital in October 2024. This sophisticated infiltration of Drift bypassed traditional code vulnerability exploitation, instead leveraging highly precise human manipulation to circumvent code audits and multi-layered hardware wallet protections.

North Korean Hackers’ “Shadow Agent” Strategy
The elaborate long-game deception commenced in October 2025 at a major cryptocurrency conference. Several individuals, posing as representatives of a legitimate quantitative trading firm, proactively engaged with Drift’s core team members, expressing keen interest in potential collaborations involving protocol integration and liquidity provision.
Over the subsequent six months, these sophisticated attackers demonstrated exceptional professionalism and technical acumen. They frequently discussed complex trading strategies with the development team via Telegram channels. Furthermore, between December 2025 and January 2026, they actually deployed a fully functional “Ecosystem Vault” on Drift, depositing over $1 million of their own funds to establish undeniable credibility and trust within the community.
Notably, Drift confirmed that the individuals physically present at the conference were not of North Korean nationality. This indicates a growing trend where North Korean hacking groups frequently employ third-party intermediaries or perfectly profiled agents for physical social engineering. This “deep cultivation” approach successfully disarmed the Drift team, leading them to perceive the lurking threat as a reliable, long-term partner rather than a malicious entity.
Exploiting Durable Nonces and Developer Tool Vulnerabilities
Once deep trust was established, the hackers launched the final stage of the infiltration by sharing malicious code repositories or inviting developers to install beta applications through TestFlight, both designed to infect their work devices. Investigators found that the attackers exploited critical security vulnerabilities that existed at the time in the popular developer tools VS Code and Cursor: a developer merely needed to open a specific folder in the editor for the malicious code to execute automatically, with no prompt or further user interaction.
After gaining control of the devices belonging to two Security Council members, the hackers manipulated them into signing authorization commands carrying administrative privileges. They then used a legitimate Solana feature known as “Durable Nonces” to store these pre-signed transaction instructions on the blockchain for up to a week, evading immediate detection and raising no red flags.
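Added here as an illustration (not code from Drift or from the incident report): a pre-signing and monitoring check that recognizes the durable-nonce transaction shape described above, in the jsonParsed layout Solana's getTransaction RPC returns. All account keys are constructed placeholders.

```python
# Added illustration (not Drift's or the report's code): flag Solana transactions
# that ride on a durable nonce, using the jsonParsed layout getTransaction returns.
SYSTEM_PROGRAM = "11111111111111111111111111111111"  # Solana System Program id

def uses_durable_nonce(tx: dict) -> bool:
    """True when the first instruction is a System Program advanceNonce."""
    instrs = tx["transaction"]["message"]["instructions"]
    if not instrs:
        return False
    first = instrs[0]
    parsed = first.get("parsed")
    return (first.get("programId") == SYSTEM_PROGRAM
            and isinstance(parsed, dict)
            and parsed.get("type") == "advanceNonce")

def review(tx: dict, privileged_signers: set) -> list:
    """Findings to surface before a privileged key signs or relays tx."""
    findings = []
    msg = tx["transaction"]["message"]
    if uses_durable_nonce(tx):
        nonce = msg["instructions"][0]["parsed"]["info"]["nonceAccount"]
        findings.append("durable nonce %s: signature stays valid until advanced" % nonce)
        signers = {k["pubkey"] for k in msg["accountKeys"] if k.get("signer")}
        hit = sorted(signers & privileged_signers)
        if hit:
            findings.append("privileged signer(s) on deferrable tx: %s" % ", ".join(hit))
    return findings

# Constructed sample with placeholder keys: nonce advance first, real instruction second.
COUNCIL_KEY = "CouncilSigner1111111111111111111111111111111"
NONCE_ACCT = "NonceAccount1111111111111111111111111111111"
SAMPLE_TX = {"transaction": {"message": {
    "recentBlockhash": "StoredNonceValue111111111111111111111111111",
    "accountKeys": [
        {"pubkey": COUNCIL_KEY, "signer": True, "writable": True},
        {"pubkey": NONCE_ACCT, "signer": False, "writable": True},
        {"pubkey": SYSTEM_PROGRAM, "signer": False, "writable": False}],
    "instructions": [
        {"program": "system", "programId": SYSTEM_PROGRAM,
         "parsed": {"type": "advanceNonce", "info": {
             "nonceAccount": NONCE_ACCT, "nonceAuthority": COUNCIL_KEY,
             "recentBlockhashSysvar": "SysvarRecentB1ockHashes11111111111111111111"}}},
        {"programId": "WithdrawProgramPlaceholder11111111111111111",
         "accounts": [COUNCIL_KEY], "data": "placeholder"}]}}}

if __name__ == "__main__":
    for finding in review(SAMPLE_TX, {COUNCIL_KEY}):
        print("ALERT:", finding)
```

A wallet or relay that runs this check can refuse to sign, or page an operator, whenever a privileged key is asked to sign something whose validity does not lapse with the blockhash.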
On April 1st, the trap was sprung. The hackers executed 31 meticulously timed withdrawal transactions in a mere 10 seconds. The compromised assets were extensive, including $155 million in $JLP tokens, over $66.4 million in $USDC, and $477,000 in $WETH, among other mainstream assets. Drift’s Total Value Locked (TVL) plunged from $550 million to less than $250 million, and its native token, DRIFT, saw its price crash by over 98% in the immediate aftermath.
Civil Negligence Controversy and the AI Threat: A Forced Evolution for DeFi Security
This incident has ignited fierce criticism from both legal and technical communities. Cryptocurrency lawyer Ariel Givner pointed out that the Drift team’s actions could constitute “civil negligence.” She argued that the development team failed to adhere to fundamental operational security procedures, such as storing signing keys on completely isolated physical devices (air-gapped systems) and exercising extreme caution before opening external files from unknown sources on devices linked to privilege management.

Concurrently, Ledger CTO Charles Guillemet issued a stark warning: with the rapid advancement and widespread adoption of AI technology, the cost of executing such sophisticated social engineering attacks is rapidly approaching zero. AI can generate incredibly convincing fake identities, technical documentation, and persuasive communications, rendering traditional human defense lines increasingly vulnerable. Currently, Drift has frozen all protocol functionalities and is attempting on-chain negotiations with the hacker’s wallet, but the general sentiment regarding fund recovery remains largely pessimistic.
This audacious heist serves as a grave warning to the entire decentralized finance industry: when attackers shift their focus to exploiting human psychology rather than just code logic, relying solely on multi-signature wallet governance is no longer sufficient to guarantee asset security. Strengthening operational discipline, implementing rigorous hardware isolation, and fostering a culture of extreme vigilance are the only viable paths to defend against state-level threats in the evolving landscape of DeFi.
(The above content is excerpted and reproduced with permission from our partner “CryptoCity”, original link)
Disclaimer: This article is for market information purposes only. All content and views are for reference only and do not constitute investment advice. They do not represent the views and positions of BlockTempo. Investors should make their own decisions and transactions. The author and BlockTempo will not bear any responsibility for direct or indirect losses resulting from investor transactions.