Drift Protocol Exploit Detailed: North Korean Hackers Spent 6 Months Inside, Used $1M Trojan Horse

Markets 2026-04-05 19:27

The biggest DeFi exploit of the year started at a networking event with complimentary drinks — Drift Protocol disclosed on Apr. 5 that its Apr. 1 hack was the result of a six-month intelligence operation now linked with medium-high confidence to North Korean state-affiliated actors.

Drift Protocol Attack Details

The infiltration began in fall 2025, when a group posing as a quantitative trading firm approached Drift contributors at a major crypto conference. Over the following months, they met team members face-to-face at multiple industry events across several countries.

They deposited more than $1M of their own capital into an Ecosystem Vault.

They asked detailed product questions across multiple working sessions, building what appeared to be a legitimate trading operation inside Drift's infrastructure.

Between December 2025 and March 2026, the group deepened its ties through vault integrations and continued in-person meetings at conferences. Contributors had no reason for suspicion — by the time of the exploit, the relationship was nearly half a year old and included verified professional backgrounds, substantive technical conversations, and a functioning on-chain presence.

When the attack hit on Apr. 1, the group's Telegram chats and malicious software were scrubbed clean. Forensic review identified two likely intrusion vectors: a malicious code repository shared under the pretense of deploying a vault frontend, and a TestFlight application presented as the group's wallet product.

A known vulnerability in VSCode and Cursor editors, actively flagged by the security community from December 2025 through February 2026, may have enabled silent code execution simply by opening a file.
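As a defender's triage check, added here and not code from Drift, Mandiant or the incident report, the script below inspects a repository received from an outside party for the workspace files that VS Code and Cursor (a VS Code fork) read as soon as the folder is opened, and flags any task configured to start on folder open; the sample repository it builds is constructed for the demonstration, and the editor bug the article refers to is not modelled.

```python
import json
import re
import tempfile
from pathlib import Path

# Workspace files read on folder open; tasks.json can also run a command on open.
WATCHED = {
    ".vscode/tasks.json": "task definitions; runOn=folderOpen starts a command on open",
    ".vscode/settings.json": "workspace settings; can override tool and shell paths",
}

def _strip_jsonc(text):
    """VS Code config is JSONC: drop comments and trailing commas so json.loads accepts it."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(?m)^\s*//.*$", "", text)
    return re.sub(r",(\s*[}\]])", r"\1", text)

def scan_repo(root):
    """Return (relative path, note) pairs for editor config found under root."""
    findings = []
    for rel, why in WATCHED.items():
        path = Path(root) / rel
        if not path.is_file():
            continue
        findings.append((rel, "present: " + why))
        if rel.endswith("tasks.json"):
            try:
                tasks = json.loads(_strip_jsonc(path.read_text())).get("tasks", [])
            except ValueError:
                findings.append((rel, "unparseable JSON; inspect manually"))
                continue
            for task in tasks:
                if task.get("runOptions", {}).get("runOn") == "folderOpen":
                    note = "auto-runs on folder open: %s %s" % (
                        task.get("command", ""), " ".join(task.get("args", [])))
                    findings.append((rel, note.strip()))
    return findings

def build_sample_repo(auto_run=True):
    """Constructed sample repo (not from the incident) used to exercise the scanner."""
    root = Path(tempfile.mkdtemp())
    (root / ".vscode").mkdir()
    task = {"label": "setup", "type": "shell", "command": "echo", "args": ["placeholder"]}
    if auto_run:
        task["runOptions"] = {"runOn": "folderOpen"}
    # Written as JSONC with a comment and a trailing comma, as VS Code allows.
    body = json.dumps({"version": "2.0.0", "tasks": [task]}, indent=2)
    (root / ".vscode" / "tasks.json").write_text("// sample tasks\n" + body.replace("]\n}", "],\n}"))
    return root
```

Run `scan_repo` against a freshly cloned directory before opening it in an editor; a non-empty result means the workspace files should be read by hand first.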

All remaining protocol functions have been frozen and compromised wallets removed from the multisig. Mandiant has been engaged for the investigation, and attacker wallets have been flagged across exchanges and bridge operators.

North Korean Threat Actors Suspected

Investigations conducted by the SEALS 911 team assessed with medium-high confidence that the operation was carried out by the same threat actors behind the October 2024 Radiant Capital hack.

Mandiant previously attributed that attack to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet.

The connection rests on both on-chain evidence and operational patterns.

Fund flows used to stage and test the Drift operation trace back to the Radiant attackers, and personas deployed across the campaign overlap with known DPRK-linked activity. Notably, the individuals who appeared in person were not North Korean nationals — DPRK threat actors at this level are known to use third-party intermediaries for face-to-face engagement.
