Hackers communicated directly with the project team for six months.

The attack on Drift Protocol was described as a "structured infiltration operation that required organizational support, significant resources, and several months of meticulous planning."

https://t.co/qYBMCup9i6

— Drift (@DriftProtocol) April 5, 2026

According to the project team, the April 1 incident, which caused roughly $280 million in losses, was the work of a North Korean group that spent six months planning and executing the attack.

Infiltration

Drift representatives stated that in the fall of 2025, individuals from an unnamed trading firm approached them at an industry conference, expressing interest in integrating with the protocol.

It later became clear that the attackers had been profiling team members and gradually building their trust.

"They possessed technical skills, had verifiable professional experience, and were familiar with how Drift operated. After our first meeting, we created a Telegram group, which led to months of substantive discussions about trading strategies and potential vault integration," the team noted.

The front company then began onboarding its own vault to Drift, which required it to fill out a form describing its strategy. It also deposited over $1 million of its own funds into the ecosystem.

The developers and the perpetrators remained in close contact until the end of March. After the attack, all shared chats and contacts were deleted.

"These were not strangers, but people with whom project participants had worked and met in person. Throughout this process, links to projects, tools, and applications were shared," Drift emphasized.

Mechanisms of the Hack

As previously reported, the attackers gained access to the vaults by forging delayed signatures. The team has now identified three possible initial-access vectors:

  1. One developer was likely compromised after cloning a code repository that was presented as a vault front-end to be deployed.
  2. Another team member was persuaded to install a malicious TestFlight app that was presented as a wallet.
  3. There was likely a flaw in the repositories that allowed arbitrary code to run as soon as a file or folder was opened in the editor, without anything being built or executed deliberately.
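The third vector is worth a concrete check: a cloned repository can carry editor configuration that executes when the folder is opened, before anyone reads the code. The Drift write-up does not name the editor involved, so the script below is an added example rather than anything from Drift's investigation; it assumes a VS Code-style workspace layout (`.vscode/tasks.json` with a `folderOpen` trigger, `.vscode/settings.json` keys that point the editor at an interpreter or code directory inside the repo) and builds its own constructed sample repository to scan. Running something like this on a partner's repository before opening it in a trusted window is the kind of check that would have flagged the described scenario.

```python
"""Pre-open audit of a cloned repository for editor auto-execution hooks.

Added example, not code from Drift or its investigators. It assumes a
VS Code-style workspace (.vscode/tasks.json and .vscode/settings.json); the
Drift write-up does not confirm which editor was involved.
"""
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

# tasks.json entries with runOptions.runOn == "folderOpen" run automatically
# when the folder is opened in a trusted window.
AUTORUN_TRIGGER = "folderOpen"

# settings.json keys whose value names an executable or code directory the
# editor (or a very common extension) loads without prompting.
EXEC_SETTINGS = ("python.defaultInterpreterPath", "git.path", "typescript.tsdk")

# Values that resolve inside the repository are the dangerous case: the same
# commit controls both the setting and the file it points at. Absolute paths
# and bare names resolved via PATH are left alone.
REPO_RELATIVE = re.compile(r"^(\$\{workspaceFolder\}|\.{1,2}/|[^/\\:]+[/\\])")


def load_jsonc(path: Path):
    """Parse VS Code's JSON-with-comments (approximate strip); None if unreadable."""
    text = path.read_text(encoding="utf-8", errors="replace")
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)  # whole-line comments
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # block comments
    text = re.sub(r",(\s*[}\]])", r"\1", text)  # trailing commas
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None


def audit_tasks(tasks_file: Path) -> list[str]:
    """Report tasks that fire on folder open."""
    if not tasks_file.exists():
        return []
    doc = load_jsonc(tasks_file)
    if not isinstance(doc, dict):
        return [f"{tasks_file}: unparseable tasks.json, inspect manually"]
    findings = []
    for task in doc.get("tasks", []):
        if not isinstance(task, dict):
            continue
        run_opts = task.get("runOptions") or {}
        if isinstance(run_opts, dict) and run_opts.get("runOn") == AUTORUN_TRIGGER:
            cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
            findings.append(f"{tasks_file}: task '{task.get('label', '?')}' runs on folder open: {cmd.strip()}")
    return findings


def audit_settings(settings_file: Path) -> list[str]:
    """Report settings that point the editor at a binary or module inside the repo."""
    if not settings_file.exists():
        return []
    doc = load_jsonc(settings_file)
    if not isinstance(doc, dict):
        return [f"{settings_file}: unparseable settings.json, inspect manually"]
    findings = []
    for key in EXEC_SETTINGS:
        value = doc.get(key)
        if isinstance(value, str) and REPO_RELATIVE.match(value):
            findings.append(f"{settings_file}: {key} points into the repo: {value}")
    return findings


def audit_repo(root) -> list[str]:
    """Return every auto-execution finding for a checkout; empty list means nothing found."""
    vscode = Path(root) / ".vscode"
    return audit_tasks(vscode / "tasks.json") + audit_settings(vscode / "settings.json")


def demo_repo(malicious: bool = True) -> Path:
    """Constructed sample checkout (hypothetical 'vault UI' repo, not a real project)."""
    root = Path(tempfile.mkdtemp(prefix="vault-ui-"))
    (root / ".vscode").mkdir()
    if malicious:
        tasks = (
            '{\n  // looks like an ordinary dev helper\n  "version": "2.0.0",\n  "tasks": [\n'
            '    {\n      "label": "setup", "type": "shell", "command": "node",\n'
            '      "args": ["${workspaceFolder}/scripts/setup.js"],\n'
            '      "runOptions": { "runOn": "folderOpen" },\n    },\n  ]\n}\n'
        )
        settings = '{\n  "python.defaultInterpreterPath": "${workspaceFolder}/.venv/bin/python",\n  "editor.formatOnSave": true\n}\n'
    else:
        tasks = '{ "version": "2.0.0", "tasks": [ { "label": "test", "type": "shell", "command": "npm test" } ] }\n'
        settings = '{ "editor.formatOnSave": true }\n'
    (root / ".vscode" / "tasks.json").write_text(tasks, encoding="utf-8")
    (root / ".vscode" / "settings.json").write_text(settings, encoding="utf-8")
    return root


if __name__ == "__main__":
    for line in audit_repo(demo_repo()):
        print(line)
```

The comment stripping is deliberately approximate (whole-line `//` comments only, so a `//` inside a URL string survives); anything the parser cannot read is reported for manual inspection rather than silently skipped, because an unparseable config is exactly what an attacker would leave behind. The same idea extends to other editors' per-project files, but the page gives no basis for naming them.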

Drift is continuing its forensic analysis of the affected devices with assistance from SEAL 911 specialists and law enforcement agencies.

The initial point of compromise has not yet been officially confirmed. The protocol's operations remain suspended.

Specific Perpetrator

Data obtained during the investigation linked the attack to the UNC4736 group—a North Korean state entity also known as AppleJeus or Citrine Sleet.

The same group is believed to have been behind the Radiant Capital hack of October 2024, which caused over $50 million in losses. The link was established through on-chain data showing shared fund flows, as well as through associated real-world identities.

To infiltrate Drift, the perpetrators provided completely fabricated information, including employment history, personal details, and professional contacts.

"It's important to note: the individuals who met with Drift representatives were not citizens of North Korea. It is known that North Korean operatives at this level use intermediaries to establish personal contacts," the company stated.

Recall that in March, the North Korean group was suspected of attacking the cryptocurrency online store Bitrefill.