Drift links $285M crypto heist to months-long N.Korea social engineering campaign


The Solana-based decentralized exchange Drift Protocol has revealed that the $285 million cyberattack on April 1, 2026, was orchestrated by a threat actor linked to North Korea.

Drift described the breach as “an attack six months in the making,” linking it with medium confidence to a state-sponsored threat group known as UNC4736 (aka AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces). According to Drift, the attackers combined technical intrusion methods with real-world social engineering tactics, beginning in the fall of 2025.

The company said that several people posing as representatives of a quantitative trading firm approached Drift contributors at major cryptocurrency conferences, slowly building trust over the following six months through professional interaction. Drift described the operatives as technically sophisticated and credible, noting that they were not North Korean nationals and were likely third-party intermediaries tasked with face-to-face relationship-building.

The campaign eventually led to the onboarding of a seemingly legitimate trading vault within Drift’s ecosystem. The attackers deposited over $1 million of their own funds to establish credibility and engaged in extensive discussions about trading strategies and integrations. The efforts, Drift said, were part of a “structured intelligence operation” designed to infiltrate the platform.

Drift says there were possibly three attack vectors: in one case, a contributor may have been compromised after cloning a malicious code repository that exploited Microsoft Visual Studio Code’s task execution features. In another, a contributor was persuaded to download a fake wallet application via Apple’s TestFlight platform.

“For the repository-based vector, one possibility is a known VSCode and Cursor vulnerability that the security community was actively flagging throughout December 2025 through February 2026. Simply opening a file, folder, or repository in the editor was sufficient to silently execute arbitrary code, with no prompt or indication to the user, clicks, permissions dialog or warning of any kind,” the blog post notes.

Drift said that following the hack, forensic review of known affected devices, accounts, and communication histories pointed to interactions with the trading group, suggesting it was an intrusion vector. Just after the cyberattack, “their Telegram chats and malicious software had been completely scrubbed,” the company said.

Based on the evidence, the intrusion was attributed to the same threat actor responsible for the 2024 hack of Radiant Capital.

“The investigation has shown so far that the profiles used in this third party targeted operation had fully constructed identities including employment histories, public-facing credentials and professional networks. The people Drift contributors met in person appeared to have spent months building profiles, both personal and professional, that could withstand scrutiny during a business or counterparty relationship,” the company concluded.
