Drift Protocol said a North Korean state-linked group orchestrated a six-month infiltration before executing a $270 million exploit on April 1, following a prolonged social engineering campaign.
The attackers posed as a quantitative trading firm, integrated into the ecosystem, deposited over $1 million, and built credibility through technical engagement and in-person meetings across multiple countries.
Drift warned that the operation demonstrates how sophisticated adversaries can bypass multisig protections through long-term trust-building and targeted device compromise.
The group established contact in late 2025, participated in ongoing discussions, and onboarded an Ecosystem Vault while embedding themselves operationally within the protocol’s contributor network.
Devices were compromised via a malicious TestFlight app and a known vulnerability in VSCode and Cursor, enabling attackers to secure multisig approvals and execute pre-signed transactions that drained funds within minutes.
Investigators attributed the attack to UNC4736, also known as AppleJeus or Citrine Sleet, citing overlaps with previous DPRK-linked operations and on-chain fund flows connected to earlier exploits.
Drift said the incident underscores the need for stricter access controls and reassessment of multisig security assumptions, as attackers increasingly deploy identity-rich, long-duration infiltration strategies to exploit DeFi systems.
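The control failure described above is that valid signatures, once obtained from compromised signer devices, were enough to move funds within minutes. As an added illustration that is not Drift Protocol's code and makes no claim about how its vaults are actually implemented, the following hypothetical treasury policy shows the kind of multisig assumptions a defender can revisit: a mandatory execution delay so a proposal cannot be executed in the same minutes its approvals are collected, approval expiry so stockpiled pre-signed approvals go stale, a per-window spend limit, and a unilateral veto any signer can use during the delay. All names, amounts and timestamps are constructed.

```python
"""Hypothetical M-of-N multisig policy with an execution delay, approval
expiry, a spend velocity limit and a veto. Constructed example, not the
code of Drift Protocol or any real wallet."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DAY = 86_400  # seconds


@dataclass
class Proposal:
    proposal_id: str
    amount: int                       # constructed units (e.g. stablecoin base units)
    proposed_at: int                  # unix seconds when the proposal was created
    approvals: Dict[str, int] = field(default_factory=dict)  # signer -> approval time
    vetoed: bool = False
    executed: bool = False


class TreasuryPolicy:
    def __init__(self, signers, threshold, min_delay, approval_ttl, window, window_limit):
        # approval_ttl must exceed min_delay, otherwise approvals given at
        # proposal time expire before the delay has elapsed
        assert approval_ttl > min_delay, "approvals would expire during the delay"
        self.signers = set(signers)
        self.threshold = threshold
        self.min_delay = min_delay          # time lock between proposal and execution
        self.approval_ttl = approval_ttl    # approvals older than this are ignored
        self.window = window                # rolling window for the spend limit
        self.window_limit = window_limit    # max total executed within the window
        self.executions: List[Tuple[int, int]] = []  # (executed_at, amount)

    def approve(self, p: Proposal, signer: str, now: int) -> None:
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a registered signer")
        p.approvals[signer] = now

    def veto(self, p: Proposal, signer: str) -> None:
        # any single signer can stop a proposal while it waits out the delay
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a registered signer")
        p.vetoed = True

    def live_approvals(self, p: Proposal, now: int) -> List[str]:
        return [s for s, t in p.approvals.items() if now - t <= self.approval_ttl]

    def spent_in_window(self, now: int) -> int:
        return sum(a for t, a in self.executions if now - t < self.window)

    def check(self, p: Proposal, now: int) -> Tuple[bool, str]:
        if p.executed:
            return False, "already executed"
        if p.vetoed:
            return False, "vetoed"
        if len(self.live_approvals(p, now)) < self.threshold:
            return False, "insufficient live approvals"
        if now < p.proposed_at + self.min_delay:
            return False, "execution delay not elapsed"
        if self.spent_in_window(now) + p.amount > self.window_limit:
            return False, "window spend limit exceeded"
        return True, "ok"

    def execute(self, p: Proposal, now: int) -> bool:
        ok, _ = self.check(p, now)
        if not ok:
            return False
        p.executed = True
        self.executions.append((now, p.amount))
        return True


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: signatures are obtained instantly, but the policy
    still refuses fast or oversized drains."""
    policy = TreasuryPolicy(["alice", "bob", "carol"], threshold=2,
                            min_delay=DAY, approval_ttl=3 * DAY,
                            window=DAY, window_limit=1_000_000)
    results = {}
    big = Proposal("p1", 270_000_000, proposed_at=0)
    policy.approve(big, "alice", now=0)
    policy.approve(big, "bob", now=60)
    results["big_fast"] = policy.check(big, now=300)        # minutes later
    results["big_after_delay"] = policy.check(big, now=DAY)  # delay elapsed, over limit

    small = Proposal("p2", 400_000, proposed_at=0)
    policy.approve(small, "alice", now=0)
    policy.approve(small, "bob", now=0)
    results["small_after_delay"] = (policy.execute(small, now=DAY), "executed")

    third = Proposal("p3", 700_000, proposed_at=0)
    policy.approve(third, "alice", now=0)
    policy.approve(third, "carol", now=0)
    results["third_same_window"] = policy.check(third, now=DAY + 10)
    results["third_next_window"] = (policy.execute(third, now=2 * DAY + 10), "executed")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

The delay is the important control: it turns a compromise of signer devices from an instant drain into a window in which monitoring, an out-of-band confirmation, or a single veto can intervene.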