Drift Reveals Attackers Posed as Traders for Months Ahead of $285M Exploit


TL;DR:

  • Drift Protocol attributed with “medium-high confidence” the $285 million hack to UNC4736, a group affiliated with the North Korean state.
  • The attackers spent six months infiltrating the protocol: they attended conferences, deposited $1 million, and erased all traces after executing the exploit.
  • Security researcher Taylor Monahan identified more than 40 DeFi protocols that allegedly had North Korean workers at various stages of their development.

Drift Protocol revealed that the exploit in which it lost approximately $285 million from its decentralized exchange on Solana was a structured intelligence operation spanning six months, attributed with “medium-high confidence” to the group UNC4736, also known as AppleJeus or Citrine Sleet, a unit linked to the North Korean state and responsible for the hack of Radiant Capital in 2024.

According to the incident report, the attackers first appeared at a crypto conference last autumn under the identity of a quantitative trading firm interested in integrating with the platform. Over the following months, they built a relationship of trust through in-person meetings and coordination via Telegram, launched an Ecosystem Vault within Drift, and deposited over $1 million of their own capital. At the time of executing the exploit, they eliminated every trace: the chats and the malware were, according to the protocol, “completely wiped.”


Drift: Manipulation, False Identities and Vulnerabilities

The report indicates that the attack may have leveraged a malicious code repository, a fake TestFlight application, and a vulnerability in VSCode or Cursor that allowed silent code execution. The individuals who met in person with the protocol’s collaborators were not North Korean nationals, but rather intermediaries with constructed identities backed by verifiable public credentials and employment histories.

Michael Pearl, Vice President of Strategy at security firm Cyvers, noted that the Drift case replicates the pattern of the hack suffered by Bybit: the signers were not compromised directly at the protocol level, but rather manipulated into approving malicious transactions. “Security teams must migrate toward pre-transaction validation at the blockchain level,” he warned.
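The pre-transaction validation Pearl refers to can be made concrete as a signer-side policy gate: before a multisig member signs, the transaction is decoded, its dry-run balance effect is compared with what the visible instructions claim, and anything outside a pre-agreed policy is refused. The following Python is an added illustrative example, not code from Drift, Cyvers or any project the article names; the program names, instruction names, limits, transaction layout and the two sample transactions are all constructed for illustration and are not taken from the incident.

```python
# Added illustrative example (not Drift's, Cyvers' or any project's code).
# A signer-side policy gate: decode what a proposed transaction actually does,
# compare it with a simulated balance effect, and refuse to sign anything that
# falls outside a pre-agreed policy. Program names, instruction names, limits
# and the transaction layout below are all constructed for illustration.
from dataclasses import dataclass, field

# Constructed policy: which programs a signer may ever interact with,
# where funds may go, how much may leave per transaction, and which
# instructions are privileged enough to require out-of-band confirmation.
ALLOWED_PROGRAMS = {"spot_market", "ecosystem_vault"}
APPROVED_RECIPIENTS = {"treasury_wallet"}
MAX_OUTFLOW = 250_000          # per-transaction limit, constructed units
PRIVILEGED = {"set_authority", "upgrade_program", "update_admin"}


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def validate_transaction(tx: dict, simulated_deltas: dict) -> Verdict:
    """Return a Verdict for a decoded transaction plus its simulated effect.

    tx = {"instructions": [{"program": str, "name": str, "params": dict}, ...]}
    simulated_deltas = {account_name: signed balance change} from a dry run.
    The signer refuses unless every check passes; reasons explain why.
    """
    reasons = []
    for ix in tx.get("instructions", []):
        prog, name, params = ix.get("program"), ix.get("name"), ix.get("params", {})
        if prog not in ALLOWED_PROGRAMS:
            reasons.append(f"instruction {name!r} targets non-allowlisted program {prog!r}")
        if name in PRIVILEGED:
            # An authority or upgrade change hidden inside a routine-looking
            # transaction is exactly what a pressured signer should never approve.
            reasons.append(f"privileged instruction {name!r} requires out-of-band confirmation")
        if name == "withdraw":
            if params.get("to") not in APPROVED_RECIPIENTS:
                reasons.append(f"withdrawal to unapproved recipient {params.get('to')!r}")
            if params.get("amount", 0) > MAX_OUTFLOW:
                reasons.append(f"withdrawal amount {params.get('amount')} exceeds limit {MAX_OUTFLOW}")
    # Cross-check the decoded intent against the simulated balance changes:
    # a transaction whose dry run moves more value than its instructions claim
    # is rejected regardless of how it was presented to the signer.
    outflow = -sum(d for d in simulated_deltas.values() if d < 0)
    claimed = sum(ix.get("params", {}).get("amount", 0)
                  for ix in tx.get("instructions", []) if ix.get("name") == "withdraw")
    if outflow > MAX_OUTFLOW:
        reasons.append(f"simulated outflow {outflow} exceeds limit {MAX_OUTFLOW}")
    if outflow > claimed:
        reasons.append(f"simulated outflow {outflow} exceeds claimed {claimed}")
    return Verdict(allowed=not reasons, reasons=reasons)


# Constructed sample transactions (not from the incident).
ROUTINE_TX = {"instructions": [
    {"program": "ecosystem_vault", "name": "withdraw",
     "params": {"to": "treasury_wallet", "amount": 50_000}},
]}
ROUTINE_DELTAS = {"vault": -50_000, "treasury_wallet": 50_000}

# Looks like the same routine withdrawal, but bundles an authority change and
# the dry run shows far more value leaving than the visible instruction claims.
BUNDLED_TX = {"instructions": [
    {"program": "ecosystem_vault", "name": "withdraw",
     "params": {"to": "treasury_wallet", "amount": 50_000}},
    {"program": "ecosystem_vault", "name": "set_authority",
     "params": {"new_authority": "unknown_key"}},
]}
BUNDLED_DELTAS = {"vault": -2_000_000, "unknown_key": 2_000_000}


if __name__ == "__main__":
    for label, tx, deltas in (("routine", ROUTINE_TX, ROUTINE_DELTAS),
                              ("bundled", BUNDLED_TX, BUNDLED_DELTAS)):
        v = validate_transaction(tx, deltas)
        print(label, "ALLOW" if v.allowed else "REFUSE", v.reasons)
```

The point of the design is that the decision never rests on what a counterparty or a wallet UI says the transaction does: the decoded instructions and an independent dry run are both checked against a policy the signers agreed on in advance, so a relationship built over months buys the other side nothing at signing time.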


Lazarus Group Has Stolen Around $7 Billion

Security researcher Taylor Monahan, a MetaMask developer, published a list of more than 40 DeFi platforms that allegedly had North Korean workers embedded at various stages of their development. “North Korea’s IT workers built the protocols you know and use, going back to DeFi Summer,” she wrote. Blockchain investigator ZachXBT clarified that the well-known ‘Lazarus Group’ is the collective name for all state-sponsored North Korean cyber actors, and estimated that the group has stolen approximately $7 billion in cryptocurrencies since 2017.
