

The Drift Protocol says that the $280+ million hack it suffered last week was the result of a long-term, carefully planned operation that included building “a functioning operational presence inside the Drift ecosystem.”
On April 1st, the Solana-based trading platform detected unusual activity, followed by confirmation that funds had been lost in a sophisticated attack that hijacked the Security Council's administrative powers.
Blockchain intelligence firms Elliptic and TRM Labs attributed the heist to North Korean hackers, who took about 12 minutes to drain user assets.
The investigation revealed that the hackers had been preparing the attack for at least six months, posing as a quantitative firm and approaching Drift contributors in person at multiple crypto conferences.
“It is now understood that this appears to be a targeted approach, where individuals from this group continued to deliberately seek out and engage specific Drift contributors, in person, at multiple major industry conferences in multiple countries over the following six months,” Drift Protocol says.
The threat actor continued to communicate with their targets via Telegram, discussing trading strategies and potential vault integrations. They were technically proficient and demonstrated familiarity with how Drift worked, with interactions resembling typical onboarding exchanges between trading firms and the platform.
According to Drift, the Telegram group used for engaging contributors was deleted immediately after the theft occurred.
The platform has not determined the attack vector with certainty, but believes that two contributors were compromised in the following ways:
- A malicious code repository shared with a contributor, possibly exploiting a VSCode/Cursor vulnerability that allowed silent code execution
- A malicious TestFlight application presented as a wallet product
Multiple indicators found in Elliptic and TRM Labs investigations point to a North Korean threat actor. Drift’s findings also indicate with medium-high confidence that the attack was perpetrated by UNC4736 (a.k.a. AppleJeus and Labyrinth Chollima), a threat actor linked to North Korea by multiple security companies.
Incident response company Mandiant has previously associated UNC4736 with Lazarus. The same threat group is responsible for the 3CX supply-chain attack in 2023 and the $50 million Radiant cryptocurrency theft in 2024, and it has also been linked to Chrome zero-day exploitation.
However, it is noted that the in-person actors who met with key Drift contributors at conferences were non-Korean intermediaries.
Currently, all Drift Protocol functions remain frozen, and the compromised wallets have been removed from the multisig process.
Drift says that the attackers’ wallets have been flagged across exchanges and bridge operators to prevent the threat actor from moving or withdrawing the funds.
