Drift Says $270 Million Cryptocurrency Hack Was a Six-Month North Korean Intelligence Operation


Drift Protocol attributed a $270 million exploit carried out on April 1, 2026 to a six-month intelligence operation conducted by UNC4736, a North Korean state threat group also tracked as Citrine Sleet or AppleJeus, in a detailed incident update published by the team on Sunday.

The loss makes Drift the largest native Solana dapp ever exploited. Posing as a quantitative trading company, the attackers deposited more than $1 million of their own capital into the Ecosystem Vault, held working sessions with contributors across multiple countries, and waited nearly half a year before executing an attack that drained the protocol’s vaults in less than a minute.


The scope and duration of the operation set it apart from previous DeFi exploits in ways that carry implications far beyond Drift’s immediate recovery.

We believe this is not a measure of Drift’s specific security posture, but rather a calibrating signal about the maturity of state-sponsored cryptocurrency theft: a signal that makes the standard DeFi security checklist, smart contract audits included, structurally inadequate against adversaries operating on intelligence timelines rather than opportunistic ones.


UNC4736’s operation against Drift: a six-month timeline, two stealth vectors, and dormant pre-signed execution

According to the Drift incident update, first contact occurred in the fall of 2025 at a major cryptocurrency conference, where the group presented itself as a technically fluent quantitative trading company seeking vault integration.

The relationship followed fairly standard DeFi onboarding patterns (a Telegram group, ongoing conversations about trading strategies, and substantive discussions about the protocol’s architecture), none of which would have looked anomalous to stakeholders accustomed to institutional counterparties conducting extensive due diligence.

Between December 2025 and January 2026, the group joined the Drift Ecosystem Vault, deposited over $1 million in capital, and established an active operational presence within the ecosystem.

Drift contributors met individuals associated with the group face-to-face at several major industry conferences across several countries during February and March 2026, a detail consistent with the DPRK’s known operational pattern: the individuals who appeared in person were not North Korean citizens but third-party intermediaries with full professional identities, employment histories and social networks built to withstand due diligence review.

The technical breach appears to have come via two vectors identified in Drift’s disclosure. The first involved a TestFlight app (Apple’s platform for distributing pre-release software, which does not pass through the App Store’s security review) that the group introduced as its own portfolio product.

The second exploited a known vulnerability in two widely used code editors, VSCode among them, where simply opening a file or folder was enough to silently execute arbitrary code; the security community has been tracking this vector since late 2025.

Once contributor devices were compromised, the attackers obtained the two multisig approvals required and pre-signed transactions using Solana’s persistent-transaction mechanism. These transactions remained dormant for more than a week before being activated on April 1, draining $270 million, including 41.72 million JLP tokens that were later swapped via Jupiter, Raydium, Orca, and Meteora and moved to Ethereum, in less than sixty seconds.

The attribution to UNC4736 rests on on-chain fund flows linking the attack to wallets associated with the October 2024 Radiant Capital exploit, as well as operational overlap with known DPRK-linked personas identified by forensics firm Mandiant, which Drift retained for the investigation, and by blockchain security group SEAL 911, which assigned the connection moderate to high confidence. UNC4736 operates under North Korea’s Reconnaissance General Bureau, the same directorate responsible for previous AppleJeus malware campaigns, and its playbook has gradually incorporated extended in-person social engineering as a precursor phase.

We expect Mandiant’s full forensic report to reveal additional infrastructure overlaps linking this operation to previous campaigns associated with the Lazarus group, beyond the already identified Radiant Capital wallet cluster.


Neil Matthew
