North Korean hackers posed as traders for 6 months, meeting Drift Protocol team members globally before executing a devastating $270M heist on April 1.

How North Korean Operatives Orchestrated a $270M Crypto Heist After Months of Patient Infiltration

2026/04/06 15:40

Key Points

  • State-sponsored North Korean operatives masqueraded as a legitimate quantitative trading firm, cultivating trust within Drift Protocol over a six-month period before executing a $270 million theft on April 1.
  • The threat actors established in-person relationships with protocol contributors at international crypto conferences and injected over $1 million in actual funds to bolster credibility.
  • System infiltration occurred through a malicious TestFlight application and exploitation of a documented security flaw in VSCode/Cursor development environments.
  • Security researchers have linked the operation to UNC4736, alternatively identified as AppleJeus or Citrine Sleet, with ties to North Korean state interests.
  • Legal experts suggest the breach may represent actionable negligence, with class action litigation efforts already underway.

On April 1, Drift Protocol suffered a catastrophic $270 million security breach following an extended infiltration campaign orchestrated by a North Korean state-backed hacking collective spanning approximately half a year.

The sophisticated operation began at a prominent cryptocurrency conference during autumn 2025. The perpetrators successfully impersonated representatives of a quantitative trading operation, arriving with comprehensive technical knowledge, authenticated professional credentials, and detailed familiarity with Drift’s infrastructure and operations.

Initial communications were established through a Telegram channel, initiating months of sustained dialogue. Discussions centered on topics typical of institutional trading partnerships: vault integration protocols, strategic trading methodologies, and operational frameworks.

During the December 2025 to January 2026 timeframe, the fraudulent entity officially established an Ecosystem Vault within the Drift ecosystem. They conducted numerous collaborative working sessions with platform contributors and deployed over $1 million in actual capital—a calculated move designed to establish authenticity.

Throughout February and March 2026, Drift personnel engaged in direct, face-to-face meetings with representatives from the group at various international conference venues across multiple nations. By the time of the April 1 attack, the relationship had matured over nearly half a year.

Technical Compromise Methods Revealed

The breach materialized through a dual-vector attack strategy. First, a team member installed a TestFlight application, which the attackers had marketed as their proprietary wallet solution. TestFlight is Apple's beta distribution channel; builds shipped through it do not pass the full App Store review process, so a malicious beta can reach a device without the vetting an App Store release would receive.

Additionally, the threat actors weaponized a publicly documented vulnerability in VSCode and Cursor (a VSCode-based editor), two widely used development environments. The exploit required nothing more than opening a compromised file within either editor: the malicious payload executed silently, with no prompt, notification or security alert shown to the user.

Following successful device compromise, the attackers methodically obtained the signing credentials needed to produce two multisignature wallet approvals. The approved-but-unexecuted transactions then sat dormant for over a week before being executed on April 1, draining $270 million within sixty seconds.
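The week-long gap between approval and execution described above is itself a detectable signal: a multisig proposal that has reached quorum but has not been executed is a loaded gun, and an execution that fires a stale approval is worth an alert. The following is an added example, not Drift's code or any multisig vendor's API; it assumes a constructed, hypothetical JSON-lines audit log with `ts` (ISO 8601 UTC), `event` (`approve` or `execute`), `proposal` and `signer` fields, and a 2-of-N approval threshold. A real deployment would feed it from a Squads, Safe or similar indexer instead.

```python
"""Flag multisig approvals that sat dormant (added example; hypothetical log format)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real Drift data). P-1 and P-2 reach quorum in late March
# and are executed on April 1; P-3 is executed promptly; P-4 reaches quorum and never executes.
SAMPLE_LOG = """\
{"ts": "2026-03-20T15:00:00Z", "event": "approve", "proposal": "P-4", "signer": "sig-a"}
{"ts": "2026-03-20T15:20:00Z", "event": "approve", "proposal": "P-4", "signer": "sig-b"}
{"ts": "2026-03-23T10:00:00Z", "event": "approve", "proposal": "P-1", "signer": "sig-a"}
{"ts": "2026-03-23T10:05:00Z", "event": "approve", "proposal": "P-1", "signer": "sig-b"}
{"ts": "2026-03-24T09:00:00Z", "event": "approve", "proposal": "P-2", "signer": "sig-a"}
{"ts": "2026-03-24T09:30:00Z", "event": "approve", "proposal": "P-2", "signer": "sig-b"}
{"ts": "2026-03-30T12:00:00Z", "event": "approve", "proposal": "P-3", "signer": "sig-a"}
{"ts": "2026-03-30T12:10:00Z", "event": "approve", "proposal": "P-3", "signer": "sig-b"}
{"ts": "2026-03-30T12:20:00Z", "event": "execute", "proposal": "P-3", "signer": "sig-a"}
{"ts": "2026-04-01T08:00:00Z", "event": "execute", "proposal": "P-1", "signer": "sig-b"}
{"ts": "2026-04-01T08:00:30Z", "event": "execute", "proposal": "P-2", "signer": "sig-b"}
"""


def parse_ts(s):
    """Parse the log's ISO 8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_events(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def quorum_times(events, threshold):
    """Map proposal -> time it first reached `threshold` distinct approving signers."""
    signers, reached = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 Z strings sort chronologically
        if ev["event"] != "approve":
            continue
        p = ev["proposal"]
        signers.setdefault(p, set()).add(ev["signer"])  # duplicate signer approvals don't count twice
        if p not in reached and len(signers[p]) >= threshold:
            reached[p] = parse_ts(ev["ts"])
    return reached


def stale_approvals(events, threshold, max_age, now):
    """Return (proposal, status, age) for every proposal that reached quorum and either
    executed more than `max_age` later ('executed_stale') or is still unexecuted and
    older than `max_age` as of `now` ('pending_stale')."""
    reached = quorum_times(events, threshold)
    executed = {}
    for ev in events:
        if ev["event"] == "execute":
            executed.setdefault(ev["proposal"], parse_ts(ev["ts"]))  # keep first execution
    findings = []
    for p, t_quorum in reached.items():
        if p in executed:
            age = executed[p] - t_quorum
            if age > max_age:
                findings.append((p, "executed_stale", age))
        else:
            age = now - t_quorum
            if age > max_age:
                findings.append((p, "pending_stale", age))
    return findings


if __name__ == "__main__":
    now = parse_ts("2026-04-02T00:00:00Z")
    for p, status, age in stale_approvals(load_events(SAMPLE_LOG), 2, timedelta(days=7), now):
        print(f"{p}: {status} (age {age})")
```

Run against the sample log as of April 2, the `pending_stale` finding for P-4 is the alert you want before an attacker presses the button; the two `executed_stale` findings are the after-the-fact signature of the pattern the article describes. In practice, the stronger control is to expire approvals automatically rather than only to alert on them.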

Cybersecurity analysts have connected the incident to UNC4736, a threat actor group also designated as AppleJeus or Citrine Sleet. Blockchain forensics revealed transaction patterns linking to the October 2024 Radiant Capital compromise, which investigators also attributed to North Korean actors. Notably, individuals who appeared physically at conferences were not North Korean citizens—DPRK-affiliated groups characteristically employ third-party proxies with elaborately fabricated identities.

Legal Ramifications and Security Failures

Cryptocurrency legal specialist Ariel Givner has indicated the incident potentially constitutes actionable civil negligence. She emphasized that fundamental security protocols—including maintaining signing keys on isolated, air-gapped systems and conducting thorough background verification of developers encountered at industry events—appear to have been inadequately implemented.

Drift’s security team has expressed “medium-high confidence” that identical threat actors executed the October 2024 Radiant Capital attack, where malicious software was distributed via Telegram from an individual impersonating a former contractor.

The post How North Korean Operatives Orchestrated a $270M Crypto Heist After Months of Patient Infiltration appeared first on Blockonomi.
