North Korean hackers spent six months infiltrating before exploiting $285 million



In brief

  • Drift Protocol attributed the recent $285 million attack on its DEX platform with “medium to high confidence” to UNC4736, a North Korean state-affiliated hacker group.
  • The attackers deposited over $1 million of their own capital and set up an Ecosystem Vault within the protocol before executing the exploit.
  • The attackers erased their traces immediately after execution, with Telegram chats and malware “completely wiped.”

Solana-based decentralized exchange Drift Protocol said on Sunday that the attack that drained nearly $285 million from the platform was a six-month-long, organized intelligence operation by a North Korean state-affiliated threat group.

Attackers used fabricated professional identities, in-person conference meetings, and malicious developer tools to compromise contributors and deploy the exploit, the protocol said in a detailed incident update.

“Cryptocurrency teams now face adversaries who operate more like intelligence units than hackers, and most organizations are not structurally prepared for this level of threat,” Michael Pearl, VP of Strategy at blockchain security firm Cyvers, told Decrypt.

Drift said the group first reached out to stakeholders at a major cryptocurrency conference last fall, presenting as a quantitative trading firm seeking integration with the protocol.

Over the course of months, the group built trust through in-person meetings, coordinated over Telegram, set up an Ecosystem Vault on Drift, and deposited $1 million of its own capital, then vanished, with chats and malware completely “wiped” once the exploit was executed.

The DEX said the intrusion may have involved a malicious code repository, a fake TestFlight application, and a VSCode/Cursor vulnerability that allowed silent code execution without user interaction.

Drift attributed the attack with medium to high confidence to UNC4736, also tracked as AppleJeus or Citrine Sleet — the same North Korean state-affiliated group that cybersecurity firm Mandiant linked to the 2024 Radiant Capital breach.

The individuals who met with the contributors in person were not North Korean citizens, Drift said, noting that DPRK-linked actors often rely on outside intermediaries for “face-to-face engagement.”

Onchain fund flows and overlapping personas point to DPRK-linked actors, according to SEAL 911 incident responders, though Mandiant has not yet confirmed attribution pending forensics, the platform noted.

Security researcher @tayvano_, one of the experts credited with helping identify the malicious actors, suggested that the exposure extends well beyond this incident.

In a tweet, the researcher listed dozens of decentralized finance protocols, claiming that “IT workers in the Democratic People’s Republic of Korea have built the protocols you know and love, all the way to the Summer Challenge.”

Industry impacts

“Drift and Bybit highlight the same pattern, where the two sites were not directly compromised at the protocol level, but rather were tricked into agreeing to malicious transactions,” Pearl noted. “The fundamental issue is not the number of signatories, but a lack of understanding of the intent of the deal.”

He said that multi-signature wallets, although an improvement over single-key control, now create a false sense of security, introducing a “paradox” in which shared responsibility reduces cross-signer auditing.

“Security must shift to pre-transaction validation at the blockchain level, where transactions are independently simulated and verified before execution,” Pearl said, adding that once attackers have control over what users see, the only effective defense is validation of what the transaction actually does, regardless of the interface.
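The pre-transaction validation Pearl describes can be illustrated with an added example (not Drift's, Cyvers' or Decrypt's code): a pre-signing check that takes the per-account effects reported by an independent simulation and compares them with the single transfer the signer believes they approved, rejecting any extra balance movement, any account the intent never mentioned, or any change of account authority. The model is deliberately simplified and hypothetical; every account name, amount and simulated effect below is constructed sample data.

```python
"""Pre-signing intent check: compare what an independent transaction
simulation reports against what the signer believes the transaction does.
Added illustration only; a simplified, hypothetical model rather than
Drift's, Cyvers' or any wallet's real code. All accounts, amounts and
simulated effects below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Effect:
    """One state change reported by the simulator for a single account."""
    account: str
    kind: str      # "balance" (integer units) or "authority" (who controls it)
    before: object
    after: object


@dataclass
class Intent:
    """What the signer was shown and agreed to."""
    transfers: Dict[Tuple[str, str], int] = field(default_factory=dict)  # (src, dst) -> amount
    fee_payer: str = ""
    max_fee: int = 0

    def touched(self) -> Set[str]:
        """Accounts the declared intent is allowed to modify."""
        accounts = {self.fee_payer} if self.fee_payer else set()
        for src, dst in self.transfers:
            accounts.update((src, dst))
        return accounts

    def expected_delta(self, account: str) -> int:
        """Net balance change the intent implies for one account (fees aside)."""
        delta = 0
        for (src, dst), amount in self.transfers.items():
            if src == account:
                delta -= amount
            if dst == account:
                delta += amount
        return delta


def validate(intent: Intent, effects: List[Effect]) -> List[str]:
    """Return human-readable violations; an empty list means the simulated
    effects match the declared intent and signing can proceed."""
    violations = []
    allowed = intent.touched()
    for e in effects:
        if e.account not in allowed:
            violations.append(f"{e.account}: modified but not part of the declared intent")
            continue
        if e.kind == "authority":
            # An ordinary transfer never changes who controls an account.
            violations.append(f"{e.account}: authority changed {e.before} -> {e.after}")
        elif e.kind == "balance":
            actual = e.after - e.before
            expected = intent.expected_delta(e.account)
            # The fee payer may additionally lose up to max_fee; nothing else may deviate.
            low = expected - (intent.max_fee if e.account == intent.fee_payer else 0)
            if not low <= actual <= expected:
                violations.append(
                    f"{e.account}: balance delta {actual} outside expected [{low}, {expected}]")
    return violations


# Constructed sample: the signer believes they are paying 1,000,000 units
# from "vault" to "counterparty", with "vault" covering at most 5,000 in fees.
INTENT = Intent(transfers={("vault", "counterparty"): 1_000_000},
                fee_payer="vault", max_fee=5_000)

# Constructed simulation of the genuine transaction: balances move as described.
BENIGN_EFFECTS = [
    Effect("vault", "balance", 10_000_000, 8_998_000),
    Effect("counterparty", "balance", 0, 1_000_000),
]

# Constructed simulation of a transaction whose on-screen rendering was tampered
# with: it also hands control of the vault to another key and drains a treasury.
TAMPERED_EFFECTS = [
    Effect("vault", "balance", 10_000_000, 0),
    Effect("vault", "authority", "ops-multisig", "unknown-key"),
    Effect("treasury", "balance", 50_000_000, 0),
]


def check_samples() -> Tuple[List[str], List[str]]:
    """Run the check over both constructed simulations."""
    return validate(INTENT, BENIGN_EFFECTS), validate(INTENT, TAMPERED_EFFECTS)


if __name__ == "__main__":
    for label, result in zip(("benign", "tampered"), check_samples()):
        print(label, "->", result or "OK to sign")
```

The check deliberately works from the simulator's reported effects rather than from anything the interface displays, which is the point Pearl makes: once the device or IDE is compromised, only the transaction's actual effects can be trusted, and each co-signer of a multisig can run the same comparison independently before adding a signature.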

Regarding developer tools as an attack surface, Lavid said the assumption has to change from the ground up.

“You have to assume the endpoint has been compromised,” he told Decrypt, citing IDEs, code repositories, mobile applications, and signing environments as increasingly popular entry points.

“If these underlying tools are weak, anything visible to the user — including transactions — can be manipulated,” the expert said, noting that this “fundamentally violates traditional security assumptions,” leaving teams unable to trust “the interface, the device, or even the signature flow.”
