The $285 million stolen from Drift Protocol on April 1 did not come from a code vulnerability. It came from people. Real people, with fabricated professional histories, who shook hands with Drift contributors at crypto conferences across multiple countries for half a year before the exploit executed.

New details shared by Drift Protocol on X lay out what the investigation has uncovered so far. The operation began in fall 2025, when a group presenting as a quantitative trading firm first approached Drift contributors at a major industry conference. What followed were months of deliberate contact, not digital outreach but in-person meetings at multiple major events in multiple countries. As we previously reported, Mandiant and the SEAL 911 team have attributed this attack with medium-high confidence to UNC4736, also tracked as AppleJeus or Citrine Sleet, the same North Korean state-affiliated group behind the October 2024 Radiant Capital hack.

Face-to-Face for Six Months Before a Single Dollar Moved

The group was not sloppy. They were technically fluent, had verifiable professional backgrounds, and deposited over $1 million of their own capital into Drift’s ecosystem between December 2025 and January 2026. They filled out onboarding forms, ran working sessions with multiple contributors, and asked informed product questions. A Telegram group was set up from the first meeting, and months of substantive conversations around trading strategies and vault integrations followed.

Contributors met individuals from this group again, face-to-face, at multiple industry conferences through February and March 2026. By that point, the relationship was nearly six months old. These were not strangers. They were counterparties Drift contributors had worked alongside.

Three likely attack vectors emerged from the forensic review. One contributor may have been compromised after cloning a code repository the group shared under the cover of deploying a frontend for their vault. A second was induced to download a TestFlight app the group presented as their wallet product. For the repository vector, the investigation points to a known VSCode and Cursor vulnerability that security researchers flagged between December 2025 and February 2026. Opening a file or folder in the editor was enough to silently execute arbitrary code. No prompt. No click. No warning of any kind. The full technical disclosure is available here.
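The repository vector comes down to one habit: opening an untrusted checkout in an editor that acts on workspace files. The script below is an added defensive example for this article, not code from Drift Protocol, Mandiant or SEAL 911, and it does not reproduce the editor flaw the disclosure describes. It assumes only that a cloned repository can carry editor configuration the editor acts on at folder-open time, and it flags the documented VS Code mechanisms for that: a task in `.vscode/tasks.json` with `runOptions.runOn` set to `folderOpen`, and path-like settings in `.vscode/settings.json` or a `*.code-workspace` file that point back into the checkout (the settings heuristic is this example's own assumption). The sample repository it scans is constructed inline.

```python
"""Pre-open scan of a cloned repository for editor workspace files that
can launch commands when the folder is opened in VS Code or Cursor.

Added example for this article; not code from Drift, Mandiant or SEAL 911.
It assumes the vector relies on workspace configuration acted on at
folder-open time, and uses the documented VS Code file and key names.
"""
import json
import os
import re
import tempfile

# Setting keys that typically name something the editor or an extension executes.
PATH_LIKE_KEY = re.compile(r"(?i)(path|exe|command|shell|interpreter)")


def _strip_jsonc(text):
    """VS Code config files allow // line comments and trailing commas."""
    text = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    return re.sub(r",(\s*[}\]])", r"\1", text)


def load_jsonc(path):
    """Parse a JSON-with-comments file; return None if it still won't parse."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    for candidate in (text, _strip_jsonc(text)):
        try:
            return json.loads(candidate)
        except ValueError:
            continue
    return None


def scan_tasks(tasks, relpath, findings):
    """Flag tasks configured to run automatically when the folder opens."""
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            findings.append({"file": relpath, "kind": "auto-run-task",
                             "detail": task.get("command") or task.get("label") or "<unnamed>"})


def scan_settings(settings, relpath, findings):
    """Heuristic (this example's assumption): a path-like setting that resolves
    inside the checkout can make the editor run attacker-supplied files."""
    if not isinstance(settings, dict):
        return
    for key, value in settings.items():
        if not (isinstance(value, str) and PATH_LIKE_KEY.search(key)):
            continue
        if "${workspaceFolder}" in value or value.startswith(("./", ".\\")):
            findings.append({"file": relpath, "kind": "workspace-executable-path",
                             "detail": f"{key} = {value}"})


def scan_repo(root):
    """Return a list of findings for the checkout at root (empty list = nothing flagged)."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.basename(dirpath) == ".vscode" and name in ("tasks.json", "settings.json"):
                data = load_jsonc(full)
                if not isinstance(data, dict):
                    findings.append({"file": rel, "kind": "unparseable-config",
                                     "detail": "could not parse; inspect by hand"})
                elif name == "tasks.json":
                    scan_tasks(data.get("tasks"), rel, findings)
                else:
                    scan_settings(data, rel, findings)
            elif name.endswith(".code-workspace"):
                data = load_jsonc(full)
                if isinstance(data, dict):
                    ws_tasks = data.get("tasks")
                    if isinstance(ws_tasks, dict):
                        scan_tasks(ws_tasks.get("tasks"), rel, findings)
                    scan_settings(data.get("settings"), rel, findings)
    return findings


def build_sample_repo():
    """Constructed sample checkout containing both patterns (not a real repository)."""
    root = tempfile.mkdtemp(prefix="cloned-repo-")
    vs = os.path.join(root, ".vscode")
    os.makedirs(vs)
    with open(os.path.join(vs, "tasks.json"), "w", encoding="utf-8") as fh:
        fh.write('{\n  // runs as soon as the folder is opened\n  "version": "2.0.0",\n'
                 '  "tasks": [{"label": "setup", "type": "shell",\n'
                 '    "command": "node scripts/setup.js",\n'
                 '    "runOptions": {"runOn": "folderOpen"},}]\n}\n')
    with open(os.path.join(vs, "settings.json"), "w", encoding="utf-8") as fh:
        json.dump({"python.defaultInterpreterPath": "${workspaceFolder}/.venv/bin/python"}, fh)
    return root


if __name__ == "__main__":
    for finding in scan_repo(build_sample_repo()):
        print(f"{finding['kind']:28} {finding['file']}: {finding['detail']}")
```

Run it against a checkout before the first `code .` or `cursor .`; a non-empty result is a reason to read the flagged files in a plain pager first. The scan is a pre-open check, not a substitute for keeping Workspace Trust enabled, and it knows nothing about whatever the disclosure linked above actually describes.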

By the time the April 1 exploit executed, the Telegram chats and all malicious software had been completely wiped. Nothing was left behind.

The People in the Room Were Not North Korean

One detail buried in Drift’s update changes how to read this entire operation. The individuals who appeared in person were not North Korean nationals. DPRK threat actors at this level are known to deploy third-party intermediaries for face-to-face work. The front-facing operatives build the trust. The hackers stay invisible.

Tim Ahhl shared on X that his previous employer had unknowingly interviewed a Lazarus operative.

“At a previous job, we interviewed someone who turned out to be a Lazarus operative. He did video calls and was extremely qualified. We invited him for in-person interviews and he ultimately declined to fly out, so we passed. Only later did we find his name in a Lazarus info dump. Years later and it seems Lazarus now has non-NK nationals working for them to con people in person.”

That pattern matches exactly what Drift’s investigation describes. The profiles used in this operation had fully constructed identities, including employment histories, public-facing credentials, and professional networks that held up during a months-long business relationship.

ZachXBT: The Industry Is Misreading These Threats

The broader misidentification problem was raised directly by on-chain researcher ZachXBT on X after Drift’s update. The term “Lazarus Group” gets applied to every DPRK cyber actor, but the complexity gap between subgroups is significant and teams keep getting it wrong.

“Threats via job postings, LinkedIn, email, Zoom, or interviews are basic and in no way sophisticated. The only thing about it is they’re relentless. If you or your team still falls for them in 2026 you’re very likely negligent.”

ZachXBT identified only two DPRK groups running truly sophisticated crypto attacks: TraderTraitor, responsible for Bybit and DMM, and AppleJeus, responsible for Radiant and now Drift. Every other DPRK subgroup running job posting or LinkedIn schemes is low-tier by comparison. He noted that companies regularly publicize stopping what they describe as an elaborate Lazarus attempt, and it turns out to be a basic attempt by a subgroup that lacks the operational depth of either AppleJeus or TraderTraitor.

ZachXBT also pointed to a GitHub research repository maintained by @tayvano_ as a comprehensive reference on DPRK-linked activity, compiled from research across multiple sources.

$285M and the Ongoing Investigation

As covered in our previous reporting on Circle’s inaction, over $232 million in stolen USDC moved through Circle’s cross-chain bridge during U.S. business hours without being frozen. Elliptic has tracked this as the eighteenth DPRK-linked attack in 2026 alone, with over $300 million stolen so far this year. The U.S. government has linked these funds directly to Pyongyang’s weapons program.

All protocol functions remain frozen. Compromised wallets have been removed from the multisig. Attacker wallets have been flagged across exchanges and bridge operators. Drift urged any team that believes it may have faced a similar approach to contact @SEAL911 immediately.

Full forensic analysis of affected hardware is still underway. More details will be shared as the investigation progresses, Drift said.