Friday, July 17, 2026
No Result
View All Result
Bitcoin News Update
  • Home
  • Bitcoin
  • Crypto Updates
    • Crypto Updates
    • Ethereum
    • Altcoin
    • Crypto Exchanges
  • Blockchain
  • NFT
  • Web3
  • DeFi
  • Metaverse
  • Analysis
  • Regulations
  • Scam Alert
Marketcap
  • Home
  • Bitcoin
  • Crypto Updates
    • Crypto Updates
    • Ethereum
    • Altcoin
    • Crypto Exchanges
  • Blockchain
  • NFT
  • Web3
  • DeFi
  • Metaverse
  • Analysis
  • Regulations
  • Scam Alert
Marketcap
Bitcoin News Update
No Result
View All Result

North Korean Hackers Spent Six Months Infiltrating Drift Before $285M Exploit

by Bitcoin News Update
April 6, 2026
in Web3
Reading Time: 4 mins read
0 0
0
Home Web3
0
SHARES
0
VIEWS
Share on FacebookShare on Twitter



In brief

Drift Protocol has attributed the recent $285 million attack on its DEX with “medium-high confidence” to UNC4736, a North Korean state-affiliated hacker group.
Attackers deposited over $1 million of their own capital and built a functioning vault inside the ecosystem before executing the exploit.
The bad actors erased traces instantly, with Telegram chats and malware “completely scrubbed” after execution.

Solana-based decentralized exchange Drift Protocol said on Sunday the attack that drained roughly $285 million from the platform was a structured six-month intelligence operation by a North Korean state-affiliated threat group.

The attackers used fabricated professional identities, in-person conference meetings, and malicious developer tools to compromise contributors before executing the drain, the protocol said in a detailed incident update.

“Crypto teams are now facing adversaries that operate more like intelligence units than hackers, and most organizations are not structurally prepared for that level of threat,” Michael Pearl, VP of Strategy at blockchain security firm Cyvers, told Decrypt.

Drift said the group first approached contributors at a major crypto conference last fall, presenting as a quantitative trading firm seeking to integrate with the protocol.

Over months, the group built trust through in-person meetings, Telegram coordination, onboarded an Ecosystem Vault on Drift, and made a $1 million vault deposit of their own capital, only to vanish, with chats and malware “completely scrubbed” when the exploit hit.

The DEX said the intrusion may have involved a malicious code repository, a fake TestFlight app, and a VSCode/Cursor vulnerability that enabled silent code execution without user interaction.

Drift attributed the attack with “medium-high confidence” to UNC4736, also tracked as AppleJeus or Citrine Sleet—the same North Korean state-affiliated group that cybersecurity firm Mandiant linked to 2024’s Radiant Capital hack.

Drift said the individuals who met contributors in person were not North Korean nationals, noting that DPRK-linked actors often rely on third-party intermediaries for “face-to-face engagement.”

Onchain fund flows and overlapping personas point to DPRK-linked actors, according to incident responders SEAL 911, though Mandiant has yet to confirm attribution pending forensics, the platform noted.

Security researcher @tayvano_, one of the experts whom Drift credited for assistance in identifying the malicious actors, suggested the exposure extend well beyond this incident.

In a tweet, the expert listed dozens of DeFi protocols, alleging that “DPRK IT workers built the protocols you know and love, all the way back to defi summer.”

Industry implications

“Drift and Bybit highlight the same pattern — signers were not directly compromised at the protocol level, they were tricked into approving malicious transactions,” Pearl noted. “The core issue is not the number of signers, but the lack of understanding of transaction intent.”

He said that multisignature wallets, while an improvement over single-key control, now create a false sense of security, introducing “a paradox” where shared responsibility lowers scrutiny across signers.



“Security must shift to pre-transaction validation at the blockchain level, where transactions are independently simulated and verified before execution,” Pearl said, adding that once attackers control what users see, the only effective defense is validating what a transaction actually does, regardless of the interface.

On developer tools as an attack surface, Lavid said the assumption has to change from the ground up.

“You have to assume the endpoint is compromised,” he told Decrypt, pointing to IDEs, code repositories, mobile apps, and signer environments as increasingly common entry points.

“If these foundational tools are vulnerable, anything shown to the user—including transactions—can be manipulated,” the expert said, noting this “fundamentally breaks traditional security assumptions,” leaving teams unable to trust “the interface, the device, or even the signing flow.”

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.



Source link

Tags: 285MDriftexploitHackersInfiltratingKoreanMonthsNorthSpent
Previous Post

How James Wynn From $100M to $90

Next Post

Will Solana rally to $93 despite mixed derivatives sentiment

Related Posts

Leaks Reveal Suno Fed Thousands of Hours of Deezer, YouTube and Pond5 Data Into Its AI
Web3

Leaks Reveal Suno Fed Thousands of Hours of Deezer, YouTube and Pond5 Data Into Its AI

July 16, 2026
Why Analysts Aren’t Worried About Coinbase’s 30% Drop
Web3

Why Analysts Aren’t Worried About Coinbase’s 30% Drop

July 15, 2026
Sony’s stablecoin plan sends PlayStation crypto rumors racing ahead of the facts
Web3

Sony’s stablecoin plan sends PlayStation crypto rumors racing ahead of the facts

July 15, 2026
Stop Over-Prompting: OpenAI’s New GPT-5.6 Guidelines Change Everything
Web3

Stop Over-Prompting: OpenAI’s New GPT-5.6 Guidelines Change Everything

July 13, 2026
Ripple CEO says SEC suit nearly pushed company to shut down
Web3

Ripple CEO says SEC suit nearly pushed company to shut down

July 13, 2026
How to Make Product Ads With AI for TikTok and YouTube—For (Almost) Free
Web3

How to Make Product Ads With AI for TikTok and YouTube—For (Almost) Free

July 12, 2026
Next Post
Will Solana rally to  despite mixed derivatives sentiment

Will Solana rally to $93 despite mixed derivatives sentiment

CLARITY Act Nears Key Deal as Pepeto Gains Ground Over Ethereum and XMR

CLARITY Act Nears Key Deal as Pepeto Gains Ground Over Ethereum and XMR

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

World markets by TradingView
Facebook Twitter Instagram Youtube RSS
Bitcoin News Update

Your trusted source for breaking Bitcoin news and live crypto prices. Bitcoin News Updates keeps you informed and ahead of the market curve.

CATEGORIES

  • Altcoin
  • Analysis
  • Bitcoin
  • Blockchain
  • Crypto Exchanges
  • Crypto Updates
  • DeFi
  • Ethereum
  • Metaverse
  • NFT
  • Regulations
  • Scam Alert
  • Uncategorized
  • Web3

SITEMAP

  • About us
  • Advertise with us
  • Disclaimer 
  • Privacy Policy
  • DMCA 
  • Cookie Privacy Policy
  • Terms and Conditions
  • Contact us

Copyright © 2026 Bitcoin News Update.
Bitcoin News Update is not responsible for the content of external sites.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In
  • bitcoinBitcoin(BTC)$63,265.00-2.48%
  • ethereumEthereum(ETH)$1,841.09-4.26%
  • tetherTether(USDT)$1.000.00%
  • binancecoinBNB(BNB)$570.67-2.28%
  • usd-coinUSDC(USDC)$1.000.02%
  • rippleXRP(XRP)$1.09-2.63%
  • solanaSolana(SOL)$74.95-2.91%
  • tronTRON(TRX)$0.321806-0.67%
  • Figure HelocFigure Heloc(FIGR_HELOC)$1.02-1.67%
  • HyperliquidHyperliquid(HYPE)$59.07-11.42%
No Result
View All Result
  • Home
  • Bitcoin
  • Crypto Updates
    • Crypto Updates
    • Ethereum
    • Altcoin
    • Crypto Exchanges
  • Blockchain
  • NFT
  • Web3
  • DeFi
  • Metaverse
  • Analysis
  • Regulations
  • Scam Alert

Copyright © 2026 Bitcoin News Update.
Bitcoin News Update is not responsible for the content of external sites.