North Korea Spent Six Months Pretending to Be a Trading Firm to Steal $270M From Drift
TL;DR
North Korean state hackers (UNC4736/Citrine Sleet) spent six months posing as a legit quant trading firm — attending conferences, building Telegram groups, depositing $1M of real capital — before draining $270M from Drift Protocol on April 1, 2026.
North Korea didn’t hack Drift. They befriended Drift. For six months. Then stole $270M.
That’s the headline from today’s disclosure. On April 5, Drift Protocol published a post-mortem confirming what Mandiant and SEAL911 had suspected: the April 1 exploit was a meticulously planned, state-backed intelligence operation — not an opportunistic code exploit — attributed with medium-high confidence to UNC4736, also known as Citrine Sleet, the same North Korean group behind the 2024 Radiant Capital hack.
This is the 18th suspected DPRK crypto attack in 2026. They’re getting better.
Six Months. Three Vectors. $270M.
Starting in Fall 2025, attackers posing as a legitimate quantitative trading firm began approaching Drift Protocol contributors at major crypto conferences. Over the following months, they:
- Built real professional relationships via Telegram over months of sustained contact
- Discussed trading strategies convincingly enough to earn trust
- Deposited over $1M of real capital into a Drift Ecosystem Vault to appear legitimate
- Used third-party intermediaries (not DPRK nationals) for in-person meetings across multiple countries — specifically to avoid easy attribution
Then, on April 1, 2026, they executed across three simultaneous attack vectors:
- A cloned code repository exploiting a silent code execution vulnerability in VSCode/Cursor. Opening it in the editor was enough; no further user interaction was required.
- A malicious TestFlight app distributed as a “wallet product.”
- Compromise of administrator private keys, enabling unauthorized vault withdrawals directly.
The result: ~$155M in JLP tokens drained from the JLP Delta Neutral vault, plus SOL, BTC, USDC, cbBTC, and wBTC from Super Staking vaults. Total: $270M–$286M (Elliptic’s on-chain analysis puts it at $286M; Drift’s own disclosure uses $270M).
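The dev-tooling vector above is the one most teams have no routine check for. Drift's post-mortem does not spell out the exact mechanism, so the following is an added example, not the page's or Drift's own code and not a description of the exploit: a generic pre-open triage that scans a freshly cloned repository for the documented VS Code / Cursor workspace files that can make the editor run something the moment a folder is opened (tasks with `runOptions.runOn` set to `folderOpen`, and workspace settings that point the editor at an executable). The list of settings is a non-exhaustive assumption drawn from public VS Code documentation, and the sample repository is constructed inline.

```python
import json
import re
import tempfile
from pathlib import Path

# Non-exhaustive, assumed list of documented VS Code settings whose value names
# a binary the editor or a bundled extension may launch. Not from the incident.
EXECUTABLE_SETTINGS = {
    "git.path", "python.defaultInterpreterPath", "typescript.tsdk",
    "eslint.runtime", "eslint.nodePath",
}
EXECUTABLE_PREFIXES = ("terminal.integrated.profiles.",
                       "terminal.integrated.automationProfile.")


def strip_jsonc(text: str) -> str:
    """VS Code config files are JSON-with-comments; drop // and /* */ comments
    outside strings, then trailing commas, so json.loads accepts them."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            in_str = c != '"'
            i += 1
        elif c == '"':
            in_str, i = True, i + 1
            out.append(c)
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def scan_tasks(tasks: dict) -> list[str]:
    """Flag tasks the editor runs automatically when the folder is opened."""
    findings = []
    for t in tasks.get("tasks", []):
        if (t.get("runOptions") or {}).get("runOn") == "folderOpen":
            findings.append(f"tasks.json: task '{t.get('label', '?')}' runs on "
                            f"folder open: {t.get('command', '')!r}")
    return findings


def scan_settings(settings: dict) -> list[str]:
    """Flag workspace settings that redirect the editor to a repo-supplied binary."""
    return [f"settings.json: {k} points the editor at {v!r}"
            for k, v in settings.items()
            if k in EXECUTABLE_SETTINGS or k.startswith(EXECUTABLE_PREFIXES)]


def scan_repo(root: Path) -> list[str]:
    """Human-readable findings for a checked-out repository root."""
    findings, vscode = [], root / ".vscode"
    for name, scanner in (("tasks.json", scan_tasks), ("settings.json", scan_settings)):
        path = vscode / name
        if path.is_file():
            findings += scanner(json.loads(strip_jsonc(path.read_text())))
    return findings


def build_sample_repo(root: Path) -> None:
    """Constructed sample (not a real repository): one hook of each kind plus benign entries."""
    vscode = root / ".vscode"
    vscode.mkdir(parents=True)
    (vscode / "tasks.json").write_text("""{
  // constructed sample
  "version": "2.0.0",
  "tasks": [
    {"label": "setup", "type": "shell", "command": "node ./scripts/setup.js",
     "runOptions": {"runOn": "folderOpen"}},
    {"label": "build", "type": "shell", "command": "npm run build"},
  ]
}""")
    (vscode / "settings.json").write_text('{"editor.tabSize": 2, "git.path": "./tools/git"}')


def demo() -> list[str]:
    with tempfile.TemporaryDirectory() as d:
        build_sample_repo(Path(d))
        return scan_repo(Path(d))


if __name__ == "__main__":
    for line in demo():
        print("WARN", line)
```

Run it against a clone before opening the folder in the editor, or wire it into the `git clone` wrapper your team already uses; a hit is a reason to open the repository with workspace trust declined and read the flagged file first. It catches only the documented auto-run surfaces, so treat a clean result as "nothing obvious", not as proof of safety.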
The Escape Route
Within hours, the stolen assets were being laundered at industrial scale:
- Tokens swapped to USDC via Solana DEXes
- $232M bridged to Ethereum via Circle’s Cross-Chain Transfer Protocol (CCTP) across 100+ transactions
- Converted to ETH on the other side
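The $232M went through CCTP as 100+ separate transfers inside a few hours, which is exactly the shape a per-sender velocity check is built to catch. As an added example, not Circle's, Drift's or any investigator's code: the function below groups constructed CCTP-style burn events by source address, slides a one-hour window over each sender's history, and reports senders whose densest window exceeds both a transfer count and a dollar total. The event records, addresses (`SRC_A` etc.) and thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BurnEvent:
    ts: int             # unix seconds of the source-chain burn
    sender: str         # source-chain address (placeholder strings in the sample)
    amount_usdc: float
    dest: str           # destination chain, kept as a name to avoid domain-id assumptions


@dataclass(frozen=True)
class Burst:
    sender: str
    start_ts: int
    end_ts: int
    count: int
    total_usdc: float


def find_bursts(events, window_s=3600, min_count=10, min_total=10_000_000.0):
    """Return one Burst per sender whose densest window meets both thresholds,
    largest total first. Two-pointer sweep: O(n log n) for the sort, O(n) after."""
    by_sender = defaultdict(list)
    for e in events:
        by_sender[e.sender].append(e)
    bursts = []
    for sender, evs in by_sender.items():
        evs.sort(key=lambda e: e.ts)
        best, j, running = None, 0, 0.0
        for i, start in enumerate(evs):
            # extend the window end while events fall within window_s of start
            while j < len(evs) and evs[j].ts - start.ts <= window_s:
                running += evs[j].amount_usdc
                j += 1
            count = j - i
            if best is None or count > best.count:
                best = Burst(sender, start.ts, evs[j - 1].ts, count, running)
            running -= start.amount_usdc   # drop the window start before advancing
        if best and best.count >= min_count and best.total_usdc >= min_total:
            bursts.append(best)
    return sorted(bursts, key=lambda b: -b.total_usdc)


def sample_events():
    """Constructed sample: one sender pushing 12 x $2M through in 40 minutes,
    plus unremarkable background traffic from two unrelated senders."""
    t0 = 1_775_000_000  # arbitrary epoch seconds
    evs = [BurnEvent(t0 + 200 * k, "SRC_A", 2_000_000.0, "ethereum") for k in range(12)]
    evs += [BurnEvent(t0 + 900 * k, "SRC_B", 150_000.0, "ethereum") for k in range(6)]
    evs += [BurnEvent(t0 + 3600 * k, "SRC_C", 2_500_000.0, "base") for k in range(4)]
    return evs


if __name__ == "__main__":
    for b in find_bursts(sample_events()):
        print(f"ALERT {b.sender}: {b.count} burns, ${b.total_usdc:,.0f} "
              f"in {b.end_ts - b.start_ts}s (from ts {b.start_ts})")
```

The thresholds are deliberately crude; in practice you would key them to the sender's own history (a market maker that bridges $50M a day is not a burst) and feed hits into a hold queue rather than an automatic freeze. The point the laundering timeline makes is that the signal was available in the first hour, long before the six-hour window closed.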
Circle had a six-hour window during U.S. business hours to freeze those transfers. It didn’t. That controversy — which ZachXBT documented in detail on April 2–4 — is a separate story we’ve already covered, but it’s worth noting: Circle had previously frozen USDC balances for 16 unrelated wallets in a sealed civil case just nine days earlier. The capability exists. The will, apparently, didn’t.
This Is North Korea’s Job Now
The DPRK’s Lazarus Group / UNC4736 isn’t some opportunistic hacker crew. It’s a state revenue-generation operation. According to U.S. and UN estimates, North Korea has stolen over $6.5 billion in crypto to fund its weapons program. In 2024 alone, DPRK-linked groups stole an estimated $1.34B. The 2026 pace is accelerating.
The Drift attack shows a clear evolution: they’re no longer just hunting smart contract bugs. They’re running long-form social engineering campaigns — months of relationship-building, real capital deployment, insider access cultivation. It’s closer to a corporate espionage operation than a hack.
Mandiant and SEAL911 are assisting law enforcement. Recovery prospects are slim.
Why This Matters for Crypto Jobs
This attack is a hiring signal — and not just for security engineers.
Immediate demand surge areas:
- Smart contract auditors who also understand social engineering attack surfaces (supply chain attacks via dev tooling are now a primary vector)
- Operational security (OpSec) specialists — protocols now need people who can detect and counter multi-month infiltration campaigns, not just code reviews
- Incident response and forensics — on-chain investigation firms (Mandiant, Elliptic, SEAL911, Chainalysis) are all scaling headcount as state-backed attacks increase
- Developer tooling security — the VSCode/Cursor silent-execution vulnerability used here is a category of attack that basically no DeFi protocol has a dedicated defense for
- Insider threat detection — if attackers can pose as legitimate contributors for six months and earn multisig access, protocols need people building trust frameworks and access controls, not just firewalls
The broader signal: DeFi security is no longer just a “smart contract audit + bug bounty” problem. It requires counterintelligence thinking. That’s a skill set almost no one in crypto currently has — and protocols are about to start paying serious money to find it.
Looking for your next role in crypto security? The job market for Web3 security professionals has never been hotter — and the skillset gap is enormous. Browse open roles at cryptogrind.com and find where your skills fit.