{"id":45154,"date":"2026-04-07T02:19:56","date_gmt":"2026-04-06T18:19:56","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/07\/north-korean-hackers-pose-as-trading-firm-to-steal-285m-from-drift\/"},"modified":"2026-04-07T02:19:56","modified_gmt":"2026-04-06T18:19:56","slug":"north-korean-hackers-pose-as-trading-firm-to-steal-285m-from-drift","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/07\/north-korean-hackers-pose-as-trading-firm-to-steal-285m-from-drift\/","title":{"rendered":"North Korean Hackers Pose as Trading Firm to Steal $285M from Drift"},"content":{"rendered":"\n

Drift Protocol reveals that a North Korean state-linked group<\/a> spent six months posing as a trading firm to execute a $285 million hack. Read about how the attackers managed to compromise the protocol without raising suspicion.<\/p>\n

When Drift Protocol was drained of $285 million (approximately \u00a3225 million) on 1 April 2026, many assumed it was a sudden technical glitch. However, new details from the firm show the attack was actually a meticulously planned operation that began with a simple handshake around six months back.<\/p>\n

Building a Six-Month Fake Friendship<\/strong><\/h3>\n

The breach prep, reportedly, started in late 2025 when a group of individuals approached Drift staff at a \u201cmajor crypto conference,\u201d presenting themselves as a professional “quantitative trading firm” looking to work together, Drift’s investigation revealed. These were not anonymous hackers hiding behind screens; they met Drift team members face-to-face at conferences in several different countries.<\/p>\n

To build trust, the group went so far as to deposit $1 million of their own money into a Drift Ecosystem Vault between December 2025 and January 2026. This level of effort is rare, but it allowed the attackers to be seen as legitimate business partners rather than a threat.<\/p>\n

The Infiltration Methods<\/strong><\/h3>\n

While maintaining this professional relationship, the group quietly used social engineering<\/a> to trick staff into compromising their own security. As per Drift\u2019s official update<\/a> on X.com, the hackers gained access likely through three specific attack vectors:<\/p>\n

First, one staff member was persuaded to download a mobile app via TestFlight<\/a>, which is Apple\u2019s platform for testing new software, under the impression it was a new digital wallet product. In another instance, a contributor was induced to clone a malicious code repository (a collection of files) presented as a tool for building a website for the group\u2019s vault. Or, the hackers exploited a known vulnerability within VSCode <\/a>and Cursor, which are common tools developers use to write code.<\/p>\n

Between late 2025 and early 2026, simply opening a folder provided by the group was enough to let the hackers silently execute arbitrary code and hijack a computer without any warning or prompt. After compromising these devices, the attackers gathered the multisig<\/a> approvals needed to control the protocol. On April 1st, they used a method known as a durable nonce attack to bypass security and empty the vaults in under a minute.<\/p>\n

The Link to North Korea<\/strong><\/h3>\n

While the individuals met in person were likely third-party intermediaries, security experts at Mandiant and the SEALS 911 team have linked the attack to the North Korean hacking group UNC4736 (aka AppleJeus or Citrine Sleet). According to their research, the fund flows used to stage this operation were traced back to a previous hack of Radiant Capital<\/a> in October 2024.<\/p>\n