Drift Protocol published a detailed incident update on April 5 revealing that the attack that drained approximately $270 million from its vaults was the result of a structured six-month intelligence operation, not a spontaneous exploit.

The operation began in fall 2025, when individuals posing as a quantitative trading firm approached Drift contributors at a major crypto conference. Over the following months, they held working sessions, onboarded an Ecosystem Vault, deposited over $1 million of their own capital, and met Drift developers face-to-face at multiple industry events across several countries. By April 1, the relationship was nearly half a year old.

The Technical Vectors

Drift identified two likely compromise vectors. The first involved a GitHub repository shared by the group — appearing to be a frontend for their vault — which exploited a known vulnerability in VSCode and Cursor. Between December 2025 and February 2026, simply opening a file or folder in either editor was sufficient to silently execute arbitrary code with no prompt, warning, or permissions dialog of any kind.

The second vector was a TestFlight application the group presented as their wallet product.

Once developer machines were compromised, the attackers obtained two multisig approvals enabling a durable nonce attack: a Solana durable nonce lets a signed transaction stay valid indefinitely instead of expiring with its recent blockhash, so the pre-signed transactions sat dormant for over a week before draining the protocol in under a minute on April 1.
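The defensive takeaway from the durable nonce step is that a multisig signer can recognise a non-expiring transaction before approving it: on Solana a durable-nonce transaction must carry the System Program's AdvanceNonceAccount instruction as its first instruction. The check below is an added example written for this article, not code from Drift or from the incident report. It assumes a simplified, constructed transaction shape (program id plus raw instruction data for each instruction) rather than a full Solana message, and the sample transactions are constructed for illustration.

```python
"""
Durable-nonce screening for multisig proposals (added example, not Drift's code).

Assumption: each proposal is available as a list of instructions with the
program id and raw instruction data, as a reviewer could pull from the RPC.
Account keys and signatures are omitted because the check does not need them.
"""
import struct
from dataclasses import dataclass

# Real Solana constants: the System Program id and the instruction index
# that the program uses for AdvanceNonceAccount (encoded as little-endian u32).
SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4
TRANSFER = 2


@dataclass
class Instruction:
    program_id: str
    data: bytes


@dataclass
class Transaction:
    recent_blockhash: str      # for a durable-nonce tx this is the stored nonce value
    instructions: list[Instruction]


def is_advance_nonce(ix: Instruction) -> bool:
    """True if the instruction is System Program AdvanceNonceAccount."""
    if ix.program_id != SYSTEM_PROGRAM_ID or len(ix.data) < 4:
        return False
    (tag,) = struct.unpack_from("<I", ix.data, 0)
    return tag == ADVANCE_NONCE_ACCOUNT


def uses_durable_nonce(tx: Transaction) -> bool:
    """A durable-nonce transaction has AdvanceNonceAccount as its FIRST
    instruction; its signature then never expires with a blockhash."""
    return bool(tx.instructions) and is_advance_nonce(tx.instructions[0])


def review_findings(tx: Transaction) -> list[str]:
    """Findings a signer's tooling should surface before an approval is given."""
    findings = []
    if uses_durable_nonce(tx):
        findings.append(
            "durable nonce: approval will stay valid indefinitely; "
            "hold for out-of-band verification instead of signing now"
        )
    # A nonce advance that is not first does not make the tx durable,
    # but it has no place in a routine vault proposal either.
    for i, ix in enumerate(tx.instructions[1:], start=1):
        if is_advance_nonce(ix):
            findings.append(f"unexpected nonce advance at instruction {i}")
    return findings


# Constructed samples (not from the incident): an ordinary transfer and a
# proposal that leads with AdvanceNonceAccount.
ORDINARY_TX = Transaction(
    recent_blockhash="constructed-blockhash",
    instructions=[
        Instruction(SYSTEM_PROGRAM_ID, struct.pack("<IQ", TRANSFER, 1_000_000)),
    ],
)

DURABLE_TX = Transaction(
    recent_blockhash="constructed-nonce-value",
    instructions=[
        Instruction(SYSTEM_PROGRAM_ID, struct.pack("<I", ADVANCE_NONCE_ACCOUNT)),
        Instruction(SYSTEM_PROGRAM_ID, struct.pack("<IQ", TRANSFER, 1_000_000)),
    ],
)

if __name__ == "__main__":
    for name, tx in (("ordinary", ORDINARY_TX), ("durable", DURABLE_TX)):
        print(name, review_findings(tx) or ["no findings"])
```

The policy encoded here is deliberately blunt: any proposal that begins with a nonce advance is held rather than signed, because an approval on such a transaction can be replayed days later, which is exactly the week-long dormancy the article describes.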

Attribution

Drift attributes the attack with medium-high confidence to UNC4736 (also tracked as AppleJeus or Citrine Sleet), a North Korean state-affiliated group also responsible for the October 2024 Radiant Capital hack. Crucially, the individuals who appeared in person were not North Korean nationals — DPRK uses third-party intermediaries with fully constructed identities.

Mandiant has been engaged for full forensic analysis. Drift urges any team that may have been targeted to contact SEAL-911 immediately.