# North Korea Hacked Drift for $270M — Here's How They Did It
A North Korean state group pulled off the $270 million Drift Protocol exploit after spending six months building trust inside the ecosystem. They didn't just hack the code—they hacked the people.
The attackers first showed up at a crypto conference in fall 2025, posing as a legit quant trading firm. They had real backgrounds, knew the tech, and started months of normal conversations about vault integrations. By April 2025, they'd deposited over $1 million, attended multiple conferences, and met Drift contributors face-to-face.
The breach came through two clever vectors: a malicious VSCode plugin and a TestFlight app that bypassed Apple's security. Once inside, they grabbed multisig approvals and waited weeks before draining the vaults in under a minute.
This wasn't random. On-chain data links it to UNC4736, a North Korean group also behind the Radiant Capital hack. They use fake identities and real-world meetings to fool even careful teams.
The market takeaway? If attackers are willing to spend six figures and half a year for one exploit, no amount of code audits or multisig setups is enough. Security now means treating every device and relationship as a potential threat vector.