Drift just dropped a bombshell — that $270M exploit was no random hack. It was a six-month North Korean intelligence operation, state-backed and highly coordinated.

The attackers didn’t just break in — they infiltrated. They posed as a legit quant trading firm, attended major crypto conferences, met Drift’s team in person, and even deposited over $1M of their own capital. For months, they played the long game, gaining trust and access.

The breach happened through social engineering and software exploits. One vector was a malicious VSCode/Cursor plugin that ran code silently just by opening a file. The other was a fake TestFlight wallet app that bypassed Apple’s security. Once inside, they got the two multisig approvals needed to drain the vaults in under a minute.
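As an added, defender-side illustration (not part of the original post, and not Drift's tooling): the plugin vector above works because an editor extension can declare activation events that execute its code as soon as a workspace or a file of a given language is opened, with no click from the user. The script below reads each installed extension's `package.json` and flags those that ship runtime code with such silent activation events. The extension directories are an assumption (the VS Code and Cursor defaults on the author's machine); the sample manifests in the block are constructed.

```python
"""Audit installed VS Code / Cursor extensions for code that runs without a user action.

Added example, not code from Drift or from any extension vendor.
Assumption: extensions live in ~/.vscode/extensions and ~/.cursor/extensions.
"""
import json
from pathlib import Path

# Activation events that make the extension's `main`/`browser` entry point run with no
# explicit user action beyond opening a workspace or a file (real VS Code event names).
SILENT_ACTIVATION_PREFIXES = (
    "*",                   # activate on startup, unconditionally
    "onStartupFinished",   # activate shortly after startup
    "workspaceContains:",  # activate when a matching file exists in the opened workspace
    "onLanguage:",         # activate when a file of that language is opened
    "onFileSystem:",       # activate when a file with that scheme is opened
)

# Assumption: default extension directories for VS Code and Cursor.
EXTENSION_DIRS = [
    Path.home() / ".vscode" / "extensions",
    Path.home() / ".cursor" / "extensions",
]


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one extension's package.json."""
    findings: list[str] = []
    ext_id = f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}"
    has_code = "main" in manifest or "browser" in manifest
    if not has_code:
        return findings  # pure themes / grammars ship no runtime code
    events = manifest.get("activationEvents", [])
    for event in events:
        if any(event == p or event.startswith(p) for p in SILENT_ACTIVATION_PREFIXES):
            findings.append(f"{ext_id}: runs code on activation event {event!r}")
    if not events:
        # Newer VS Code infers activation from `contributes`; code still runs, so review it.
        findings.append(f"{ext_id}: ships code with no declared activationEvents (review contributes)")
    if manifest.get("extensionDependencies"):
        findings.append(f"{ext_id}: pulls in extensions {manifest['extensionDependencies']}")
    return findings


def audit_installed(dirs=EXTENSION_DIRS) -> dict[str, list[str]]:
    """Walk each extension directory and collect findings per extension folder."""
    report: dict[str, list[str]] = {}
    for base in dirs:
        if not base.is_dir():
            continue
        for manifest_path in base.glob("*/package.json"):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError) as err:
                report[str(manifest_path.parent)] = [f"unreadable manifest: {err}"]
                continue
            findings = audit_manifest(manifest)
            if findings:
                report[str(manifest_path.parent)] = findings
    return report


# Constructed sample manifests (not real extensions) for a self-contained run.
THEME_MANIFEST = {"name": "nice-theme", "publisher": "acme", "contributes": {"themes": []}}
HELPER_MANIFEST = {
    "name": "quant-helper",
    "publisher": "unknown-pub",
    "main": "./out/extension.js",
    "activationEvents": ["onLanguage:typescript", "onCommand:quant.run"],
}

if __name__ == "__main__":
    for name, m in (("theme", THEME_MANIFEST), ("helper", HELPER_MANIFEST)):
        print(name, audit_manifest(m) or "no findings")
    for folder, findings in audit_installed().items():
        print(folder)
        for f in findings:
            print("  -", f)
```

Run it on every workstation that holds a signer key or a governance role, and treat any flagged extension from a publisher the team did not deliberately install as a device to be re-imaged, not cleaned. The `onCommand:` event in the constructed helper is deliberately not flagged: it only fires when the user invokes the command.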

Drift traced the attack to UNC4736, a known North Korean APT group also called AppleJeus or Citrine Sleet. The in-person contacts weren’t North Korean — they were hired proxies with fake identities, a common tactic for DPRK ops.

This isn’t just a protocol issue — it’s an industry wake-up call. If attackers are willing to spend months, money, and effort to build trust before striking, then traditional multisig security might not be enough.

Protocols need to rethink access controls, audit every device touching governance, and treat long-term infiltration as a real threat. The bar for security just got higher.
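To make "traditional multisig security might not be enough" concrete, here is an added example (not Drift's code, and not a description of Drift's actual vault program) of a treasury withdrawal policy in which two approvals alone cannot move funds: amounts above a size line need a higher approval threshold, every request sits behind a time-lock, and a rolling outflow cap bounds what any burst of approvals can drain. The signer names, amounts, thresholds and timestamps are constructed.

```python
"""Treasury withdrawal policy layering a time-lock and an outflow cap on N-of-M approvals.

Added illustration, not Drift's code. All parameters are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class WithdrawalRequest:
    request_id: str
    amount: int                    # smallest unit of the asset (constructed values)
    proposed_at: int               # unix seconds when the proposal was published
    approvals: set = field(default_factory=set)


class TreasuryPolicy:
    def __init__(self, signers, threshold, large_amount, large_threshold,
                 timelock_s, window_s, window_cap):
        self.signers = set(signers)
        self.threshold = threshold            # approvals needed for routine amounts
        self.large_amount = large_amount      # at/above this amount, demand large_threshold
        self.large_threshold = large_threshold
        self.timelock_s = timelock_s          # minimum delay between proposal and execution
        self.window_s = window_s              # rolling window for the outflow cap
        self.window_cap = window_cap          # max total executed within any window
        self.executed: list[tuple[int, int]] = []  # (executed_at, amount)

    def approve(self, req: WithdrawalRequest, signer: str) -> None:
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a configured signer")
        req.approvals.add(signer)

    def required_approvals(self, amount: int) -> int:
        return self.large_threshold if amount >= self.large_amount else self.threshold

    def outflow_in_window(self, now: int) -> int:
        return sum(a for t, a in self.executed if now - t < self.window_s)

    def check(self, req: WithdrawalRequest, now: int) -> tuple[bool, str]:
        """Return (allowed, reason). Every gate must pass, not just the signature count."""
        need = self.required_approvals(req.amount)
        have = len(req.approvals & self.signers)
        if have < need:
            return False, f"need {need} approvals, have {have}"
        elapsed = now - req.proposed_at
        if elapsed < self.timelock_s:
            return False, f"timelock: {self.timelock_s - elapsed}s remaining"
        if self.outflow_in_window(now) + req.amount > self.window_cap:
            return False, "exceeds rolling outflow cap"
        return True, "ok"

    def execute(self, req: WithdrawalRequest, now: int) -> bool:
        ok, _ = self.check(req, now)
        if ok:
            self.executed.append((now, req.amount))
        return ok


def demo() -> list[tuple[str, bool, str]]:
    """Walk a constructed sequence of requests through the policy; returns (id, ok, reason)."""
    policy = TreasuryPolicy(
        signers=["alice", "bob", "carol", "dave", "erin"],
        threshold=2, large_amount=1_000_000, large_threshold=4,
        timelock_s=24 * 3600, window_s=24 * 3600, window_cap=5_000_000,
    )
    t0 = 1_000
    results = []
    routine = WithdrawalRequest("routine", 500_000, proposed_at=t0)
    for s in ("alice", "bob"):
        policy.approve(routine, s)
    results.append(("routine-immediate", *policy.check(routine, now=t0 + 50)))   # blocked by timelock
    results.append(("routine-after-lock", policy.execute(routine, now=t0 + 24 * 3600), "ok"))
    big = WithdrawalRequest("big", 2_000_000, proposed_at=t0)
    for s in ("alice", "bob"):
        policy.approve(big, s)
    results.append(("big-two-sigs", *policy.check(big, now=t0 + 24 * 3600 + 10)))  # needs 4
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The time-lock is the control that turns a one-minute drain into a day-long window in which operators can notice and veto; on-chain, the analogue is a program-enforced delay, not an off-chain promise. The outflow cap bounds the damage even if every signer device is compromised at once.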
