North Korean Hackers Spent Six Months Infiltrating The Drift Before Spending $285M



In short

  • Drift Protocol has attributed, with “moderate confidence,” the recent $285 million attack on its DEX to UNC4736, a hacking group affiliated with the North Korean government.
  • The group invested $1 million of its own capital and built rapport over months before striking.
  • The attackers immediately covered their tracks, with Telegram chats and malware “completely eradicated” once the attack was carried out.

Solana-based decentralized exchange Drift Protocol said on Sunday that the attack that drained $285 million from the platform was a six-month operation by a hacking group affiliated with the North Korean government.

The attackers used fake identities, one-on-one video calls, and malicious tooling to deceive the protocol's contributors, Drift said in a detailed account of the events.

“Crypto communities are now facing adversaries that operate as smarter units than hackers, and many organizations are ill-prepared to deal with these threats,” Michael Pearl, VP of Strategy at blockchain security firm Cyvers, told Decrypt.

Drift said the group first approached its contributors at a major crypto conference last fall, presenting itself as a marketing company looking to integrate with the protocol.

Over several months, the group built trust through in-person meetings and Telegram communication, deposited into Drift's Ecosystem Vault, and invested $1 million of its own capital. Once the attack was executed, the group vanished, and its chats and malware were “destroyed.”

The DEX said the intrusion may have involved a malicious code repository, a fake TestFlight app, and a VSCode/Cursor vulnerability that allowed code to run silently without user interaction.

Drift said it attributes the attack with “moderate confidence” to UNC4736, also tracked as AppleJeus or Citrine Sleet, the same North Korean government-linked group that cybersecurity firm Mandiant tied to the 2024 attack on Radiant Capital.

Drift said the people who met with its contributors in person were not North Korean nationals, noting that DPRK-linked actors often rely on third-party intermediaries for “face-to-face” meetings.

On-chain fund movements and other indicators point to DPRK-connected actors, according to responders from SEAL 911, although Mandiant has not yet formally confirmed the attribution, the platform said.

Security researcher @tayvano_, one of the experts Drift credited with helping identify the perpetrators, said the problem extends beyond Drift.

In a tweet, the researcher pointed to other DeFi protocols, saying that “the DPRK IT staff developed the protocols you know and love, until late summer.”

Implications for the industry

“Drift and Bybit review the same process – the signers were not directly compromised at the protocol level, they were tricked into agreeing to a malicious transaction,” Pearl said. “The main problem is not the number of signatories, but the lack of understanding of the purpose of the transaction.”

He said that multisignature wallets, while an improvement over single-key control, now create a false sense of security, presenting a “paradox” in which shared responsibility reduces the scrutiny each signer applies.

“Security must shift to the verification of transactions before they start working on the blockchain, where the transactions are independently tested and verified before they take place,” said Pearl, adding that when attackers control what users see, the only effective defense is independent verification of the transaction itself, regardless of how it is presented.

Given attack vectors like these, Lavid said the security mindset must change from the ground up.

“You have to assume the endpoint is compromised,” he told Decrypt, pointing to IDEs, databases, mobile applications, and sign-in pages as common entry points.

“If these basic devices are vulnerable, everything that is shown to the user – including events – can be changed,” the expert said, noting that this “breaks the security model,” leaving teams unable to rely on “the interface, the device, or even the signature.”
