I just read a rather alarming analysis about what recently happened with Drift Protocol. It turns out that the $270 million exploit was not a random attack but a meticulously planned North Korean intelligence operation that lasted approximately six months.
The most concerning part is how they did it. A group affiliated with the North Korean state infiltrated the Drift ecosystem pretending to be a quantitative trading firm. To understand what Drift is and how it works, you need to know that it is a DeFi protocol that relies on multiple signatures for security. Well, these attackers were incredibly patient and sophisticated. First, they made contact around fall 2025 at a major cryptocurrency conference, presenting themselves as trading specialists. They had verifiable professional credentials, spoke the technical language of the protocol, and knew exactly what to say.

For months, they maintained substantial conversations about strategies and ecosystem vaults, something completely normal in how firms integrate into DeFi protocols. Between December 2025 and January 2026, they incorporated an Ecosystem Vault, held working sessions with Drift collaborators, deposited over one million dollars of their own capital, and established operational presence within the ecosystem. The boldest part was that they met in person with Drift teams at multiple major conferences during February and March. By April, when they launched the attack, the relationship had nearly half a year of history.

The infiltration occurred through two technical vectors. First, they downloaded a TestFlight app, Apple’s platform that distributes pre-release apps without security review, presenting it as their wallet product. Second, they exploited a known vulnerability in VSCode and Cursor, two of the most used code editors in development, where simply opening a file executed arbitrary code without warning. Once the devices were compromised, they obtained what was needed to acquire the two multisig approvals that enabled the April 1 attack, draining $270 million in less than a minute.

The investigators attributed all of this to UNC4736, also known as AppleJeus or Citrine Sleet, a group affiliated with the North Korean state. The interesting part is that the individuals who met in person were not North Korean citizens but intermediaries with fully fabricated identities, false work histories, and professional networks designed to pass any verification.

This exposes something uncomfortable for the entire DeFi industry: if attackers are willing to invest six months and a million dollars to build a legitimate presence, meet with teams in person, and wait patiently, what security model is truly designed to detect that? Drift now warns that the industry must audit access contracts and treat every device interacting with multisigs as a potential target. The underlying question is whether multisigs as the primary security model in DeFi are sufficient against adversaries of this level.