Tags: north korea, dprk, unc4736 · April 6, 2026 · CyberTimes Security Team

$285 Million Drift Hack: North Korea's UNC4736 Spent Six Months Building Trust Before Draining Everything in 10 Seconds

TL;DR — 15 Second Read

  • North Korean group UNC4736 spent six months building fake identities, meeting Drift staff in person at conferences, and depositing $1M+ of their own funds to establish trust
  • On April 1, 2026, they executed 31 withdrawals in approximately 10 seconds using durable nonce pre-signed transactions — draining $285 million
  • The attack exploited Drift's zero-timelock 2/5 multisig by tricking signers into pre-approving a fictitious CarbonVote Token used as fraudulent collateral
  • This is the largest DeFi hack of 2026 and the latest in North Korea's $2 billion+ annual cryptocurrency theft operation
Severity: 🔴 CRITICAL
CVSS Score: 9.8/10
Exploited: Yes — active
Fix Status: Check required
DeFi platforms, crypto exchanges, Web3 organisations, and fintech companies that engage with external parties, accept third-party vault integrations, or have multisig security council configurations. Any organisation in the cryptocurrency sector is a potential UNC4736 target.

Drift Protocol, a Solana-based decentralised exchange, has published its post-mortem analysis of the April 1, 2026 attack that resulted in the theft of $285 million — the largest DeFi hack recorded in 2026. The cybersecurity and digital security implications reach far beyond the financial loss. Drift attributed the attack with medium confidence to UNC4736, a North Korean state-sponsored threat actor also tracked as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces. The attack was not a technical exploit of a smart contract vulnerability. It was the conclusion of a six-month social engineering operation in which fake identities met real Drift staff face-to-face at industry conferences, built genuine working relationships, and ultimately used that trust to gain the access needed to drain everything in under ten seconds.


Affected products

  • Drift Protocol — Solana-based decentralised exchange, $285 million drained April 1, 2026
  • Drift's zero-timelock 2/5 multisig Security Council configuration — exploited via pre-signed durable nonce transactions
  • Borrow/lend functionalities, vault deposits, and trading funds — all impacted
  • Stolen assets converted primarily to USDC and ETH, laundered through Solana DEX and bridged to Ethereum

How to Fix

Step-by-step remediation

  1. Audit all third-party integrations and ecosystem vault relationships immediately — verify the real-world identity of every counterparty through independent channels, not just the channels they provided to you
  2. Review your multisig configuration for zero-timelock settings — if your Security Council operates without withdrawal delays, add a timelock of at least 24 to 72 hours so anomalous transactions can be detected and cancelled before execution
  3. Implement independent verification for all pre-signed transactions — durable nonce attacks rely on signers approving transactions without fully understanding what they are signing. Require a secondary review process for all multisig approvals involving large or unusual asset movements
  4. Establish a formal counterparty due diligence process — verify employment histories and professional credentials through independent sources before any vault integration or large-scale engagement. Do not rely solely on information the counterparty provides about themselves
  5. Brief your team on in-person social engineering — UNC4736 specifically deployed real people to meet Drift staff face-to-face. Physical presence and personal rapport are now part of the DPRK attack toolkit. Meeting someone in person is no longer sufficient trust verification for a financial integration
  6. Monitor for Contagious Interview campaign indicators — UNC4736 used VSCode and Cursor editor vulnerabilities and file-sharing techniques to compromise credentials. Ensure all developer tools are patched and that team members do not open files or repositories from counterparties without sandbox isolation
  7. Flag your stolen asset addresses with centralised exchanges, bridges, and law enforcement immediately following any suspected compromise — speed of response in the first hours is critical to freezing laundered funds before they clear

What happened

The Drift attack represents a new high-water mark for the cybersecurity threat posed by North Korean state-sponsored cryptocurrency theft — not because of the technical sophistication of the final exploit, but because of the human intelligence operation that enabled it. The preparation began in the fall of 2025 when a group of individuals — not North Korean nationals but third-party intermediaries specifically deployed by UNC4736 for face-to-face relationship building — made initial contact with Drift contributors. These individuals were technically fluent, possessed verifiable professional backgrounds including employment histories and public-facing credentials built to withstand due diligence scrutiny, and were deeply familiar with how Drift operated. A Telegram group was established after the first meeting. Over the following months, the group engaged in substantive conversations about trading strategies and potential vault integrations — the kind of normal, professional dialogue that crypto organisations have with trading counterparties every day. They attended multiple industry conferences across different countries and met Drift staff in person repeatedly. They deposited more than $1 million of their own funds on Drift to establish credibility as real market participants.

Real-World Impact

Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift — a step that required them to engage with multiple contributors and ask detailed, informed product questions. Integration discussions continued through February and March 2026. By the time the attack executed, these were not strangers. They were people Drift participants had worked with and met in person across six months. Throughout this period, the group routinely shared files, links, and purported project resources — the exact delivery mechanism that ultimately led to credential compromise, though the precise point of initial infection has not been confirmed.

Technical Details

The technical execution centred on manipulating Drift's multisig security model. On March 27, 2026, Drift migrated its Security Council to a zero-timelock 2/5 multisig configuration, removing the withdrawal delay that would otherwise provide a detection window. The attackers had already prepared for this. They tricked signers into pre-signing approvals for a fictitious token called CarbonVote Token (CVT), which had been minted with seeded liquidity and wash-traded through Drift's oracles to appear as a legitimate asset. By treating CVT as collateral, the attackers enabled rapid withdrawals of real assets. Using durable nonce accounts — a Solana mechanism that allows transactions to be pre-signed and executed later — they staged the entire attack without triggering real-time detection. On April 1, 2026, they executed 31 withdrawals in approximately 10 to 12 minutes, with the major vaults emptied in a 10-second window. Assets were immediately converted to USDC and ETH and laundered through Solana DEX, then bridged to Ethereum using patterns consistent with previous DPRK-linked hacks including the $53 million Radiant Capital hack of October 2024. On-chain fund flows from the Drift attack trace back to the same Radiant Capital attackers, confirming UNC4736's involvement.
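A pre-cosign review check of the kind the remediation steps 2 and 3 above call for, applied to the durable-nonce staging just described; this is an added example, not Drift's code or anything from its post-mortem. The simplified instruction dicts, the Drift program id placeholder, the USD threshold and the collateral allowlist are assumptions; the one Solana rule it relies on is that a durable-nonce transaction begins with the System Program's AdvanceNonceAccount instruction.

```python
"""Pre-cosign review for multisig approvals (constructed example, not Drift's code).
A pending transaction is a simplified dict listing its instructions in order. On
Solana a durable-nonce transaction must begin with the System Program's
AdvanceNonceAccount instruction, so that is the marker reviewed here."""

SYSTEM_PROGRAM = "11111111111111111111111111111111"  # Solana System Program id
DRIFT_PROGRAM = "DRIFT_PROGRAM_ID_PLACEHOLDER"       # placeholder, not the real id
MIN_TIMELOCK_SECONDS = 24 * 3600                     # floor from the remediation steps
LARGE_WITHDRAWAL_USD = 1_000_000                     # assumed review threshold
APPROVED_COLLATERAL = {"USDC", "SOL", "ETH"}         # assumed collateral allowlist


def is_durable_nonce_tx(tx: dict) -> bool:
    """Durable-nonce transactions always start with AdvanceNonceAccount."""
    ixs = tx["instructions"]
    return bool(ixs) and ixs[0]["program"] == SYSTEM_PROGRAM \
        and ixs[0]["name"] == "AdvanceNonceAccount"


def review_transaction(tx: dict, multisig: dict) -> list:
    """Return every reason a signer should hold this approval for secondary review."""
    findings = []
    if multisig["timelock_seconds"] < MIN_TIMELOCK_SECONDS:
        findings.append("timelock below 24h: nothing can be cancelled after cosigning")
    if is_durable_nonce_tx(tx):
        findings.append("durable nonce: execution deferred to a time the submitter chooses")
    for ix in tx["instructions"]:
        if ix["name"] == "Withdraw" and ix.get("usd_value", 0) >= LARGE_WITHDRAWAL_USD:
            findings.append(f"large withdrawal ${ix['usd_value']:,} from {ix['vault']}")
        if ix["name"] == "EnableCollateral" and ix.get("asset") not in APPROVED_COLLATERAL:
            findings.append(f"collateral {ix['asset']} is not on the approved list")
    return findings


# Constructed sample data: a zero-timelock 2/5 council and two pending approvals.
SAMPLE_MULTISIG = {"threshold": 2, "signers": 5, "timelock_seconds": 0}
SAFE_MULTISIG = {"threshold": 2, "signers": 5, "timelock_seconds": 72 * 3600}
ROUTINE_TX = {"id": "tx-routine", "instructions": [
    {"program": DRIFT_PROGRAM, "name": "UpdateOracle", "asset": "SOL"}]}
STAGED_TX = {"id": "tx-staged", "instructions": [
    {"program": SYSTEM_PROGRAM, "name": "AdvanceNonceAccount"},
    {"program": DRIFT_PROGRAM, "name": "EnableCollateral", "asset": "CVT"},
    {"program": DRIFT_PROGRAM, "name": "Withdraw", "vault": "main-vault", "usd_value": 40_000_000}]}

if __name__ == "__main__":
    for tx in (ROUTINE_TX, STAGED_TX):
        print(tx["id"], review_transaction(tx, SAMPLE_MULTISIG))
```

Against the constructed zero-timelock council, the staged transaction produces four findings (timelock, durable nonce, unapproved collateral, large withdrawal) while the routine one produces only the timelock finding, which disappears once a 72-hour delay is configured.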

🛡️ Prevention Tips

The Drift hack is the definitive case study for why technical security controls alone cannot protect against state-sponsored social engineering at this level of sophistication. The multisig existed. The due diligence process existed. The counterparties passed scrutiny. The attack succeeded anyway because the relationship itself was the exploit. The computer security lesson is that trust must be earned through independent verification, not through the relationship the counterparty builds with you. For crypto organisations and DeFi platforms specifically — every external integration, vault partnership, and counterparty relationship should be treated as a potential social engineering vector regardless of how long it has been active or how well you think you know the people involved. Timelock configurations on multisig security councils are not optional for high-value protocols. A 24 to 72 hour withdrawal delay provides a critical detection window that zero-timelock configurations eliminate entirely. The data security recommendation for developer teams is equally direct — do not open files, repositories, or links from external counterparties without sandbox isolation, regardless of how trusted the relationship appears.


FAQs

What is a durable nonce attack and how was it used against Drift?

A durable nonce is a Solana mechanism that allows transactions to be pre-signed and stored for later execution — normally used for legitimate purposes like offline transaction signing. UNC4736 exploited this by getting Drift's multisig signers to pre-approve transactions they believed were for a legitimate token (CVT) — which were actually designed to drain real assets when executed. The "durable" nature meant the attack could be staged weeks in advance and triggered instantly on April 1.


Why couldn't Drift detect the attack before the funds were drained?

The zero-timelock 2/5 multisig configuration Drift migrated to on March 27, 2026 removed the withdrawal delay that would normally provide a detection window. Combined with pre-signed durable nonce transactions that could execute instantly, the entire drain happened in approximately 10 seconds — too fast for any real-time monitoring system to intervene.


How did North Korean actors pass in-person due diligence checks?

UNC4736 deployed third-party intermediaries — not North Korean nationals — with fully constructed false identities including employment histories, professional networks, and public-facing credentials built to withstand scrutiny. These individuals attended real industry conferences, held months of substantive professional conversations, and deposited over $1 million of real funds on Drift. The identities were described as able to withstand normal business counterparty verification.


Is this connected to other North Korean crypto hacks?

Yes. On-chain fund flows from the Drift attack trace back to the same wallet infrastructure used by the Radiant Capital attackers in October 2024 — a $53 million hack also attributed to UNC4736. The same group is linked to the 3CX and X_TRADER supply chain breaches in 2023. North Korea's overall cryptocurrency theft operation netted a record $2 billion in 2025.


What should DeFi platforms do differently after this attack?

Three immediate changes — add a minimum 24-hour timelock to all multisig Security Council configurations, implement mandatory independent identity verification for all external vault integrations through channels the counterparty did not provide, and establish a formal review process requiring secondary approval for all large pre-signed transactions before they are cosigned.

