Guavy AI Editorial Team

North Korean Intelligence Operation Behind $270M Drift Crypto Exploit

A recent crypto exploit on Drift has shed light on the sophistication of state-sponsored cryptocurrency theft operations. According to an incident update from the protocol, the $270 million exploit was executed by UNC4736, a North Korean threat group also known as Citrine Sleet or AppleJeus.

The attackers posed as a quantitative trading firm and gained access to Drift's vaults through two vectors: a TestFlight application and a vulnerability in VSCode and Cursor. They deposited over $1 million of their own capital into an Ecosystem Vault, held working sessions with contributors across multiple countries, and waited nearly half a year before executing the attack.

The operation's scope and duration have significant implications for DeFi security. The standard checklist for smart contract audits is no longer sufficient to protect against adversaries operating on intelligence timelines rather than opportunistic ones.