Guavy AI Editorial Team

North Korean State Actors Linked to $270M DeFi Hack Exposed

A recent cyberattack on Drift Protocol has exposed the vulnerabilities of the decentralized finance (DeFi) ecosystem. The $270 million hack has been tied to a six-month infiltration campaign by North Korea-linked actors.

The attackers, allegedly tied to UNC4736, a group associated with North Korean cyber operations, began building trust within the community in fall 2025. They posed as legitimate quantitative trading firms and embedded themselves within the ecosystem through fake relationships, capital commitments, and face-to-face interactions.

This sophisticated social-engineering-driven exploit highlights weaknesses in multisig-based security models. The attackers gained access to contributor devices using a malicious TestFlight application and exploited a known vulnerability in development environments like VSCode and Cursor.