The story of how North Korean state hackers drained $285 million from Drift Protocol on April Fool's Day 2026 doesn't begin with a line of malicious code. It begins at a crypto conference sometime in the fall of 2025, with a handshake.

That's the detail that makes this the most unsettling DeFi hack of the year and possibly the most sophisticated social engineering operation in crypto history. The attackers, attributed with medium-high confidence to a North Korean state group known as UNC4736 (also called AppleJeus or Citrine Sleet), didn't brute-force their way in. They spent six months building genuine human relationships inside Drift's team.

The playbook was meticulous. Posing as a legitimate quantitative trading firm, they approached Drift contributors at multiple major industry conferences in different countries throughout late 2025 and early 2026. They were technically fluent. They asked smart questions about trading strategies and protocol architecture. They deposited over $1 million of their own money to establish credibility. A Telegram group was set up, meetings happened in person, and over months of substantive conversations they became, from Drift's perspective, trusted working partners.

Then came the quiet infection. Investigators identified two likely attack vectors. One contributor may have cloned a malicious code repository the group shared, disguised as a frontend tool for their vault. Another was reportedly tricked into downloading a wallet app through Apple's TestFlight, the same tool that, ironically, was also used this week to pull Bitchat from China. In the repository case, simply opening a file in the cloned folder in VS Code was enough to silently execute code and give the attackers remote access. No warning. No prompt. Just a compromised device.
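The post does not say which VS Code feature ran code when the folder was opened. One documented auto-run surface is a workspace task with "runOptions": {"runOn": "folderOpen"} in .vscode/tasks.json, which is exactly what VS Code's Workspace Trust prompt exists to gate: in a folder the user has trusted (or with trust disabled), the task runs on open with no further prompt. The script below is an added example, not code from this post, from Drift or from the investigators. It is a pre-open check a contributor can run against a freshly cloned repository before trusting it in the editor: it parses the JSONC config files VS Code honours, flags folder-open tasks and workspace settings that redirect execution (shell, terminal profile, interpreter, git binary, trust settings), and reports config that will not even parse. The sample "vault-frontend" repository it builds, its bootstrap.sh path and the list of flagged setting prefixes are assumptions constructed for the demonstration.

```python
"""Pre-open scanner for VS Code workspace config in a cloned repository.

Added example (not the original post's or Drift's code). Targets the documented
auto-run surface: tasks with "runOn": "folderOpen", plus settings that change
what binary runs or where. The attackers' exact mechanism is an assumption here.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumption: workspace settings worth a human look before trusting the folder,
# because they change what gets executed (shell, interpreter, git) or weaken trust.
SUSPICIOUS_SETTING_PREFIXES = (
    "terminal.integrated.shell",
    "terminal.integrated.shellArgs",
    "terminal.integrated.profiles",
    "terminal.integrated.defaultProfile",
    "terminal.integrated.env",
    "python.defaultInterpreterPath",
    "git.path",
    "security.workspace.trust",
)


def load_jsonc(path: Path) -> dict:
    """VS Code config files are JSONC: strip comments and trailing commas first."""
    text = path.read_text(encoding="utf-8", errors="replace")
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)        # block comments
    text = re.sub(r"(?m)(^|\s)//[^\n]*", r"\1", text)         # line comments, keeps "://"
    text = re.sub(r",\s*([}\]])", r"\1", text)                # trailing commas
    return json.loads(text)


def check_tasks(doc: dict, source: str) -> List[Dict[str, str]]:
    """Flag every task VS Code would start automatically when the folder opens."""
    findings = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            cmd = f"{task.get('command', '')} {' '.join(task.get('args', []))}".strip()
            findings.append({"file": source, "kind": "auto_run_task",
                             "detail": f"{task.get('label', '<unnamed>')}: {cmd}"})
    return findings


def check_settings(doc: dict, source: str) -> List[Dict[str, str]]:
    """Flag workspace settings that redirect execution or touch trust."""
    return [{"file": source, "kind": "suspicious_setting", "detail": f"{k} = {v!r}"}
            for k, v in doc.items() if k.startswith(SUSPICIOUS_SETTING_PREFIXES)]


def scan_repo(root: Path) -> List[Dict[str, str]]:
    """Walk a checkout and report config that could run code on folder open."""
    findings: List[Dict[str, str]] = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        try:
            if path.parent.name == ".vscode" and path.name == "tasks.json":
                findings += check_tasks(load_jsonc(path), rel)
            elif path.parent.name == ".vscode" and path.name == "settings.json":
                findings += check_settings(load_jsonc(path), rel)
            elif path.suffix == ".code-workspace":          # multi-root workspace file
                doc = load_jsonc(path)
                findings += check_tasks(doc.get("tasks", {}), rel)
                findings += check_settings(doc.get("settings", {}), rel)
        except (ValueError, OSError) as exc:
            # Config that will not parse is still config the editor may try to honour.
            findings.append({"file": rel, "kind": "unparseable", "detail": str(exc)})
    return findings


def build_sample_repo(base: Path) -> Path:
    """Constructed fixture: a 'frontend tool' repo with a hidden folder-open task."""
    vscode = base / "vault-frontend" / ".vscode"
    vscode.mkdir(parents=True)
    (vscode / "tasks.json").write_text("""{
      // looks like routine dev tooling
      "version": "2.0.0",
      "tasks": [{
        "label": "install deps",
        "type": "shell",
        "command": "sh",
        "args": ["./scripts/bootstrap.sh"],
        "runOptions": { "runOn": "folderOpen" },
        "presentation": { "reveal": "never" },
      }]
    }""")
    (vscode / "settings.json").write_text(
        '{ "editor.tabSize": 2, "python.defaultInterpreterPath": "./.venv/bin/python3" }')
    return base / "vault-frontend"


def demo() -> List[Dict[str, str]]:
    """Build the constructed repo in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_repo(build_sample_repo(Path(tmp)))


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['kind']}] {f['file']}: {f['detail']}")
```

Run it as `python scan_vscode.py /path/to/clone` after swapping `demo()` for `scan_repo(Path(sys.argv[1]))`; any `auto_run_task` finding means the folder should be opened only in Restricted Mode, or not at all, until the command has been read. The scanner deliberately reports unparseable config rather than skipping it, since a file the editor cannot parse is not a file a reviewer can clear.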

On April 1, using pre-signed multisig transactions that had been sitting dormant for over a week, the attackers executed the drain in roughly 12 minutes. $285 million gone. Most of it was bridged to Ethereum within hours. The DRIFT token collapsed over 40%. The Telegram group and all associated malware were immediately scrubbed. The "trading firm" vanished.

Security experts are blunt about what this means: DeFi's reliance on multisig governance, long considered a gold standard of security, may not be enough when the adversary is willing to spend six months and a million dollars becoming your colleague first. "Crypto teams are now facing adversaries that operate more like intelligence units than hackers," noted one blockchain security firm. It's an uncomfortable reality but one the industry needs to reckon with.

#DriftProtocol #northkorea #DeFiHack #CryptoSecurity