I just read the detailed report Drift published about the $270 million exploit, and frankly, it’s unsettling. We’re not talking about a conventional attack, but about a state intelligence operation that lasted almost six months.
The way everything unfolded is what draws my attention the most. According to Drift’s analysis, a group affiliated with the North Korean state presented itself at an important cryptocurrency conference around the fall of 2025 as a quantitative trading firm. This was not improvised. They had verifiable professional credentials, legitimate technical knowledge about how the protocol worked, and they knew exactly how to integrate into DeFi ecosystems.

In the months that followed, between December 2025 and January, the group set up an Ecosystem Vault on Drift, held working sessions with collaborators, deposited more than one million dollars of their own capital, and positioned themselves as legitimate actors. They even met in person with the Drift team at multiple international conferences in February and March. By the time they carried out the attack on April 1, they had been building this presence for nearly half a year.

The technical infiltration was sophisticated. They compromised devices through two main vectors. First, they distributed a fake app through TestFlight, Apple's beta-distribution platform, which bypasses App Store security review. Second, they took advantage of a known vulnerability in VSCode and Cursor that the security community had been reporting since the end of 2025: simply opening a file in these editors allowed arbitrary code execution without any warning.

Once they were inside, they obtained what they needed to secure the two multisig approvals. The pre-signed transactions remained dormant for more than a week before being executed on April 1, draining $270 million from the protocol's deposits in less than a minute.

Investigators attributed the attack to UNC4736, also known as AppleJeus or Citrine Sleet, based on on-chain fund flows and operational overlap with actors linked to North Korea. Although the individuals who presented themselves at the conferences were not North Korean citizens, it is standard practice for threat actors at that level to use intermediaries with fully constructed identities and work histories designed to pass due diligence checks.

What Drift is highlighting is uncomfortable for the entire industry. If the attackers are willing to invest six months, one million dollars, and patience to build a legitimate presence within an ecosystem, what security model is actually designed to detect that? Protocols rely on multisig as their primary defense, but this operation exposes deep weaknesses in that model when facing state-sponsored adversaries with unlimited resources.

Drift is urging other protocols to audit access controls and treat every device that interacts with a multisig as a potential target. It’s a reminder that in DeFi, trust remains the most effective attack vector, even when you try to remove it from the equation.