A hacking group believed to be affiliated with North Korea has been revealed to have stolen $270 million from the cryptocurrency exchange Drift in an operation lasting more than six months, using an extremely elaborate method that included face-to-face meetings and depositing over $1 million of the attackers' own funds.

Decentralized exchange Drift was attacked, and it has been revealed that at least $270 million (approximately 43 billion yen) worth of cryptocurrency was stolen. The attackers are said to have been carrying out an elaborate plan for more than six months.

'We Are Ready to Speak': Drift Beckons North Korea-Linked Hackers Following $285M Exploit - Decrypt
https://decrypt.co/363260/we-are-ready-to-speak-drift-beckons-north-korea-linked-hackers-following-285m-exploit

Drift Protocol Warns of Potential Cybersecurity Exploit
https://cointelegraph.com/news/drift-protocol-pause-deposit-unusual-activity

The attack is believed to have been carried out by a hacker group known by names such as 'UNC4736' and 'AppleJeus.' This group is thought to be state-sponsored by North Korea and is also believed to be responsible for the 2024 attack on investment firm Radiant Capital.

In the fall of 2025, while the developers of Drift were attending a large cryptocurrency conference, they were contacted by a trading company interested in collaborating with Drift. The company's employees were technically proficient, had solid work experience, and were well-versed in how Drift operates. A Telegram group was created at their first meeting, and discussions began about the possibility of integrating trading strategies and development tools.

Between December 2025 and January 2026, the individuals claiming to represent the trading company pushed for the integration of Vault, a cryptocurrency storage service, on Drift, and deposited over $1 million (approximately 16 billion yen) of their own funds. Discussions about the integration continued, and Drift developers met the trading company's representatives in person, maintaining the relationship. A collaborative relationship was built up over a total of six months.

However, on April 1, 2026, a large amount of cryptocurrency was stolen from Drift. Investigations revealed that the intrusion most likely came through the trading company in question. Suspiciously, immediately after the attack, the Telegram chat group with the trading company and the software the trading company had provided were completely deleted.

The investigation concluded that one of the causes was that Drift's developers had cloned a repository shared by the trading company, on the pretext of deploying the system. This may have exploited known vulnerabilities in VS Code and Cursor that allow arbitrary code to run silently as soon as a file, folder, or repository is opened in the editor, with no notification, warning, click, or permission dialog shown to the user.
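As an added defensive example (not code from the article, from Drift, or from the editors' vendors), the following Python script triages a freshly cloned repository for configuration that VS Code-family editors act on simply because the folder was opened: folderOpen tasks, dev-container lifecycle hooks, and workspace settings that override which binaries the editor launches. The key names are real VS Code and Dev Containers settings; the sample repository it builds is constructed for the demonstration.

```python
import json
import tempfile
from pathlib import Path

# Real VS Code / Dev Containers keys that cause work to run, or change which
# binary the editor launches, as a side effect of opening the folder.
AUTO_RUN_CHECKS = {
    ".vscode/tasks.json": lambda d: [
        f"task {t.get('label', '?')!r} runs on folderOpen"
        for t in d.get("tasks", [])
        if t.get("runOptions", {}).get("runOn") == "folderOpen"],
    ".devcontainer/devcontainer.json": lambda d: [
        f"devcontainer lifecycle hook {k}"
        for k in ("initializeCommand", "onCreateCommand", "postCreateCommand",
                  "postStartCommand", "postAttachCommand") if k in d],
    ".vscode/settings.json": lambda d: [
        f"workspace setting {k} overrides an executable path"
        for k in d if k in ("git.path", "python.defaultInterpreterPath")
        or k.startswith("terminal.integrated.")],
}

def scan_repo(repo: str) -> list[str]:
    """Return findings for on-open execution config in a cloned repo."""
    findings = []
    for rel, check in AUTO_RUN_CHECKS.items():
        path = Path(repo) / rel
        if not path.is_file():
            continue
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            data = None
        if not isinstance(data, dict):  # JSONC comments etc.: do not guess
            findings.append(f"{rel}: unparseable, inspect manually")
            continue
        findings.extend(f"{rel}: {m}" for m in check(data))
    return findings

def build_sample_repo() -> str:
    """Constructed sample of a 'shared' repo; not taken from the incident."""
    repo = tempfile.mkdtemp()
    (Path(repo) / ".vscode").mkdir()
    (Path(repo) / ".vscode" / "tasks.json").write_text(json.dumps({
        "version": "2.0.0",
        "tasks": [{"label": "setup", "type": "shell", "command": "./setup.sh",
                   "runOptions": {"runOn": "folderOpen"}}]}))
    (Path(repo) / ".vscode" / "settings.json").write_text(
        json.dumps({"git.path": "./tools/git", "editor.tabSize": 2}))
    return repo
```

Running `scan_repo(build_sample_repo())` reports the folderOpen task and the `git.path` override; opening unknown folders only in the editor's Restricted Mode (Workspace Trust) remains the editor-side control, and this check is a pre-open triage step, not a replacement for it.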

Furthermore, it has been discovered that another developer installed, via TestFlight, an app that the trading company presented as a wallet product. TestFlight is a platform for distributing pre-release versions of apps without undergoing security review by the App Store.

Drift stated, 'It has been discovered that the attackers deliberately sought out specific Drift developers at major conferences held in multiple countries and continued to make face-to-face contact with them. The individuals who appeared in person were third parties who were not North Korean nationals. The attackers' work history, qualifications, and professional network were perfectly constructed, and it appears they spent several months building their profile.'

Drift says it wants to talk to the attackers, but experts say that 'if North Korea is really behind it, it will be difficult to expect the funds to be returned.' A lawyer, meanwhile, believes that 'this could have been prevented if Drift had followed standard security procedures, and it may constitute civil negligence.'

The price of the 'DRIFT' token issued by Drift fell by approximately 18% following news of the attack.

in Security, Posted by log1p_kr