Drift Protocol Exploit: Why “Social Trust” Is the Newest Cybersecurity Gap
What You Need to Know
Key takeaway #1
Threat actors are no longer just looking for software bugs; they are spending months building fake identities to “befriend” organizations and conduct corporate espionage.
Key takeaway #2
The Drift incident reflects a familiar Democratic People’s Republic of Korea (DPRK) playbook with an in-person twist: identity deception, relationship-building, privileged access, and rapid monetization ― the same methods central to North Korea’s remote IT worker schemes.
Key takeaway #3
Where a small group of individuals can authorize consequential financial or administrative actions, social engineering and insider-enabled compromise present significant legal, compliance, and operational risk. High-risk approvals, access governance, and hiring controls should be treated as core security measures.
Client Alert | 5 min read | 04.27.26
The recent $285 million theft from Drift Protocol is a high-stakes reminder that the human element remains one of the biggest cybersecurity gaps in any organization. This was not a “hack” in the traditional sense of breaking into a digital wallet. North Korean actors used sustained social engineering to exploit human trust, and the incident turns what looks like a purely technical “hacking” risk into concrete lessons for cybersecurity oversight.
Background
On April 1, 2026, Drift Protocol, a decentralized perpetual futures exchange on the Solana blockchain, suffered a security incident resulting in the theft of approximately $285 million in digital assets. Drift subsequently attributed the operation to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet.
Mandiant previously attributed the October 2024 Radiant Capital hack to UNC4736 ― in which threat actors stole approximately $50 million using a similar social engineering approach, posing as a known contact and delivering malware through a file shared via a messaging platform.
What Makes the Drift Exploit Unique
The Drift attack combined a sustained social engineering campaign with technical exploitation. The threat actors began cultivating in-person relationships with Drift personnel in fall 2025, presenting themselves as a legitimate quantitative trading firm. Over the following months, they attended major industry conferences in person, participated in working sessions, helped fix minor issues, and deposited over $1 million of their own capital into the platform ― building the kind of trust that makes their eventual requests appear routine.
The technical compromise was equally deliberate and unfolded in three stages:
Stage 1 - Device and credential compromise. The threat actors exploited a vulnerability to execute malicious code on a target device, distributing that code through a legitimate app store, and thereby obtained a foothold and credentials.
Stage 2 - Obtaining administrative control. The threat actors abused Solana's “durable nonces” feature. A standard Solana transaction references a recent blockhash and expires after roughly 60 to 90 seconds; a durable-nonce transaction instead references a value stored in an on-chain nonce account, so it can be signed in advance and submitted at any later time, remaining valid until that nonce is advanced. Drift's protocol was governed by a “Security Council,” a small group of trusted individuals (five in Drift's case) who held signing privileges, and any privileged action required approval by at least two of them. Using social engineering, the threat actors induced two members to unwittingly pre-sign durable-nonce transactions transferring administrative control of the platform, which the actors could then submit at a time of their choosing.
Stage 3 - Draining funds. With administrative control obtained, the threat actors listed a fake token as collateral, artificially inflated its value through wash trading, and used that manufactured position to withdraw substantial quantities of legitimate tokens. Because Drift's administrative actions executed instantly, with no delay during which the change could be reviewed or halted, there was no emergency brake once the drain began; the drain itself took minutes, with laundering operations continuing for several hours afterward. Stolen assets were rapidly converted into stablecoins, bridged across blockchain networks, and reconverted into more liquid assets. At least 20 other protocols reported disruptions or losses as a result.
Familiar Pattern of DPRK Actors
The Drift incident fits within a sustained pattern of North Korea-linked financial crime. As described in our earlier client alert, DPRK nationals frequently pose as IT professionals to infiltrate U.S. companies as remote workers, including in the digital assets sector, sometimes using deepfake technology. The underlying methods are strikingly similar in both contexts: sustained efforts to appear legitimate, deceptive identities, trust-building over time, access acquisition, and rapid monetization. The U.S. Department of Justice (DOJ) has made this convergence explicit in prior enforcement actions, noting that North Korean remote IT workers have used insider access to steal funds, exfiltrate proprietary information, or extort victim organizations.
According to Drift, the individuals who appeared in person at industry conferences leading up to the Drift exploit did not have the hallmarks of North Korean operatives. DPRK-linked operations at this level of sophistication routinely deploy third-party intermediaries with fully constructed professional identities, employment histories, and public-facing credentials, usually fictitious, designed to withstand due diligence.
U.S. authorities have publicly attributed billions of dollars in cryptocurrency theft to North Korean actors, with proceeds assessed to support the regime's missile and nuclear weapons programs. The U.S. Department of the Treasury’s Office of Foreign Assets Control’s (OFAC) March 2026 sanctions announcement further described North Korea’s remote IT worker schemes as a meaningful source of revenue for those programs. The same tactics are being applied across technology and other sectors that rely on remote workers, contractors, or lean approval structures.
Potential Mitigation Measures
The Drift incident is a reminder for companies across sectors to remain vigilant against both remote IT worker scams and in-person social engineering. Companies should consider the following:
- Treat high-risk approvals as a security control. Ensure personnel responsible for significant financial or administrative actions have complete, independently verified information about what they are authorizing before acting. For blockchain signers this means decoding the exact transaction being signed rather than relying on a counterparty's description of it, and treating any request to pre-sign a transaction for later use as a red flag. Approval processes that depend primarily on familiarity or trust are vulnerable to the kind of manipulation that impacted Drift.
- Implement mandatory “cooling-off” periods. Where possible, prevent major financial or administrative events from executing instantly, for example with timelocks or circuit breakers. A mandatory 24-, 48-, or 72-hour delay between approval and execution gives security teams time to review and, if necessary, halt suspicious activity; the delay only helps if someone is actually monitoring the queue of pending actions.
- Reassess privileged access and concentration risk. Identify where a small number of approvals can produce outsized consequences. Assess low-threshold quorums for social engineering risk and consider multi-signature (multisig) or multiple-approver thresholds that require a majority of signers (e.g., 3 of 5, 4 of 7), so that compromising two individuals is not enough. A higher threshold raises the attacker's cost but does not replace signer verification: each signer must still understand exactly what they are signing.
- Treat hiring and contractor onboarding as part of the security perimeter. HR and security functions should work cooperatively and avoid operating in silos. Implement robust identity verification at onboarding and maintain it throughout the engagement, treating behavioral red flags as escalation triggers. New York Department of Financial Services (NYDFS) guidance, which applies to certain major banks, FinTechs, and crypto companies, recommends requiring video verification during hiring to help guard against identity concealment and deepfake risk.
- Apply zero-trust contributor vetting. Treat every external contributor — regardless of tenure or how they were introduced — with a zero-trust mindset. Code reviews and transaction audits should be performed by security teams or independent third parties.
- Integrate legal, compliance, security, and incident response functions. Pre-establish escalation paths and coordinated response protocols. Pre-emptively work with experienced cybersecurity counsel to conduct tabletops and be prepared to quickly activate counsel, incident response firms, and PR firms in the event of an incident.
- Evaluate sanctions exposure proactively. Assess whether screening and monitoring procedures are calibrated to the risk of inadvertently handling proceeds linked to sanctioned actors. Consider counsel with deep law enforcement contacts at the Federal Bureau of Investigation (FBI), DOJ, and other agencies who can quickly issue freeze letters or obtain seizure orders to prevent further asset dissipation.
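The following is an added example written for this alert, not Drift's or Solana's code, to make Stage 2 and the cooling-off and quorum recommendations above concrete. It is a simplified Python model of two Solana validity rules (a standard transaction expires once its recent blockhash leaves the window of roughly 150 recent blockhashes; a durable-nonce transaction stays valid until its nonce account is advanced, which happens when the transaction lands) combined with a Security Council that has a configurable signing threshold and execution delay. The class and function names, the five members A through E, the 400 ms slot assumption, and the one-day gap between signing and submission are all assumptions of the example. It runs the same pre-signed admin transfer through several configurations: 2-of-5 with instant execution (the incident), the same transaction without a durable nonce, 3-of-5 with a 48-hour delay, and 3-of-5 with a delay but no one monitoring the queue.

```python
"""Simplified model of Solana transaction expiry and a multisig council.
Added example for illustration only; not Drift's or Solana's code."""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field
import hashlib

BLOCKHASH_WINDOW = 150       # Solana keeps ~150 recent blockhashes (~60-90 s)
SLOTS_PER_HOUR = 9_000       # assumption: ~400 ms per slot, used only for delays


def blockhash(slot: int) -> str:
    return hashlib.sha256(f"slot-{slot}".encode()).hexdigest()[:16]


class Cluster:
    """Minimal chain state: current slot and the sliding window of valid blockhashes."""
    def __init__(self) -> None:
        self.slot = 0
        self.recent = deque([blockhash(0)], maxlen=BLOCKHASH_WINDOW)

    def advance(self, slots: int) -> None:
        target = self.slot + slots
        # only hashes that will still be inside the window need computing
        for s in range(max(self.slot + 1, target - BLOCKHASH_WINDOW + 1), target + 1):
            self.recent.append(blockhash(s))
        self.slot = target

    @property
    def latest(self) -> str:
        return self.recent[-1]


@dataclass
class NonceAccount:
    nonce: str   # stored blockhash; stays valid until a landed tx advances it


@dataclass
class Tx:
    new_admin: str                              # the privileged action being signed
    recent_blockhash: str
    signers: frozenset[str]
    nonce_account: NonceAccount | None = None   # set => durable-nonce transaction


@dataclass
class Council:
    members: frozenset[str]
    threshold: int               # signatures required (2 of 5 in the incident)
    execute_delay: int = 0       # slots between approval and execution (0 = instant)
    admin: str = "protocol-dao"
    queue: list = field(default_factory=list)   # (ready_slot, tx) awaiting execution


def check_validity(cluster: Cluster, tx: Tx) -> str:
    """Durable-nonce txs are valid while the nonce matches; others expire with the window."""
    if tx.nonce_account is not None:
        return "ok" if tx.recent_blockhash == tx.nonce_account.nonce else "rejected: nonce advanced"
    return "ok" if tx.recent_blockhash in cluster.recent else "rejected: blockhash expired"


def submit(cluster: Cluster, council: Council, tx: Tx) -> str:
    verdict = check_validity(cluster, tx)
    if verdict != "ok":
        return verdict
    have = len(tx.signers & council.members)
    if have < council.threshold:
        return f"rejected: {have} of {council.threshold} signatures"
    if tx.nonce_account is not None:        # landing the tx advances the nonce: no replay
        tx.nonce_account.nonce = cluster.latest
    if council.execute_delay == 0:
        council.admin = tx.new_admin
        return "executed"
    council.queue.append((cluster.slot + council.execute_delay, tx))
    return "queued"


def cancel(council: Council, tx: Tx) -> None:
    """A guardian or security team watching the queue pulls a pending action."""
    council.queue = [(s, t) for s, t in council.queue if t is not tx]


def run_queue(cluster: Cluster, council: Council) -> int:
    """Execute every queued action whose delay has elapsed; returns how many ran."""
    ready = [(s, t) for s, t in council.queue if s <= cluster.slot]
    for _, t in ready:
        council.admin = t.new_admin
    council.queue = [(s, t) for s, t in council.queue if s > cluster.slot]
    return len(ready)


def scenario(threshold: int, delay_hours: int, durable: bool,
             signers: str = "AB", guardian_cancels: bool = True) -> dict:
    """Council members pre-sign an admin transfer; the attacker submits it a day later."""
    cluster = Cluster()
    council = Council(frozenset("ABCDE"), threshold, delay_hours * SLOTS_PER_HOUR)
    nonce = NonceAccount(nonce=cluster.latest) if durable else None
    tx = Tx("attacker", cluster.latest, frozenset(signers), nonce)
    cluster.advance(24 * SLOTS_PER_HOUR)            # one day passes before submission
    out = {"submit": submit(cluster, council, tx)}
    if guardian_cancels:
        cancel(council, tx)                           # reaction inside the delay window
    cluster.advance(council.execute_delay + 1)
    out["executed_later"] = run_queue(cluster, council)
    out["admin"] = council.admin
    out["replay"] = submit(cluster, council, tx)
    return out


if __name__ == "__main__":
    for cfg in [(2, 0, True), (2, 0, False), (3, 48, True), (3, 48, True, "ABC"),
                (3, 48, True, "ABC", False)]:
        print(cfg, scenario(*cfg))
```

The model shows why the durable nonce mattered: the identical pre-signed transaction is rejected as expired under normal blockhash rules but lands a day later under a nonce. It also shows that a higher threshold stops the two-signer compromise, that a delay only blocks the transfer when someone cancels it, and that once a durable-nonce transaction has landed it cannot be replayed because the nonce has advanced.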
How Crowell Can Help
Crowell offers market-leading cybersecurity, white-collar investigations, digital assets, and economic sanctions experience to assist clients in navigating the legal, regulatory, and operational issues raised by cybersecurity incidents, hacks, thefts, insider risk, and the broader North Korean cyber and remote IT worker threat landscape.
Our team routinely counsels clients on DPRK-related sanctions and enforcement risk, digital asset regulatory compliance, cybersecurity incident response, privileged internal investigations, and governance and insider risk mitigation.
Please contact any of the authors of this alert if you are interested in understanding the risks facing industry, potential assessments of exposure, or assistance on tabletops or incident response.