AppleJeus Goes Long: How North Korea Dated Drift Protocol for Six Months Before the $285M Breakup
Solana-based decentralized exchange Drift Protocol revealed on Sunday that the attack draining roughly $285 million from the platform was a structured six-month intelligence operation by a North Korean state-affiliated threat group. In what can only be described as the most committed pump-and-dump scheme in history, the DPRK decided to skip the meme coin rug pull entirely and go straight for the real estate—the protocol itself.
The attackers used fabricated professional identities, in-person conference meetings, and malicious developer tools to compromise contributors before executing the drain, the protocol said in a detailed incident update. Forget phishing emails from fake princes—this was phishing with PowerPoint decks and business cards.
"Crypto teams are now facing adversaries that operate more like intelligence units than hackers, and most organizations are not structurally prepared for that level of threat," Michael Pearl, VP of Strategy at blockchain security firm Cyvers, told Decrypt. Turns out, when your competition has a nuclear program and an unlimited budget for LinkedIn Premium, maybe a Discord moderator with an anime pfp isn't enough to keep the bad actors out.
Drift said the group first approached contributors at a major crypto conference last fall, presenting as a quantitative trading firm seeking to integrate with the protocol. Over months, the group built trust through in-person meetings, Telegram coordination, onboarded an Ecosystem Vault on Drift, and made a $1 million vault deposit of their own capital—only to vanish, with chats and malware "completely scrubbed" when the exploit hit. They didn't just ghost their Telegram chats—they performed a digital vanishing act that would make Houdini weep with joy.
The DEX said the intrusion may have involved a malicious code repository, a fake TestFlight app, and a VSCode/Cursor vulnerability that enabled silent code execution without user interaction. Your IDE is now a threat vector. That feeling when your code editor decides to actually execute your side project—except this time it's not just spaghetti code, it's a backdoor to your entire treasury.
Drift attributed the attack with "medium-high confidence" to UNC4736, also tracked as AppleJeus or Citrine Sleet—the same North Korean state-affiliated group that cybersecurity firm Mandiant linked to 2024's Radiant Capital hack. AppleJeus really said: why steal $50 million when you can go for the $285 million upgrade?
Decentralized finance project Radiant Capital has claimed that groups analyzing its breach earlier this week "believe this was one of the most sophisticated hacks ever recorded in DeFi" and that "many protocols are at risk." Radiant and Web3 auditor Hacken estimated the approximate scale of the theft at $50 million, with USDT, USDC, and ARB tokens stolen. Sophisticated enough to make Bankless hosts actually agree on something—that's saying something.
Multiple pools were fully drained, including USDC, USDT, wbETH, bBTC, wBNB, WETH, WBTC, ARB, and wstETH. If you had a position in any of these, sorry for your losses—maybe the airdrop will hit eventually, right? Right?
Drift noted that the individuals who met contributors in person were not North Korean nationals, pointing out that DPRK-linked actors often rely on third-party intermediaries for "face-to-face engagement." The Kim Jong-un of it all is that they never even had to leave the country. That's some next-level delegation.
Onchain fund flows and overlapping personas point to DPRK-linked actors, according to incident responders SEAL 911, though Mandiant has yet to confirm attribution pending forensics. They're still running the numbers, but the blockchain doesn't lie—at least not this time.
Security researcher @tayvano_, one of the experts credited for assistance in identifying the malicious actors, suggested the exposure extends well beyond this incident. In a tweet, the expert listed dozens of DeFi protocols, alleging that "DPRK IT workers built the protocols you know and love, all the way back to defi summer." Degen summer just got a lot less fun. Imagine finding out that your favorite yield farm was actually a state-sponsored job program the whole time.
"Drift and Bybit highlight the same pattern—signers were not directly compromised at the protocol level, they were tricked into approving malicious transactions," Pearl noted. "The core issue is not the number of signers, but the lack of understanding of transaction intent." The multisig was fine. The humans behind it? Not so much.
He said that multisignature wallets, while an improvement over single-key control, now create a false sense of security, introducing "a paradox" where shared responsibility lowers scrutiny across signers. It's like that one group project where everyone assumes someone else read the instructions—except instead of a bad grade, you lose $285 million.
"Security must shift to pre-transaction validation at the blockchain level, where transactions are independently simulated and verified before execution," Pearl said, adding that once attackers control what users see, the only effective defense is validating what a transaction actually does, regardless of the interface. Stop clicking approve like it's a Tinder match. Actually read what you're signing. Yes, even that one. Especially that one.
On developer tools as an attack surface, Pearl said the assumption has to change from the ground up. "You have to assume the endpoint is compromised," he said, pointing to IDEs, code repositories, mobile apps, and signer environments as increasingly common entry points. "If these foundational tools are vulnerable, anything shown to the user—including transactions—can be manipulated," he noted, calling this a fundamental break in traditional security assumptions that leaves teams unable to trust "the interface, the device, or even the signing flow." Your laptop is now a threat model. Time to go back to pen and paper—or at least a dedicated air-gapped machine for signing. Call it paranoid. Call it "never getting rugged."
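The pre-transaction validation Pearl describes boils down to one check: decode what the transaction actually contains and compare it to what the signer was told, independently of the UI. Below is an added illustration, not code from Drift, Cyvers or Solana, using a deliberately simplified, constructed instruction format (the program and operation names are hypothetical stand-ins, not a real on-chain encoding).

```python
# Added example (not Drift's or Cyvers' code): an intent checker over a
# simplified, constructed transaction format. Program names, operation names
# and addresses are hypothetical stand-ins, not a real on-chain encoding.
from dataclasses import dataclass, field


@dataclass
class Instruction:
    program: str                       # program that will execute this step
    op: str                            # decoded operation name
    args: dict = field(default_factory=dict)


@dataclass
class Intent:
    op: str                            # what the signer was told they approve
    to: str
    amount: int
    allowed_programs: frozenset = frozenset({"token_program"})


def check_intent(instructions, intent):
    """Return findings; an empty list means the decoded transaction does
    exactly what the signer was told it does, and nothing else."""
    findings, matched = [], 0
    for i, ins in enumerate(instructions):
        if ins.program not in intent.allowed_programs:
            findings.append(f"ix{i}: unexpected program {ins.program}")
            continue
        if ins.op != intent.op:
            # authority changes, upgrades, approvals: never part of the stated intent
            findings.append(f"ix{i}: undisclosed operation {ins.op} {ins.args}")
        elif ins.args.get("to") == intent.to and ins.args.get("amount") == intent.amount:
            matched += 1
        else:
            findings.append(f"ix{i}: {ins.op} args differ from stated intent: {ins.args}")
    if matched != 1:
        findings.append(f"expected one {intent.op} matching intent, found {matched}")
    return findings


# Constructed sample: what the signer was shown vs. what the bytes really do
TREASURY = "treasury-hypothetical-address"
STATED = Intent(op="transfer", to=TREASURY, amount=1_000_000)
HONEST_TX = [Instruction("token_program", "transfer", {"to": TREASURY, "amount": 1_000_000})]
TAMPERED_TX = HONEST_TX + [
    Instruction("token_program", "set_authority",
                {"account": "vault", "new_authority": "attacker-hypothetical"}),
]
REDIRECTED_TX = [Instruction("token_program", "transfer",
                             {"to": "attacker-hypothetical", "amount": 1_000_000})]
```

Run against a compromised interface, the honest transaction passes, the tampered one is flagged for the hidden authority change, and the redirected one is flagged because no instruction matches the stated destination.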
Finding the group that stole $285 million from Drift may be a tough task in the real world, but the team behind the Solana-based DEX knew exactly where to find its attackers on-chain. On Friday, Drift said in a post on X that it had sent messages on Ethereum's network to four wallets holding massive amounts of stolen crypto, which several security experts have begun linking to the Democratic People’s Republic of Korea. Sliding into DMs—on-chain. The most honest blockchain interactions might just be between victims and their attackers at this point. At least the messages are immutable.