Drift Protocol hack: $285M lost via social engineering and multisig key theft
Drift Protocol reported a major hack on April 1, saying attackers stole private keys through a months-long social engineering operation and triggered about $285M in losses. The protocol used multisignature (multisig) wallets and froze functions after discovery; the compromised wallets were nevertheless removed from the multisig set while Mandiant launched an investigation.
Mandiant links the incident to North Korea state-affiliated actors tracked as UNC4736 (AppleJeus/Citrine Sleet) with “moderate to high confidence,” supported by SEAL 911 findings, operational patterns, and on-chain funding trails tied to the earlier October 2024 Radiant Capital attack. The report also notes that in-person meetings arranged via third-party intermediaries made detection harder for Drift.
Key timeline: initial contact at a major crypto conference in fall 2025, repeated face-to-face meetings across countries for roughly six months, then integration into a Drift ecosystem vault through strategic submissions and work sessions, including over $1M in attacker capital. The exact moment of private-key compromise remains unclear; possible vectors include a malicious cloned repository (“frontend deployment”), a fake TestFlight wallet app, or a VSCode/Cursor repository-level attack using an unpatched editor vulnerability (Dec 2025–Feb 2026). Drift detected the breach only after funds were siphoned, with a lag of days to weeks.
For traders, this Drift Protocol hack underlines smart-contract and counterparty risks across DeFi vaults, likely increasing near-term risk aversion toward exposed protocols.
Bearish
This news is unlikely to be bullish because it signals a high-impact DeFi breach that bypassed multisig safeguards via social engineering and, most likely, malicious wallet-app or repository delivery mechanisms. Even with post-discovery freezes, attackers still achieved private-key theft and rapid fund withdrawal, which reinforces perceived security fragility across DeFi vaults. In the short term, traders may reduce exposure to the directly affected ecosystem and similar vault-style protocols due to heightened counterparty and operational-risk concerns. In the long term, the incident may keep pressure on multisig management practices (key handling, device/editor security, and supply-chain protections), sustaining a risk premium until audits and rollouts are completed. Since the reporting emphasizes risk aversion rather than a recovery catalyst, the net price impact on the relevant cryptocurrency ecosystem is expected to skew bearish.