Author: CryptoDnes
Drift Protocol suffered a $280 million exploit on April 1, 2026. Investigators link the attack to the UNC4736 group using sophisticated social engineering.
The hacking attack against Drift on April 1, 2026, which saw $280 million stolen, initially caused surprise due to its timing. What some dismissed as a potential April Fools’ joke was later confirmed as one of the most serious security breaches in decentralized finance this year.
How the Hack Unfolded
The attackers established initial contact as early as the fall of 2025 at a major crypto conference, posing as a quantum trading company. They demonstrated a high technical level, convincing professional profiles, and a deep understanding of the protocol, which led to the establishment of communication and subsequent professional interactions.
Between December 2025 and January 2026, the group integrated themselves into the Drift ecosystem, creating their own vault, participating in developer meetings, and depositing over $1 million of their own capital. Their presence was further solidified through face-to-face meetings at industry events in several countries.
The Attack: A Mix of Social Engineering and Technical Exploits
The compromise was carried out through two primary vectors. One involved exploiting a vulnerability in popular development environments such as Visual Studio Code and Cursor, where opening a file could lead to the immediate execution of malware without warning.
The second vector involved an application distributed through TestFlight, presented as a crypto wallet, which bypassed standard App Store checks.
After compromising the devices, the attackers managed to obtain the necessary approvals for multi-sig transactions. Pre-signed operations remained dormant for more than a week before being executed on April 1, draining the funds in less than a minute.
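The week-long gap between collecting approvals and executing them is the detail a defender can act on. The following is an added example, not Drift's code, of a multi-sig queue check that treats approvals as expiring: a proposal executes only on enough fresh signatures, and proposals that would pass on raw signature count but fail the freshness rule are flagged. The two-day TTL, the `Proposal` structure and the sample queue are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical policy: an approval older than this must be re-collected before
# the proposal may execute. The article only says the real approvals sat dormant
# for more than a week; the two-day value here is an assumption.
APPROVAL_TTL = timedelta(days=2)

@dataclass
class Proposal:
    proposal_id: str
    threshold: int              # approvals required to execute
    signed_at: list[datetime]   # UTC time each approval was collected

def fresh_approvals(p: Proposal, now: datetime, ttl: timedelta = APPROVAL_TTL) -> int:
    """Count approvals collected within the TTL, measured at `now`."""
    return sum(1 for t in p.signed_at if now - t <= ttl)

def execution_allowed(p: Proposal, now: datetime, ttl: timedelta = APPROVAL_TTL) -> bool:
    """Execute only when enough fresh approvals exist; dormant ones do not count."""
    return fresh_approvals(p, now, ttl) >= p.threshold

def dormant_but_executable(queue: list[Proposal], now: datetime,
                           ttl: timedelta = APPROVAL_TTL) -> list[str]:
    """Flag proposals that meet the threshold on raw signature count yet fail the
    freshness rule: the pre-signed, long-dormant case described in the article."""
    return [p.proposal_id for p in queue
            if len(p.signed_at) >= p.threshold and not execution_allowed(p, now, ttl)]

# Constructed sample queue, not real Drift data.
NOW = datetime(2026, 4, 1, 12, 0, tzinfo=timezone.utc)
QUEUE = [
    # three approvals gathered eight to nine days earlier, then left waiting
    Proposal("P-1", 3, [NOW - timedelta(days=9), NOW - timedelta(days=8, hours=20),
                        NOW - timedelta(days=8)]),
    # routine proposal approved within the last few hours
    Proposal("P-2", 2, [NOW - timedelta(hours=3), NOW - timedelta(hours=1)]),
    # one stale and one fresh approval, still short of threshold either way
    Proposal("P-3", 3, [NOW - timedelta(days=9), NOW - timedelta(hours=2)]),
]

if __name__ == "__main__":
    for p in QUEUE:
        print(p.proposal_id, "fresh:", fresh_approvals(p, NOW),
              "allowed:", execution_allowed(p, NOW))
    print("dormant but executable without a TTL:", dormant_but_executable(QUEUE, NOW))
```

In practice the same freshness check belongs in the signing policy itself, so a stale proposal requires signers to re-approve rather than merely raising an alert.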
The investigation links the attack to the UNC4736 group, also known as AppleJeus or Citrine Sleet, based on blockchain analysis and operational similarities with previous attacks.
Interestingly, the participants who met the team in person were not North Korean citizens. Such groups often use intermediaries with established fake identities and professional histories capable of withstanding background checks.
Drift warned that any access to multi-sig infrastructure must be viewed as a potential attack point. The case highlights a broader issue for the industry—whether current security models are sufficient against adversaries willing to invest time, resources, and trust to achieve a breach.