DPRK-Linked Hackers Steal $285 Million from Drift Protocol in Six-Month Social Engineering Operation

North Korean threat actors attributed to UNC4736 (Citrine Sleet/AppleJeus) stole $285 million from Solana-based Drift Protocol after a six-month infiltration campaign combining social engineering of multisig signers with a novel durable nonce pre-signing technique. The incident reveals social engineering tactics directly transferable to enterprise environments.

Tags: #north-korea #dprk #unc4736 #citrine-sleet #social-engineering #defi #crypto #multisig #incident-response #threat-intelligence

Drift Protocol, a Solana-based decentralised exchange, has confirmed that the $285 million theft executed on 1 April 2026 was the culmination of a six-month targeted campaign attributed with medium confidence to UNC4736 — the North Korean-aligned threat group also tracked as Citrine Sleet, AppleJeus, Golden Chollima, and Gleaming Pisces. The attack combined patient social engineering against multisignature wallet signers with a technically novel durable nonce pre-signing technique that allowed authorised transactions to be staged months in advance and triggered without any further attacker presence.

How the Campaign Unfolded

Beginning in autumn 2025, individuals posing as institutional traders and potential protocol integration partners approached key Drift personnel through legitimate professional channels. Crucially, the individuals who made in-person contact were not North Korean nationals. DPRK threat actors operating at this level routinely deploy third-party intermediaries — individuals with verifiable employment histories, technically fluent backgrounds, and professional social media presence — to establish trust with targets in a way that defeats many identity verification controls.

Over subsequent months, those intermediaries cultivated relationships via Telegram, engaging in substantive and technically informed discussions about trading strategies and Drift’s governance architecture. This depth of engagement gradually furnished the attackers with an accurate understanding of how Drift’s multisig governance worked: which signers participated, how signing ceremonies were conducted, and where the protocol’s administrative controls were concentrated.

The Technical Execution

The attack was not the result of a smart contract vulnerability. Instead, the actors socially engineered multiple multisig signers into co-signing transactions whose full effect was obscured at the point of signing. These were structured as durable nonce transactions — a Solana mechanism designed for legitimate cold storage use cases where a transaction must be constructed offline and submitted later. An ordinary Solana transaction expires shortly after the recent blockhash it references ages out; a durable nonce transaction carries a stored nonce value in place of that blockhash, so the signatures remain valid until the nonce is advanced. That property is what allowed fully authorised transactions to be held for months and submitted at a moment of the attackers' choosing.

In parallel, the attackers executed a Security Council configuration change that set the protocol’s timelock parameter to zero. This timelock would ordinarily impose a mandatory delay on high-value governance changes, providing the broader community time to identify and veto malicious proposals before they execute. With the timelock removed, the pre-staged authorised transactions could be submitted and executed immediately, leaving no window for intervention.
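The pre-signing review that the later recommendations call for starts with one question: does the signer actually know what the bytes represent? The following is an added example, not Drift Protocol's or Solana's own tooling. It parses the legacy (non-versioned) Solana message wire format, reports whether the transaction is a durable nonce transaction (first instruction is the System Program's AdvanceNonceAccount, which is the signal that a signature will not expire), and lists every program the transaction invokes against an allowlist. The governance program id, the sysvar placeholder, the instruction payload and the sample message are all constructed for the example.

```python
"""Pre-signing review of a serialized Solana legacy transaction message.

Reports what each signer needs to see before co-signing: whether this is a
durable-nonce transaction (signature stays valid until the nonce is advanced)
and which programs it invokes. GOVERNANCE_PROGRAM, the sysvar placeholder and
SAMPLE_MESSAGE are constructed fixtures, not real on-chain values.
"""
import struct

SYSTEM_PROGRAM = bytes(32)               # base58 "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4                # SystemInstruction discriminant, u32 little-endian
GOVERNANCE_PROGRAM = bytes([0xAA] * 32)  # constructed placeholder for an admin program id

def encode_compact_u16(n):
    """Solana compact-u16: 7 bits per byte, high bit set means more bytes follow."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        if n == 0:
            out.append(byte)
            return bytes(out)
        out.append(byte | 0x80)

def decode_compact_u16(buf, pos):
    value, shift = 0, 0
    while True:
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 14:
            raise ValueError("malformed compact-u16")

def parse_legacy_message(raw):
    """Decode header, account keys, blockhash (or nonce) and compiled instructions."""
    if raw[0] & 0x80:
        raise ValueError("versioned (v0) message; this reviewer handles legacy messages only")
    pos = 3                                  # three-byte MessageHeader
    n_keys, pos = decode_compact_u16(raw, pos)
    keys = [raw[pos + 32 * i:pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = raw[pos:pos + 32], pos + 32
    n_ix, pos = decode_compact_u16(raw, pos)
    instructions = []
    for _ in range(n_ix):
        prog_idx, pos = raw[pos], pos + 1
        n_acc, pos = decode_compact_u16(raw, pos)
        acc_idx, pos = list(raw[pos:pos + n_acc]), pos + n_acc
        n_data, pos = decode_compact_u16(raw, pos)
        data, pos = raw[pos:pos + n_data], pos + n_data
        instructions.append({"program": keys[prog_idx],
                             "accounts": [keys[i] for i in acc_idx], "data": data})
    if pos != len(raw):
        raise ValueError("trailing bytes after message")
    return {"num_signers": raw[0], "keys": keys, "blockhash": blockhash,
            "instructions": instructions}

def is_durable_nonce(msg):
    """Durable-nonce transactions must begin with SystemProgram::AdvanceNonceAccount."""
    ix = msg["instructions"]
    return bool(ix) and ix[0]["program"] == SYSTEM_PROGRAM \
        and ix[0]["data"][:4] == struct.pack("<I", ADVANCE_NONCE_ACCOUNT)

def review(raw, allowlist):
    """Durable nonce means 'valid indefinitely'; an unknown program means 'do not sign'."""
    msg = parse_legacy_message(raw)
    programs = [ix["program"] for ix in msg["instructions"]]
    unknown = [p for p in programs if p not in allowlist]
    durable = is_durable_nonce(msg)
    return {"durable_nonce": durable, "programs": programs,
            "unknown_programs": unknown, "approve": not durable and not unknown}

def build_message(keys, blockhash, instructions):
    """Serialize (program, accounts, data) triples into legacy wire format (fixture builder)."""
    out = bytearray([1, 0, len(keys) - 3])   # 1 signer, 0 readonly-signed, 3 readonly-unsigned
    out += encode_compact_u16(len(keys)) + b"".join(keys) + blockhash
    out += encode_compact_u16(len(instructions))
    for program, accounts, data in instructions:
        out.append(keys.index(program))
        out += encode_compact_u16(len(accounts)) + bytes(keys.index(a) for a in accounts)
        out += encode_compact_u16(len(data)) + data
    return bytes(out)

# Constructed fixture: a nonce advance followed by an opaque call into the admin program.
SIGNER, NONCE_ACCOUNT, CONFIG_ACCOUNT = bytes([1] * 32), bytes([2] * 32), bytes([3] * 32)
RECENT_BLOCKHASHES_SYSVAR = bytes([4] * 32)   # placeholder, not the real sysvar id
NONCE_VALUE = bytes([5] * 32)                 # occupies the blockhash slot of a nonce tx
SAMPLE_KEYS = [SIGNER, NONCE_ACCOUNT, CONFIG_ACCOUNT,
               RECENT_BLOCKHASHES_SYSVAR, SYSTEM_PROGRAM, GOVERNANCE_PROGRAM]
SAMPLE_MESSAGE = build_message(SAMPLE_KEYS, NONCE_VALUE, [
    (SYSTEM_PROGRAM, [NONCE_ACCOUNT, RECENT_BLOCKHASHES_SYSVAR, SIGNER],
     struct.pack("<I", ADVANCE_NONCE_ACCOUNT)),
    (GOVERNANCE_PROGRAM, [CONFIG_ACCOUNT, SIGNER], b"\x07" + struct.pack("<Q", 0)),  # constructed payload
])

if __name__ == "__main__":
    for k, v in review(SAMPLE_MESSAGE, allowlist={SYSTEM_PROGRAM}).items():
        print(f"{k}: {[p.hex()[:8] for p in v] if isinstance(v, list) else v}")
```

The point of the allowlist is that a signer's tooling should refuse by default: a transaction that starts with a nonce advance and then calls a program the signer has not explicitly vetted is exactly the shape of a pre-staged authorisation, and decoding the admin program's payload (omitted here, since the layout is protocol-specific) is the next step before anyone signs.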

Why This Matters Beyond Cryptocurrency

Several elements of this campaign map directly onto enterprise threat scenarios that security teams should be preparing for:

Long-duration social engineering. Six months of credible relationship building before any technical action. Standard phishing awareness training does not prepare personnel to recognise an adversary willing to invest this level of effort in building a trusted relationship.

Third-party intermediaries as cover. Using individuals with verifiable identities defeats many know-your-counterpart controls and creates substantial legal and attribution complexity. Enterprise environments are equally vulnerable to this technique wherever contractors, partners, or vendors are granted privileged access.

Pre-staged authorisations. Obtaining legitimate credentials or approvals that execute later — during a maintenance window, after the signing ceremony is complete, or after the approver has moved on — is a transferable technique. Security teams should consider whether any approval workflow in their environment could be exploited similarly.

Safety control removal as a terminal step. Eliminating the timelock immediately before executing the theft mirrors enterprise attack playbooks where threat actors disable logging, endpoint detection, or backup systems moments before ransomware deployment. Monitoring for unusual changes to safety or oversight controls is as important as monitoring for the payload itself.

For security teams advising organisations with multisig governance, crypto custody, or high-value approval workflows:

  • Mandate independent transaction simulation and review before any signing request is approved, regardless of the apparent relationship with the requester. What is being signed must be fully understood by each signer.
  • Treat any proposal to reduce or eliminate safety timers as high-risk. Governance proposals that reduce delay parameters warrant additional scrutiny, mandatory broader stakeholder notification, and a waiting period before approval.
  • Implement structured verification for new institutional relationships that will result in access to governance processes — including background checking through independent channels, not just those provided by the counterparty.
  • Conduct targeted personnel security briefings covering long-duration social engineering and third-party intermediary tactics. DPRK groups have a documented multi-year track record of this methodology across the crypto sector.
  • Monitor for safety control changes as an active threat indicator, not merely a compliance concern.
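Treating safety-control changes as a threat indicator rather than a compliance item means alerting on them in the same pipeline as the payload. The following detection logic is an added example, not Drift Protocol's monitoring: it reads a constructed JSON-lines feed of governance events, flags any reduction of a delay parameter (to zero as critical), and raises a second critical alert when a privileged execution follows a reduction within a short window, which is the sequence described above. The event schema, parameter names, actors, timestamps and amounts are all constructed.

```python
"""Flag reductions of governance safety timers and correlate them with
privileged actions executed shortly afterwards.

The JSON-lines schema, parameter names and SAMPLE_LOG are constructed for
this example; map them onto your own governance telemetry.
"""
import json
from datetime import datetime, timedelta

SAFETY_PARAMS = {"timelock_seconds", "veto_window_seconds"}  # constructed names
CORRELATION_WINDOW = timedelta(minutes=30)

SAMPLE_LOG = """\
{"ts": "2026-01-15T09:00:00Z", "event": "config_change", "param": "max_leverage", "old": 10, "new": 8, "actor": "council"}
{"ts": "2026-01-15T09:05:00Z", "event": "config_change", "param": "timelock_seconds", "old": 172800, "new": 0, "actor": "council"}
{"ts": "2026-01-15T09:07:00Z", "event": "execute", "action": "withdraw_treasury", "amount_usd": 50000000, "actor": "multisig"}
{"ts": "2026-01-15T12:00:00Z", "event": "config_change", "param": "timelock_seconds", "old": 0, "new": 172800, "actor": "council"}
"""

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def analyse(log_text):
    """Return alerts in log order. Safety-timer reductions are 'high', reductions to
    zero 'critical'; any execution within CORRELATION_WINDOW of a reduction is 'critical'."""
    alerts, reductions = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = parse_ts(ev["ts"])
        if ev["event"] == "config_change" and ev["param"] in SAFETY_PARAMS:
            if ev["new"] < ev["old"]:          # restoring the timer is not an alert
                alerts.append({"severity": "critical" if ev["new"] == 0 else "high",
                               "ts": ev["ts"], "actor": ev["actor"],
                               "reason": f"{ev['param']} reduced {ev['old']} -> {ev['new']}"})
                reductions.append((ts, ev["param"]))
        elif ev["event"] == "execute":
            linked = [p for t, p in reductions if timedelta(0) <= ts - t <= CORRELATION_WINDOW]
            if linked:
                alerts.append({"severity": "critical", "ts": ev["ts"], "actor": ev["actor"],
                               "reason": f"{ev['action']} executed within "
                                         f"{CORRELATION_WINDOW} of reducing {', '.join(linked)}"})
    return alerts

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(a["severity"].upper(), a["ts"], a["actor"], a["reason"])
```

The first alert alone is worth paging on, because a proposal to set a timelock to zero has almost no legitimate urgency; the correlated second alert is the one that distinguishes a careless governance change from the terminal step of an intrusion, and it should route to the incident response channel rather than the governance review queue.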

The FBI and CISA have issued multiple prior advisories on North Korea’s sustained targeting of cryptocurrency and financial infrastructure. Organisations in this space should treat state-sponsored social engineering as a persistent operational reality, not an edge case.