{
    "success": true,
    "data": {
        "id": 1661905,
        "msgid": "rp-4-6-billion-vanishes-in-6-months-heres-how-it-happened-1775602304",
        "date": "2026-04-07 19:20:00",
        "title": "Rp 4.6 Billion Vanishes in 6 Months: Here's How It Happened",
        "author": "",
        "source": "CNBC",
        "tags": "",
        "topic": "Technology",
        "summary": "A hacking group affiliated with North Korea ran a six-month infiltration of the Drift Protocol and stole US$270 million (about Rp 4.6 trillion). The attackers posed as a quantitative trading firm, building trust through conferences, Telegram discussions, and a vault integration backed by over US$1 million of their own capital, then compromised contributor devices through a known code-editor vulnerability and an app distributed via Apple's TestFlight to obtain two multisig approvals. The pre-signed transactions sat dormant for over a week before draining the vault in under a minute. The incident exposes the weakness of DeFi security models that rest on multisig governance alone; Drift urges other protocols to audit access controls and treat every device connected to a multisig as a target, amid rising state-sponsored threats to cryptocurrency.",
        "content": "<p>Jakarta, CNBC Indonesia - North Korea is once again in the spotlight in the cybersecurity sector. A report from CoinDesk indicates that a six-month intelligence operation run by a group affiliated with North Korea exploited the Drift Protocol for US$270 million (about Rp 4.6 trillion).<\/p>\n<p>The attackers first made contact towards the end of 2025 at a major crypto conference, introducing themselves as a quantitative trading firm seeking to integrate with Drift.<\/p>\n<p>According to Drift, they were technically proficient, had verifiable professional backgrounds, and understood how the protocol worked. A Telegram group was formed, and over several months they held substantive conversations about trading strategies and vault integrations, the kind of interaction a trading firm joining a DeFi protocol would normally have.<\/p>\n<p>Between December 2025 and January 2026, the group integrated the Ecosystem Vault into Drift, held several working sessions with contributors, deposited over US$1 million of their own capital, and built a functioning operational presence within the ecosystem.<\/p>\n<p>Drift contributors met in person with individuals from the group at several major industry conferences in various countries during February and March 2026. By the time the attack was launched on 1 April, the relationship had been in place for nearly half a year.<\/p>\n<p>The compromise appears to have occurred through two pathways.<\/p>\n<p>The first was a code repository. For this pathway, Drift points to a known vulnerability in VSCode and Cursor, two of the most widely used code editors in software development, which the security community has flagged since late 2025.<\/p>\n<p>The second was an app downloaded through TestFlight, Apple\u2019s platform for distributing pre-release applications; builds delivered through TestFlight do not go through the full App Store review.<\/p>\n<p>Once the devices were compromised, the attackers had the files they needed to obtain two multisig approvals, enabling the durable-nonce attack detailed by CoinDesk earlier this week.<\/p>\n<p>The pre-signed transactions remained dormant for more than a week before being executed on 1 April, draining US$270 million from the protocol\u2019s vault in less than one minute.<\/p>\n<p>The attribution points to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet, based on on-chain fund flows traceable to the Radiant Capital attackers and operational overlaps with known North Korea-linked personas.<\/p>\n<p>The individuals who attended the conferences in person were not North Korean nationals. North Korean threat actors operating at this level are known to use third-party intermediaries with fully fabricated identities, employment histories, and professional networks built to withstand due diligence.<\/p>\n<p>Drift urges other protocols to audit access controls and to treat any device connected to a multisig as a potential target. The broader implications are uncomfortable for an industry that relies on multisig governance as its primary security model.<\/p>\n<p>If attackers are willing to spend six months and a million dollars to build a legitimate presence within the ecosystem, meet the team in person, contribute real capital, and wait, the question is what security model is designed to catch that.<\/p>",
        "url": "https:\/\/jawawa.id\/newsitem\/rp-4-6-billion-vanishes-in-6-months-heres-how-it-happened-1775602304",
        "image": ""
    },
    "sponsor": "Okusi Associates",
    "sponsor_url": "https:\/\/okusiassociates.com"
}
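The article's core technical point is that two multisig approvals, pre-signed on compromised devices, stayed executable for more than a week and then drained the vault in under a minute. The model below is an added illustration appended after the news record; it is not Drift's, Solana's, or any multisig vendor's code. It assumes (this is the assumption, not something the article states) that the stolen approvals remained usable because nothing bound them to a submission window or an execution delay, and it contrasts that policy with one that expires approvals and adds a veto window. Signer names, policy fields, the HMAC stand-in for real signatures, timestamps and amounts are all constructed.

```python
"""Constructed model of the multisig failure mode described in the article:
approvals pre-signed on compromised signer devices stay valid indefinitely,
so whoever holds the signed payloads can execute them a week later.
Added illustration only; not Drift's, Solana's or any multisig vendor's code.
Signer names, policy fields, timings and amounts are hypothetical."""

import hashlib
import hmac
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Hypothetical signer keys. Real multisigs use Ed25519/ECDSA keys; an HMAC over the
# proposal digest stands in for a signature so the example runs offline.
SIGNER_KEYS = {"alice": b"alice-key", "bob": b"bob-key", "carol": b"carol-key"}
DAY = 86_400


@dataclass(frozen=True)
class Proposal:
    proposal_id: str
    action: str
    amount: int

    def digest(self) -> bytes:
        return hashlib.sha256(
            f"{self.proposal_id}|{self.action}|{self.amount}".encode()).digest()


@dataclass(frozen=True)
class Approval:
    signer: str
    proposal_id: str
    signed_at: int  # unix seconds; covered by the signature so it cannot be back-dated
    mac: bytes


def sign(signer: str, proposal: Proposal, signed_at: int) -> Approval:
    msg = proposal.digest() + signed_at.to_bytes(8, "big")
    mac = hmac.new(SIGNER_KEYS[signer], msg, "sha256").digest()
    return Approval(signer, proposal.proposal_id, signed_at, mac)


def verify(approval: Approval, proposal: Proposal) -> bool:
    key = SIGNER_KEYS.get(approval.signer)
    if key is None or approval.proposal_id != proposal.proposal_id:
        return False
    msg = proposal.digest() + approval.signed_at.to_bytes(8, "big")
    return hmac.compare_digest(hmac.new(key, msg, "sha256").digest(), approval.mac)


@dataclass(frozen=True)
class Policy:
    threshold: int = 2
    approval_ttl: Optional[int] = None  # max age of an approval at submission; None = never expires
    execution_delay: int = 0            # seconds between submission and execution (veto window)


def can_execute(policy: Policy, proposal: Proposal, approvals: List[Approval],
                submitted_at: int, now: int,
                vetoes: FrozenSet[str] = frozenset()) -> Tuple[bool, str]:
    """Decide whether `approvals`, submitted at `submitted_at`, may execute
    `proposal` at `now`. Returns (ok, reason)."""
    signers = set()
    for a in approvals:
        if not verify(a, proposal):
            continue  # forged, or signed for a different proposal
        if policy.approval_ttl is not None and submitted_at - a.signed_at > policy.approval_ttl:
            continue  # stale pre-signed approval: genuine signature, unacceptable age
        signers.add(a.signer)
    if len(signers) < policy.threshold:
        return False, f"{len(signers)} of {policy.threshold} approvals valid at submission"
    if any(v in SIGNER_KEYS for v in vetoes):
        return False, "vetoed during execution delay"
    if now - submitted_at < policy.execution_delay:
        return False, "execution delay not elapsed"
    return True, "ok"


# LEGACY never expires approvals and executes immediately (the gap the article's
# timeline implies, under this model's assumption); HARDENED bounds approval age and
# gives the remaining signers a day to veto.
LEGACY = Policy(threshold=2)
HARDENED = Policy(threshold=2, approval_ttl=15 * 60, execution_delay=DAY)


def stolen_approvals_scenario(policy: Policy, submit_after_days: int = 8,
                              execute_after_days: int = 8,
                              vetoes: FrozenSet[str] = frozenset()) -> Tuple[bool, str]:
    """The article's timeline reduced to the model: two approvals pre-signed on
    compromised devices at t0 and held by the attacker, then submitted and
    executed the given number of days later. t0 and the amount are constructed."""
    t0 = 1_775_000_000
    proposal = Proposal("drain-vault", "withdraw", 270_000_000)
    stolen = [sign("alice", proposal, t0), sign("bob", proposal, t0)]
    return can_execute(policy, proposal, stolen,
                       t0 + submit_after_days * DAY, t0 + execute_after_days * DAY, vetoes)


if __name__ == "__main__":
    print("legacy, week-old approvals:", stolen_approvals_scenario(LEGACY))
    print("hardened, week-old approvals:", stolen_approvals_scenario(HARDENED))
    print("hardened, submitted at once:", stolen_approvals_scenario(HARDENED, 0, 0))
    print("hardened, after delay, carol vetoes:",
          stolen_approvals_scenario(HARDENED, 0, 1, frozenset({"carol"})))
```

Under LEGACY the week-old stolen approvals execute immediately, which is the outcome the article reports. Under HARDENED the same approvals are rejected as stale at submission; an attacker who instead submits them the moment they are harvested still has to wait out the execution delay, during which any uncompromised signer can veto. Neither control stops a signer device from being compromised, which is why Drift's advice to treat every such device as a target stands on its own; the policy only limits how long a stolen approval is worth holding.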