
Rp 4.6 Billion Vanishes in 6 Months: Here's How It Happened

| Source: CNBC Translated from Indonesian | Technology

Jakarta, CNBC Indonesia - North Korea is once again in the spotlight in the cybersecurity sector. A report from CoinDesk indicates that a six-month intelligence operation launched by a group affiliated with North Korea exploited the Drift Protocol to the tune of US$270 million (Rp4.6 billion).

The attackers first made contact towards the end of 2025 at a major crypto conference, introducing themselves as a quantitative trading company seeking to integrate with Drift.

According to Drift, they were technically proficient, had verifiable professional backgrounds, and understood how the protocol worked. As a result, a Telegram group was formed, and they engaged in substantive conversations over months regarding trading strategies and vault integrations—interactions standard for trading firms joining a DeFi protocol.

Between December 2025 and January 2026, the group integrated the Ecosystem Vault into Drift, held several working sessions with contributors, deposited over US$1 million of their own capital, and built a functioning operational presence within the ecosystem.

Drift contributors met in person with individuals from the group at several major industry conferences in various countries during February and March 2026. By the time the attack was launched on 1 April, the relationship had been established for nearly half a year.

The compromise appears to have occurred through two pathways.

The second pathway involved downloading an app via TestFlight, Apple's platform for distributing pre-release applications, which bypass App Store security review.

For the repository pathway, Drift points to a known vulnerability in VSCode and Cursor, two of the most widely used code editors in software development, which has been flagged by the security community since late 2025.

Once the devices were compromised, the attackers had the files they needed to obtain two multisig approvals, enabling the nonce-resistant attack detailed by CoinDesk earlier this week.

The pre-signed transactions remained dormant for more than a week before being executed on 1 April, draining US$270 million from the protocol’s vault in less than one minute.

The allegations point to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet, based on on-chain fund flows traceable to the Radiant Capital attackers and operational overlaps with known North Korea-linked personas.

The individuals present in person at the conferences were not North Korean nationals. North Korean threat actors at this level are known to use third-party intermediaries with fully fabricated identities, employment histories, and professional networks built to withstand due diligence.

Drift urges other protocols to audit access controls and treat any device connected to multisig as a potential target. The broader implications are uncomfortable for an industry that relies on multisig governance as its primary security model.

However, if attackers are willing to spend six months and one million dollars to build a legitimate presence within the ecosystem, meet the team in person, contribute real capital, and wait, the question is what security model is designed to catch that.
