
$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation

Published:

5 April 2026 at 18:25:00

Alert date:

5 April 2026 at 20:00:56

Source:

thehackernews.com


Data Breach & Exfiltration, Supply Chain & Dependencies, Ransomware & Malware

The Drift decentralized exchange suffered a $285 million theft on April 1, 2026, which was traced to a sophisticated six-month social engineering operation conducted by North Korea (DPRK). The attack began in fall 2025 and represents a meticulously planned, targeted campaign against the Solana-based platform. This incident highlights the advanced persistent threat capabilities of DPRK actors in conducting long-term social engineering operations against cryptocurrency platforms. The substantial financial loss and extended timeline demonstrate the sophistication of state-sponsored attacks on DeFi infrastructure.

Technical details

The attack was a six-month social engineering operation in which the attackers posed as a quantitative trading company and approached Drift contributors at cryptocurrency conferences. Two primary attack vectors were identified: 1) a malicious Microsoft Visual Studio Code project that weaponizes the 'tasks.json' file, using the 'runOn: folderOpen' option to execute code automatically as soon as the project is opened in the IDE, and 2) a compromised wallet product distributed via Apple's TestFlight for beta testing. The attackers onboarded an Ecosystem Vault on Drift, depositing over $1 million to build credibility, and maintained months of substantive conversations about trading strategies. Evidence shows connections to previous attacks, including fund flows tracing back to the Radiant attackers, and the use of fully constructed fake identities with employment histories and professional networks.

Mitigation steps:

Microsoft introduced new security controls in VS Code versions 1.109 and 1.110 to prevent unintended execution of tasks when opening a workspace. Organizations should be cautious of unsolicited contact from trading companies or recruiters, especially those requesting to clone repositories or test applications. Implement strict identity verification for new hires and be aware of North Korean IT worker infiltration schemes. Monitor for suspicious cryptocurrency transactions and verify the authenticity of professional contacts through multiple channels before engaging in business relationships.
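A pre-open check for the tasks.json vector described above, written as an added example for this advisory (it is not code from the original article, Drift or Microsoft): it parses VS Code's tasks.json (JSON with comments) and reports any task whose runOptions.runOn is "folderOpen", so a cloned repository can be screened before it is opened in the IDE. The sample tasks.json is constructed; the function names are the example's own.

```python
"""Pre-open check for cloned repos: flag VS Code tasks that auto-run on folder open.
Added example, not code from the advisory, Drift or Microsoft."""
import json
import re
from pathlib import Path

def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments outside strings, then trailing commas (best effort)."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:   # keep the escaped char, e.g. \" inside a string
                out.append(text[i + 1]); i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True; out.append(c)
        elif text.startswith("//", i):
            j = text.find("\n", i); i = (n if j < 0 else j) - 1
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2); i = (n if j < 0 else j + 2) - 1
        else:
            out.append(c)
        i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))

def find_auto_run_tasks(tasks_json_text: str) -> list[dict]:
    """Return every task whose runOptions.runOn is "folderOpen" (VS Code's tasks.json schema)."""
    data = json.loads(strip_jsonc(tasks_json_text))
    return [{"label": t.get("label"), "type": t.get("type"),
             "command": t.get("command"), "args": t.get("args", [])}
            for t in data.get("tasks", [])
            if (t.get("runOptions") or {}).get("runOn") == "folderOpen"]

def scan_workspace(root: str) -> dict[str, list[dict]]:
    """Map each .vscode/tasks.json under root to its auto-run tasks; run before opening the IDE."""
    return {str(p): find_auto_run_tasks(p.read_text(encoding="utf-8"))
            for p in Path(root).rglob("tasks.json") if p.parent.name == ".vscode"}

# Constructed sample: one ordinary build task plus one that fires as soon as the folder opens.
SAMPLE_TASKS_JSON = r'''{
  "version": "2.0.0",  // comments and trailing commas are legal in tasks.json
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", "command": "node", "args": ["./scripts/setup.js"],
     "runOptions": {"runOn": "folderOpen"},},
  ]
}'''
```

Any non-empty result from scan_workspace means the checkout will run a command on open; review that task's command and args before trusting the workspace, regardless of the IDE version's prompt.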

Affected products:

Drift Protocol
Solana-based decentralized exchange
Microsoft Visual Studio Code
Apple TestFlight
Radiant Capital
X_TRADER/3CX
Axios npm package
Node.js projects
GitHub repositories

Related links:

https://x.com/DriftProtocol/status/2040611161121370409
https://thehackernews.com/2026/04/drift-loses-285-million-in-durable.html
https://thehackernews.com/2022/12/north-korean-hackers-spread-applejeus.html
https://thehackernews.com/2023/04/lazarus-xtrader-hack-impacts-critical.html
https://thehackernews.com/2024/12/doj-indicts-14-north-koreans-for-88m-it.html
https://www.halborn.com/blog/post/explained-the-radiant-capital-hack-october-2024
https://thehackernews.com/2026/02/dprk-operatives-impersonate.html
https://thehackernews.com/2026/03/north-korean-hackers-abuse-vs-code-auto.html
https://dti.domaintools.com/research/dprk-malware-modularity-diversity-and-functional-specialization
https://thehackernews.com/2025/12/kimsuky-spreads-docswap-android-malware.html
https://thehackernews.com/2026/02/lazarus-group-uses-medusa-ransomware-in.html
https://thehackernews.com/2025/07/us-sanctions-north-korean-andariel.html
https://thehackernews.com/2026/04/unc1069-social-engineering-of-axios.html
https://www.esentire.com/blog/north-korean-apt-malware-analysis-dev-popper-rat-and-omnistealer-everyday-im-shufflin
https://thehackernews.com/2024/04/bogus-npm-packages-used-to-trick.html
https://nisos.com/blog/dprk-it-worker-fraud-laptop-farm/
https://nisos.com/blog/dprk-remote-worker-fraud-interview/
https://nisos.com/blog/dprk-it-worker-fraud-insider-threat/
https://unit42.paloaltonetworks.com/north-korean-synthetic-identity-creation/
https://www.kelacyber.com/blog/espionage-exposed-inside-a-north-korean-remote-worker-network/
https://www.chainalysis.com/blog/ofac-targets-north-korean-it-workers-crypto-march-2026/
https://thehackernews.com/2026/03/ofac-sanctions-dprk-it-worker-network.html
https://flare.io/learn/resources/blog/iranian-recruits-inside-the-nkitw-operation

Related CVEs:

Related threat actors:

IOCs:

DEV#POPPER RAT JavaScript backdoor, OmniStealer information stealer, Malicious Python packages, Weaponized tasks.json files in VS Code projects, Fraudulent TestFlight wallet applications, Fund flows connected to Radiant Capital attackers

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website shows information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
