Just read through Drift's incident report on that $270 million exploit from April, and honestly, the level of sophistication here is kind of wild. This wasn't some random hack—we're talking about a six-month intelligence operation by a North Korean state-linked group that basically embedded themselves inside the protocol before pulling off the attack.
So here's how it went down. Around fall 2025, these actors showed up at a major crypto conference posing as a quant trading firm. They had the technical chops, legitimate-looking backgrounds, and actually understood Drift's protocol. Over the next few months, they went through what looked like a totally normal onboarding process—set up a Telegram group, had real conversations about trading strategies and vault integrations, deposited over $1 million of their own money, and even met Drift contributors face-to-face at multiple conferences across different countries through February and March.
By the time they executed the exploit on April 1, they'd been building this relationship for nearly six months. That's the kind of patience most attackers don't have.
The actual compromise came through two clever vectors. First, they got people to download a fake wallet app through TestFlight, which bypasses Apple's security review process. Second, they exploited a known vulnerability in VSCode and Cursor that the security community had been warning about since late 2025—basically, just opening a file in the editor could silently execute arbitrary code with zero warnings.
Once devices were compromised, they were able to obtain the multisig approvals they needed. Pre-signed transactions sat dormant for over a week before executing on April 1, draining $270 million in under a minute.
Investigators traced this back to UNC4736, also known as AppleJeus or Citrine Sleet—the same group behind the Radiant Capital attack. Interestingly, the people who actually showed up at conferences weren't North Korean nationals. These actors deploy fully constructed third-party identities with employment histories and professional networks built to survive due diligence checks.
What's really unsettling about this is the broader question it raises for DeFi. If attackers are willing to spend six months and a million dollars building legitimate presence, meeting teams in person, contributing real capital, and just waiting for the right moment—what security model actually catches that? Drift is warning other protocols to audit access controls and treat every device touching a multisig as a potential target. But the uncomfortable truth is that multisig governance, which most of the industry relies on as its primary security model, might have some deep structural weaknesses when facing this level of sophistication.
This is the kind of incident that makes you rethink what "secure" even means at scale.