A North Korea-linked group has been named as the culprit behind the hack of Drift Protocol, a Solana (SOL)-based decentralized exchange (DEX), in which about 430 billion won was stolen. The incident is set to go on record as an operation in which the perpetrators met Drift insiders in person over an extended period, built trust, and then carried out the theft.
On Apr. 7, according to the virtual asset industry, the Drift operations team recently disclosed via its official X (formerly Twitter) account how $286 million (about 430 billion won) was drained. Citing similarities in activity patterns with North Korea-linked groups, the industry believes the group "UNC4736" is likely behind the incident. Blockchain analytics firm Chainalysis said that if the Drift hack proves to be the work of North Korea, total global virtual asset hacking losses attributable to North Korea would amount to at least 10.58 trillion won.
The hack is drawing attention because it relied on social engineering rather than the exploitation of technical vulnerabilities. The hackers posed as a quant trading firm (automated trading by computer programs), met Drift insiders at multiple conferences over six months, and built trust. They also took part in the Drift ecosystem by depositing more than $1 million (1.5 billion won) and discussing product integrations.
However, the individuals who attended the conferences were found not to be North Korean nationals. The Drift operations team said, "It is common for attack groups at this level to use intermediaries with fabricated identities."
After building trust with the Drift operations team, the hackers approached them under the guise of a development collaboration and induced them to download program code files or install a test application (app). These contained malware, and once the devices were infected, control over their access rights passed to the hackers.
Drift had required the consent of multiple signers for any movement of funds, but the hackers, having secured multisig approval rights, stole $286 million on the 1st in less than a minute. Multisig is a joint approval method in which a transaction is executed only when multiple signatures are present.
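The following is an added illustration of the M-of-N approval logic described above; it is not Drift's code, and the page says nothing about how Drift's multisig was implemented. It uses a constructed toy scheme (HMAC-SHA256 tags keyed by each signer's secret) in place of the Ed25519 signatures a real Solana multisig would verify, so the verifier holds the same secrets the signers do; all signer names, amounts and the 2-of-3 policy are made up. The point it shows is the one in the article: the policy correctly rejects a lone signer, a repeated signature, an outsider's key and a signature over a different transaction, yet it passes without complaint when the attacker holds enough stolen signer keys, because nothing in the threshold check can tell a compromised device from an honest one.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed example: a toy M-of-N multisig approval check. HMAC tags
# stand in for real asymmetric signatures, so the verifier's table of
# "authorized keys" is a table of shared secrets here (toy only).


def make_signer():
    """Return a (signer_id, secret) pair; the id plays the public-key role."""
    secret = secrets.token_bytes(32)
    signer_id = hashlib.sha256(secret).hexdigest()[:16]
    return signer_id, secret


def tx_digest(tx: dict) -> bytes:
    """Canonical digest of the transaction fields every signer commits to."""
    canonical = f"{tx['to']}|{tx['amount']}|{tx['nonce']}".encode()
    return hashlib.sha256(canonical).digest()


def sign(secret: bytes, digest: bytes) -> bytes:
    """Toy signature: HMAC-SHA256 over the transaction digest."""
    return hmac.new(secret, digest, hashlib.sha256).digest()


@dataclass
class MultisigPolicy:
    authorized: dict   # signer_id -> verification secret (toy scheme)
    threshold: int     # M in "M of N"

    def approve(self, tx: dict, signatures) -> bool:
        """signatures: iterable of (signer_id, tag). True only when at least
        `threshold` distinct authorized signers produced a valid tag over tx."""
        digest = tx_digest(tx)
        valid = set()
        for signer_id, tag in signatures:
            key = self.authorized.get(signer_id)
            if key is None:
                continue  # unknown signer: ignored, never counts
            if hmac.compare_digest(sign(key, digest), tag):
                valid.add(signer_id)  # a set, so repeats count once
        return len(valid) >= self.threshold


def scenario() -> dict:
    """Run the policy against several submissions and report each verdict."""
    signers = [make_signer() for _ in range(3)]
    a, b, _c = signers
    policy = MultisigPolicy(authorized=dict(signers), threshold=2)
    tx = {"to": "external-wallet", "amount": 286_000_000, "nonce": 1}  # constructed
    d = tx_digest(tx)
    results = {}
    results["two_honest"] = policy.approve(tx, [(a[0], sign(a[1], d)), (b[0], sign(b[1], d))])
    results["one_signer"] = policy.approve(tx, [(a[0], sign(a[1], d))])
    results["same_signer_twice"] = policy.approve(tx, [(a[0], sign(a[1], d))] * 2)
    outsider = make_signer()
    results["outsider"] = policy.approve(
        tx, [(a[0], sign(a[1], d)), (outsider[0], sign(outsider[1], d))])
    other = dict(tx, amount=1)  # signature made over a different transaction
    results["replayed_sig"] = policy.approve(
        tx, [(a[0], sign(a[1], tx_digest(other))), (b[0], sign(b[1], d))])
    # Keys lifted from two compromised signer devices: indistinguishable
    # from honest approvals at the policy layer.
    stolen = {a[0]: a[1], b[0]: b[1]}
    results["stolen_keys"] = policy.approve(
        tx, [(sid, sign(sec, d)) for sid, sec in stolen.items()])
    return results


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:18s} approved={ok}")
```

The design keeps the signer set, the threshold and the digest-binding in one place so each rejection has a visible cause; the last case is the one that matters for this incident, since a signing policy only counts signatures and cannot see that the devices producing them are no longer under their owners' control.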
Virtual asset outlet CoinDesk reported, "If an attacker behaves like a real organization for six months, commits funds, and participates inside the ecosystem, it is virtually impossible for existing security frameworks to detect it."