This post was originally published on Coinspeaker
Drift Crypto Protocol has attributed a $270 million exploit executed on April 1, 2026 to a six-month intelligence operation conducted by UNC4736 – a North Korean state-affiliated threat group also tracked as Citrine Sleet or AppleJeus – in a detailed incident update published by the team on Sunday, making it the largest native Solana decentralized application exploit on record. Attackers posed as a quantitative trading firm, deposited more than $1 million of their own capital into an Ecosystem Vault, held working sessions with contributors across multiple countries, and waited nearly half a year before executing a durable nonce attack that drained protocol vaults in under a minute.
The operation’s scope and duration distinguish it from prior DeFi exploits in ways that carry implications well beyond Drift’s immediate recovery.
We suspect this is less a measure of Drift’s specific security posture and more a calibrated signal about the maturity of state-sponsored cryptocurrency theft operations – one that renders the standard DeFi security checklist, smart contract audits included, structurally inadequate against adversaries operating on intelligence timelines rather than opportunistic ones.
I beg everyone in crypto to read this in full.
I expected this to be another case of social engineering,