Drift Protocol Exploit: Why “Social Trust” Is the Newest Cybersecurity Gap


https://www.crowell.com/en/insights/client-alerts/drift-protocol-exploit-why-social-trust-is-the-newest-cybersecurity-gap

Publish Date: 2026-04-28 04:03:00

Source Domain: www.crowell.com

The recent $285 million theft from Drift Protocol serves as a high-stakes reminder that the human element remains one of the biggest cybersecurity gaps in any organization. This was not a “hack” in the traditional sense of breaking through a digital wallet. North Korean actors used sophisticated social engineering to exploit human trust, turning what looks like a “hacking” risk into valuable lessons learned for cybersecurity oversight.

Background

On April 1, 2026, Drift Protocol, a decentralized perpetual futures exchange on the Solana blockchain, suffered a security incident resulting in the theft of approximately $285 million in digital assets. Drift subsequently attributed the operation to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet.

Mandiant previously attributed the October 2024 Radiant Capital hack to UNC4736 ― in which threat actors stole approximately $50 million using a similar social engineering approach, posing as a known contact and delivering malware through a file shared via a messaging platform.

What Makes the Drift Exploit Unique

The Drift attack combined a sustained social engineering campaign with technical exploitation. The threat actors began cultivating in-person relationships with Drift personnel in fall 2025, presenting themselves as a legitimate quantitative trading firm. Over the following months, they attended major industry conferences in person, participated in working sessions, helped fix minor issues, and deposited over $1 million of their own capital into the platform ― building the kind of trust that makes their eventual requests appear routine.

The technical compromise was equally deliberate and unfolded in three stages:

Stage 1 – Device and credential compromise. The threat actors exploited a vulnerability to execute malicious code and distributed that code using a legitimate app store.

Stage 2 – Obtaining administrative control. The threat actors exploited…
