TechFlow News: On April 5, Drift Protocol announced on X that its preliminary investigation into the April 1, 2026 attack revealed the operation was orchestrated by UNC4736—a North Korea–backed hacking group also known as AppleJeus or Citrine Sleet. Since autumn 2025, the group has engaged Drift contributors in face-to-face interactions over a six-month period, sending intermediaries to attend cryptocurrency conferences and establishing fake quantitative trading firms, with the aim of inducing them to download malicious code repositories or applications.
Drift has now frozen all protocol functionality and removed compromised wallets from its multisig. Mandiant has been invited to conduct an in-depth forensic investigation. The investigation confirmed that on-chain funds used to test this operation trace back to the attackers behind the October 2024 Radiant Capital breach.




