Lazarus Hack — Drift Protocol Incident, $285M, April 5, 2026

Hello,

On April 1, 2026, Drift Protocol suffered an exploit of approximately $285 million. However, this attack did not begin that day. The preliminary investigation revealed that this was a structured intelligence operation requiring institutional backing, significant resources, and months of deliberate preparation.

In the fall of 2025, a group of individuals approached the Drift team at a major crypto conference. They introduced themselves as a quantitative trading firm looking to integrate with the protocol. They were technically highly proficient, had verifiable professional backgrounds, and demonstrated deep familiarity with how Drift operated. At the first meeting, a Telegram group was created, and months of extensive technical discussions began.

Over the following six months, these individuals met face-to-face with Drift team members repeatedly at major industry conferences across multiple countries. This was not a random internet scam; it was a targeted, patient, and professionally executed relationship-building process.

Between December 2025 and January 2026, this group created an Ecosystem Vault on Drift. They deposited their own funds into the Vault and conducted real trading activity. The purpose was clear: to concretely convey the message "We are serious, we are putting our money in." This move significantly increased their credibility in the eyes of the team.

This is where the most technically critical part of the case begins. After the trust relationship had sufficiently matured, the attackers began sharing code with Drift developers under the guise of "collaboration" and "integration testing." In reality, the shared projects exploited a security vulnerability in popular code editors such as Visual Studio Code and Cursor.

The vulnerability worked as follows: VSCode has a security layer called "Workspace Trust." This feature aims to prevent automatic code execution when working with code from unknown sources. However, the vector exploited by the attackers was triggered through the project's .vscode/tasks.json and .vscode/settings.json files. When a developer opened the project, or even just dragged the folder into the editor, the tasks and settings defined in these files were applied automatically, silently executing the malicious code in the background. The user received no warning whatsoever.

The Cursor editor was also vulnerable to the same flaw since it is built on VSCode. The attackers deliberately targeted this, as Cursor's adoption rate among crypto developers had been rapidly increasing.

The deployed malware silently installed itself on the developers' devices, gaining access to private keys, wallet credentials, and multisig signing processes.

By the time the exploit was triggered on April 1, the attackers' Telegram conversations and malware had already been completely wiped. Through the compromised devices, they obtained access to Drift's smart contracts that the protocol treated as authorized, and drained the funds. They withdrew without leaving a trace.

Supported by the SEAL 911 team's investigation, it is assessed with moderate-to-high confidence that this operation was carried out by the North Korean state-linked group UNC4736 (Lazarus/AppleJeus/Citrine Sleet). This attribution is based on two key pieces of evidence: on-chain evidence (fund flows traced back to the 2024 Radiant Capital attackers) and operational evidence (the fake identities used overlapping with known DPRK activities).

A notable detail: the individuals who appeared face-to-face at conferences were not North Korean nationals. The Lazarus group is a known threat actor that uses third-party proxies to establish in-person relationships in operations of this caliber. The investigation revealed that the fake profiles used, including employment histories, publicly available identity information, and professional networks, were entirely fabricated identities meticulously constructed over months.

This case is not a classic "hack." No smart contract vulnerability was discovered and exploited, and no brute-force attack was carried out. The attackers patiently built trust over six months, deposited real money, attended conferences, and ultimately achieved their objective by leveraging a security vulnerability in developer tools.

This incident once again proves that the weakest link in cybersecurity is always the human factor. The protocol has currently frozen all of its functions, the investigation is being conducted by Mandiant, and the attacker wallets have been flagged across exchanges.