Preliminary investigation of the Drift hack shows that team members were approached by a North Korean intermediary during a meeting
Drift Protocol posted on X that its preliminary investigation into the April 1, 2026 attack shows the operation was orchestrated by UNC4736 (also known as AppleJeus or Citrine Sleet), a hacker group backed by the North Korean government. For six months, starting in the fall of 2025, the group interacted face-to-face with Drift contributors by sending intermediaries to cryptocurrency conferences and setting up fake quantitative trading companies, and induced the contributors to download malicious code repositories or applications. Drift has frozen all protocol functions and removed the compromised wallets from its multi-signature setup. Mandiant has been invited to take part in a deep forensic investigation. The investigation confirms that the on-chain fund flows used to test the operation can be traced back to the attackers behind the October 2024 Radiant Capital incident.








