BlockThreat - Week 14, 2026

DPRK plays the long game, multiple supply chain attacks, DNS hijackings, DeFi hacker arrested, money printing vulnerabilities patched

This week’s losses reached $290M across 14 incidents, with DPRK activity once again forcing defenders to rethink our threat models and confront just how dangerous our adversaries have become.

The Drift Protocol hack alone, at roughly $285M, exceeded the losses from the entire first quarter. This was not a quick smash-and-grab. It was a sophisticated social engineering campaign that unfolded over six months and involved fake identities, in-person contact, a $1M investment to build credibility, and legitimate code contributions. Once enough trust had been established, the attackers went straight for the jugular: the project’s multisig. One signer was compromised through a malicious cloned repository, while another installed a fake mobile wallet app through TestFlight. After securing the 2/5 quorum, the attackers drained the protocol and laundered the funds with almost mechanical efficiency.

If that sounds familiar, it is because we have seen versions of this before with Radiant Capital, Bybit, and other victims of a regime hell-bent on extracting money from our industry. The North Korean group behind this operation is known by several names, including UNC4736, AppleJeus, and Citrine Sleet. I talked about this group's tactics and capabilities in my talk The State of DeFi Security.

We previously got a glimpse of this long game with the Nick L. Franklin operation that was unraveled precisely one year ago. But the Drift compromise pushed that tradecraft to a new level. Meeting targets in person at conferences, building rapport over months, contributing legitimate assets and code, and carefully positioning malware only after trust is established is the kind of operation one would expect against a nation-state target, not a DeFi project. Even the timing was perfect. The attack landed on April 1, when defenders were primed to dismiss hack reports as pranks and many were distracted by the EthCC conference.

And yet this is the reality now. Our threat models need to catch up.

The immediate step is to return to fundamentals and ask what technical controls could have made this attack harder to execute:

  • A 2/5 multisig is not sufficient protection for a system facing existential risk.
  • No timelock, and no separate guardian or emergency controls outside the same multisig, left little chance for a last-ditch recovery.
  • Developers keeping signer access on daily-use machines was a deadly mistake.
  • Incident responders also appear to have wasted valuable time negotiating with attackers, fundamentally misunderstanding who they were dealing with.

To appreciate the scale of the adversary facing this industry, consider that while one team was executing the Drift hack, another group of operators was busy with a broad supply chain campaign targeting individual developers. The Axios supply chain attack last week followed the same pattern: a patient attacker building trust over time before convincing a developer to install malware through a backdoored cloned repository (more details in the news section). We know of at least one victim who lost $2.1M, and there are likely more.

The specific lessons and security controls drawn from these incidents (such as SEAL's excellent multisig framework) will change as attack paths evolve. But the larger principle is becoming unavoidable:

💡 Security programs must be anti-fragile

They must be built to survive the compromise of multiple developers, parts of the codebase, and even some signing infrastructure without leading to catastrophic loss. If the compromise of one or two components can end your protocol, then your defenses are not built for the type of adversaries that we face in this industry.
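To make the list of controls above and the anti-fragility principle concrete, here is an added toy model (not code from this newsletter, from Drift, or from SEAL's framework) that scores an admin-action control set against an assumed compromise scenario. The multisig sizes, thresholds, timelock delay and detection times are constructed assumptions, not figures from the incident.

```python
from dataclasses import dataclass

# Toy model of the controls discussed above. All numbers are constructed
# assumptions, not figures from the Drift incident or any real deployment.

@dataclass(frozen=True)
class Controls:
    signers: int          # multisig size (n)
    threshold: int        # signatures needed to act (m of n)
    timelock_hours: int   # delay between queueing and executing an action; 0 = none
    guardian: bool        # independent veto role whose keys sit outside the multisig

@dataclass(frozen=True)
class Compromise:
    signers: int               # multisig signers the attacker controls
    guardian: bool = False     # whether the guardian keys are compromised too
    detection_hours: int = 24  # hours before defenders notice the queued action

def outcome(c: Controls, k: Compromise) -> str:
    """Describe what happens when the attacker tries to drain the protocol."""
    if k.signers < c.threshold:
        return "blocked: quorum not reached"
    if c.timelock_hours == 0:
        return "drained: quorum executes immediately"
    if k.detection_hours >= c.timelock_hours:
        return "drained: timelock expired before anyone noticed"
    if c.guardian and not k.guardian:
        return "vetoed: guardian cancelled the queued action"
    return "drained: noticed in time, but nothing outside the multisig could cancel"

def components_to_drain(c: Controls) -> int:
    """Independent components an attacker must compromise to drain funds,
    assuming defenders notice a queued action before the timelock expires."""
    # The guardian only helps if a timelock gives it a window in which to act.
    return c.threshold + (1 if c.timelock_hours > 0 and c.guardian else 0)

# Constructed configurations: a bare 2/5 multisig versus a layered setup.
BARE_2_OF_5 = Controls(signers=5, threshold=2, timelock_hours=0, guardian=False)
LAYERED = Controls(signers=5, threshold=4, timelock_hours=48, guardian=True)

if __name__ == "__main__":
    for name, cfg in (("bare 2/5", BARE_2_OF_5), ("layered", LAYERED)):
        print(f"{name}: {components_to_drain(cfg)} components to drain")
        for hit in (Compromise(signers=2), Compromise(signers=4),
                    Compromise(signers=4, guardian=True)):
            print(f"  {hit}: {outcome(cfg, hit)}")
```

The model deliberately treats the guardian as useless without a timelock and a timelock as useless without monitoring that notices the queued action in time, which is the combination the bullet list above says was missing.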

This is another Bybit-like moment that should force the ecosystem to level up.

Beyond extensive coverage of those two incidents, this week’s edition also looks at a wave of DNS hijackings and what teams should do immediately, the latest on quantum risk, other notable supply chain attacks, a horrifying wrench attack in San Francisco, standout security talks from recent conferences, the latest arrests of DeFi hackers and scammers, and, as always, a deep stack of research papers on bug hunting, writeups for the other 12 incidents from last week, and tools to help protect yourself before the next major hack.

Let’s dive into the news.