North Korean Hackers Steal $285 Million from Drift in Months-Long Social Engineering Attack
On April 1, 2026, decentralized exchange (DEX) Drift suffered a $285 million theft, the result of a six-month-long social engineering operation orchestrated by North Korea’s state-sponsored hacking group UNC4736 (also known as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces). The attack, which began in fall 2025, was meticulously planned, leveraging third-party intermediaries to build trust with Drift contributors before executing the breach.
The Attack: A Structured Intelligence Operation
UNC4736, active since at least 2018, has a history of targeting cryptocurrency platforms, including the 2023 X_TRADER/3CX supply chain breach and the $53 million Radiant Capital hack in October 2024. The Drift attack followed a similar playbook:
- Initial Contact (Fall 2025) – Operatives posing as a quantitative trading firm approached Drift contributors at major crypto conferences worldwide, establishing rapport over months.
- Onboarding & Trust-Building (Dec 2025–Mar 2026) – The group deposited over $1 million into Drift’s ecosystem, engaging in detailed technical discussions to appear legitimate.
- Compromise (Early 2026) – Two likely infection vectors were identified:
  - A malicious VS Code repository shared under the guise of a vault frontend, exploiting the "tasks.json" file to execute code upon opening.
  - A weaponized wallet app distributed via Apple’s TestFlight, tricking a contributor into downloading it.
By the time of the attack, Telegram chats and malware were deleted, obscuring the exact intrusion method.
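As an added defensive example (not code from the article, from Drift, or from the investigators it cites), the script below parses a repository's .vscode/tasks.json and flags any task configured with runOptions.runOn = "folderOpen", the VS Code setting that launches a task automatically when the folder is opened in a trusted workspace. The article does not name which tasks.json field was abused, so the sample file, its task labels and its command are constructed.

```python
import json
import re

# Constructed sample .vscode/tasks.json, not the file from the Drift incident.
# The second task is launched by VS Code as soon as the folder is opened in a
# trusted workspace, with its terminal hidden, which is exactly what a reviewer
# should notice before opening an unfamiliar repository.
SAMPLE_TASKS_JSON = r'''{
    // Build the vault frontend
    "version": "2.0.0",
    "tasks": [
        {
            "label": "build-frontend",
            "type": "shell",
            "command": "npm",
            "args": ["run", "build"]
        },
        {
            "label": "prepare-env",
            "type": "shell",
            "command": "node",
            "args": ["scripts/setup.js"],
            "presentation": {"reveal": "never"},
            "runOptions": {"runOn": "folderOpen"}
        }
    ]
}'''

# tasks.json is JSONC (comments and trailing commas allowed); this cleanup is
# deliberately simple and would mangle a "//" inside a string literal.
_COMMENT_RE = re.compile(r'//[^\n]*|/\*.*?\*/', re.DOTALL)
_TRAILING_COMMA_RE = re.compile(r',(\s*[}\]])')

def load_jsonc(text: str) -> dict:
    """Parse VS Code's JSON-with-comments flavour of tasks.json."""
    return json.loads(_TRAILING_COMMA_RE.sub(r'\1', _COMMENT_RE.sub('', text)))

def find_autorun_tasks(tasks_json: str) -> list:
    """Return every task VS Code would launch automatically on folder open."""
    findings = []
    for task in load_jsonc(tasks_json).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        findings.append({
            "label": task.get("label"),
            "command": " ".join(parts).strip(),
            # reveal: never keeps the task's terminal out of sight
            "hidden_terminal": (task.get("presentation") or {}).get("reveal") == "never",
        })
    return findings
```

Running this over a repository before opening it in the editor surfaces auto-run tasks that a quick look at the file tree would miss; VS Code's Workspace Trust (Restricted Mode) also blocks folderOpen tasks in folders that have not been explicitly trusted.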
North Korea’s Cyber Operations: A Fragmented, Resilient Threat
The Drift breach underscores North Korea’s evolving cyber strategy, which has shifted toward compartmentalized, mission-driven operations to evade attribution. According to DomainTools Investigations (DTI), the regime’s malware ecosystem is now divided into three key tracks:
- Espionage (Kimsuky) – Focused on intelligence gathering.
- Financial Theft (Lazarus Group) – Primary revenue source for sanctions evasion.
- Disruptive Attacks (Andariel) – Ransomware and wiper malware for strategic signaling.
This fragmented approach ensures that exposure in one operation does not compromise others, complicating defense efforts.
Social Engineering & IT Worker Fraud: The Human Factor
UNC4736’s success relied heavily on deception, including:
- Contagious Interview – A long-running campaign where targets are tricked into executing malicious code from fake repositories (e.g., DEV#POPPER RAT, OmniStealer).
- IT Worker Fraud – North Korean operatives infiltrate Western companies using stolen identities, AI-generated personas, and falsified credentials, often through third-party recruiters in China and Russia. Once hired, they siphon funds, deploy malware, and exfiltrate data.
Recent investigations by Flare and IBM X-Force reveal the scheme’s global expansion, with Iranian, Syrian, Lebanese, and Saudi nationals now being recruited. Facilitators use LinkedIn to hire "callers": individuals trained to impersonate Western personas during interviews. The regime’s primary targets include U.S. defense contractors, crypto exchanges, and financial institutions, suggesting both financial and strategic motives.
Cryptocurrency: The Lifeline for North Korea’s Regime
Chainalysis reports that cryptocurrency remains central to North Korea’s revenue streams, with IT worker schemes funneling wages back to Pyongyang while bypassing sanctions. The Drift hack alone demonstrates the scale and sophistication of these operations, reinforcing North Korea’s position as a top-tier cyber threat.
Source: https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html
Drift, a Salesloft company cybersecurity rating report: https://www.rankiteo.com/company/drift
{
  "id": "DRI1775442259",
  "linkid": "drift",
  "type": "Cyber Attack",
  "date": "4/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {"industry": "Cryptocurrency/FinTech", "name": "Drift", "type": "Decentralized Exchange (DEX)"}
  ],
  "attack_vector": ["Social Engineering", "Malicious VS Code Repository", "Weaponized Wallet App (Apple TestFlight)"],
  "date_detected": "2026-04-01",
  "description": "On April 1, 2026, decentralized exchange (DEX) Drift suffered a $285 million theft, the result of a six-month-long social engineering operation orchestrated by North Korea’s state-sponsored hacking group UNC4736 (also known as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces). The attack began in fall 2025 and involved third-party intermediaries building trust with Drift contributors before executing the breach.",
  "impact": {
    "brand_reputation_impact": "Severe",
    "financial_loss": "$285 million",
    "operational_impact": "Significant financial theft and reputational damage",
    "revenue_loss": "$285 million",
    "systems_affected": ["Drift DEX platform"]
  },
  "initial_access_broker": {
    "entry_point": ["Malicious VS Code repository", "Weaponized wallet app (Apple TestFlight)"],
    "high_value_targets": "Drift contributors and platform infrastructure",
    "reconnaissance_period": "Fall 2025 - March 2026"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "The attack highlights the sophistication of North Korea’s cyber operations, including compartmentalized threat groups, reliance on social engineering, and the use of third-party intermediaries to build trust before executing breaches. The incident underscores the need for enhanced vetting of external collaborators and stricter controls over development tools and third-party applications.",
  "motivation": ["Financial Gain", "Sanctions Evasion"],
  "post_incident_analysis": {
    "root_causes": [
      "Prolonged social engineering campaign to build trust with Drift contributors",
      "Exploitation of development tools (VS Code) and third-party testing platforms (Apple TestFlight)",
      "Lack of stringent vetting for external collaborators"
    ]
  },
  "recommendations": [
    "Implement stricter vetting processes for third-party collaborators and contributors.",
    "Enforce code repository and development tool security policies to prevent malicious file execution.",
    "Monitor and restrict the use of third-party testing platforms (e.g., Apple TestFlight) for sensitive applications.",
    "Enhance employee training on social engineering tactics and IT worker fraud schemes.",
    "Adopt multi-factor authentication and behavioral analytics to detect anomalous access patterns."
  ],
  "references": [
    {"source": "DomainTools Investigations (DTI)"},
    {"source": "Chainalysis"},
    {"source": "Flare and IBM X-Force"}
  ],
  "threat_actor": "UNC4736 (AppleJeus, Citrine Sleet, Golden Chollima, Gleaming Pisces)",
  "title": "North Korean Hackers Steal $285 Million from Drift in Months-Long Social Engineering Attack",
  "type": "Financial Theft",
  "vulnerability_exploited": ["tasks.json file execution", "Malicious TestFlight app"]
}