North Korean state-sponsored hackers spent six months building trust with Drift contributors before stealing $285 million through sophisticated social engineering and malware deployment.
North Korean hackers have stolen $285 million from the Solana-based decentralized exchange Drift in a meticulously planned social engineering operation that spanned six months, according to a detailed investigation by the exchange.
Six Months of Trust-Building Before the Attack
The attack, which occurred on April 1, 2026, was the culmination of a sophisticated campaign that began in fall 2025. The Democratic People's Republic of Korea (DPRK) threat actor, identified with medium confidence as UNC4736 (also tracked as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces), approached Drift contributors at major cryptocurrency conferences under the guise of a quantitative trading company.
"The individuals who appeared in person were not North Korean nationals," Drift explained. "DPRK threat actors operating at this level are known to deploy third-party intermediaries to conduct face-to-face relationship-building."
These intermediaries were technically fluent, had verifiable professional backgrounds, and were familiar with how Drift operated. The attackers established a Telegram group and engaged in months of substantive conversations about trading strategies and potential vault integrations.
The Attack Vector: From Trust to Compromise
The hackers' strategy involved multiple sophisticated steps:
- Building Operational Presence: Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift, depositing over $1 million of their own funds to establish credibility
- Technical Engagement: They engaged with multiple contributors, asking detailed product questions and sharing links for projects, tools, and applications they claimed to be developing
- Malware Deployment: The attack likely involved two primary vectors:
  - A contributor compromised after cloning a malicious Microsoft Visual Studio Code project
  - Another persuaded to download a wallet product via Apple's TestFlight
The VS Code attack weaponized the project's tasks.json file so that malicious code executed automatically as soon as the project was opened in the editor, a technique North Korean threat actors have used since December 2025.
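The auto-run behaviour described above is a standard VS Code feature: a task whose runOptions.runOn is set to "folderOpen" starts when the workspace is opened in a trusted window, and a presentation.reveal of "silent" or "never" keeps its terminal out of sight. The following scanner is an added example written for this article, not code from Drift or from the investigation; it reads a cloned repository's .vscode/tasks.json (VS Code accepts comments and trailing commas in that file, so the parser strips them first) and reports every task that would run on folder open, together with the command it would execute and whether its output is hidden. The embedded tasks.json is a constructed sample, not the file used in the attack.

```python
"""Flag VS Code tasks configured to run automatically on folder open.

Added example (not from the Drift report): scan a cloned project's
.vscode/tasks.json before opening it in a trusted window.
"""
import json
import re
import sys
from pathlib import Path

# One token at a time: a JSON string (kept verbatim so that // or a comma
# inside a string is never touched), a // or /* */ comment (dropped), or a
# trailing comma directly before ] or } (dropped).
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|,(?=\s*[\]}])', re.S)


def strip_jsonc(text: str) -> str:
    """Turn VS Code's JSON-with-comments into strict JSON.

    Repeats until stable: removing a comment can expose a trailing comma
    that only becomes visible once the comment between it and } is gone.
    """
    while True:
        cleaned = _TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)
        if cleaned == text:
            return cleaned
        text = cleaned


def find_autorun_tasks(tasks_json: str) -> list[dict]:
    """Return every task with runOptions.runOn == "folderOpen".

    Each finding records the task label and type, the command line it would
    run (command plus args) and whether the terminal is hidden via
    presentation.reveal == "silent" or "never".
    """
    data = json.loads(strip_jsonc(tasks_json))
    findings = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        args = task.get("args") or []
        reveal = (task.get("presentation") or {}).get("reveal", "always")
        findings.append({
            "label": task.get("label", "<unlabelled>"),
            "type": task.get("type", "<unspecified>"),
            "command": " ".join([str(task.get("command", "")), *map(str, args)]).strip(),
            "hidden": reveal in ("silent", "never"),
        })
    return findings


def scan_repo(root: str) -> list[dict]:
    """Scan <root>/.vscode/tasks.json; a repository without one yields []."""
    path = Path(root) / ".vscode" / "tasks.json"
    if not path.is_file():
        return []
    return find_autorun_tasks(path.read_text(encoding="utf-8"))


# Constructed sample for demonstration; not the tasks.json from the incident.
SAMPLE_TASKS_JSON = r'''{
  // constructed sample, not the file from the incident
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
    },
    {
      "label": "Restore dependencies",
      "type": "shell",
      "command": "sh",
      "args": ["-c", "echo placeholder-command"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }, /* keep the terminal out of view */
    },
  ]
}'''


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    results = scan_repo(target) if Path(target).is_dir() else find_autorun_tasks(SAMPLE_TASKS_JSON)
    for f in results:
        flag = "HIDDEN " if f["hidden"] else ""
        print(f"{flag}auto-run task {f['label']!r} ({f['type']}): {f['command']}")
    print("no auto-run tasks found" if not results else f"{len(results)} auto-run task(s) found")
```

Run it against the repository root before opening the project (`python scan_tasks.py /path/to/clone`); with no argument and no .vscode directory in the current folder it scans the constructed sample instead. It complements, rather than replaces, VS Code's Workspace Trust: a folder kept in Restricted Mode does not run tasks at all, so the scan is most useful at the moment someone is about to click "Trust" on code received from an outside party.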
North Korea's Evolving Cyber Strategy
This attack highlights the DPRK's evolving approach to cybercrime, which cybersecurity firm DomainTools Investigations describes as a "deliberately fragmented" malware ecosystem designed to maximize operational resilience and complicate attribution efforts.
According to DomainTools, North Korea's cyber apparatus has evolved into three distinct tracks:
- Espionage-oriented malware primarily associated with Kimsuky
- Financial theft operations led by Lazarus Group for sanctions evasion
- Disruptive operations involving ransomware and wiper malware associated with Andariel
The Broader Context: Contagious Interview and IT Worker Fraud
The Drift attack is part of a larger pattern of North Korean social engineering campaigns. The "Contagious Interview" campaign, active since December 2025, involves approaching targets with fake repositories as part of assessment processes, deploying JavaScript backdoors and information stealers.
Additionally, North Korea operates extensive "IT worker fraud" schemes, deploying thousands of technically skilled workers based in countries such as China and Russia to land remote positions at Western companies. These workers use stolen identities, AI-generated personas, and falsified credentials to generate revenue and introduce malware.
"North Koreans are deliberately targeting U.S. defense contractors, cryptocurrency exchanges, and financial institutions," security researchers noted. "While the primary motivations appear to be financial, the deliberate targeting evidenced from their documents indicates that there may be other objectives at play as well."
Attribution and Historical Context
The UNC4736 group has a documented history of cryptocurrency theft since at least 2018, including the X_TRADER/3CX supply chain breach in 2023 and the $53 million hack of DeFi platform Radiant Capital in October 2024. The connection to the Drift attack is based on both on-chain fund flows and operational overlaps with known DPRK-linked activity.
CrowdStrike's January 2026 assessment described Golden Chollima as an offshoot of Labyrinth Chollima, primarily targeting small fintech firms in the U.S., Canada, South Korea, India, and Western Europe. The group conducts smaller-value thefts at consistent operational tempo, suggesting responsibility for ensuring baseline revenue generation for the DPRK regime.
Implications for the Cryptocurrency Industry
This attack demonstrates the evolving sophistication of state-sponsored cybercrime and the particular vulnerability of the cryptocurrency sector to long-term social engineering operations. The six-month timeline shows that attackers are willing to invest significant time and resources in building trust before executing high-value heists.
For cryptocurrency exchanges and DeFi protocols, this incident underscores the importance of rigorous security practices, including:
- Careful vetting of third-party integrations
- Enhanced scrutiny of code repositories shared by external partners
- Regular security training for team members
- Implementation of multi-factor authentication and other security controls
The Drift hack serves as a stark reminder that in the world of cryptocurrency, the human element remains one of the most critical attack vectors, and state-sponsored actors are increasingly willing to play the long game to achieve their objectives.