Six Month DPRK Social Engineering Led to $285M Drift DeFi Heist

Drift says the April 1 theft of $285 million was no smash-and-grab. It was the endgame of months of careful deception. The Solana-based exchange described it as “an attack six months in the making,” and attributed it with medium confidence to a North Korean state-backed group tracked as UNC4736.

What researchers say

Drift said the threat actor is known by many names. Security firms track it as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces. Drift linked on-chain fund flows and operational overlaps to previous incidents, including the October 2024 Radiant Capital breach. “The basis for this connection is both on-chain and operational,” Drift said.

CrowdStrike added context about the actor family. In a January assessment, CrowdStrike said Golden Chollima appears tailored to cryptocurrency theft and targets small fintech firms across the U.S., Canada, South Korea, India, and Western Europe. “The adversary typically conducts smaller-value thefts at a more consistent operational tempo,” CrowdStrike said. That steady revenue generation is, the firm wrote, a funding mechanism for DPRK programs.

How the operation worked

Drift laid out a patient playbook. The campaign began in fall 2025, Drift said. People posing as a quantitative trading firm met Drift contributors at major crypto conferences. They built rapport in person. A Telegram group followed. The interactions looked normal at first. They discussed trading strategies and vault integrations. They asked detailed product questions. They deposited more than $1 million into an Ecosystem Vault to create operational cover.

“The individuals who appeared in person were not North Korean nationals,” Drift said. It added that DPRK actors often use third-party intermediaries for face-to-face work. “The profiles used in this third-party targeted operation had fully constructed identities including employment histories, public-facing credentials, and professional networks,” Drift said.

Technical attack vectors

Investigators point to two likely technical entry points. One vector involved a shared code repository. A contributor cloned the repo to deploy a frontend and may have triggered malicious code embedded in the project. The malicious component weaponized Visual Studio Code automation by abusing a tasks.json setting. The repository used the runOn: folderOpen option to execute code automatically when the workspace opened. Security advisories and researchers noted Microsoft added controls in VS Code versions 1.109 and 1.110 to limit unintended task execution.
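The tasks.json mechanism described above is worth seeing concretely from the defender's side. The following script is an added example written for this article; it is not code from Drift, from the repository involved in the incident, or from Microsoft. It parses a constructed .vscode/tasks.json (VS Code's JSON-with-comments dialect) and flags any task whose runOptions.runOn is set to folderOpen, so a team can check a freshly cloned repository before opening it in an editor. The sample file contents, the function names, and the temporary-directory walk are all assumptions made for the example.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# Constructed sample of a .vscode/tasks.json that auto-runs a command when the
# folder is opened in VS Code. Illustrative only; not the file from any real repository.
SAMPLE_TASKS_JSON = r'''{
    // VS Code accepts comments and trailing commas in tasks.json (JSONC)
    "version": "2.0.0",
    "tasks": [
        {
            "label": "install deps",
            "type": "shell",
            "command": "npm install",
            "runOptions": { "runOn": "folderOpen" },
        },
        {
            "label": "build",
            "type": "shell",
            "command": "npm run build"
        }
    ]
}'''


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments and trailing commas while respecting string literals,
    so that json.loads accepts the JSONC dialect VS Code uses for tasks.json."""
    out = []
    i, n = 0, len(text)
    in_str = False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped characters verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):       # line comment: skip to end of line
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):       # block comment: skip to closing */
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    cleaned = "".join(out)
    # Drop trailing commas before a closing brace/bracket (simple regex; a production
    # tool should use a real JSONC parser so commas inside strings are never touched).
    return re.sub(r",(\s*[}\]])", r"\1", cleaned)


def find_auto_run_tasks(tasks_json_text: str) -> list:
    """Return the tasks that VS Code would start automatically on folder open."""
    data = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            findings.append({
                "label": task.get("label", "<unnamed>"),
                "type": task.get("type"),
                "command": task.get("command"),
            })
    return findings


def scan_repo(repo_root: str) -> list:
    """Walk a cloned repository and report every .vscode/tasks.json with folderOpen tasks."""
    report = []
    for path in Path(repo_root).rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        try:
            hits = find_auto_run_tasks(path.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, OSError) as exc:
            report.append({"file": str(path), "error": str(exc)})
            continue
        for hit in hits:
            report.append({"file": str(path), **hit})
    return report


def demo() -> list:
    """Write the constructed sample into a throwaway repo layout and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        vscode_dir = os.path.join(tmp, "cloned-repo", ".vscode")
        os.makedirs(vscode_dir)
        with open(os.path.join(vscode_dir, "tasks.json"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_TASKS_JSON)
        return scan_repo(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against the root of any checkout before opening the folder in an editor; a non-empty report means a task is configured to run as soon as the workspace opens, which is the behaviour the article describes. The check complements, rather than replaces, the editor-side controls the article mentions: even with those in place, reviewing .vscode contents in a counterparty's repository is a cheap habit.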

The second vector involved a TestFlight wallet. One contributor was persuaded to beta test a wallet app served via Apple TestFlight. The app was later removed and Telegram chats were deleted around the time of the attack, Drift said. Full forensic analysis of affected hardware remains underway.

Broader DPRK operations and fragmentation

DomainTools Investigations said DPRK cyber operations have evolved into a “deliberately fragmented” malware ecosystem. DTI said malware development and operations are compartmentalized to limit exposure and frustrate attribution. The report links different tracks to distinct goals. Kimsuky focuses on espionage, Lazarus on illicit revenue and sanctions evasion, and Andariel on disruptive ransomware and wipers, DTI said.

Social engineering remains central. Researchers warn of campaigns such as Contagious Interview and IT worker fraud. Flare and IBM X-Force described a cycle of hired identities and shifting personas used to maintain revenue streams. “The cycle is constant and unending. North Korean IT workers understand that, sooner or later, they will either quit or be dismissed from any given role,” Flare and IBM X-Force said.

Industry response and next steps

Drift froze remaining protocol functions and engaged law enforcement and forensic partners. Attacker wallets have been flagged with exchanges and bridge operators. Drift thanked outside researchers who helped identify malicious actors and encouraged other teams to review custody, access controls, and dependencies.

Security researcher Armaniferrante urged a full audit. “You can’t grow if you’re hacked,” he wrote on X. Drift also asked any team that may have been targeted by the same group to contact SEAL911.

This incident underlines a clear lesson. Sophisticated social engineering can be as dangerous as any exploit. Teams must vet counterparties closely. They must treat face-to-face rapport as one part of risk assessment, not proof of trust.

#DriftHack #DPRKCyber #DeFiSecurity #SocialEngineering #UNC4736 #CryptocurrencySecurity