North Korea Behind $285M Drift Hack: Six-Month Social Engineering Campaign Revealed

$285 Million Drift Hack: Unveiling North Korea’s Six-Month Social Engineering Operation

On April 1, 2026, the Solana-based decentralized exchange Drift suffered a significant security breach, resulting in the theft of $285 million. Subsequent investigations have revealed that this attack was the culmination of a meticulously orchestrated six-month social engineering campaign attributed to the Democratic People’s Republic of Korea (DPRK).

The Attack’s Genesis

Drift’s analysis indicates that the breach was not a spontaneous act but the result of a prolonged and targeted operation. The exchange has attributed the attack, with medium confidence, to a North Korean state-sponsored hacking group known as UNC4736. This group is also identified by various aliases, including AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces.

UNC4736 has a documented history of targeting the cryptocurrency sector for financial gain since at least 2018. Notable incidents include the X_TRADER/3CX supply chain breach in 2023 and the $53 million hack of the decentralized finance (DeFi) platform Radiant Capital in October 2024.

Drift’s investigation uncovered both on-chain and operational evidence linking the recent attack to UNC4736. On-chain analysis traced fund flows used in the operation back to the Radiant Capital attackers. Operationally, the personas deployed in this campaign exhibited identifiable overlaps with known DPRK-linked activities.

The Social Engineering Tactics

The attack’s success was largely due to an elaborate social engineering strategy that began in the fall of 2025. Individuals posing as representatives of a quantitative trading company approached Drift contributors at major cryptocurrency conferences. These interactions were not random; they were part of a deliberate effort to build rapport with specific Drift contributors over six months.

Drift noted that the individuals who engaged in person were not North Korean nationals. This aligns with DPRK’s known practice of deploying third-party intermediaries for face-to-face relationship-building. The impostors were technically proficient, had verifiable professional backgrounds, and were well-versed in Drift’s operations.

Following initial meetings, a Telegram group was established, leading to months of substantive discussions about trading strategies and potential vault integrations. Such interactions are typical in the industry, making the deception particularly insidious.

The Execution of the Attack

Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift. This process involved filling out a form detailing their strategy and engaging with multiple contributors, asking detailed product questions, and depositing over $1 million of their own funds. This calculated move was designed to establish a functioning operational presence within the Drift ecosystem.

Integration conversations continued through February and March 2026, during which the group shared links to projects, tools, and applications they claimed to be developing. These interactions may have served as the initial infection pathway, as evidenced by the deletion of their Telegram chats and malicious software around the time of the attack.

Two primary attack vectors have been identified:

1. Repository-Based Intrusion: A contributor may have been compromised after cloning a code repository shared by the group as part of efforts to deploy a frontend for their vault.

2. Malicious Application Testing: Another contributor was persuaded to download a wallet product via Apple’s TestFlight to beta test the app.

The repository-based intrusion likely involved a malicious Microsoft Visual Studio Code (VS Code) project that exploited the tasks.json file to automatically execute malicious code upon opening the project in the IDE. This technique has been associated with North Korean threat actors since December 2025, prompting Microsoft to introduce new security controls in VS Code versions 1.109 and 1.110 to prevent unintended execution of tasks when opening a workspace.
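One way to audit a freshly cloned repository for this pattern before opening it in the IDE, as an added example that is not Drift's or Microsoft's code: the script lists every task in `.vscode/tasks.json` whose `runOptions.runOn` is `folderOpen`, the setting that makes VS Code start the task when the workspace is opened. The sample tasks file is constructed and the helper names are hypothetical.

```python
import json
import re
from pathlib import Path

# Hypothetical defensive check (added example): find tasks in a cloned repo's
# .vscode/tasks.json that VS Code would start automatically on folder open.
AUTO_RUN = "folderOpen"

def strip_jsonc(text: str) -> str:
    """tasks.json is JSONC: drop // and /* */ comments and trailing commas."""
    out, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':                      # copy string literals verbatim
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            out.append(text[i:j + 1]); i = j + 1
        elif text.startswith("//", i):
            j = text.find("\n", i); i = n if j < 0 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2); i = n if j < 0 else j + 2
        else:
            out.append(c); i += 1
    return re.sub(r",\s*([\]}])", r"\1", "".join(out))

def auto_run_tasks(tasks_json: str) -> list[dict]:
    """Return label/type/command of tasks configured to run on folder open."""
    doc = json.loads(strip_jsonc(tasks_json))
    return [{"label": t.get("label", "<unnamed>"), "type": t.get("type", "process"),
             "command": t.get("command", "")}
            for t in doc.get("tasks", [])
            if t.get("runOptions", {}).get("runOn") == AUTO_RUN]

def scan_repo(root: Path) -> list[dict]:
    """Walk a cloned repository and collect auto-run tasks from every .vscode/tasks.json."""
    hits = []
    for path in root.rglob("tasks.json"):
        if path.parent.name == ".vscode":
            hits.extend(auto_run_tasks(path.read_text(encoding="utf-8")))
    return hits

SAMPLE_TASKS_JSON = """{
  "version": "2.0.0",  // constructed sample: one benign task, one auto-run task
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", "command": "sh ./scripts/setup.sh", "runOptions": {"runOn": "folderOpen"},},
  ],
}"""
```

Run `scan_repo(Path("path/to/clone"))` on a checkout and review any task it returns before opening the folder in VS Code.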

North Korea’s Evolving Cyber Tactics

The Drift incident underscores the DPRK’s evolving cyber tactics, characterized by a deliberately fragmented malware ecosystem that is mission-driven, operationally resilient, and resistant to attribution efforts. This shift is believed to be a response to law enforcement actions and intelligence disclosures about North Korean hacking campaigns.

Malware development and operations are increasingly compartmentalized, both technically and organizationally, ensuring that exposure in one mission area does not cascade across the entire program. This model maximizes ambiguity by separating tooling, infrastructure, and operational patterns along mission lines, complicating attribution and slowing defender decision-making.

The DPRK’s cyber operations are divided into three primary tracks:

1. Espionage-Oriented Malware: Chiefly associated with Kimsuky, focusing on intelligence gathering.

2. Revenue Generation: Led by the Lazarus Group, targeting financial institutions and cryptocurrency platforms to generate illicit revenue for the regime.

3. Disruptive Operations: Involving ransomware and wiper malware deployments for strategic signaling and showcasing capabilities, associated with Andariel.

The Role of Social Engineering

Social engineering remains a cornerstone of DPRK’s cyber operations. Campaigns like Contagious Interview and IT worker fraud exemplify this approach.

In the Contagious Interview campaign, adversaries approach prospective targets, tricking them into executing malicious code from fake repositories as part of an assessment. Some efforts have used weaponized Node.js projects hosted on GitHub to deploy malware such as DEV#POPPER RAT and OmniStealer.

The IT worker fraud involves North Korean operatives securing remote freelance and full-time roles at Western companies using stolen identities, AI-generated personas, and falsified credentials. Once hired, they generate steady revenue and leverage access to introduce malware and siphon proprietary information. In some cases, the stolen data is used to extort money from businesses.

This state-sponsored program deploys thousands of technically skilled workers in countries like China and Russia, who connect to company-issued laptops hosted at laptop farms in the U.S. and elsewhere. The scheme relies on a network of facilitators to receive work laptops, manage payroll, and handle logistics, often recruited through shell companies.

The process begins with recruiters identifying and screening potential candidates. Once accepted, IT workers undergo onboarding, where facilitators assign identities and profiles and guide them through resume updates, interview preparation, and initial job applications. The threat actors work with these collaborators to complete hiring requirements for full-time opportunities where strict identity verification policies are enforced.

Cryptocurrency plays a central role in funneling the wages generated by these IT worker schemes back to North Korea while evading international sanctions.

The cycle is constant and unending. North Korean IT workers understand that, sooner or later, they will either quit or be dismissed from any given role. As a result, they continually shift between jobs, identities, and accounts, never remaining in one position or using a single persona for very long.

Recent evidence has revealed the campaign’s efforts to recruit individuals from Iran, Syria, Lebanon, and Saudi Arabia, with at least two Iranians receiving formal offer letters from U.S. employers. There have been more than 10 instances of Iranian nationals being recruited by the regime.

Facilitators have also used LinkedIn to hire individuals from Iran, Ireland, and India, who are then coached to land jobs. These individuals, called callers or interviewers, impersonate the fabricated Western personas during interviews. When a caller fails an interview, the facilitator reviews the recording and provides feedback.

North Koreans are deliberately targeting U.S. defense contractors, cryptocurrency exchanges, and financial institutions. While the primary motivations appear to be financial, the deliberate targeting indicates that there may be other objectives at play as well.

The DPRK is not simply deploying its own nationals under false identities. It is building a multinational recruitment pipeline, drawing skilled developers from Iran, Syria, Lebanon, and Saudi Arabia into an infrastructure designed to infiltrate U.S. defense contractors, cryptocurrency exchanges, financial institutions, and enterprises of every size. The recruits are real software engineers, paid in cryptocurrency, coached through interviews, and slotted into fabricated Western personas.