Nation-state | Apr 6, 2026

North Korean Hackers Pose as Trading Firm to Steal $285M from Drift

North Korean hackers (UNC4736) stole $285M from Drift Protocol after six-month social engineering campaign.

Summary

UNC4736, a North Korean state-linked hacking group, infiltrated Drift Protocol over six months by posing as a legitimate quantitative trading firm, building trust through in-person meetings and depositing $1M into ecosystem vaults. The attackers used social engineering to compromise developer devices via malicious TestFlight apps, poisoned code repositories, and VSCode/Cursor vulnerabilities, eventually stealing $285M on April 1, 2026 via a durable nonce attack. The attack demonstrates sophisticated operational security and highlights the growing threat of North Korean hackers targeting the crypto and blockchain sectors.

Full text

North Korean hackers (UNC4736) posed as a trading firm for six months to infiltrate Drift Protocol, using social engineering to steal $285M without raising suspicion.

by Deeba Ahmed, April 6, 2026, 3 minute read

Drift Protocol reveals that a North Korean state-linked group spent six months posing as a trading firm to execute a $285 million hack. Read how the attackers managed to compromise the protocol without raising suspicion.

When Drift Protocol was drained of $285 million (approximately £225 million) on 1 April 2026, many assumed it was a sudden technical glitch. However, new details from the firm show the attack was a meticulously planned operation that began with a simple handshake around six months earlier.

Building a Six-Month Fake Friendship

According to Drift's investigation, preparation for the breach began in late 2025, when a group of individuals approached Drift staff at a "major crypto conference", presenting themselves as a professional "quantitative trading firm" looking to work together. These were not anonymous hackers hiding behind screens; they met Drift team members face-to-face at conferences in several countries. To build trust, the group went so far as to deposit $1 million of their own money into a Drift Ecosystem Vault between December 2025 and January 2026. This level of effort is rare, but it allowed the attackers to be seen as legitimate business partners rather than a threat.

The Infiltration Methods

While maintaining this professional relationship, the group quietly used social engineering to trick staff into compromising their own security.
According to Drift's official update on X, the hackers most likely gained access through three attack vectors:

First, one staff member was persuaded to download a mobile app via TestFlight (Apple's platform for distributing pre-release software) under the impression it was a new digital wallet product.

Second, a contributor was induced to clone a malicious code repository presented as a tool for building a website for the group's vault.

Third, the hackers exploited a known vulnerability in VSCode and Cursor, the editors many developers use to write code. Between late 2025 and early 2026, simply opening a folder supplied by the group was enough to let the attackers silently execute arbitrary code and take over the machine without any warning or prompt.

After compromising these devices, the attackers gathered the multisig approvals needed to control the protocol. On April 1st, they used a durable nonce attack, in which transactions pre-signed against a nonce account remain valid until they are submitted, to bypass the remaining protections and empty the vaults in under a minute.

The Link to North Korea

While the individuals met in person were likely third-party intermediaries, security experts at Mandiant and the SEALS 911 team have linked the attack to the North Korean hacking group UNC4736 (aka AppleJeus or Citrine Sleet). According to their research, the funds used to stage this operation were traced back to the October 2024 hack of Radiant Capital. Drift has since frozen all protocol functions and removed the compromised wallets from the system. The team thanked @tayvano_, @tanuki42_, @pcaversaccio and @bax1337 for their help in identifying the attackers. This incident is striking because it shows that even a face-to-face partnership cannot be taken at face value.
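Two of the three vectors above (a cloned repository, and a folder that runs code when opened in VSCode or Cursor) can be caught with a check that is run before the folder is ever opened in an editor. The script below is an added example, not Drift's or Hackread's code, and the article does not name the specific editor flaw; the check is built on documented editor behaviour instead: a tasks.json task with "runOn": "folderOpen" executes when a trusted workspace is opened, and a handful of settings keys point the editor at an executable it will launch. The list of settings keys and the sample repository are assumptions constructed for the example.

```python
"""Pre-open check for a cloned repository: flag workspace files that can run
commands as soon as the folder is opened in VS Code or Cursor.

Added example, not code from Drift or from the incident. The settings-key list
is a heuristic (assumption), not an exhaustive inventory of auto-run paths.
"""
import json
import re
import tempfile
from pathlib import Path

# Settings keys that name a program the editor will run (heuristic; assumption).
EXECUTABLE_SETTING_KEYS = (
    "git.path",
    "python.defaultInterpreterPath",
    "terminal.integrated.automationProfile",
    "terminal.integrated.profiles",
    "terminal.integrated.defaultProfile",
)


def load_jsonc(path: Path) -> dict:
    """Parse VS Code's JSON-with-comments (line/block comments, trailing commas).
    The line-comment regex is naive and would clip '//' inside string values."""
    text = path.read_text(encoding="utf-8")
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r",\s*([}\]])", r"\1", text)
    return json.loads(text)


def scan_workspace(root) -> list:
    """Return (file, reason) pairs for auto-run hazards under <root>/.vscode."""
    root = Path(root)
    findings = []

    tasks_file = root / ".vscode" / "tasks.json"
    if tasks_file.is_file():
        for task in load_jsonc(tasks_file).get("tasks", []):
            run_on = (task.get("runOptions") or {}).get("runOn")
            if run_on == "folderOpen":
                findings.append((
                    "tasks.json",
                    f"task {task.get('label')!r} runs on folderOpen: "
                    f"{task.get('command')!r} {task.get('args', [])}",
                ))

    settings_file = root / ".vscode" / "settings.json"
    if settings_file.is_file():
        for key, value in load_jsonc(settings_file).items():
            if any(key == k or key.startswith(k + ".") for k in EXECUTABLE_SETTING_KEYS):
                findings.append(("settings.json", f"{key} = {value!r}"))

    return findings


def make_sample_repo(base) -> Path:
    """Constructed sample: a 'website builder' repo carrying an auto-run task
    and a settings file that swaps the git binary. Not taken from the incident."""
    root = Path(base) / "vault-site"
    (root / ".vscode").mkdir(parents=True)
    (root / ".vscode" / "tasks.json").write_text(
        '{\n'
        '  // looks like a harmless dev-server bootstrap\n'
        '  "version": "2.0.0",\n'
        '  "tasks": [{\n'
        '    "label": "bootstrap",\n'
        '    "type": "shell",\n'
        '    "command": "bash",\n'
        '    "args": ["scripts/setup.sh"],\n'
        '    "runOptions": {"runOn": "folderOpen"},\n'
        '  }],\n'
        '}\n'
    )
    (root / ".vscode" / "settings.json").write_text(
        '{ "git.path": "./tools/git" }\n'
    )
    return root


def demo() -> list:
    """Build the constructed repo in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_workspace(make_sample_repo(tmp))


if __name__ == "__main__":
    for where, reason in demo():
        print(f"[!] {where}: {reason}")
```

Run it against any freshly cloned folder before opening that folder in an editor; an empty result is not proof of safety (the key list is partial, and a repository can also carry malicious build scripts or dependency hooks), but a hit means the folder should be opened in a throwaway VM, if at all.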
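The article names a "durable nonce attack" without explaining why it matters for a multisig. The following toy model is an added example, not Drift's or Solana's code, and is deliberately simplified: it models the two validity rules a Solana validator applies, namely that an ordinary transaction must carry a blockhash from the last MAX_AGE blocks, while a durable-nonce transaction carries the value currently stored in a nonce account and stays valid until that value is advanced (which happens when the transaction lands, so the same signed bytes cannot be replayed). Signer names, the 3-of-5 threshold and the slot counts are made up for the model.

```python
"""Toy model of why a durable-nonce transaction does not expire.

Added example; not Drift's or Solana's code. It shows why approvals collected
from compromised signers over days can be assembled into one valid transaction
when a durable nonce is used, while the same approvals on an ordinary
transaction would have expired.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_AGE = 150  # roughly the number of recent blockhashes Solana accepts (about a minute); model assumption


@dataclass
class Ledger:
    slot: int = 0
    nonce_accounts: dict = field(default_factory=dict)  # nonce account -> stored value

    def recent_blockhash(self) -> str:
        return f"hash-{self.slot}"

    def advance_slots(self, n: int) -> None:
        self.slot += n

    def nonce_value(self, account: str) -> str:
        return self.nonce_accounts[account]


@dataclass
class Tx:
    """A transfer needing <threshold> approvals; carries a blockhash OR a nonce."""
    signers: set = field(default_factory=set)
    blockhash: Optional[str] = None
    nonce_account: Optional[str] = None
    nonce_value: Optional[str] = None


def submit(ledger: Ledger, tx: Tx, threshold: int) -> str:
    """Apply the validator's checks; on success a nonce tx advances its nonce."""
    if len(tx.signers) < threshold:
        return "rejected: not enough signatures"
    if tx.nonce_account is None:
        age = ledger.slot - int(tx.blockhash.split("-")[1])
        return "accepted" if age <= MAX_AGE else "rejected: blockhash expired"
    if ledger.nonce_accounts.get(tx.nonce_account) != tx.nonce_value:
        return "rejected: nonce already advanced"
    # Landing the tx advances the nonce, so the same signed bytes cannot be replayed.
    ledger.nonce_accounts[tx.nonce_account] = tx.nonce_value + "'"
    return "accepted"


def scenario() -> dict:
    """Collect 3-of-5 approvals with long gaps (20,000 slots each), once on an
    ordinary transaction and once on a durable-nonce transaction."""
    ledger = Ledger()
    ledger.nonce_accounts["nonce-A"] = "n0"
    threshold, signers = 3, ["alice", "bob", "carol"]

    # Both transactions are built (and their validity anchor fixed) at slot 0.
    ordinary = Tx(blockhash=ledger.recent_blockhash())
    durable = Tx(nonce_account="nonce-A", nonce_value=ledger.nonce_value("nonce-A"))
    for name in signers:  # each approval arrives after a long gap
        ledger.advance_slots(20_000)
        ordinary.signers.add(name)
        durable.signers.add(name)

    return {
        "ordinary": submit(ledger, ordinary, threshold),
        "durable": submit(ledger, durable, threshold),
        "durable_replay": submit(ledger, durable, threshold),
        "slots_elapsed": ledger.slot,
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

On the real chain a durable-nonce transaction must also put an advance-nonce instruction first and is signed by the nonce account's authority; the model collapses that into the nonce-advance inside submit(). The practical check this suggests for a multisig operator is to treat any pending approval that references a nonce account, rather than a recent blockhash, as a transaction that will not expire on its own and to review it accordingly.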
Drift's full response: (screenshots via X, not reproduced here)

The latest cyberattack attributed to North Korean hackers came just days after another North Korean-linked group, UNC1069, was named in a large-scale campaign using fake LinkedIn and Slack profiles to target Node.js maintainers. The increasing activity of North Korean government-backed hackers shows a well-planned, sophisticated strategy targeting the crypto, blockchain and software development sectors. Companies therefore need to train their employees not only to recognise phishing attempts but also to spot slow-moving social engineering operations of this kind.

Entities

UNC4736 (threat_actor)
AppleJeus (threat_actor)
Citrine Sleet (threat_actor)
Drift Protocol (product)
VSCode (product)
Cursor (product)