Drift has revealed that the April 1, 2026 attack, which led to the theft of $285 million, was the culmination of a months-long targeted and carefully planned social engineering operation conducted by the Democratic People’s Republic of Korea (DPRK), which began in the fall of 2025.
The Solana-based decentralized exchange described it as a “six-month-long attack” and attributed it to UNC4736, a North Korean state-sponsored hacking group that is also tracked under aliases such as AppleJeus, Citrine Sleet, Golden Chollima and Gleaming Pisces.
The threat actor has a history of targeting the cryptocurrency sector for financial theft dating back to at least 2018. It is known for the X_TRADER/3CX supply chain breach in 2023 and the $53 million hack of the decentralized finance (DeFi) platform Radiant Capital in October 2024.
“The basis for this connection is both on-chain (the fund flows used to stage and test this operation reached the Radiant attackers) and operational (the individuals deployed in this operation have identifiable overlaps with known DPRK-linked activity),” Drift said in a Sunday analysis.
In an assessment published in late January 2026, cybersecurity company CrowdStrike described Golden Chollima as an offshoot of Labyrinth Chollima focused on stealing cryptocurrency, primarily targeting small fintech firms in the US, Canada, South Korea, India and Western Europe.
“The adversary typically steals smaller amounts of value at a more consistent operating pace, suggesting a responsibility to ensure baseline revenue generation for the DPRK regime,” CrowdStrike said. “Despite improving trade relations with Russia, the DPRK needs additional revenues to finance ambitious military plans that include building new destroyers, building nuclear-powered submarines and launching additional reconnaissance satellites.”
In at least one incident observed in late 2024, UNC4736 distributed malicious Python packages to a European fintech company through a fraudulent recruitment scheme. Upon gaining access, the threat actor moved to the victim’s cloud environment to access IAM configuration and related cloud resources, and ultimately diverted cryptocurrency assets to an adversary-controlled wallet.
How Drift Attack Potentially Unfolded
Drift, which is working with law enforcement and forensic partners to piece together the sequence of events that led to the hack, said it was the target of a “structured intelligence operation” that required months of planning.
In or around early 2025, individuals posing as a quantitative trading firm contacted Drift contributors at a major cryptocurrency conference and at other international crypto conferences under the pretext of integrating with the protocol. It has since emerged that this was a deliberate approach: members of this trading group contacted and built relationships with specific Drift contributors at various major industry conferences held in multiple countries over a six-month period.
“The individuals who came forward were not North Korean citizens,” Drift reported. “DPRK threat actors operating at this level are known to deploy third-party intermediaries to establish face-to-face relationships.”
“They were technically adept, had verifiable professional backgrounds, and were familiar with how Drift operates. The first meeting led to the establishment of a Telegram group, and what followed was several months of substantive conversations about trading strategies and potential Vault integration. These conversations are typical of how trading companies interact with and engage with Drift.”
Then, between December 2025 and January 2026, the group set up an ecosystem vault on Drift, a step that required filling out a form with strategy details. As part of this process, the individuals are said to have connected with multiple contributors, asking them “detailed and informed product questions”, while contributing over $1 million of their own funds.
This was a deliberate move, Drift said, designed to create a working operational presence inside the Drift ecosystem, with integration conversations continuing with contributors through February and March 2026. This included sharing links to projects, devices and applications that the firm claimed to be developing.
The possibility that these conversations with the trading group served as the initial access path has become important in the wake of the April 1 hack. As Drift revealed, the Telegram chats and the malicious software were deleted right around the time the attack occurred.
Two primary attack vectors are suspected:
- One contributor may have been compromised after cloning a code repository the group shared as part of its effort to deploy a frontend for its Vault.
- A second contributor was persuaded to download the group’s wallet product through Apple’s TestFlight to beta test the app.
The repository-based intrusion vector is believed to have involved a malicious Microsoft Visual Studio Code (VS Code) project that weaponizes the “tasks.json” file to automatically execute malicious code as soon as the project is opened in the IDE, using the “runOn: folderOpen” option.
It’s worth noting that this technique has been adopted by North Korean threat actors associated with the Contagious Interview campaign since December 2025, prompting Microsoft to introduce new security controls in VS Code versions 1.109 and 1.110 to prevent unintended execution of tasks when opening a workspace.
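Because the auto-run task sits in a plain JSON file inside the cloned repository, it can be triaged before the folder is ever opened in the IDE. The following added example (not code from Drift or from Microsoft) parses a `.vscode/tasks.json` and flags every task configured with `runOn: folderOpen`; the sample file is constructed for illustration and the `npm run build` command stands in for whatever an attacker would place there.

```python
"""Flag VS Code tasks that auto-run on folder open (defensive triage helper)."""
import json
import re
from pathlib import Path
from typing import List, Tuple

# Constructed sample of a .vscode/tasks.json as it might ship in a cloned repo:
# the "build" task looks routine but is configured to run as soon as the folder opens.
SAMPLE_TASKS_JSON = r'''{
  // tasks.json is JSONC: comments and trailing commas are allowed
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
      "runOptions": { "runOn": "folderOpen" },
    },
    { "label": "test", "type": "shell", "command": "npm test" },
  ]
}'''


def _strip_jsonc(text: str) -> str:
    """Drop block comments, whole-line // comments and trailing commas so json.loads accepts JSONC."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)  # whole-line only, so URLs in strings survive
    return re.sub(r",(\s*[}\]])", r"\1", text)


def find_autorun_tasks(tasks_json: str) -> List[Tuple[str, str]]:
    """Return (label, command) for every task whose runOptions.runOn is folderOpen."""
    data = json.loads(_strip_jsonc(tasks_json))
    hits = []
    for task in data.get("tasks", []):
        run_on = str(task.get("runOptions", {}).get("runOn", "")).lower()
        if run_on == "folderopen":
            hits.append((task.get("label", "<unlabelled>"), str(task.get("command", ""))))
    return hits


def scan_repo(repo_path: str) -> List[Tuple[str, str]]:
    """Check a cloned repository for an auto-run task before anyone opens it in VS Code."""
    tasks_file = Path(repo_path) / ".vscode" / "tasks.json"
    if not tasks_file.is_file():
        return []
    return find_autorun_tasks(tasks_file.read_text(encoding="utf-8"))


if __name__ == "__main__":
    for label, command in find_autorun_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run task '{label}' would execute: {command}")
```

Run `scan_repo` against a freshly cloned path as a pre-open check; an empty result only means no folder-open task was found, not that the repository is safe.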
“The investigation to date has revealed that the profiles used in this third-party targeted operation were fully deidentified, including employment history, public-facing credentials, and professional networks,” Drift said. “It appears that the people the Drift contributors met in person spent months building both personal and professional profiles that could withstand scrutiny during business or counterparty relationships.”
North Korea’s fragmented malware ecosystem
The revelations come as DomainTools Investigations (DTI) revealed that the DPRK’s cyber apparatus has evolved into an “intentionally fragmented” malware ecosystem that is mission-driven, operationally flexible, and resistant to attribution efforts. The change is believed to be a response to law enforcement actions and intelligence disclosures regarding North Korean hacking campaigns.
“Malware development and operations are being increasingly compartmentalized technically and organizationally, ensuring that exposures in one mission area do not spread throughout the program,” the DTI said. “Importantly, this model also maximizes ambiguity. By separating tooling, infrastructure, and operational patterns along mission lines, the DPRK complicates attribution and slows defender decision making.”
To that end, DomainTools notes that the DPRK’s espionage-oriented malware track is primarily linked to Kimsuky, while Lazarus Group leads efforts to generate illicit revenue for the regime, turning it into a “central pillar” of sanctions evasion. The third track revolves around deploying ransomware and wiper malware for the purposes of strategic signaling and drawing attention to its capabilities. This disruptive branch is associated with Andariel.
The social engineering behind Contagious Interview and IT worker fraud
Social engineering and fraud remain the main catalysts for many of the intrusions that have been attributed to DPRK threat actors. This includes the recent supply chain compromise of the hugely popular npm package Axios, as well as ongoing campaigns such as Contagious Interview and IT worker fraud.
Contagious Interview is the name given to a long-running threat in which the adversary approaches potential targets and tricks them into executing malicious code from a fake repository as part of a coding assessment. Some of these efforts have used weaponized Node.js projects hosted on GitHub to deploy a JavaScript backdoor called DEV#POPPER RAT and an information stealer called OmniStealer.
DPRK IT worker fraud, on the other hand, refers to coordinated efforts by North Korean operators to obtain remote freelance and full-time roles at Western companies using stolen identities, AI-generated personas, and fake credentials. Once hired, they generate steady revenue and leverage access to introduce malware and siphon proprietary and sensitive information. In some cases, stolen data is used to extort money from businesses.
The state-sponsored program deploys thousands of technically skilled workers to countries such as China and Russia, who connect remotely to company-issued laptops hosted at laptop farms in the US and elsewhere. The scheme also relies on a network of facilitators to obtain work laptops, manage payroll and handle logistics. These facilitators are recruited through shell companies.
The process begins with recruiters identifying and screening potential candidates. Once accepted, IT workers enter an onboarding phase, where facilitators assign identities and profiles, and guide them through resume writing, interview preparation, and initial job applications. Threat actors also work with associates to meet recruiting requirements for full-time opportunities where strict identity verification policies are enforced.
As Chainalysis notes, cryptocurrencies play a central role in funneling most of the wages generated by these IT worker schemes back to North Korea while avoiding international sanctions.
“The cycle is continuous and endless. North Korean IT workers understand that, sooner or later, they will either leave any role or be fired,” Flare and IBM X-Force said in a report last month. “As a result, they are constantly switching between jobs, identities, and accounts – never staying in one position or using the same persona for very long.”
New evidence discovered by Flare reveals the campaign’s efforts to actively recruit individuals from Iran, Syria, Lebanon, and Saudi Arabia, with at least two Iranians receiving formal offer letters from American employers. More than 10 cases of Iranian citizens being recruited by the regime have been reported.
Facilitators have also been found using LinkedIn to hire individuals from Iran, Ireland and India, who are then trained to get jobs. These individuals, called callers or interviewers, talk to American hiring managers on the phone, pass technical interviews, and impersonate a real or fabricated Western persona. When a caller fails an interview, the facilitator reviews the recording and provides feedback.
“The North Koreans are deliberately targeting U.S. defense contractors, cryptocurrency exchanges, and financial institutions,” Flare said. “While the primary motivations appear to be financial, the deliberate targeting evidenced by their documents suggests there may have been other motives.”
“The DPRK is not simply deploying its citizens under false identities. It is building a multinational recruiting pipeline, attracting skilled developers from Iran, Syria, Lebanon, and Saudi Arabia into an infrastructure designed to infiltrate U.S. defense contractors, cryptocurrency exchanges, financial institutions, and enterprises of every size. The recruits are real software engineers, paid in cryptocurrency, trained through interviews, and placed behind fabricated Western personas.”