
$285 Million Drift Hack: Inside the Six-Month North Korean Social Engineering Campaign

  • Apr 5

Key Findings


  • North Korean state-sponsored hacking group UNC4736 orchestrated a six-month social engineering campaign against Drift, culminating in the theft of $285 million on April 1, 2026

  • The operation began in fall 2025 with actors posing as a quantitative trading firm, using in-person meetings at cryptocurrency conferences across multiple countries to build trust with Drift contributors

  • UNC4736 is also tracked as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces, with a documented history of cryptocurrency theft since 2018

  • The attackers likely compromised contributors through two vectors: a malicious code repository and a fake wallet application on Apple's TestFlight

  • On-chain forensics and operational patterns link this attack to the October 2024 Radiant Capital hack worth $53 million


Background


UNC4736 operates as an offshoot of Labyrinth Chollima, a North Korean-linked threat actor known for targeting cryptocurrency companies and fintech firms across the U.S., Canada, South Korea, India, and Western Europe. The group is infamous for the X_TRADER/3CX supply chain breach in 2023 and generates consistent revenue for the DPRK regime through smaller-value cryptocurrency thefts. These funds reportedly support North Korea's military expansion, including construction of new destroyers, nuclear-powered submarines, and reconnaissance satellites.


The Six-Month Operation


The attack began in or around fall 2025 when individuals posing as traders from a quantitative trading company approached Drift contributors at major cryptocurrency conferences. These weren't North Korean nationals but rather third-party intermediaries deployed by the regime to conduct face-to-face relationship-building. The individuals were technically sophisticated, maintained verifiable professional backgrounds, and demonstrated detailed knowledge of Drift's operations. This carefully crafted approach allowed them to establish credibility and build genuine rapport over several months across multiple international venues.


Building Trust and Access


Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift. They deposited over $1 million of their own funds and engaged multiple Drift contributors with detailed, informed product questions about trading strategies and vault integrations. This calculated move gave them a functioning operational presence within the Drift ecosystem while providing cover for further reconnaissance. The attackers maintained substantive conversations through February and March 2026, sharing links to projects, tools, and applications they claimed to be developing. Throughout this period, all communication occurred via a Telegram group established at their first meeting.


The Attack Vectors


The compromise likely occurred through two primary pathways. One Drift contributor may have been compromised after cloning a code repository the group shared as part of frontend deployment efforts for their vault. A second contributor was persuaded to download and beta test a wallet product through Apple's TestFlight. Both tactics exploited the normal technical interactions that occur between Drift contributors and trading partners. Notably, the attackers deleted their Telegram chats and malicious software around the time of the April 1 attack.


Attribution and Forensic Evidence


Drift's forensic investigation, conducted in coordination with law enforcement partners, attributed the attack to UNC4736 with medium confidence based on multiple factors. On-chain fund flows directly traced back to individuals involved in the October 2024 Radiant Capital hack, establishing a clear financial connection. Operational analysis revealed that the personas deployed across this campaign contained identifiable overlaps with known DPRK-linked activity. CrowdStrike's earlier assessment confirmed that Golden Chollima conducts structured intelligence operations targeting small fintech firms, employing malicious package distribution through fraudulent recruitment schemes to gain initial access before moving laterally through cloud environments to steal cryptocurrency assets.


Sources


  • https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html

  • https://x.com/TheCyberSecHub/status/2040872143815365033


© 2025 by Explain IT Again. Powered and secured by Wix
