Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

A $285 Million Heist: Unraveling the Sophisticated Social Engineering Operation Behind Drift's Notorious Hack



Drift has disclosed that the $285 million theft from its platform was the end point of a six-month social engineering operation run by North Korean state-sponsored hackers. The case shows how the tactics, techniques, and procedures of North Korea's cyber apparatus keep evolving, and why cryptocurrency exchanges and other organizations exposed to such approaches need to treat unsolicited business relationships, and the code and apps that arrive through them, as a potential attack surface.

  • A six-month social engineering operation, attributed to North Korean hackers, led to the $285 million hack on Drift's platform.
  • The attackers used sophisticated tactics, including creating verifiable professional backgrounds and building a Telegram group with contributors.
  • Two initial infection vectors are suspected: one contributor cloned a code repository shared by the group to deploy a frontend for their vault, and another was persuaded to install a wallet app via Apple's TestFlight to beta test it.
  • The attackers used fully constructed identities to build trust with targets and evade scrutiny during business or counterparty relationships.
  • North Korea's cyber apparatus has evolved its tactics, techniques, and procedures (TTPs) to remain adaptable and improve its capabilities.
  • Social engineering and deception remain a key catalyst for many intrusions attributed to North Korean threat actors.



  • Drift, a prominent decentralized exchange (DEX) on the Solana blockchain, has revealed that its April 1, 2026, attack, which resulted in the theft of $285 million, was the culmination of a meticulously planned six-month social engineering operation undertaken by North Korean state-sponsored hackers. The sophisticated operation, attributed to a group dubbed UNC4736 and tracked under various pseudonyms, including AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces, demonstrated the evolving tactics, techniques, and procedures (TTPs) employed by North Korea's cyber apparatus in recent years.

    The operation began around fall 2025, when individuals posing as a quantitative trading company approached Drift contributors at major cryptocurrency conferences under the pretext of integrating their protocol. These individuals were technically fluent, had verifiable professional backgrounds, and were familiar with how Drift operated. A Telegram group was established upon the first meeting, and what followed were months of substantive conversations around trading strategies and potential vault integrations.

    The attackers engaged with multiple contributors, asking them "detailed and informed product questions" while depositing more than $1 million of their own funds. This calculated move aimed to build a functioning operational presence inside the Drift ecosystem. Integration conversations continued through February and March 2026, including sharing links for projects, tools, and applications claimed to be developed by the trading group.

    It has since emerged that the interactions with the trading group may themselves have been the initial infection pathway for the April 1 hack; the Telegram chats and the software the attackers had shared were deleted around the time of the theft. Two primary vectors are suspected: one contributor may have been compromised after cloning a code repository shared by the group in order to deploy a frontend for their vault, and a second contributor was persuaded to install a wallet product through Apple's TestFlight to beta test it. Both paths sidestep the review that third-party code normally gets: a cloned project's install and build steps execute whatever its author put there, and a TestFlight build installs a signed binary outside the App Store.

    The investigation has revealed that the profiles used in this third-party targeted operation had fully constructed identities, including employment histories, public-facing credentials, and professional networks. The attackers appeared to have spent months building these profiles, which could withstand scrutiny during business or counterparty relationships. This level of sophistication highlights the evolving threat landscape, with North Korea's cyber apparatus continually adapting and improving its tactics.

    The disclosure comes as DomainTools Investigations (DTI) has disclosed that DPRK's cyber apparatus has evolved into a "deliberately fragmented" malware ecosystem. This shift is believed to be a response to law enforcement actions and intelligence disclosures about North Korean hacking campaigns. The malware development and operations are increasingly compartmentalized, both technically and organizationally, ensuring that exposure in one mission area does not cascade across the entire program.

    Social engineering and deception remain the main catalyst for most intrusions attributed to DPRK threat actors. The recent supply chain compromise of the popular npm package Axios, and ongoing campaigns such as Contagious Interview and IT worker fraud, show the same playbook in use elsewhere.

    In the Contagious Interview campaign the adversary approaches prospective targets, typically job seekers, and tricks them into executing malicious code from a fake repository as part of a coding assessment. Some efforts have used weaponized Node.js projects hosted on GitHub to deploy a JavaScript backdoor called DEV#POPPER RAT and an information stealer known as OmniStealer.

    On the other hand, DPRK IT worker fraud refers to coordinated efforts by North Korean operatives to land remote freelance and full-time roles at Western companies using stolen identities, AI-generated personas, and falsified credentials. Once hired, they generate steady revenue and leverage access to introduce malware and siphon proprietary and sensitive information. In some cases, the stolen data is used to extort money from businesses.

    The operation behind the Drift hack is a reminder that the most damaging DPRK intrusions rarely begin with an exploit. They begin with a credible counterparty, months of ordinary-looking business contact, and a small ask: clone this repository, test this build. Exchanges and protocol teams should treat code and applications received through business relationships as untrusted input, run them only in isolated environments that hold no keys or sessions, and keep threat intelligence on DPRK personas and tooling current, because the attackers will keep adapting their approach.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-285-Million-Heist-Unraveling-the-Sophisticated-Social-Engineering-Operation-Behind-Drifts-Notorious-Hack-ehn.shtml

  • https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html

  • https://stateofsurveillance.org/news/drift-protocol-285m-hack-north-korea-surveillance-state-funding-2026/

  • https://attack.mitre.org/groups/G1049/

  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-048a

  • https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/

  • https://incrypted.com/en/drift-reveals-details-280m-hack-six-month-operation-linked-north-korea/

  • https://cybersecuritynews.com/famous-chollima-apt-hackers-attacking-job-seekers/

  • https://infosectoday.com/cybersecurity-threats/well-known-chollima-apt-hackers-are-targeting-job-applicants-and-organizations-to-distribute-javascript-based-malware/

  • https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/

  • https://www.kucoin.com/news/flash/drift-protocol-attributes-april-1-attack-to-north-korea-backed-hacker-group-unc4736

  • https://medium.com/aardvark-infinity/comprehensive-list-of-north-korean-apt-groups-6c7ea8983104


  • Published: Sun Apr 5 14:46:23 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
