The Drift cryptocurrency platform disclosed a months-long, in-person social engineering operation that culminated on April 1 with the theft of more than $280 million. The attackers—linked to North Korean state-affiliated UNC4736 and the AppleJeus/Citrine Sleet operation—used fabricated professional identities, Telegram communications, and likely malicious TestFlight and code-repository vectors to compromise contributors and exfiltrate funds. #Drift #AppleJeus
Key points
- Attackers posed as a quantitative trading firm and cultivated trust with Drift contributors across multiple industry conferences.
- Operators used fully constructed identities and face-to-face meetings with intermediaries to avoid obvious attribution.
- The exploit on April 1 resulted in a $280 million theft, and the attackers scrubbed the Telegram chat after the breach.
- Possible infection vectors included a malicious TestFlight app and a compromised code repository shared by the trading group.
- Investigators linked the operation to UNC4736/AppleJeus and connected it to a prior $50 million Radiant Capital theft; Drift is coordinating with Mandiant and law enforcement.
Read More: https://therecord.media/drift-crypto-theft-post-mortem-north-korea