
North Korean Cutouts and Fake Firms: The $280 Million Drift Crypto Heist Unpacked

April 10, 2026 17:45 · 7 min read
A Six-Month Long Con

Cryptocurrency platform Drift published a comprehensive post-mortem this week detailing how North Korean hackers executed a meticulously planned, months-long operation that ended with the theft of more than $280 million. The campaign began approximately six months before the exploit was triggered, when individuals posing as representatives of a quantitative trading firm approached Drift employees at a cryptocurrency conference.

The trading company is never identified by name in the post-mortem, but Drift's investigation linked it to UNC4736, a North Korean state-affiliated threat actor also tracked under the names AppleJeus and Citrine Sleet. The individuals who made contact were described as technically fluent, deeply familiar with the Drift platform, and in possession of what appeared to be verifiable professional backgrounds.

Fully Constructed Identities

Drift's investigation concluded that North Korean operatives deliberately sought out Drift contributors "at multiple major industry conferences in multiple countries over the following six months." Crucially, the people who appeared in person were not North Korean nationals — Pyongyang allegedly deployed intermediaries to handle all face-to-face relationship building.

"The investigation has shown so far that the profiles used in this third party targeted operation had fully constructed identities including employment histories, public-facing credentials and professional networks," Drift stated in its post-mortem.

According to Drift, the individuals behind those profiles appeared to have spent months cultivating both personal and professional personas capable of withstanding due-diligence scrutiny in a genuine business relationship.

Onboarding, Trust Building, and Millions Deposited

Following the initial conference encounter, Drift created a Telegram group with the purported trading firm and engaged in months of conversations covering trading strategies and potential vault integrations — interactions entirely consistent with how legitimate trading firms onboard with the platform. Drift formally onboarded the company in December 2025 and January 2026, requiring multiple contributors to complete forms detailing their strategy. The company even deposited $1 million of its own capital into Drift to reinforce the illusion of legitimacy.

Integration discussions continued through February and March 2026, and Drift contributors met members of the group again, face-to-face, at multiple major industry conferences during that period.

"By this point, the relationship was nearly half a year old. These were not strangers; they were people Drift contributors had worked with and met in person," Drift explained.

April 1 Attack and Key Evidence

The two sides continued to exchange information about projects and applications they claimed to be developing until April 1, when the $280 million theft was launched. Drift's immediate review of all affected devices traced the intrusion back to interactions with the trading group.

One particularly telling piece of evidence emerged after the exploit: the trading company deleted the entire Telegram chat history with Drift, a move that investigators say indicates at least one participant was fully aware of the operation's true purpose.

Potential Attack Vectors

The investigation identified several possible intrusion methods:

Drift released a detailed technical breakdown of the potential intrusion vectors alongside the post-mortem. The company confirmed it is cooperating with law enforcement and cybersecurity firm Mandiant on the ongoing investigation. All Drift platform functions have been frozen, and the attacker's wallets have been flagged across multiple exchanges and bridge operators.

Connections to the Radiant Capital Theft

Investigators linked the Drift attack to the October 2024 theft of $50 million from crypto firm Radiant Capital, based on overlapping fund flows and shared personas used across both operations.

'The Most Sophisticated of All the Situations'

Michael Barnhart, an expert on North Korean cyber operations who spent years on Mandiant's investigation team and now leads nation-state threat intelligence at DTEX, told Recorded Future News that the Drift incident is intertwined with multiple other Pyongyang-led revenue-generation schemes.

Barnhart described a layered structure involving three individuals who interacted with Drift, only one of whom appears to have acted with full knowledge of the operation.

"Based on our connections that are close to the Drift findings, they seem to think that two of the three people didn't realize what they were getting into. One of the three likely infected [Drift] with the malicious code intentionally due to the fact that he wiped his Telegram accounts afterwards, which shows that he knew what he was doing, but the other two seemed to be unwitting participants," Barnhart said.

Barnhart drew a striking historical parallel, comparing the use of unknowing intermediaries to the 2017 assassination of Kim Jong-nam, the older half-brother of North Korean leader Kim Jong Un. Two women were tricked into believing they were participating in a prank television show and agreed to spray liquid on Jong-nam's face; the substance was the nerve agent VX, which killed him approximately 30 minutes later.

"We've seen cutouts but we've never seen the cutouts at this extreme, since North Korea has historically had their proxies do their dirty work," Barnhart said.

AppleJeus: A Long and Dangerous History

Barnhart explained that AppleJeus grew out of North Korea's APT38, which split into two distinct factions following the high-profile heist from Bangladesh's central bank in 2016. The group has been a persistent threat ever since:

Billions Stolen, Weapons Funded

The FBI has repeatedly warned that North Korea is generating billions of dollars through its systematic targeting of the cryptocurrency industry, with some of those funds allegedly channeled into its ballistic weapons program. According to United Nations investigators, North Korean groups stole more than $2 billion from crypto firms last year and accumulated $3 billion from attacks between 2017 and 2023.

Despite the staggering scale of North Korea's overall crypto-theft enterprise, Barnhart singled out the Drift operation as uniquely sophisticated.

"The fact that the Drift incident is the magnitude that we're seeing is really interesting. Because, I mean, it reads like a spy novel," Barnhart said.

The combination of fabricated identities, in-person relationship building across multiple countries and conferences, unwitting human intermediaries, and a half-year runway before the exploit was deployed marks the Drift heist as a new benchmark in state-sponsored financial cybercrime.


Source: The Record
