Threat Intelligence

Drift Protocol crypto heist pinned on North Korean APT

North Korean remote IT worker scam

The Hacker News reports that North Korean state-backed hacking operation UNC4736 was blamed for the Apr. 1 crypto heist against Solana-based decentralized finance exchange Drift Protocol, which resulted in the theft of $285 million.

Months-long planning has been conducted by UNC4736, also known as Citrine Sleet, AppleJeus, Gleaming Pisces, and Famous Chollima, ahead of the heist, with the DeFi exchange's contributors approached by individuals masquerading as a quantitative trading firm during cryptocurrency conferences last fall in the guise of integrating the protocol, according to an analysis from Drift. Onboarding of an Ecosystem Vault on Drift from December 2025 to January 2026 and continued engagements with contributors then helped facilitate the intrusion, which may have had a cloned code repository and a wallet product download as primary attack vectors.

"The investigation has shown so far that the profiles used in this third-party targeted operation had fully constructed identities including employment histories, public-facing credentials, and professional networks," said Drift.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds