CRITICAL: Inside the $285 Million Drift Hack: North Korea's Six-Month Con Job
North Korean hackers spent six months building trust with Drift Protocol contributors before stealing $285 million. The operation involved fake personas, conference appearances, and a million-dollar deposit to establish credibility before exploiting VS Code and TestFlight attack vectors.
If you think social engineering means someone calling pretending to be IT support, North Korea would like a word. The Democratic People's Republic just pulled off a $285 million cryptocurrency heist, and they did not do it with malware alone. They did it with handshakes, small talk at conferences, and six months of relationship building that would make any sales team jealous.
Drift, a decentralized exchange built on the Solana blockchain, revealed Sunday that its April 1st breach was not some opportunistic smash-and-grab. It was the culmination of a meticulously planned intelligence operation that began in fall 2025. The attackers, attributed with medium confidence to a DPRK-sponsored group known as UNC4736 (also tracked as AppleJeus, Citrine Sleet, and Golden Chollima), spent half a year becoming part of Drift's ecosystem before making their move.
Here is where it gets interesting. The people who showed up at cryptocurrency conferences were not North Korean nationals. DPRK threat actors at this level deploy third-party intermediaries for face-to-face relationship building. The individuals who approached Drift contributors were technically fluent, had verifiable professional backgrounds, and knew exactly how the protocol operated. They claimed to represent a quantitative trading company interested in integrating with the platform.
What followed was months of substantive conversations about trading strategies and vault integrations. A Telegram group was established. Questions were asked, and they were good questions. The kind of informed, detailed queries that come from people who actually understand the technology. Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift, depositing more than $1 million of their own money to build credibility. This was not expense money they were throwing around. This was establishing an operational presence inside the target environment.
The infection vectors are still under investigation, but two primary paths have emerged. One contributor may have been compromised after cloning a code repository that the trading group shared as part of deploying a frontend for their vault. This repository weaponized the tasks.json file in a Visual Studio Code project, triggering malicious code execution automatically when the project was opened. The technique abuses the task option "runOn": "folderOpen" (set under runOptions in tasks.json), which tells VS Code to launch that task the moment the folder is opened; North Korean actors have been using it since at least December 2025. Microsoft has since introduced security controls in VS Code versions 1.109 and 1.110 to mitigate this attack pattern, but the damage was already done.
The second potential vector involved persuading a contributor to download a wallet product through Apple's TestFlight beta testing platform. This approach exploits the implicit trust that comes with the TestFlight brand. It is Apple, so it must be safe, right?
The timing is telling. Right around when the $285 million walked out the door on April 1st, the Telegram chat history and any malicious software were deleted. The attackers knew exactly when to clean house.
UNC4736 is not new to this game. They are connected to the X_TRADER/3CX supply chain breach in 2023 and the $53 million hack of Radiant Capital in October 2024. According to CrowdStrike, Golden Chollima operates as an offshoot of Labyrinth Chollima, primarily targeting small fintech firms across the United States, Canada, South Korea, India, and Western Europe. They maintain a consistent operational tempo of smaller-value thefts while occasionally going for bigger scores like this one.
Why does North Korea need to steal cryptocurrency? CrowdStrike puts it plainly. Despite improving trade relations with Russia, the DPRK requires additional revenue to fund ambitious military plans including new destroyers, nuclear-powered submarines, and reconnaissance satellites. When international sanctions cut off your normal funding sources, you get creative.
The Drift investigation also revealed details about the fake personas used in the operation. These were not hastily constructed cover stories. The profiles had fully constructed identities complete with employment histories, public-facing credentials, and professional networks built over months. The people that Drift contributors met in person had spent significant time creating personas that could withstand scrutiny during a business relationship.
This attack represents a troubling evolution in social engineering. It is not about quick tricks or urgent phone calls anymore. Nation-state actors are willing to invest six months, more than a million dollars in operational funds, and significant intelligence resources into building trust before exploiting it. They will attend conferences, create believable business entities, and engage in months of legitimate-seeming collaboration.
For organizations in the cryptocurrency space or any high-value target sector, the implications are significant. Your due diligence process needs to account for adversaries who are playing a much longer game than your typical threat actor. Verifiable credentials are not enough when nation-states can spend months constructing convincing cover identities. Face-to-face meetings do not establish trust when the person across the table is a paid intermediary.
Technical controls matter too. VS Code's new security features should be enabled immediately. Third-party applications, especially those distributed through beta channels like TestFlight, deserve extra scrutiny before installation on any system with access to sensitive resources. Code repositories from external parties should be reviewed in isolated environments before being opened in development tools.
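The folderOpen mechanism described earlier is something a defender can check for before a repository ever reaches the editor, which is the "review in isolation first" step this section recommends. The following Python script is an added example, not code from Drift, Microsoft or the incident report. It walks a fresh checkout for .vscode/tasks.json files (and, going slightly beyond the article, .code-workspace files, which can carry the same task definitions) and reports every task whose runOptions.runOn is "folderOpen", the setting the article refers to as "runOn: folderOpen". Because VS Code reads these files as JSONC, the script strips comments and trailing commas in a string-aware way before parsing. The sample tasks.json it scans is constructed for the demo; the labels and the scripts/postclone.js path are illustrative, not artifacts from the Drift case.

```python
# Added example (not code from the Drift report or from Microsoft): audit a cloned
# repository for VS Code tasks whose runOptions.runOn is "folderOpen" before opening it.
import json
import os
import sys
import tempfile
from dataclasses import dataclass
from typing import List

# Constructed fixture: one ordinary build task and one wired to folderOpen.
SAMPLE_TASKS_JSON = """{
  // VS Code reads this file as JSONC: comments and trailing commas are legal
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", },
    {
      "label": "install deps", "type": "shell",
      "command": "node", "args": ["scripts/postclone.js"],
      "runOptions": { "runOn": "folderOpen" },
    },
  ],
}"""

@dataclass
class AutoRunTask:
    path: str     # file the task was found in
    label: str    # task label, or a marker when the file could not be parsed
    command: str  # command and arguments as VS Code would launch them

def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments and trailing commas without touching string literals."""
    out, i, n, in_str, last_comma = [], 0, len(text), False, -1
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:  # keep the escaped character, including \"
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n - 1 if j == -1 else j - 1  # resume at the newline
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n - 1 if j == -1 else j + 1  # resume after the closing */
        else:
            if c in "}]" and last_comma >= 0:
                out[last_comma] = ""  # only whitespace or comments followed that comma
            if c == ",":
                last_comma = len(out)
            elif not c.isspace():
                last_comma = -1
            in_str = c == '"'
            out.append(c)
        i += 1
    return "".join(out)

def find_auto_run_tasks(section: dict, path: str) -> List[AutoRunTask]:
    """Return the tasks in a tasks.json-shaped dict that VS Code would start on folder open."""
    hits = []
    for task in section.get("tasks") or []:
        if isinstance(task, dict) and (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args") or []]
            hits.append(AutoRunTask(path, str(task.get("label", "<unlabelled>")), " ".join(parts)))
    return hits

def scan_repo(root: str) -> List[AutoRunTask]:
    """Walk a checkout; collect folderOpen tasks from .vscode/tasks.json and *.code-workspace."""
    hits: List[AutoRunTask] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            is_workspace = name.endswith(".code-workspace")
            if not (is_workspace or (name == "tasks.json" and os.path.basename(dirpath) == ".vscode")):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8-sig") as fh:
                    data = json.loads(strip_jsonc(fh.read()))
                section = data.get("tasks", {}) if is_workspace else data  # workspace files nest tasks
            except (OSError, ValueError, AttributeError) as exc:
                hits.append(AutoRunTask(full, "<unparseable>", f"parse error: {exc}"))  # still review it
                continue
            if isinstance(section, dict):
                hits.extend(find_auto_run_tasks(section, full))
    return hits

def demo() -> List[AutoRunTask]:
    """Write the constructed fixture into a temporary checkout and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".vscode"))
        with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_TASKS_JSON)
        return scan_repo(root)

if __name__ == "__main__":
    for f in scan_repo(sys.argv[1]) if len(sys.argv) > 1 else demo():
        print(f"{f.path}: task '{f.label}' runs on folderOpen -> {f.command}")
```

Run it from a plain shell against the cloned directory (python scan_tasks.py /path/to/checkout), not from a terminal inside VS Code, since the whole point is to look before the editor has a chance to act on the file; with no argument it scans the constructed fixture and reports the "install deps" task. A file that fails to parse is reported rather than skipped, because a tasks.json the tool cannot read is exactly the one a reviewer should open by hand. The script covers only this single auto-run path, so it complements rather than replaces the controls Microsoft added in 1.109 and 1.110 and the isolated-environment review the article calls for.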
But perhaps the most important takeaway is this: the human element remains the weakest link, and sophisticated adversaries know it. They are not trying to bypass your firewall. They are trying to become your trusted business partner first.
Drift is working with law enforcement and forensic partners to trace the stolen funds and piece together the complete picture of the attack. Given North Korea's track record, the money has likely already begun its journey through the elaborate cryptocurrency laundering infrastructure the DPRK has built over years of practice. Whether any of it can be recovered remains to be seen.
References
- Drift Incident Report: https://www.drift.trade/blog/april-2026-incident-report
- CrowdStrike Golden Chollima Analysis: https://www.crowdstrike.com/adversaries/golden-chollima