Drift Hack Exposes $28.5 Million DPRK Social Engineering Campaign Initiated Six Months Ago

Written by:
Lore Apostol
Cybersecurity Writer
Key Takeaways
  • Drift hack execution: A highly sophisticated $28.5 million cryptocurrency theft compromised operational contributors and cloud assets following a prolonged infiltration.
  • DPRK social engineering: State-sponsored North Korean threat actors executed a methodical six-month campaign starting in late 2025 to breach internal systems.
  • Cybersecurity implications: This incident highlights severe vulnerabilities in the decentralized finance space.

The $28.5 million Drift hack that occurred on April 1, 2026, was recently traced to a sophisticated Democratic People's Republic of Korea (DPRK) social engineering operation reportedly orchestrated by UNC4736, which methodically compromised the protocol's infrastructure. 

Security researchers asserted the six-month DPRK social engineering campaign debuted in the fall of 2025, specifically targeting core contributors and developers associated with the Drift protocol.

DPRK Social Engineering and Cryptocurrency Theft

By cultivating deceptive digital relationships and leveraging highly tailored phishing mechanisms, state-sponsored North Korean actors successfully compromised critical access credentials, according to a recent Drift announcement. 

“With medium-high confidence supported by investigations done by the SEALS 911 team, this operation is assessed to have been carried out by the same threat actors responsible for the October 2024 Radiant Capital hack attributed by Mandiant to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet,” the X post said.

This systematic manipulation allowed the attackers to bypass standard perimeter defenses and seamlessly infiltrate the organization's cloud computing assets and administrative environments. Once the threat actors secured elevated privileges within the network, they mapped the internal infrastructure to identify high-value digital vaults. 

The attackers systematically disabled security monitoring protocols before executing the unauthorized transfer of funds. This calculated maneuver resulted in a massive $28.5 million cryptocurrency theft, draining liquidity pools before automated failsafes could intercept the anomalous transactions.

Severe Cybersecurity Implications

The DPRK's operational sophistication demonstrated in this attack presents severe cybersecurity implications for the broader financial technology sector. Enterprise network administrators must implement zero-trust architectures, enforce rigorous identity access management (IAM), and conduct continuous behavioral monitoring to detect persistent threats. 
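The sequence the article describes (monitoring disabled, then funds moved) is exactly the kind of pattern that continuous behavioral monitoring can catch, because a legitimate maintenance window restores telemetry before anything sensitive happens. The following is an added example, not code from the article, from Drift, or from the investigators: a small sequence detector run over constructed audit-log lines. The log format, the principal names and the wallet-side action names are assumptions; StopLogging, StartLogging and DeleteTrail are real AWS CloudTrail API names, the rest are placeholders.

```python
"""Sequence detector for the 'disable monitoring, then act' pattern.

Added example (not code from the article, Drift, or the investigators).
The log format and the wallet-side action names are assumptions; StopLogging,
StartLogging and DeleteTrail are real AWS CloudTrail API names, the rest are
constructed placeholders for a treasury/wallet control plane.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Actions that degrade defender visibility (constructed list; tune per environment).
MONITORING_DISABLE = {"StopLogging", "DeleteTrail", "DisableAlarmActions", "DeleteDetector"}
# Actions that restore it; they close an open blind window for the principal.
MONITORING_RESTORE = {"StartLogging", "EnableAlarmActions"}
# Actions that must never happen while telemetry is degraded (placeholder names).
SENSITIVE = {"UpdateWithdrawalLimit", "SignTreasuryTransaction", "ExportSigningKey"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    principal: str
    action: str
    source_ip: str


@dataclass(frozen=True)
class Alert:
    principal: str
    disable_action: str      # action that opened the blind window
    sensitive_action: str    # action performed while the window was open
    seconds_between: float   # time between the two


def parse_event(line: str) -> Event:
    """Parse one constructed log line: '<ISO ts> <principal> <action> <src ip>'."""
    ts, principal, action, ip = line.split()
    return Event(datetime.fromisoformat(ts), principal, action, ip)


def detect_blind_window_abuse(events, window=timedelta(hours=6)):
    """Alert when a principal performs a SENSITIVE action while a monitoring
    disable it issued within `window` has not been followed by a restore."""
    open_window = {}  # principal -> Event that opened the blind window
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action in MONITORING_DISABLE:
            # Keep the earliest disable so the alert reports when visibility was lost.
            open_window.setdefault(ev.principal, ev)
        elif ev.action in MONITORING_RESTORE:
            open_window.pop(ev.principal, None)
        elif ev.action in SENSITIVE:
            opener = open_window.get(ev.principal)
            if opener is not None and ev.ts - opener.ts <= window:
                alerts.append(Alert(ev.principal, opener.action, ev.action,
                                    (ev.ts - opener.ts).total_seconds()))
    return alerts


# Constructed sample log: one abusive sequence, one benign maintenance
# sequence (disable then restore), and one disable that is too old to match.
SAMPLE_LOG = [
    "2026-03-31T22:10:05 ops-admin@example.invalid ConsoleLogin 203.0.113.10",
    "2026-03-31T22:12:40 ops-admin@example.invalid StopLogging 203.0.113.10",
    "2026-03-31T22:13:15 ops-admin@example.invalid DisableAlarmActions 203.0.113.10",
    "2026-03-31T22:41:02 ops-admin@example.invalid UpdateWithdrawalLimit 203.0.113.10",
    "2026-03-31T22:44:30 ops-admin@example.invalid SignTreasuryTransaction 203.0.113.10",
    "2026-04-01T09:00:00 sre-bob@example.invalid StopLogging 198.51.100.7",
    "2026-04-01T09:05:00 sre-bob@example.invalid StartLogging 198.51.100.7",
    "2026-04-01T09:30:00 sre-bob@example.invalid SignTreasuryTransaction 198.51.100.7",
    "2026-03-25T10:00:00 dev-carol@example.invalid StopLogging 192.0.2.44",
    "2026-03-26T10:00:00 dev-carol@example.invalid SignTreasuryTransaction 192.0.2.44",
]


def run_sample():
    """Run the detector over the constructed log; returns two alerts for ops-admin."""
    return detect_blind_window_abuse(parse_event(line) for line in SAMPLE_LOG)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.principal}: {a.sensitive_action} {a.seconds_between:.0f}s after {a.disable_action}")
```

The rule is deliberately per-principal and stateful: the earliest disable is kept so the alert reports when visibility was actually lost, a restore closes the window, and a disable older than the window is ignored. In a real deployment the disable action itself should also page on its own, since the whole point of the pattern is that the follow-on activity may never reach the SIEM.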

Drift was involved in the 2025 Salesloft breach, which extended to other connected systems, with a wave of Salesforce-related breaches attributed to Scattered Spider (UNC3944) and ShinyHunters (UNC6040) impacting Palo Alto Networks, Cloudflare, Proofpoint, and Tenable, among others.

In other recent news, FortiGuard Labs discovered DPRK phishing campaigns that exploit GitHub C2 to target users in South Korea. Early this month, Google linked the Axios supply chain attack to the North Korea-affiliated hackers UNC1069. 

