The Drift cryptocurrency platform released its full postmortem this week, describing an in-depth, months-long operation by North Korean hackers that culminated in the theft of more than $280 million.
Drift officials said the operation began six months ago, when they were approached at a cryptocurrency conference by members of a company claiming to specialize in quantitative trading. The company is not named in the postmortem but was linked to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet.
The people who approached Drift staff were technically fluent, had deep knowledge of Drift and had "verifiable professional backgrounds." Drift said its investigation revealed that North Korean officials sought out Drift contributors "at multiple major industry conferences in multiple countries over the following six months."
Drift said the individuals who met them in person were not North Korean. The country's government allegedly used intermediaries to conduct the face-to-face relationship building.
"The investigation has shown so far that the profiles used in this third-party targeted operation had fully built identities including employment histories, public-facing credentials and professional networks," Drift said.
"The people Drift contributors met in person appeared to have spent months building profiles, both personal and professional, that could withstand scrutiny during a business or counterparty relationship."
Drift officials created a Telegram group after their first meeting with the alleged quantitative trading firm and had months of conversations around trading strategies and potential vault integrations, which they said is typical of how trading firms interact and onboard with Drift.
Drift formally onboarded the company in December 2025 and January 2026, engaging multiple alleged contributors and requiring them to fill out several forms detailing their strategy. The company deposited $1 million of its own capital into Drift.
"Integration conversations continued through February and March 2026. Various Drift contributors met individuals from this group again, face-to-face, at multiple major industry conferences," Drift explained.
"By this point, the relationship was nearly half a year old. These weren't strangers; they were people Drift contributors had worked with and met in person."
The two sides continued to share information on projects and other apps they claimed to be building until April 1, when the $280 million theft was launched. Drift's initial review of all affected devices led them back to their interactions with this trading group.
One key piece of evidence is that the trading company scrubbed the entire Telegram chat with Drift after the exploit was launched.
The investigation revealed several potential attack vectors. One contributor may have been compromised after cloning a code repository shared by the trading firm. Another contributor was urged by the trading company to download a TestFlight application that may have been malicious. Drift shared a longer technical breakdown of the potential intrusion vectors.
Drift said it is working with law enforcement and the cybersecurity firm Mandiant on the investigation.
All of Drift's functions have been frozen, and the attacker's wallets have been flagged across multiple exchanges and bridge operators.
‘Like a spy novel’
Investigators linked the Drift attack to the October 2024 theft of $50 million from the crypto firm Radiant Capital, based on where the stolen funds were sent and on overlaps in the personas used during the two operations.
Michael Barnhart, an expert on North Korean cyber operations, told Recorded Future News that the Drift incident is intertwined with several other Pyongyang-led schemes to generate revenue.
Barnhart, who spent years working on Mandiant's investigation team and now leads nation-state threat intelligence at DTEX, said they have several people who were involved in the Drift investigation.
"In this situation, we have three individuals that were duped, but one of them seems to be a little bit more malicious. They had the cutouts and three front guys, but what makes this one so interesting is that usually they would have front men — facilitators, laptop farmers, and people doing the analysis — typical things that a facilitator would do," Barnhart said.
"Based on our connections that are close to the Drift findings, they seem to think that two of the three people did not realize what they were getting into. One of the three likely infected [Drift] with the malicious code intentionally, due to the fact that he wiped his Telegram accounts afterwards, which shows that he knew what he was doing, but the other two seemed to be unwitting participants."
While Barnhart said the incident is "shocking to everyone," the use of stand-ins and cutouts is consistent with several previous North Korean operations.
Barnhart compared the Drift operation to the 2017 assassination of Kim Jong-nam, the older half-brother of North Korean leader Kim Jong Un. Two women were duped into thinking they were participating in a prank show and agreed to spray liquid on Jong-nam's face. The liquid was the VX nerve agent, which killed him about half an hour later.
"We've seen cutouts, but we've never seen the cutouts at this extreme, since North Korea has historically had their proxies do their dirty work," he said.
Barnhart noted that North Korea has become even more adept at schemes like this, often tricking Americans and other allies into participating in the long-running IT worker scheme.
U.S. officials, Microsoft and Google have long warned of attacks launched by AppleJeus and have attributed several incidents to the operation. The 2023 supply chain attack on the enterprise phone company 3CX was also attributed to the same group.
The Justice Department and FBI said in 2021 that North Korea had used websites that appeared to host legitimate cryptocurrency trading platforms to infect victims with AppleJeus malware since at least 2018.
Google's Threat Analysis Group published a report in 2022 on Operation AppleJeus, which involved the same exploit kit being used to target more than 85 users in the cryptocurrency and fintech industries.
In 2024, Microsoft said it observed Citrine Sleet, its name for AppleJeus, targeting the cryptocurrency industry with a zero-day affecting the Chromium browser.
The FBI has repeatedly said North Korea is earning billions through its targeting of the cryptocurrency industry, in some cases using the stolen money to fund its ballistic weapons program. North Korean groups stole more than $2 billion from crypto firms last year and netted $3 billion from attacks between 2017 and 2023, according to United Nations investigators.
But unlike other operations, Barnhart called the Drift operation "the most sophisticated of all the situations" because it was such a long con.
"The fact that the Drift incident is the magnitude that we're seeing is really interesting," Barnhart said. "Because, I mean, it reads like a spy novel."