‘It reads like a spy novel’: $280 million theft from Drift involved North Korean fake companies, cutouts
Summary
Drift published a full post-mortem revealing a months-long, highly targeted operation that ended with more than $280 million stolen from the protocol. The attackers, tied to UNC4736/AppleJeus (the group Microsoft tracks as Citrine Sleet), posed as a quantitative trading firm and built identities detailed enough to withstand scrutiny, cultivating trust over roughly six months at conferences and through ongoing communications.
The fake firm was onboarded in late 2025 and early 2026, deposited $1m and engaged multiple Drift contributors. Conversations continued until 1 April 2026, when the exploit was executed. Drift's investigation points to several likely intrusion vectors, including a copied code repository and a potentially malicious TestFlight app. The attackers scrubbed their Telegram chats after the theft; investigators have linked the operation to previous North Korean crypto heists and are working with Mandiant and law enforcement. Drift has frozen protocol functions, and the attacker wallets have been flagged across exchanges and bridges.
Key Points
- The operation was a long con: attackers cultivated trust in person at conferences and online over about six months.
- Actors used fully built fake identities and front companies to appear legitimate and pass scrutiny.
- Drift onboarded the group (which deposited $1m) and integrated them before the 1 April exploit.
- Possible compromise vectors include a shared code repository and a malicious TestFlight app; the attackers deleted Telegram history after the theft.
- Investigators link the theft to UNC4736/AppleJeus (Citrine Sleet) and to prior incidents, including the $50m Radiant heist.
- Drift is working with Mandiant and law enforcement; platform functions are frozen and suspect wallets flagged across multiple venues.
- Experts call this one of the most sophisticated North Korean operations seen — notable for the depth of the social-engineering effort and use of cutouts.
Content summary
The post-mortem describes how the attackers approached Drift staff at industry conferences, presented believable professional backgrounds and maintained months of contact through Telegram and in-person meetings. The fake trading firm completed onboarding steps and provided code and a deposit, which created a web of trust. On 1 April the attackers executed the exploit and immediately scrubbed chat logs.
Drift's technical review identified multiple likely vectors and traces pointing back to the onboarding interactions. Attribution work ties the operation to UNC4736/AppleJeus, a North Korean-linked group with a history of targeting crypto firms. Drift has frozen protocol functions, exchanges and bridges have flagged the attacker wallets, and authorities and security firms continue to investigate.
Context and relevance
This incident sits squarely in a pattern of increasing North Korean activity against the crypto sector — both technical malware campaigns and elaborate social-engineering operations. The attackers combined classic supply-chain and software compromise techniques with in-person grooming and long-term relationship-building, illustrating how human trust can be weaponised as effectively as any zero-day.
For security teams, projects and investors, the Drift case underlines two trends: (1) conferences and face-to-face onboarding are now attack vectors requiring stricter vetting, including of any code, apps or repositories a new counterparty supplies, and (2) nation-state groups are maturing their use of cutouts and front companies to set up and execute large thefts. It also reinforces long-standing warnings from Microsoft, Google and US agencies about AppleJeus-style campaigns and the role stolen crypto plays in funding sanctioned programmes.
Why should I read this?
Because it’s part caper, part cautionary tale. If you work in crypto, security, or trust other teams you meet at conferences, this breakdown shows exactly how a convincing long con can bypass normal safeguards. Short version: don’t assume face-to-face equals safe — read the details so you don’t get duped next time.
Source
Source: https://therecord.media/drift-crypto-theft-post-mortem-north-korea
