Drift has revealed that the April 1, 2026 attack, in which $285 million was stolen, was the culmination of a months-long, targeted social engineering operation attributed with medium confidence to a North Korean state-sponsored group dubbed UNC4736. The operation began in the fall of 2025 and involved intrusions aimed at building an operational presence inside Drift, initiated through face-to-face engagements at multiple cryptocurrency conferences, with the attackers reportedly working through third-party intermediaries.
Drift’s analysis notes two potential infection vectors tied to a compromised contributor and a malicious wallet beta test delivered via Apple’s TestFlight, and says the Telegram chats and malware were deleted around the time of the attack. The broader context includes DomainTools Investigations describing DPRK malware development as deliberately fragmented to complicate attribution, with Golden Chollima cited as an offshoot focused on cryptocurrency theft.
The campaign is linked, by Drift and others, to a pattern of social engineering and IT worker fraud used by DPRK actors to access targeted organisations, with contemporary references to Contagious Interview and related schemes.