What happened
Drift said the $285 million hack disclosed on April 1 followed a six-month social engineering operation linked with medium confidence to a North Korean state-sponsored group tracked as UNC4736. The company said the campaign began in fall 2025, when individuals posing as a quantitative trading firm approached Drift contributors at major cryptocurrency conferences and built relationships over several months. According to Drift, the group later onboarded an Ecosystem Vault, deposited more than $1 million of its own funds, and continued integration discussions through February and March 2026. The company said the attackers likely used one of two infection paths: a malicious code repository shared with a contributor or a wallet product delivered through Apple TestFlight. Drift also said the operation involved fully constructed identities, verifiable professional backgrounds, and months of trust-building before the theft.
Who is affected
The direct impact falls on Drift, through the roughly $285 million in cryptocurrency stolen in the April 1 attack. The reported operation also affected the Drift contributors who were approached, engaged, and potentially compromised over the months-long social engineering campaign tied to the incident; any contributor who received the shared repository or installed the TestFlight build should be treated as a possibly compromised endpoint until shown otherwise.
Why CISOs should care
This incident matters because it shows how a financially motivated intrusion can begin months before any theft occurs, with threat actors building credibility through in-person meetings, technical fluency, and sustained relationship development. The checks most organizations apply to a counterparty (do they show up, do they understand the product, do they put real money in) all passed here: according to Drift the group deposited more than $1 million of its own funds and spent months in integration discussions. It also highlights the risk that contributor ecosystems, beta testing, and code-sharing workflows can become entry points for highly targeted compromise, because opening a shared repository or installing a beta build means running code the counterparty controls.
3 practical actions
- Treat business development interactions as a security surface: Review how employees and contributors verify counterparties who engage through conferences, messaging groups, product discussions, and integration conversations over long periods.
- Harden repository and beta-test workflows: Tighten controls around shared code repositories, developer tools, and beta software testing, because Drift said both a malicious repository and a wallet app delivered through Apple TestFlight are being examined as possible infection paths. Treat cloning or opening an outside party's repository, and installing an outside party's test build, as executing untrusted code: do it on a disposable machine or VM, never on a workstation that holds signing keys, wallet credentials, or production access.
- Scope contributor trust as part of threat modeling and incident response: Include contractors, contributors, and partner-facing personnel in threat modeling where long-term relationship building could be used to prepare a later theft or compromise, and make sure incident response plans cover their devices and accounts, not only employee-managed ones.
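The page does not say how the shared repository would have infected a contributor's machine, so the following is not Drift's finding and not the attackers' code. It is an added triage script illustrating the second action above: before a repository from an outside counterparty is opened in an editor or installed, list the places where a checkout can run code without the developer reading it (npm lifecycle scripts, VS Code tasks configured to run on folder open, executable Git hooks, and `core.hooksPath`/`core.fsmonitor`/`core.sshCommand` in `.git/config`). The sample repository it scans is constructed inline; its file names and script contents are made up for the example. A finding is a reason to read the file and ask the counterparty, not proof of malice.

```python
"""Triage an untrusted repository checkout for auto-execution surfaces.

Added example, not code from Drift or from the reporting on this incident.
The sample repository below is constructed in a temp directory so the script
runs offline; every path and command in it is invented for illustration.
"""
import json
import stat
import tempfile
from pathlib import Path

# npm lifecycle scripts that run automatically during `npm install` / `npm ci`.
NPM_AUTO_SCRIPTS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Git config keys whose values are executed by git itself. A plain `git clone`
# does not carry .git/config or hooks from the remote, but a repository shared
# as a zip/tarball (or one that sets core.hooksPath to a tracked directory) does.
GIT_EXEC_KEYS = {"hookspath", "fsmonitor", "sshcommand"}


def _load_json(path: Path):
    try:
        return json.loads(path.read_text())
    except (OSError, ValueError):
        return None


def _scan_package_json(path: Path) -> list:
    data = _load_json(path)
    scripts = (data or {}).get("scripts") or {}
    return [("npm-lifecycle", str(path), f"{name}: {cmd}")
            for name, cmd in scripts.items() if name in NPM_AUTO_SCRIPTS]


def _scan_vscode_tasks(path: Path) -> list:
    data = _load_json(path)
    out = []
    for task in (data or {}).get("tasks") or []:
        # runOptions.runOn == "folderOpen" asks VS Code to start the task when
        # the folder is opened (subject to the workspace-trust prompt).
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            out.append(("vscode-folderOpen", str(path), str(task.get("command", ""))))
    return out


def _scan_git_hooks(hooks_dir: Path) -> list:
    if not hooks_dir.is_dir():
        return []
    # Git ships inert *.sample files; anything else that is executable is live.
    return [("git-hook", str(h), "")
            for h in hooks_dir.iterdir()
            if h.is_file() and h.suffix != ".sample" and h.stat().st_mode & stat.S_IXUSR]


def _scan_git_config(cfg: Path) -> list:
    out = []
    try:
        for line in cfg.read_text().splitlines():
            key = line.split("=", 1)[0].strip().lower()
            if key in GIT_EXEC_KEYS:
                out.append(("git-config", str(cfg), line.strip()))
    except OSError:
        pass
    return out


def scan_repo(root) -> list:
    """Return (kind, file, detail) tuples for every auto-execution surface found."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if "node_modules" in path.parts or ".git" in path.parts:
            continue
        if path.name == "package.json":
            findings += _scan_package_json(path)
        elif path.name == "tasks.json" and path.parent.name == ".vscode":
            findings += _scan_vscode_tasks(path)
    findings += _scan_git_hooks(root / ".git" / "hooks")
    findings += _scan_git_config(root / ".git" / "config")
    return findings


def build_sample_repo() -> str:
    """Constructed sample checkout with four auto-execution surfaces (not a real repo)."""
    root = Path(tempfile.mkdtemp(prefix="repo-triage-"))
    (root / "package.json").write_text(json.dumps({
        "name": "sdk-demo",
        "scripts": {"test": "jest", "postinstall": "node ./scripts/setup.js"}}))
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(json.dumps({
        "version": "2.0.0",
        "tasks": [{"label": "bootstrap", "type": "shell", "command": "sh ./bootstrap.sh",
                   "runOptions": {"runOn": "folderOpen"}}]}))
    hooks = root / ".git" / "hooks"
    hooks.mkdir(parents=True)
    hook = hooks / "post-checkout"
    hook.write_text("#!/bin/sh\nsh ./bootstrap.sh\n")
    hook.chmod(0o755)
    (root / ".git" / "config").write_text("[core]\n\thooksPath = .githooks\n")
    return str(root)


if __name__ == "__main__":
    for kind, file, detail in scan_repo(build_sample_repo()):
        print(f"{kind:18} {file}  {detail}")
```

Run it against a fresh clone or an unpacked archive from the counterparty before the first `npm install`, editor open, or build. It deliberately does not try to judge what the scripts do; the point is to surface every place where trust is being extended implicitly so a human reads those files first.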
