Drift Says $285 Million Hack Followed Six-Month DPRK Social Engineering Operation

Related

Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints

What happened Threat actors are exploiting a critical Langflow vulnerability...

Order-Tracking App Shop Abused to Push Callback Phishing Attacks

What happened Threat actors are abusing Shop, Shopify’s order-tracking app,...

Polymarket Customers Lose $3 Million in Supply Chain Attack

What happened Polymarket said it will fully reimburse customers who...

Suspected Cyberattack Triggers False Emergency Alerts Across Brazil

What happened Brazil suspended its mobile phone emergency alert system...

Share

What happened

Drift said the $285 million hack disclosed on April 1 followed a six-month social engineering operation linked with medium confidence to a North Korean state-sponsored group tracked as UNC4736. The company said the campaign began in fall 2025, when individuals posing as a quantitative trading firm approached Drift contributors at major cryptocurrency conferences and built relationships over several months. According to Drift, the group later onboarded an Ecosystem Vault, deposited more than $1 million of its own funds, and continued integration discussions through February and March 2026. The company said the attackers likely used one of two infection paths: a malicious code repository shared with a contributor or a wallet product delivered through Apple TestFlight. Drift also said the operation involved fully constructed identities, verifiable professional backgrounds, and months of trust-building before the theft.

Who is affected

The direct impact falls on Drift and the cryptocurrency assets stolen in the April 1 attack. The reported operation also affected Drift contributors who were approached, engaged, and potentially compromised through the long-running social engineering campaign tied to the incident.

Why CISOs should care

This incident matters because it shows how a financially motivated intrusion can begin months before any theft occurs, with threat actors building credibility through in-person meetings, technical fluency, and sustained relationship development. It also highlights the risk that contributor ecosystems, beta testing, and code-sharing workflows can become entry points for highly targeted compromise.

3 practical actions

  1. Treat business development interactions as a security surface: Review how employees and contributors verify counterparties who engage through conferences, messaging groups, product discussions, and integration conversations over long periods.
  2. Harden repository and beta-test workflows: Tighten controls around shared code repositories, developer tools, and beta software testing because Drift said both a malicious repository and a wallet app delivered through Apple TestFlight are being examined as possible infection paths.
  3. Scope contributor trust as part of incident response: Include contractors, contributors, and partner-facing personnel in threat modeling where long-term relationship building could be used to prepare a later theft or compromise.

For more news about targeted intrusions tied to long-running social engineering operations, click Cyberattack to read more.

IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.