The $285 million theft from Drift Protocol on 1 April 2026 was not an opportunistic exploit of a smart contract flaw. It was the final 12-minute execution of a six-month infiltration campaign by North Korean state-sponsored hackers — a case study in patience, social engineering, and the exploitation of governance mechanisms rather than code vulnerabilities.
The Attacker: UNC4736
The attack has been attributed with medium confidence to UNC4736, a North Korean advanced persistent threat group also tracked under the aliases AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces. The group operates under the Lazarus umbrella and has been responsible for at least 17 other cryptocurrency thefts that Elliptic has documented in 2026 alone, making the Drift hack the 18th tracked DPRK-linked crypto event this year.
How the Attack Worked
Rather than finding a bug in Drift’s on-chain code, UNC4736 exploited the human and governance layer of the protocol.
Phase 1 — Establishing credibility (October 2025 – January 2026): The group created a fictitious ecosystem vault on Drift, deposited over $1 million of their own funds to demonstrate legitimacy, and engaged with Drift contributors with “detailed and informed product questions.” This was a calculated trust-building operation — expensive in capital and time, designed to look exactly like a serious institutional participant.
Phase 2 — Integration access (February – March 2026): The attackers continued conversations with Drift contributors, navigating integration discussions that gave them deeper context on how Drift’s Security Council governance worked and which council members had signing authority.
Phase 3 — The pre-signed transaction trap: The attackers deposited 500 million CVT, a token they had fabricated, as collateral. They then asked Security Council members to sign what appeared to be routine administrative transactions, built on Solana's durable nonce feature. An ordinary Solana transaction references a recent blockhash and expires once that blockhash ages out, on the order of a minute, so a signature is only useful if the transaction is broadcast promptly. A durable-nonce transaction instead references a value stored in an on-chain nonce account and must begin with a System Program AdvanceNonceAccount instruction; its signatures stay valid until that nonce is advanced, however long the holder waits. The council members, believing they were signing legitimate operational transactions, unknowingly pre-authorised the transfer of admin control to be executed at a time of the attackers' choosing.
Phase 4 — Execution (1 April 2026, 12 minutes): Once all required signatures were in hand, the attackers broadcast the pre-signed transactions, gained admin control of the vault, and withdrew $285 million in USDC, SOL, and ETH within 12 minutes. The fabricated CVT tokens provided the collateral cover that made the transactions appear compliant with protocol rules until it was too late.
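The property that made Phase 3 possible is visible in the transaction bytes themselves, so a signer can check for it before signing. The following is an added example, not code from Drift, the attackers, or the original page: a small Python parser for a Solana legacy (non-versioned) message that flags a durable-nonce transaction (first instruction is the System Program's AdvanceNonceAccount, instruction index 4) and any instruction aimed at a program the signer has marked as sensitive. The System Program id and the instruction index are real; every other key, the "admin program", the instruction data and the nonce value are placeholders constructed for the example, and the RecentBlockhashes sysvar key is a stand-in rather than the real address.

```python
"""Pre-signing review of a Solana legacy transaction message (added example).

A durable-nonce transaction is recognisable from the serialised message alone:
its first instruction is System::AdvanceNonceAccount and the "recent blockhash"
field carries the stored nonce value, so the signature never expires on its own.
Sample keys, program ids and instruction data below are constructed placeholders.
"""
from dataclasses import dataclass

SYSTEM_PROGRAM = bytes(32)  # real id, base58 "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4   # real System Program instruction index (bincode u32 LE)


def read_compact_u16(buf, pos):
    """Decode Solana's compact-u16 length prefix (1 to 3 bytes, 7 bits each)."""
    value = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 14:
            raise ValueError("compact-u16 too long")


def write_compact_u16(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


@dataclass
class Instruction:
    program_id: bytes
    accounts: list   # account keys in instruction order
    data: bytes


@dataclass
class Message:
    num_required_signatures: int
    account_keys: list
    recent_blockhash: bytes  # holds the nonce value when the tx is durable
    instructions: list


def parse_message(buf):
    """Parse header, account keys, blockhash and instructions of a legacy message."""
    pos = 3  # header: required sigs, read-only signed, read-only unsigned
    n_keys, pos = read_compact_u16(buf, pos)
    keys = [bytes(buf[pos + 32 * i:pos + 32 * i + 32]) for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = bytes(buf[pos:pos + 32]), pos + 32
    n_ix, pos = read_compact_u16(buf, pos)
    ixs = []
    for _ in range(n_ix):
        pid, pos = keys[buf[pos]], pos + 1
        n_acc, pos = read_compact_u16(buf, pos)
        accts, pos = [keys[i] for i in buf[pos:pos + n_acc]], pos + n_acc
        n_data, pos = read_compact_u16(buf, pos)
        data, pos = bytes(buf[pos:pos + n_data]), pos + n_data
        ixs.append(Instruction(pid, accts, data))
    if pos != len(buf):
        raise ValueError("trailing bytes after message")
    return Message(buf[0], keys, blockhash, ixs)


def encode_message(msg):
    """Inverse of parse_message; used here only to build the constructed samples."""
    idx = {k: i for i, k in enumerate(msg.account_keys)}
    out = bytes([msg.num_required_signatures, 0, 0]) + write_compact_u16(len(msg.account_keys))
    out += b"".join(msg.account_keys) + msg.recent_blockhash + write_compact_u16(len(msg.instructions))
    for ix in msg.instructions:
        out += bytes([idx[ix.program_id]]) + write_compact_u16(len(ix.accounts))
        out += bytes(idx[a] for a in ix.accounts) + write_compact_u16(len(ix.data)) + ix.data
    return out


def is_durable_nonce(msg):
    """True if the first instruction is System::AdvanceNonceAccount."""
    if not msg.instructions:
        return False
    first = msg.instructions[0]
    return (first.program_id == SYSTEM_PROGRAM and len(first.data) >= 4
            and int.from_bytes(first.data[:4], "little") == ADVANCE_NONCE_ACCOUNT)


def review(buf, sensitive_programs):
    """Findings a signer should read before signing; an empty list means nothing flagged."""
    msg = parse_message(buf)
    findings = []
    if is_durable_nonce(msg):
        findings.append("durable nonce: signature stays valid until nonce account "
                        f"{msg.instructions[0].accounts[0].hex()[:8]} is advanced")
    for i, ix in enumerate(msg.instructions):
        if ix.program_id in sensitive_programs:
            findings.append(f"instruction {i} targets sensitive program {ix.program_id.hex()[:8]}")
    return findings


# Constructed sample (placeholders, not real keys or real Drift instruction data).
COUNCIL_MEMBER = bytes([1]) * 32
NONCE_ACCOUNT = bytes([2]) * 32
RECENT_BLOCKHASHES_SYSVAR = bytes([3]) * 32   # stand-in for the real sysvar key
ADMIN_PROGRAM = bytes([9]) * 32               # hypothetical protocol admin program
NONCE_VALUE = bytes([7]) * 32
ADMIN_IX = Instruction(ADMIN_PROGRAM, [COUNCIL_MEMBER], b"\x01set_admin")  # hypothetical data

DURABLE_TX = encode_message(Message(
    1, [COUNCIL_MEMBER, NONCE_ACCOUNT, RECENT_BLOCKHASHES_SYSVAR, SYSTEM_PROGRAM, ADMIN_PROGRAM],
    NONCE_VALUE,
    [Instruction(SYSTEM_PROGRAM, [NONCE_ACCOUNT, RECENT_BLOCKHASHES_SYSVAR, COUNCIL_MEMBER],
                 ADVANCE_NONCE_ACCOUNT.to_bytes(4, "little")), ADMIN_IX]))
ORDINARY_TX = encode_message(Message(1, [COUNCIL_MEMBER, ADMIN_PROGRAM], bytes([8]) * 32, [ADMIN_IX]))

if __name__ == "__main__":
    for name, tx in (("durable", DURABLE_TX), ("ordinary", ORDINARY_TX)):
        print(name, review(tx, {ADMIN_PROGRAM}))
```

The check is deliberately structural: it does not need to understand the target program, only to tell the signer that the thing in front of them will not expire and which programs it calls. A signer who sees the durable-nonce finding and does not control the nonce account should refuse, since nobody but the nonce authority can later invalidate that signature.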
Significance
This is the largest DeFi exploit of 2026 and the second-largest in Solana’s history, behind the $326 million Wormhole bridge hack in 2022. More significantly, it demonstrates that North Korea’s crypto theft operations have moved beyond technical exploits and into sophisticated long-game social engineering — a capability that represents a step change in threat level for any organisation managing multi-signature governance over high-value assets.
What This Means for Enterprise Security Teams
While the immediate victim is a DeFi protocol, the attack pattern is directly relevant to enterprise security practitioners:
- Multi-signature and governance processes are social engineering targets. Any process that requires multiple people to sign or approve high-value transactions needs controls against pre-signed approval abuse, regardless of the underlying technology.
- Long-dwell infiltration before execution means indicators of compromise may be minimal until the moment of attack. North Korea’s willingness to spend six months and $1 million on a single operation demands threat modelling over longer timeframes than most incident response plans assume.
- Fabricated credentials and entities — the fake CVT token, the constructed trading persona — are the same techniques used in business email compromise and vendor fraud. Validate the identity of any counterparty independently before granting access or signing any high-impact authorisation.
Recommended Actions
- Review multi-sig and governance approval workflows for any system managing high-value assets. Audit what pre-signed or durable authorisations exist and revoke any that are not immediately required. Note the limit of revocation on Solana: a signed durable-nonce transaction can only be invalidated by advancing the nonce, which requires the nonce account's authority. If the counterparty created and controls the nonce account, the signer has no way to withdraw the signature after the fact, so the control has to be applied before signing.
- Implement out-of-band verification for all governance-level transactions. Council members should decode the full transaction before signing (every instruction, the program and accounts each one touches, and whether it begins with an AdvanceNonceAccount instruction) and confirm its intent via a separate, authenticated channel. Refuse to sign durable-nonce transactions whose nonce account is not under the organisation's own control.
- Screen all new integration requests against threat intelligence databases. UNC4736’s infrastructure and personas have been documented by Elliptic, TRM Labs, and Chainalysis.
- Treat cryptocurrency custody processes with the same threat modelling rigour applied to wire transfer fraud — the social engineering playbook is identical.
- Monitor blockchain analytics tools for wallet addresses linked to UNC4736 and refuse transactions that would interact with known DPRK-linked infrastructure.