// #unc4736
2 articles
North Korea's UNC4736 Spent Six Months Infiltrating Drift Protocol Before Stealing $285 Million
North Korean state hackers (UNC4736/AppleJeus) executed a meticulously planned six-month social engineering operation against Drift Protocol, culminating in a $285 million theft from the Solana DeFi platform on 1 April 2026. The attack leveraged fabricated tokens and pre-signed transactions to hand attackers admin control — the largest DeFi exploit of 2026 and the second-largest in Solana's history.
DPRK-Linked Hackers Steal $285 Million from Drift Protocol in Six-Month Social Engineering Operation
North Korean threat actors attributed to UNC4736 (Citrine Sleet/AppleJeus) stole $285 million from Solana-based Drift Protocol after a six-month infiltration campaign combining social engineering of multisig signers with a novel durable nonce pre-signing technique. The incident reveals social engineering tactics directly transferable to enterprise environments.