Drift, a decentralized exchange operating on Solana, has confirmed that the attack resulting in a $285 million loss on April 1, 2026, was the outcome of an elaborate social engineering campaign by North Korean hackers. The operation, which started in late 2025, was attributed with medium confidence to a hacking group tracked as UNC4736, also known as AppleJeus and Golden Chollima.
Background of the Attack
The North Korean group involved has a history of targeting cryptocurrency platforms for financial gain, dating back to 2018. Notable past incidents include the 2023 X_TRADER/3CX supply chain breach and a $53 million hack of Radiant Capital in 2024. Drift’s analysis indicates that both on-chain activities and operational behaviors link these attacks to the same threat actors.
According to a report by cybersecurity firm CrowdStrike, Golden Chollima is an offshoot of the Labyrinth Chollima group. It primarily focuses on cryptocurrency theft, targeting fintech firms across the U.S., Canada, South Korea, India, and Europe. Despite improving trade relations with Russia, North Korea continues to seek additional revenue to support its military ambitions.
Details of the Drift Breach
Drift, in collaboration with law enforcement, is investigating the attack that involved a sophisticated social engineering scheme. Beginning in fall 2025, individuals posing as representatives of a quantitative trading company engaged with Drift contributors at various cryptocurrency conferences. These interactions were part of a strategy to build rapport and integrate into the Drift ecosystem.
The attackers, though not North Korean nationals themselves, were technically adept and familiar with Drift’s operations. They established a Telegram group for ongoing discussions, which included sharing trading strategies and tools. In late 2025, they onboarded an Ecosystem Vault on Drift, a move that required strategic engagement with Drift contributors.
Investigation and Future Implications
The investigation has identified two potential attack vectors. In one, a contributor cloned a malicious code repository; in the other, a contributor was persuaded to test a wallet product distributed via Apple’s TestFlight. Both techniques are consistent with methods North Korean hackers have used since December 2025, which have already prompted software updates to counter such threats.
Drift’s findings indicate that the attackers constructed detailed false identities to gain trust, further complicating attribution efforts. Meanwhile, North Korea’s malware ecosystem has become increasingly fragmented and compartmentalized, making it harder to detect and attribute.
As the investigation continues, the broader implications for cybersecurity in the cryptocurrency sector are clear. Organizations must remain vigilant against advanced social engineering tactics and strengthen their defenses to protect against such sophisticated threats.
