North Korean UNC4736 Linked to $285M Solana DeFi Hack on Drift Exchange

CyberSecureFox

On 1 April 2026, the Solana-based decentralized exchange Drift suffered a theft of approximately $285 million, in what now appears to be the culmination of a multi‑stage operation attributed to the Democratic People’s Republic of Korea (DPRK). According to Drift’s incident analysis, the attackers spent at least six months preparing, combining long‑term social engineering with a highly targeted compromise of developer tooling.

Multi‑stage North Korean operation against Solana DeFi protocol Drift

Drift assesses with a medium level of confidence that the hack was carried out by UNC4736, a North Korean threat cluster also tracked as AppleJeus, Golden Chollima, Citrine Sleet and Gleaming Pisces. This group is widely considered part of the broader Lazarus ecosystem, which has systematically targeted the cryptocurrency sector since at least 2018.

UNC4736 has been linked to the compromise of the X_TRADER / 3CX software supply chain in 2023 and to the $53 million theft from DeFi platform Radiant Capital in 2024. Public reporting from the UN Panel of Experts and firms such as Chainalysis has repeatedly highlighted how Lazarus‑aligned operations generate hundreds of millions of dollars in cryptocurrency to help the DPRK circumvent international sanctions.

Long‑term social engineering: fake quant traders inside the Drift ecosystem

A defining element of the Drift hack was long‑horizon social engineering. Beginning in autumn 2025, individuals posing as representatives of a quantitative trading fund started approaching Drift contributors at major cryptocurrency conferences in multiple countries. Their stated goal was to discuss integrating proprietary trading strategies into the Drift protocol.

Consistent with known DPRK tradecraft, the people conducting in‑person meetings were not North Korean citizens but third‑country nationals acting as intermediaries. According to Drift, they displayed credible technical expertise, provided verifiable professional histories and showed detailed knowledge of the protocol’s inner workings—key factors that helped them pass trust checks that would usually filter out basic scams.

Following initial meetings, the actors created a Telegram chat where they maintained active contact for months, discussing risk management, strategy design and integration options. Between December 2025 and January 2026, the “traders” opened an Ecosystem Vault on Drift, submitting a thoroughly documented strategy proposal and engaging multiple contributors to clarify complex product details.

To deepen trust, the group deposited more than $1 million of their own funds into the vault and continued intensive communication through March 2026, regularly sharing links to “in‑development” tools and projects. Investigators now believe this trust‑building phase was primarily intended to create a legitimate channel for delivering a malicious development project.

Developer tools as an initial access vector: malicious Visual Studio Code projects

Abusing VS Code tasks.json and the “Contagious Interview” campaign

Shortly before the theft, both the relevant Telegram history and malware samples were deleted, complicating forensics. However, one of the leading hypotheses is a compromise via a Visual Studio Code (VS Code) project repository supplied by the attackers.

Drift and independent analysts believe the adversaries may have provided a VS Code workspace whose .vscode/tasks.json defined a task with "runOptions": {"runOn": "folderOpen"}. VS Code runs such a task as soon as the folder is opened in a trusted workspace, so a developer who clones a partner's repository and accepts the trust prompt executes the task's command without ever choosing to run anything. Since late 2025, North Korean operators have been observed abusing this feature in the campaign known as "Contagious Interview", where job candidates receive booby‑trapped repositories as supposed coding assignments.

In response to such abuse, Microsoft has added additional safeguards in VS Code versions 1.109 and 1.110, constraining the automatic execution of tasks on workspace open. Two caveats apply. Automatic tasks already ran only in trusted workspaces and can be switched off entirely with the task.allowAutomaticTasks setting, so if the hypothesis holds, the control that failed was the trust decision itself: accepting a repository from a counterpart who had spent months building credibility. And the incident underscores a broader trend: developer tools and IDE configurations have become full‑fledged initial access vectors on par with phishing and zero‑day exploitation.
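As an added example (not code from Drift's report, from Microsoft, or from any analysis cited on this page), the following Python script walks a checkout for .vscode/tasks.json files and reports every task whose runOptions.runOn is "folderOpen", the trigger the suspected vector relies on. VS Code reads tasks.json as JSONC, with comments and trailing commas, so the script strips those before parsing. The repository name "strategy-sdk", the task labels and the script path in the sample are constructed for the demonstration.

```python
"""Flag VS Code tasks that auto-run on folder open (runOptions.runOn == "folderOpen").

Added example, not Drift's or Microsoft's code. Repo name, task labels and the
script path in SAMPLE_TASKS_JSON are constructed for the demonstration.
"""
import json
import re
import tempfile
from pathlib import Path

AUTO_RUN_TRIGGER = "folderOpen"          # the runOptions.runOn value that fires on open
OS_KEYS = ("windows", "linux", "osx")     # per-OS overrides may carry their own command

# One token per match: a JSON string, a // comment, a /* */ comment, or any single char.
_JSONC_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|.', re.S)


def strip_jsonc(text: str) -> str:
    """Drop comments and trailing commas without touching string literals."""
    toks = [m.group(0) for m in _JSONC_TOKEN.finditer(text)
            if not m.group(0).startswith(("//", "/*"))]
    out = []
    for i, tok in enumerate(toks):
        if tok == ",":
            j = i + 1
            while j < len(toks) and toks[j].isspace():
                j += 1
            if j < len(toks) and toks[j] in ("}", "]"):
                continue                   # trailing comma: legal in JSONC, fatal for json
        out.append(tok)
    return "".join(out)


def parse_tasks_json(text: str) -> dict:
    return json.loads(strip_jsonc(text))


def _render(obj: dict) -> str:
    """Flatten command + args into one string (args may be {value, quoting} objects)."""
    args = [a["value"] if isinstance(a, dict) else a for a in obj.get("args", [])]
    return " ".join(str(x) for x in [obj.get("command", "")] + args).strip()


def find_auto_run_tasks(text: str) -> list[dict]:
    """Return every task that fires on folder open, with what it would execute."""
    findings = []
    for task in parse_tasks_json(text).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != AUTO_RUN_TRIGGER:
            continue
        commands = {"default": _render(task)}
        for os_key in OS_KEYS:                # e.g. a different payload on Windows vs macOS
            if isinstance(task.get(os_key), dict) and "command" in task[os_key]:
                commands[os_key] = _render(task[os_key])
        presentation = task.get("presentation") or {}
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "type": task.get("type", "shell"),
            "commands": commands,
            # hide:true keeps the task out of the Run Task picker; reveal:never hides its terminal
            "stealth": bool(task.get("hide")) or presentation.get("reveal") == "never",
        })
    return findings


def scan_tree(root: Path) -> list[dict]:
    """Walk a checkout and flag auto-run tasks in every .vscode/tasks.json found."""
    results = []
    for path in root.rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        try:
            hits = find_auto_run_tasks(path.read_text(encoding="utf-8"))
        except (ValueError, OSError) as exc:   # an unparsable file is itself worth a look
            results.append({"file": str(path), "error": str(exc)})
            continue
        results.extend({"file": str(path), **hit} for hit in hits)
    return results


# Constructed sample: one ordinary build task, one task that fires on open and hides itself.
SAMPLE_TASKS_JSON = r'''{
  // hypothetical tasks.json shipped inside a "strategy SDK" repository
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "cargo build", "group": "build", },
    {
      "label": "prepare env",
      "type": "shell",
      "command": "node",
      "args": ["./scripts/prepare-env.js"],
      "runOptions": { "runOn": "folderOpen" }, /* executes when the folder is opened */
      "presentation": { "reveal": "never", "echo": false },
      "hide": true,
    },
  ]
}'''

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        vscode_dir = Path(tmp, "strategy-sdk", ".vscode")
        vscode_dir.mkdir(parents=True)
        (vscode_dir / "tasks.json").write_text(SAMPLE_TASKS_JSON, encoding="utf-8")
        for finding in scan_tree(Path(tmp)):
            print(finding)
```

Run it against a counterpart's repository before opening that folder in VS Code; a task that both auto-runs and hides its terminal deserves a manual read of whatever it invokes. Workspace files (*.code-workspace) can carry a "tasks" section of their own and are not covered by the walk above. Setting "task.allowAutomaticTasks": "off" in user settings stops VS Code from honouring the trigger at all, regardless of what a repository ships.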

Fragmented DPRK cyber program: Lazarus, Kimsuky and Andariel

Research by DomainTools Investigations and others indicates that DPRK cyber operations have evolved into a deliberately fragmented ecosystem, where tooling and infrastructure are separated by mission set. This compartmentalization reduces the risk that a single compromise will expose the entire program and makes attribution more difficult, as different units exhibit distinct tactics, techniques and procedures.

Analysts typically distinguish three main lines of effort: Kimsuky, focused on espionage and information theft; Lazarus / UNC4736, responsible for revenue‑generating financial operations that help the regime bypass sanctions; and Andariel, associated with disruptive intrusions, ransomware and destructive wiper malware. Together, these units provide intelligence, financing and coercive capabilities to support DPRK strategic objectives.

North Korean IT worker fraud and the central role of cryptocurrency

From fake technical interviews to remote work under stolen identities

Social engineering remains the catalyst for many DPRK campaigns. Alongside Contagious Interview and software supply‑chain attacks—such as compromises of popular open‑source packages—North Korea has expanded its “IT worker fraud” program: placing DPRK developers and engineers into Western companies under stolen or fabricated identities.

According to investigations by Flare, IBM X‑Force and others, thousands of technical specialists operate from China, Russia and additional jurisdictions through networks of intermediaries and “laptop farms” located in the US and Europe. These middlemen receive and forward corporate hardware, manage payments and logistics, and hire “callers” from countries such as Iran, Ireland and India to pass technical interviews while impersonating pre‑built Western personas.

Cryptocurrency is a critical enabler of this ecosystem. Chainalysis has reported that a significant share of DPRK’s illicit revenue—whether from IT‑worker schemes or direct hacks of exchanges, bridges and DeFi protocols—is ultimately laundered through digital assets before being funneled back to North Korea. Recent cases also suggest broader recruitment, with specialists from Iran, Syria, Lebanon and Saudi Arabia drawn into related operations.

The Drift hack illustrates how the line between “classic” state‑backed APT activity and financially motivated cybercrime has effectively disappeared. For organizations in the crypto industry and beyond, this means that due diligence on partners, rigorous identity verification of remote staff and contractors, strong multi‑factor authentication, isolated and monitored developer environments, and strict control over source code and IDE extensions are now baseline requirements. Companies that proactively review onboarding processes, enforce least‑privilege access and treat social engineering and developer‑tool supply chains as primary threat vectors—not edge cases—will be far better positioned to avoid becoming the next link in a multi‑stage operation.
