The Drift cryptocurrency platform published its full post-mortem this week describing an extensive, months-long operation by North Korean hackers that culminated in the theft of more than $280 million.

Drift officials said the operation began six months ago, when they were approached at a cryptocurrency conference by members of a company claiming to focus on quantitative trading. The company is never named in the post-mortem but was linked to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet.

The people who approached Drift workers were technically fluent, had a deep knowledge of Drift and had “verifiable professional backgrounds.” Drift said its investigation revealed that North Korean officials sought out Drift contributors “at multiple major industry conferences in multiple countries over the following six months.”

Drift said the individuals who met them in person were not North Korean. The country’s government allegedly used intermediaries to conduct face-to-face relationship building.

“The investigation has shown so far that the profiles used in this third party targeted operation had fully constructed identities including employment histories, public-facing credentials and professional networks,” Drift said. “The people Drift contributors met in person appeared to have spent months building profiles, both personal and professional, that could withstand scrutiny during a business or counterparty relationship.”

Drift officials created a Telegram group after their first meeting with the alleged quantitative trading firm and had months of conversations around trading strategies and potential vault integrations, which they said is typical of how trading firms interact and onboard with Drift. Drift officially onboarded the company in December 2025 and January 2026, engaging multiple alleged contributors and requiring them to fill out multiple forms detailing their strategy.

The company deposited $1 million of its own capital into Drift.

“Integration conversations continued through February and March 2026. Various Drift contributors met individuals from this group again, face-to-face, at multiple major industry conferences,” Drift explained. “By this point, the relationship was nearly half a year old. These were not strangers; they were people Drift contributors had worked with and met in person.”

The two sides continued to share information on projects and other apps they claimed to be building until April 1, when the $280 million theft was launched.

Drift’s initial review of all affected devices led it back to its interactions with this trading group. One key piece of evidence is that the trading company scrubbed the entire Telegram chat with Drift after the exploit was launched.

The investigation revealed several potential attack vectors. A contributor may have been compromised after copying a code repository shared by the trading firm. Another contributor was urged by the trading company to download a TestFlight application that may have been malicious. Drift shared a longer technical breakdown of the potential intrusion vectors.

Drift said it is working with law enforcement and cybersecurity firm Mandiant on the investigation. All of Drift’s functions have been frozen and the attacker’s wallets have been flagged across multiple exchanges and bridge operators.

Investigators linked the Drift attack to the October 2024 theft of $50 million from crypto firm Radiant Capital based on where the stolen funds were sent and the overlaps in personas used during the operations.

Michael Barnhart, an expert on North Korean cyber operations, told Recorded Future News that the Drift incident is intertwined with several other Pyongyang-led schemes to generate revenue.

‘Like a spy novel’

Barnhart, who spent years working on Mandiant’s investigation team and now leads nation-state threat intelligence at DTEX, said they have several people who were involved in the Drift investigation.

“In this situation, we have three individuals that were duped, but one of them seems to be a little bit more malicious. They had the cutouts and three front guys, but what makes this one so interesting is that usually they would have front men – facilitators, laptop farmers, and people doing the analysis – typical things that a facilitator would do,” Barnhart said. “Based on our connections that are close to the Drift findings, they seem to think that two of the three people didn't realize what they were getting into. One of the three likely infected [Drift] with the malicious code intentionally due to the fact that he wiped his Telegram accounts afterwards, which shows that he knew what he was doing, but the other two seemed to be unwitting participants.”

While Barnhart said the incident is “shocking to everyone,” the use of stand-ins and cutouts is in line with several previous North Korean operations.

Barnhart compared the Drift operation to the 2017 assassination of Kim Jong-nam, the older half-brother of North Korean leader Kim Jong Un. Two women were duped into thinking they were participating in a prank show and agreed to spray liquid on Jong-nam’s face. The liquid was a VX nerve agent that ended up killing him about 30 minutes later.

“We’ve seen cutouts but we’ve never seen the cutouts at this extreme, since North Korea has historically had their proxies do their dirty work,” he said.

Barnhart noted that North Korea has become even more adept at schemes like that, often tricking Americans and other allies into participating in the long-running IT worker scheme.

U.S. officials, Microsoft and Google have long warned of attacks launched by AppleJeus, and have attributed several incidents to the operation. The supply chain attack on enterprise phone company 3CX in 2023 was also attributed to the same group.

The Justice Department and FBI said in 2021 that North Korea had used websites that appeared to host legitimate cryptocurrency trading platforms to infect victims with AppleJeus malware since at least 2018. Google’s Threat Analysis Group published a report in 2022 on Operation AppleJeus, which involved the same exploit kit being used to target more than 85 users in the cryptocurrency and fintech industries. In 2024, Microsoft said it saw Citrine Sleet, its name for AppleJeus, targeting the cryptocurrency industry with a zero-day affecting the Chromium browser.

The FBI has repeatedly said North Korea is earning billions through its targeting of the cryptocurrency industry, in some cases using the stolen money to fund its ballistic weapons program. North Korean groups stole more than $2 billion from crypto firms last year and netted $3 billion from attacks between 2017 and 2023, according to United Nations investigators.

But unlike other operations, Barnhart called the Drift operation “the most sophisticated of all the situations” because it was such a long con.

“The fact that the Drift incident is the magnitude that we're seeing is really interesting,” Barnhart said. “Because, I mean, it reads like a spy novel.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.