DPRK-linked cryptoasset theft campaign continuing into 2026
Campaign
Summary
The DPRK-linked cryptoasset theft campaign is continuing into 2026, keeping crypto and Web3 targets at risk of repeated theft and laundering activity. The operation uses social engineering, persuasive personas, and staged approvals to obtain access and move funds. It is associated with campaign names such as DangerousPassword and Contagious Interview. The campaign matters because it has been linked to more than $6.5 billion stolen in recent years and shows a sustained, well-resourced theft model.
Related Happenings
BlackFile vishing extortion campaign targeting retail and hospitality organizations
Campaign
First: 24.04.2026 21:26
Last: 24.04.2026 21:26
Sources 1
About this happening:
The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...
UNC1069 open-source maintainer social-engineering campaign
Campaign
First: 04.04.2026 23:30
Last: 04.04.2026 23:30
Sources 1
About this happening:
UNC1069's **coordinated social-engineering campaign** against **Node.js and npm maintainers** has widened, with multiple developers reporting the same lure pattern and the potenti...
Latest development: 06.04.2026 23:55
Security researcher Taylor Monahan and Socket reported that members of the open source software community, including Socket engineers and CEO Feross Aboukhadijeh, were targeted by the same slow-burn LinkedIn, Slack, and Microsoft Teams social engineering playbook used against Axios maintainer Jason Saayman, indicating the campaign was wider than a single Axios compromise.
Contagious Interview cryptocurrency social-engineering and malware-delivery campaign
Campaign
First: 23.03.2026 20:09
Last: 23.03.2026 20:09
Sources 1
About this happening:
A **North Korean** cluster behind **Contagious Interview / WaterPlum** is running a coordinated **malware campaign** against **cryptocurrency professionals**, increasing the risk...
OFAC sanctions DPRK IT worker scheme network
Regulatory/Legal Action
First: 18.03.2026 19:26
Last: 18.03.2026 19:26
Sources 1
About this happening:
**OFAC** sanctioned **Ryujong Credit Bank**, **KMCTC**, and **eight individuals** tied to **North Korean cryptocurrency laundering** and **fraudulent IT worker schemes**. The **U....
Russian state-sponsored hackers' ongoing Signal and WhatsApp phishing campaign
Campaign
First: 09.03.2026 23:24
Last: 09.03.2026 23:24
Sources 1
About this happening:
An **ongoing Russian state-sponsored phishing campaign** is targeting **Signal** and **WhatsApp** users, with the **UK NCSC** warning on **March 31** that **Russia-based actors**...
Timeline
- 03.04.2026 11:35 · 2 articles
  DPRK-linked crypto theft campaign stages prep by March 23, 2026
  Campaign Scope Update: Preparations for the DPRK-linked cryptoasset theft campaign were already underway by March 23, 2026, indicating multi-week staging and the same social-engineering tradecraft later used against Solana-based decentralized exchange Drift.
  Sources:
  - Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK — thehackernews.com — 03.04.2026 11:35
  - Bybit Theft Drives Record-Breaking $2bn Haul for North Korea — www.infosecurity-magazine.com — 08.10.2025 12:15
- 03.04.2026 11:35 · 1 article
  Drift attack drains about $285 million on April 1, 2026
  Exploitation Observed: On April 1, 2026, attackers gained unauthorized access to Solana-based decentralized exchange Drift through a durable nonce-enabled social-engineering operation, seized Security Council administrative powers, introduced a malicious asset, removed preset withdrawal limits, and drained about $285 million.
  Sources:
  - Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK — thehackernews.com — 03.04.2026 11:35
- 03.04.2026 11:35 · 2 articles
  Elliptic and TRM Labs tie the Drift heist to DPRK tradecraft
  Attribution Update: On April 3, 2026, Elliptic and TRM Labs reported on-chain indicators suggesting North Korean crypto thieves may be behind the Drift heist, citing Tornado Cash staging, cross-chain bridging patterns, rapid post-hack laundering, pre-signed hidden authorizations, and the broader DPRK cryptoasset theft campaign tracked as DangerousPassword and Contagious Interview.
  Sources:
  - Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK — thehackernews.com — 03.04.2026 11:35