North Korean Drift contributor targeting campaign
Campaign
Summary
A North Korean targeting campaign against Drift Protocol contributors ran for at least six months before the later theft, increasing the attackers' access and credibility inside the ecosystem. The group met targets in person at major crypto conferences across multiple countries and kept up contact through Telegram. This sustained engagement built a pre-attack relationship that supported the broader compromise that followed.
Related Happenings
UAE and Gulf cyberattack surge after Iran conflict escalation
Target Trend
First: 06.05.2026 08:30
Last: 06.05.2026 08:30
Sources 1
About this happening:
Cyberattack volume surged across the **UAE** and wider **Gulf** after military operations against **Iran** began, pushing daily breach attempts to **600,000 to 800,000** and raisi...
U.S. Treasury sanctions Kok An scam network
Regulatory/Legal Action
First: 04.05.2026 08:59
Last: 04.05.2026 08:59
Sources 1
About this happening:
The **U.S. Treasury Department** sanctioned **Cambodian Senator Kok An** and affiliates tied to **cyber scam compounds**, escalating financial and legal pressure on a network accu...
Approval phishing crypto wallet fraud campaign
Campaign
First: 13.04.2026 11:00
Last: 13.04.2026 11:00
Sources 1
About this happening:
**Approval phishing** fraud networks were identified at scale, with **more than 20,000 victims** and at least **$33m** in additional stolen crypto tied to the operation. The fraud...
Drift Protocol hit by cyberattack
Incident
First: 02.04.2026 22:03
Last: 02.04.2026 22:03
Sources 1
How related:
On April 1st, the Solana-based trading platform detected unusual activity, followed by confirmation that funds had been lost in a sophisticated attack that hijacked the Security Council administrative powers.
About this happening:
**Drift Protocol** disclosed a **security-council takeover** that drained **at least $280 million** and left its protocol functions essentially frozen. The attacker used **durable...
Latest development: 06.04.2026 19:35
Elliptic and TRM Labs attributed the $280+ million theft from Drift Protocol to North Korean hackers, and Drift said its findings point with medium-high confidence to UNC4736 (AppleJeus/Labyrinth Chollima). The investigation also said the attackers spent at least six months building a functioning operational presence inside the Drift ecosystem, posing as a quantitative firm, meeting Drift contributors at crypto conferences in multiple countries, and continuing discussions over Telegram.
Middle East retaliatory hacktivist DDoS campaign
Campaign
First: 04.03.2026 19:21
Last: 04.03.2026 19:21
Sources 1
About this happening:
A **retaliatory hacktivist DDoS campaign** has surged across the **Middle East**, creating broad disruption risk for **government** and **public-infrastructure** targets. Research...
Timeline
- 06.04.2026 19:35 · 1 article
Drift Protocol detects unusual activity and confirms stolen funds
Initial Disclosure: On April 1, the Solana-based trading platform detected unusual activity and then confirmed that funds had been lost in a sophisticated attack that hijacked Security Council administrative powers and drained user assets in about 12 minutes.
- Drift $280M crypto theft linked to 6-month in-person operation — www.bleepingcomputer.com — 06.04.2026 19:35
- 06.04.2026 19:35 · 2 articles
North Korean group’s six-month Drift contributor campaign comes into focus
Campaign Scope Update: On April 6, Drift said the attackers had spent at least six months posing as a quantitative firm, meeting specific Drift contributors in person at multiple major industry conferences in multiple countries and continuing contact on Telegram about trading strategies and potential vault integrations. Elliptic and TRM Labs attributed the heist to North Korean hackers, and Drift assessed UNC4736 with medium-high confidence. The platform kept all functions frozen while removing compromised wallets from the multisig process and flagging attacker wallets across exchanges and bridge operators.
- Drift $280M crypto theft linked to 6-month in-person operation — www.bleepingcomputer.com — 06.04.2026 19:35