Hacking Incidents | High

North Korean UNC4736 Steals $285M from Drift Protocol in Cryptocurrency Heist

Tuesday, April 7, 2026
Global
The Hacker News

Summary

North Korean state-sponsored hacking group UNC4736 (AppleJeus/Citrine Sleet) stole $285 million from Solana-based decentralized exchange Drift Protocol on April 1, 2026. The theft was the culmination of a six-month social engineering operation targeting the cryptocurrency sector.

Threat Analysis

The North Korean state-sponsored hacking group UNC4736, also known as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces, executed a $285 million cryptocurrency theft from Drift Protocol, a Solana-based decentralized exchange, on April 1, 2026. The attack was the result of a meticulously planned six-month social engineering operation, demonstrating the group's patience and sophistication in pursuing high-value cryptocurrency targets. UNC4736 has a well-documented history of targeting the cryptocurrency sector for financial theft that funds North Korea's weapons programs. The group has also been observed using GitHub as command-and-control (C2) infrastructure in multi-stage attacks against South Korean organizations, distributing obfuscated Windows shortcut (LNK) files via phishing emails. This incident underscores the persistent and sophisticated threat that DPRK-affiliated actors pose to the cryptocurrency ecosystem.

Recommended mitigations: Cryptocurrency platforms should implement multi-signature authorization for large transactions, conduct thorough background checks on contractors and new hires, enforce strict code review processes, and monitor for social engineering attempts targeting employees.

Last updated: Apr 7, 2026, 08:18 AM
