North Korean Hackers Use Six-Month Social Engineering Campaign to Steal $285M From Drift
Key Points
- Drift Protocol, the largest decentralized perpetual futures exchange on the Solana blockchain, was targeted by North Korean hackers in a six-month social engineering campaign.
- The threat actors, tracked as UNC4736, drained $285 million in user assets in only 12 minutes after several months of posing as a legitimate quantitative trading company.
- IANS Faculty emphasize that social engineering has become a long-term intelligence gathering technique, requiring security teams to view trust as an attack surface.
A North Korean hacking group stole over $285 million from Drift Protocol, a decentralized finance protocol on the Solana blockchain, after staging a six-month-long social engineering campaign.
Starting in the fall of 2025, the threat actors posed as representatives of a quantitative trading firm and approached Drift officials at a conference, using face-to-face interactions to build a relationship. Over the course of six months, Drift staff met with the fake representatives (who, Drift says, had verifiable professional backgrounds) at conferences around the world.
The threat actors impersonated legitimate users seeking to open a vault on Drift, going so far as to deposit $1 million of their own capital. According to Drift’s incident report, the threat actors spent months “deliberately and patiently” building a trusted presence within Drift.
On April 1, 2026, the attackers executed their plan and managed to steal $285 million from user assets in just 12 minutes. Within hours, they successfully bridged most of the stolen funds to Ethereum.
Drift's forensic investigations identified that the attack was carried out by UNC4736, a hacking group linked to the Democratic People’s Republic of Korea (DPRK). The attackers spent weeks preparing on-chain activities, creating a false sense of legitimacy around fake tokens. This setup enabled them to deploy pre-signed transactions.
“The term 'sophisticated' has been overused when describing cyber threat actors but fully applies when it comes to North Korean tactics. They've repeatedly demonstrated that they know how to gain the trust of key individuals who have access to large amounts of cryptocurrency or key parts of the software supply chain.” Adrian Sanabria, IANS Faculty
Big Picture
Social engineering has evolved from obviously spoofed emails into more sophisticated, long-term tactics. Campaigns can unfold over weeks or months, blending into normal user behavior and lulling security teams into a sense of trust.
“Defending against this requires treating social engineering as an operational risk category, not a checkbox in annual compliance training.” Jeff Brown, IANS Faculty
DPRK cyber strategy often relies on trust as a long-term attack surface. Actors like UNC4736 commonly use thousands of highly trained personnel to infiltrate and mislead organizations, often avoiding detection by standard security measures.
“Any organization or individual responsible for key open-source or web3 components must be vigilant for sophisticated social engineering attacks. These threat groups have mastered seeming competent without raising suspicion.” Adrian Sanabria, IANS Faculty
Security teams -- especially at financial services firms or organizations with coveted IP -- should revise their social engineering threat modeling to address these sophisticated threats.
“Most social engineering training programs are still built around email phishing simulations and generic awareness modules. That's fine for commodity-level threats, but it won't prepare your team for a six-month relationship-building campaign run by a state intelligence apparatus.” Jeff Brown, IANS Faculty
“Much of this goes beyond training and is fundamentally a leadership and culture issue. Today, speed of delivery is still treated as the primary measure of success, often at the expense of security fundamentals. All senior leaders (not just cybersecurity ones) need to drive a culture where raising risk is expected and rewarded, supported by clear escalation paths and visible executive backing.” Lisa Perdelwitz, IANS Faculty
IANS Faculty Recommendations
- Align on risk reduction strategy: Center employee and vendor onboarding and offboarding processes on risk reduction with clear cross-functional alignment on the operating model that supports them.
- Verify identity before allowing access: Look for vendors attempting trust acceleration tied to access. Separate relationship from access.
- Enhance training/escalation structure: Treat any external-to-internal execution as high risk. Assume even credible partners can be adversarial. Make it culturally acceptable to pause work when something feels off.
Lisa Perdelwitz, IANS Faculty
Authors & Contributors
Emily Dempsey, Author
Jeff Brown, IANS Faculty
Adrian Sanabria, IANS Faculty
Lisa Perdelwitz, IANS Faculty
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our News & blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.