The high-net-worth clients you meet at conferences could be “mercenaries” for North Korean hackers
Recently, Drift Protocol released the latest investigation results regarding the attack incident, indicating that this operation was carried out by the same threat actor as the October 2024 Radiant Capital hack, with highly consistent on-chain fund flows and operational methods. Security firm Mandiant had previously attributed the Radiant Capital attack to UNC4736, an organization linked to the North Korean government.
Following the Drift attack, the hacker has accumulated holdings of 130,293 ETH, valued at approximately $266 million. The incident affected up to 20 protocols, including Prime Numbers Fi, Gauntlet, Elemental DeFi, Project 0, among others. Among them, Prime Numbers Fi estimated losses exceeding $10 million, Gauntlet about $6.4 million, Neutral Trade about $3.67 million, and Elemental DeFi about $2.9 million. Elemental expressed hope to receive partial compensation from Drift.
In its statement, Drift stated that this attack was a meticulously planned six-month operation. In the fall of 2025, a group of individuals claiming to be from a quantitative trading firm approached Drift contributors at a major crypto conference. Based on the timeline, major crypto conferences during that period included Korea Blockchain Week 2025 (September 22-28, 2025, held in Seoul), TOKEN2049 Singapore (October 1-2, held in Singapore), Binance Blockchain Week Dubai 2025 (October 30-31, held in Dubai), Solana Breakpoint Dubai (November 20-21, held in Dubai), etc.
Drift officials stated that they were technically skilled, had verifiable professional backgrounds, and were very familiar with Drift’s operations. A Telegram group was established between the two parties, followed by substantive discussions over several months regarding trading strategies and vault integration.
From December 2025 to January 2026, this group formally onboarded an ecosystem vault on Drift, filling out the required strategy details form. They held multiple working discussions with several contributors, raised detailed product questions, and deposited over $1 million of their own funds. Through patient and orderly operations, they established a fully functional business presence within the Drift ecosystem.
Integration discussions continued until March of this year. Several Drift contributors met these individuals face-to-face again at multiple international conferences. By this time, both parties had established a nearly six-month cooperative relationship; they were no longer strangers but partners who had worked together. During this period, the other party shared links to projects, tools, and applications they claimed to be building, which is a common practice among trading firms.
After the attack occurred on April 2nd, investigators conducted a comprehensive forensic review of known affected devices, accounts, and communication records. The interaction with this trading team became the most likely intrusion path. Simultaneously with the attack, the other party’s Telegram chat history and malware were completely wiped.
The investigation indicates that the attackers likely infiltrated Drift contributors’ devices through three methods. One contributor may have been compromised after cloning a code repository shared by the team, which was disguised as the frontend for deploying their vault. Another contributor was induced to download a TestFlight application, claimed by the other party to be their wallet product. Regarding the code repository infiltration path, the security community had issued multiple warnings between December 2025 and February 2026 about known vulnerabilities in VSCode and Cursor, where simply opening a file, folder, or repository in the editor could silently execute arbitrary code without user clicks or any prompts. A complete forensic analysis of the affected hardware is still ongoing.
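A defender-side check that follows from the repository path described above: list the editor configuration in a freshly cloned repository that can trigger automatic command execution before anyone opens it. This is an added example, not code from Drift or from the investigation; it covers the documented VS Code tasks feature (`"runOptions": {"runOn": "folderOpen"}`) and simply flags other editor config directories for manual review. Whether the repository in the Drift case used this mechanism is an assumption, and the sample repository is constructed inline.

```python
"""Pre-open review of a cloned repository for editor auto-execution hooks.
Added example (assumption: the shared repo used something like this)."""
import json
import os
import tempfile

# Editor config directories worth a manual look before opening the workspace
EDITOR_DIRS = (".vscode", ".cursor", ".devcontainer", ".idea")


def find_auto_run_tasks(repo):
    """Return (label, command) of tasks configured to run when the folder opens."""
    path = os.path.join(repo, ".vscode", "tasks.json")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8") as fh:
        try:
            data = json.load(fh)
        except json.JSONDecodeError:  # tasks.json may contain comments (JSONC)
            return [("<unparseable tasks.json: review by hand>", "")]
    hits = []
    for task in data.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            hits.append((task.get("label", "<unlabeled>"), task.get("command", "")))
    return hits


def review_workspace(repo):
    """Summarise editor auto-execution risks for a cloned repository."""
    present = [d for d in EDITOR_DIRS if os.path.isdir(os.path.join(repo, d))]
    return {"editor_dirs": present, "folder_open_tasks": find_auto_run_tasks(repo)}


def build_sample_repo():
    """Constructed sample: a clone whose tasks.json runs a script on folder open."""
    repo = tempfile.mkdtemp()
    os.makedirs(os.path.join(repo, ".vscode"))
    tasks = {"version": "2.0.0", "tasks": [{"label": "setup", "type": "shell",
             "command": "sh ./scripts/setup.sh",
             "runOptions": {"runOn": "folderOpen"}}]}
    with open(os.path.join(repo, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
        json.dump(tasks, fh)
    return repo


if __name__ == "__main__":
    print(review_workspace(build_sample_repo()))
```

The scan only covers declared configuration; it complements, rather than replaces, keeping the editor itself patched against the prompt-less execution bugs the text refers to.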

This operation shares the same threat actor as the October 2024 Radiant Capital hack. Mandiant attributed the Radiant attack to UNC4736, a North Korean state-sponsored organization also known as AppleJeus or Citrine Sleet. Attribution is based on two aspects: on-chain fund flows show that funds used for planning and testing this operation can be traced back to the Radiant attacker; operationally, the false identities used in this campaign show identifiable overlap with known North Korea-linked activities.
Drift pointed out that the individuals who actually appeared at the offline meetings were not of North Korean nationality. Such high-level North Korean threat actors typically use third-party intermediaries for face-to-face relationship building.
UNC4736 is a threat actor cluster tracked by Mandiant, assessed with high confidence to be subordinate to the Reconnaissance General Bureau of North Korea. This group has persistently targeted the cryptocurrency and fintech industries since 2018, stealing digital assets through supply chain attacks, social engineering, malware delivery, and other methods.
Its known major attack incidents include the March 2023 3CX supply chain attack, the approximately $50 million theft from Radiant Capital in 2024, and the recent approximately $285 million theft from Drift. Based on available statistics, this organization has stolen approximately $335 million in total.
This cluster is widely considered a sub-cluster of the Lazarus Group, specializing in financially motivated cybercrime. The Lazarus Group stole approximately $1.5 billion in assets from Bybit in February 2025, the largest single theft in cryptocurrency history.

Image Source: SotaMedia
The Lazarus Group is a North Korean government-sponsored cyber threat actor cluster under the Reconnaissance General Bureau, comprising multiple sub-clusters such as UNC4736 (i.e., AppleJeus/Citrine Sleet) and TraderTraitor. According to Chainalysis statistics, North Korean hackers have cumulatively stolen approximately $6.75 billion in cryptocurrency through clusters like Lazarus, with over $2 billion stolen in 2025 alone.
The group has orchestrated multiple globally sensational attack incidents: the 2014 Sony Pictures Entertainment breach, the 2016 theft of $81 million from the Bangladesh central bank, the 2017 global WannaCry ransomware outbreak, the 2022 thefts of $620 million from Ronin Bridge and $100 million from Harmony Horizon Bridge, and the successive attacks on Atomic Wallet and Stake in 2023. In October 2024, UNC4736 attacked Radiant Capital, stealing $50 million; in February 2025, TraderTraitor stole a record-breaking $1.5 billion from Bybit; in April 2026, UNC4736 completed the $285 million attack on Drift Protocol.
Lazarus has cumulatively driven North Korea’s cryptocurrency theft amount to $6.75 billion. Attack methods have evolved from early-stage breaches to long-term infiltration, social engineering, supply chain attacks, malicious smart contract / multi-signature infiltration, etc.
Drift’s statement notes that the investigation shows the identities used in the third-party targeted operation possessed complete personal and professional profiles, including work history, public credentials, and professional networks. The individuals met offline by Drift contributors spent months building identity dossiers capable of withstanding background checks for business partnerships.
Security researcher Taylor Monahan previously stated that North Korean IT workers have been infiltrating cryptocurrency companies and DeFi projects for at least seven years, with over 40 DeFi platforms having North Korean IT workers involved at different stages. The Drift incident further indicates that attackers have evolved from remote job application infiltration to offline, face-to-face, months-long targeted intelligence operations.
Drift stated it will continue to cooperate with law enforcement, forensic partners, and ecosystem teams. More details will be released upon completion of the investigation. All remaining protocol functions have been frozen, the compromised wallet has been removed from the multi-signature, and the attacker’s addresses have been flagged at various exchanges and cross-chain bridge operators.