{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/actors/unc4736-lazarus-group/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["UNC4736 (Lazarus Group)"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["drift-protocol","crypto-theft","north-korea","unc4736","lazarus-group","social-engineering","supply-chain"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eOn April 1st, 2026, the Solana-based trading platform, Drift Protocol, experienced a sophisticated attack resulting in the theft of over $280 million. Investigations by Elliptic and TRM Labs point to North Korean hackers, possibly UNC4736 (also known as AppleJeus and Labyrinth Chollima), a threat actor previously linked to Lazarus. The attackers cultivated a presence within the Drift ecosystem over six months, posing as a quantitative firm. They approached Drift contributors in person at multiple crypto conferences, building trust and rapport. Communications continued via Telegram, where they discussed trading strategies and potential vault integrations, demonstrating technical proficiency and familiarity with Drift\u0026rsquo;s operations. The Telegram group was deleted immediately after the theft.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Reconnaissance:\u003c/strong\u003e The threat actors posed as a quantitative firm to gather information about Drift Protocol and its contributors.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIn-Person Engagement:\u003c/strong\u003e The actors attended multiple crypto conferences, engaging with specific Drift contributors.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRelationship Building:\u003c/strong\u003e They communicated with targets via Telegram, discussing trading strategies and potential vault integrations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePotential Compromise:\u003c/strong\u003e Two contributors were potentially compromised via a malicious code repository exploiting a VSCode/Cursor vulnerability allowing silent code execution, or via a malicious TestFlight application presented as a wallet product.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attack allowed the hijacking of the Security Council administrative powers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAsset Draining:\u003c/strong\u003e The attackers drained user assets in approximately 12 minutes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Removal:\u003c/strong\u003e The Telegram group used for engaging contributors was deleted immediately after the theft.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFunds Laundering:\u003c/strong\u003e The stolen funds were likely transferred to attacker-controlled wallets and prepared for laundering, though the wallets have been flagged across exchanges and bridge operators.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Drift Protocol suffered a loss of over $280 million, impacting users of the Solana-based trading platform. All Drift Protocol functions remain frozen, and the compromised wallets have been removed from the multisig process. The incident highlights the risks associated with social engineering and the importance of verifying the identities of individuals and organizations interacting with critical infrastructure. The attack has also raised concerns about the security practices within the cryptocurrency sector.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for unusual network activity and potential exploitation of VSCode/Cursor vulnerabilities via \u003ccode\u003eprocess_creation\u003c/code\u003e and \u003ccode\u003enetwork_connection\u003c/code\u003e logs using the \u0026ldquo;Detect Suspicious VSCode Code Execution\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious applications installed via TestFlight, especially those presented as wallet products, using \u003ccode\u003efile_event\u003c/code\u003e logs and the \u0026ldquo;Detect Suspicious TestFlight Application Installation\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement strict identity verification procedures for individuals and organizations interacting with sensitive systems and data.\u003c/li\u003e\n\u003cli\u003eEducate employees about social engineering tactics and the risks of interacting with unknown individuals or organizations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T16:35:39Z","date_published":"2026-04-06T16:35:39Z","id":"/briefs/2026-04-drift-hack/","summary":"The Drift Protocol suffered a $280 million crypto theft orchestrated by North Korean hackers who spent six months building an in-person operational presence within the Drift ecosystem, engaging with contributors at crypto conferences and via Telegram.","title":"Drift Protocol $280M Crypto Theft Linked to North Korean Hackers","url":"https://feed.craftedsignal.io/briefs/2026-04-drift-hack/"}],"language":"en","title":"CraftedSignal Threat Feed — UNC4736 (Lazarus Group)","version":"https://jsonfeed.org/version/1.1"}