North Korean Hackers Steal $280 Million from Drift Cryptocurrency Platform in Elaborate Scheme
The **Drift** cryptocurrency platform has revealed the details of a sophisticated, months-long operation by North Korean hackers resulting in the theft of over $280 million. The attack involved elaborate social engineering and infiltration tactics, highlighting the increasing sophistication of state-sponsored cybercrime.
## Months-Long Infiltration Leads to Massive Crypto Heist
**Drift** officials detailed how the operation began six months prior to the theft, when they were approached at a cryptocurrency conference by individuals claiming to represent a quantitative trading firm. This firm, linked to **UNC4736**, a North Korean state-affiliated group also known as **AppleJeus** or **Citrine Sleet**, initiated a carefully crafted relationship.
These individuals, described as technically fluent with deep knowledge of **Drift**, had "verifiable professional backgrounds." Investigations revealed that North Korean operatives targeted **Drift** contributors at multiple major industry conferences across several countries over the following months.
Crucially, the individuals who met **Drift** personnel in person were not North Korean nationals, with the government allegedly using intermediaries to build trust and rapport. According to **Drift**, these third-party operatives had meticulously constructed identities, including employment histories, public credentials, and professional networks, designed to withstand scrutiny.
**Drift** contributors engaged in months of conversations with the supposed trading firm via a **Telegram** group, discussing trading strategies and potential vault integrations. This interaction mirrored typical onboarding procedures for trading firms on the **Drift** platform. The trading firm even deposited $1 million of its own capital into **Drift** as a sign of good faith.
Integration discussions continued for months, with face-to-face meetings at industry conferences further solidifying the relationship. By April 1, the hackers launched their attack, stealing $280 million. An internal review of affected devices traced the intrusion back to interactions with the deceptive trading group.
One telling sign was the trading company's deletion of the entire **Telegram** chat history with **Drift** immediately after the exploit. Investigations revealed potential attack vectors, including a compromised contributor who copied a malicious code repository shared by the trading firm, and another who was urged to download a potentially malicious **TestFlight** application.
**Drift** is currently collaborating with law enforcement and cybersecurity firm **Mandiant** on the ongoing investigation. All of **Drift's** functions have been frozen, and the attacker's wallets have been flagged across multiple exchanges and bridge operators.
## Echoes of Past Attacks
Investigators have linked the **Drift** attack to the October 2024 theft of $50 million from crypto firm **Radiant Capital**, citing similarities in fund destinations and personas used during both operations.
Michael Barnhart, an expert on North Korean cyber operations at **DTEX**, noted the incident's connection to other revenue-generating schemes orchestrated by Pyongyang. Barnhart highlighted the use of stand-ins and cutouts, a tactic reminiscent of previous North Korean operations, including the 2017 assassination of Kim Jong-nam.
Barnhart emphasized that North Korea has become increasingly adept at these schemes, often deceiving individuals into participating in their long-running IT worker scheme.
## The AppleJeus Connection
Barnhart traced the origins of **AppleJeus** back to North Korea's **APT38**, which splintered after a high-profile heist from Bangladesh's central bank in 2016. U.S. officials, **Microsoft**, and **Google** have issued repeated warnings about attacks attributed to **AppleJeus**. The 2023 supply chain attack on enterprise phone company **3CX** was also linked to the same group.
The Justice Department and **FBI** have stated that North Korea has been using websites masquerading as legitimate cryptocurrency trading platforms to infect victims with **AppleJeus** malware since at least 2018. In 2024, **Microsoft** observed **Citrine Sleet** targeting the cryptocurrency industry with a zero-day vulnerability affecting the **Chromium** browser.
The **FBI** has repeatedly stated that North Korea generates billions through its cryptocurrency targeting, using the stolen funds to finance its ballistic weapons program. According to United Nations investigators, North Korean groups stole over $2 billion from crypto firms last year and $3 billion between 2017 and 2023.
Barnhart characterized the **Drift** operation as the "most sophisticated of all the situations" due to its extended timeline and elaborate deception. "The fact that the **Drift** incident is the magnitude that we're seeing is really interesting," Barnhart concluded. "Because, I mean, it reads like a spy novel."
