Months of Trust Building Led to a $285M Crypto Theft. Drift Attack Highlights the Real Entry Point
A $285 million cryptocurrency theft affecting Drift has been attributed to a months-long social engineering operation, according to the company’s investigation.
The attack, executed on April 1, 2026, was not the result of a single exploit.
It was the outcome of sustained access building over time.
Campaign Overview
Drift describes the incident as a structured operation spanning approximately six months.
The activity has been linked with medium confidence to a DPRK-aligned threat actor tracked as UNC4736, also associated with known clusters such as Golden Chollima.
The group has a documented history of targeting the cryptocurrency sector through financially motivated campaigns.
How the Attack Developed
The operation began in late 2025.
Threat actors approached Drift contributors through industry conferences, presenting themselves as a legitimate trading firm interested in integration.
Over time, they:
- built relationships with targeted individuals
- engaged in technical discussions
- established communication channels (including Telegram)
- deposited funds to gain credibility
This created a trusted presence inside the ecosystem.
Initial Compromise Vectors
The investigation suggests two likely entry points:
- a malicious code repository shared during collaboration
- a wallet application distributed via Apple TestFlight
One scenario involved a weaponized Visual Studio Code project.
The project leveraged a tasks.json configuration to execute malicious code automatically when opened.
This technique aligns with previously observed activity in campaigns such as Contagious Interview.
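As an added example that is not part of the original article or of Drift's investigation, the Python check below parses a repository's .vscode/tasks.json and flags any task VS Code would start on its own when the folder is opened; the sample tasks.json is constructed, while the "runOptions": {"runOn": "folderOpen"} key and the presentation.reveal option are the documented VS Code mechanisms.

```python
# Added example (not code from Drift or any cited source): flag VS Code tasks that start
# automatically on folder open. Sample below is constructed; the "runOn": "folderOpen" key is real.
import json, re

def strip_jsonc(text):
    """Drop // and /* */ comments and trailing commas (VS Code accepts both) outside strings."""
    out, i, in_str = [], 0, False
    while i < len(text):
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\":                        # keep the escaped character verbatim
                out.append(text[i + 1]); i += 1
            in_str = c != '"'
        elif c == '"':
            in_str = True; out.append(c)
        elif text.startswith("//", i):           # line comment: skip to end of line
            nl = text.find("\n", i); i = len(text) if nl < 0 else nl
            continue
        elif text.startswith("/*", i):           # block comment: skip past closing */
            end = text.find("*/", i); i = len(text) if end < 0 else end + 2
            continue
        else:
            out.append(c)
        i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))   # trailing commas before } or ]

def find_auto_run_tasks(tasks_json):
    """One finding per task VS Code would launch on folder open: its command line
    and whether presentation.reveal hides the terminal it runs in."""
    findings = []
    for task in json.loads(strip_jsonc(tasks_json)).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue                             # only automatic tasks are of interest
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        reveal = task.get("presentation", {}).get("reveal", "always")
        findings.append({"label": task.get("label", "<unnamed>"), "type": task.get("type", ""),
                         "command": " ".join(parts).strip(), "hidden": reveal in ("silent", "never")})
    return findings

SAMPLE_TASKS_JSON = r'''{ // constructed sample for this example
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", "command": "./scripts/postsetup.sh",
     "presentation": {"reveal": "never"},    // terminal never shown to the developer
     "runOptions": {"runOn": "folderOpen"}}, // starts as soon as the folder is opened
  ]
}'''
```

Running find_auto_run_tasks(SAMPLE_TASKS_JSON) reports only the "setup" task, with its hidden terminal; VS Code's own task.allowAutomaticTasks setting and Workspace Trust prompt decide whether such a task actually runs, so reviewing the file before opening a shared project is the cheaper control.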
Post-Compromise Activity
Once access was established, the attackers:
- moved laterally within the environment
- interacted with cloud and development resources
- positioned themselves for financial extraction
The final stage involved the transfer of funds to attacker-controlled wallets.
On-chain analysis showed links to previously identified DPRK-related activity.
The Drift incident follows a familiar attack progression, but with a different entry point.
Instead of exploiting a vulnerability, the attackers spent months building trust before introducing malicious artifacts into the workflow.
Why This Matters
This attack illustrates a critical shift.
The entry point was not a technical weakness.
It was trust.
Three key observations:
1. Social engineering is now long-term and operational
Not a single phishing email, but months of interaction.
2. Developer workflows are high-risk environments
Repositories, tools, and integrations become entry points.
3. Identity is the primary attack surface
Access is built through relationships, not exploits.
DIAMATIX Perspective
This case reflects a pattern that continues to grow.
The attackers do not start with malware.
They start with access.
And access is built through:
- trust
- interaction
- legitimacy
By the time malicious code is introduced, the environment already accepts it.
From an operational standpoint, this creates a different challenge.
Traditional controls focus on:
- malicious files
- known indicators
- external threats
But here:
- the interaction is legitimate
- the actors appear credible
- the activity blends into normal workflows
Organizations should adapt by:
- treating external collaboration as a potential attack surface
- validating code sources, even in trusted relationships
- monitoring developer environments and tool execution behavior
- recognizing that long-term social engineering can bypass technical controls
The breach does not begin when code executes.
It begins when trust is established.
Sources
Drift. Official incident analysis (April 2026)
CrowdStrike. Threat actor tracking (Golden Chollima)
DomainTools. DPRK malware ecosystem analysis
Chainalysis. Cryptocurrency attribution insights
This article is based on publicly available investigation and threat intelligence as of April 2026.