North Korean Group UNC4736 Executes $280M Crypto Heist on Drift Protocol via In‑Person Social Engineering
What Happened — The Solana‑based Drift Protocol lost over $280 million in crypto after a six‑month operation that involved attackers posing as a quantitative trading firm, meeting key contributors at global conferences, and delivering malicious code (a VSCode/Cursor exploit) and a rogue TestFlight wallet app. Within 12 minutes the threat actors hijacked Security Council admin privileges and drained user assets.
Why It Matters for TPRM —
- Shows how adversaries can infiltrate a vendor’s ecosystem through physical‑world networking, bypassing typical digital defenses.
- Highlights the danger of third‑party code and tooling that may contain hidden exploits.
- Demonstrates the financial fallout when a single protocol’s admin controls are compromised, affecting downstream partners and customers.
Who Is Affected — Crypto‑trading platforms, DeFi protocol providers, financial‑services firms that integrate with Drift or similar on‑chain services, and any third‑party vendors supplying development tools or SDKs.
Recommended Actions —
- Conduct a full audit of all third‑party code repositories and build pipelines.
- Enforce zero‑trust onboarding: require multi‑factor authentication, hardware‑based key storage, and strict role‑based access for admin functions.
- Monitor on‑chain activity for abnormal withdrawals and freeze assets proactively.
- Vet all in‑person engagements with external contributors; enforce documented security briefings for conference interactions.
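As an added illustration of the monitoring recommendations above (this is example code written for this briefing, not tooling from Drift or from the BleepingComputer report), the following Python detector runs two rules over a stream of on‑chain events: a withdrawal‑velocity rule that compares the trailing 15‑minute withdrawal total against the median of earlier windows, and a privilege‑change rule that flags any withdrawal landing shortly after an admin/role change, the sequence a takeover‑then‑drain produces. The event timeline, amounts, account names and thresholds are constructed assumptions; a real deployment would feed it decoded program instructions from the chain.

```python
"""Velocity and privilege-change detector over constructed withdrawal events (added example)."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass
class Event:
    ts: datetime
    kind: str               # "withdraw" or "admin_change"
    actor: str
    amount_usd: float = 0.0


# Constructed sample timeline (hypothetical values, not real on-chain data):
# twelve routine withdrawals, then a privileged-role change followed by three large drains.
T0 = datetime(2025, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    Event(T0 + timedelta(minutes=7 * i), "withdraw", f"user-{i}", 25_000.0) for i in range(12)
]
SAMPLE_EVENTS += [
    Event(T0 + timedelta(hours=3), "admin_change", "signer-x"),
    Event(T0 + timedelta(hours=3, minutes=2), "withdraw", "signer-x", 90_000_000.0),
    Event(T0 + timedelta(hours=3, minutes=6), "withdraw", "signer-x", 95_000_000.0),
    Event(T0 + timedelta(hours=3, minutes=10), "withdraw", "signer-x", 95_000_000.0),
]


def detect(events, window=timedelta(minutes=15), velocity_factor=20.0,
           admin_grace=timedelta(minutes=30)):
    """Return alerts as (timestamp, rule, detail) tuples.

    Rule "velocity": the sum of withdrawals inside the trailing `window` exceeds
    `velocity_factor` times the median of all previously observed window sums.
    The median (rather than the mean) keeps the baseline from being dragged up
    by the attacker's own first large withdrawals.
    Rule "post_admin_withdrawal": a withdrawal lands within `admin_grace` of an
    admin/role change.
    """
    alerts = []
    in_window = deque()          # withdrawals inside the trailing window
    window_history = []          # window sums seen so far, for the baseline
    last_admin_change = None
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "admin_change":
            last_admin_change = e.ts
            alerts.append((e.ts, "admin_change", e.actor))
            continue
        if e.kind != "withdraw":
            continue
        # Drop withdrawals that have aged out of the window.
        while in_window and e.ts - in_window[0].ts > window:
            in_window.popleft()
        in_window.append(e)
        window_sum = sum(w.amount_usd for w in in_window)
        if window_history:
            baseline = median(window_history)
            if baseline > 0 and window_sum > velocity_factor * baseline:
                alerts.append((e.ts, "velocity", window_sum))
        window_history.append(window_sum)
        if last_admin_change is not None and e.ts - last_admin_change <= admin_grace:
            alerts.append((e.ts, "post_admin_withdrawal", e.amount_usd))
    return alerts


def count_by_rule(alerts):
    """Tally alerts per rule name, handy for dashboards and tests."""
    counts = {}
    for _, rule, _ in alerts:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_EVENTS):
        print(ts.isoformat(), rule, detail)
```

Run stand‑alone, the script prints no alerts for the twelve routine withdrawals and seven alerts once the role change and the three drains begin; in practice the "post_admin_withdrawal" rule is the one worth wiring to an automatic freeze, since a legitimate admin rotation is rarely followed by large outflows within minutes.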
Technical Notes — Attack vectors included social engineering at conferences, exploitation of a VSCode/Cursor vulnerability enabling silent code execution, and a compromised TestFlight application masquerading as a wallet. Attribution points to North Korean UNC4736 (AppleJeus/Labyrinth Chollima), a Lazarus‑linked group known for supply‑chain and zero‑day exploits. Source: BleepingComputer