$280 Million Crypto Heist from Drift Exposes Sophisticated North Korean Supply‑Chain Deception
What Happened — North Korean state‑affiliated hackers operating under the UNC4736 (AppleJeus/Citrine Sleet) umbrella created a fake quantitative‑trading firm, cultivated multi‑month relationships with Drift contributors at global conferences, and ultimately siphoned more than $280 million from the Drift cryptocurrency platform on April 1, 2026.
Why It Matters for TPRM —
- Adversaries can weaponize fully fabricated professional identities to infiltrate third‑party ecosystems.
- Supply‑chain attacks that target trust relationships, not technical vulnerabilities, can result in massive financial loss.
- Continuous vetting of partner personnel and post‑onboarding monitoring are essential controls for crypto‑related SaaS providers.
Who Is Affected — Crypto‑exchange platforms, fintech SaaS providers, and any organization that onboards third‑party trading or liquidity partners.
Recommended Actions —
- Re‑evaluate vendor onboarding processes: require independent background checks and biometric verification for high‑value partners.
- Implement real‑time transaction monitoring and anomaly detection for large fund movements.
- Enforce strict least‑privilege access for API keys and vault integrations; rotate credentials after any new partnership.
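The second and third recommendations above (transaction monitoring for large fund movements, and tight control over which API keys may move funds) can be expressed as a small detection routine. The following is an added example, not code from the brief, from Drift, or from any named vendor; the ledger rows, the approved-key allowlist, and the thresholds (a hard per-transfer ceiling of 5 million USD and a 10x-trailing-median ratio) are all constructed for illustration.

```python
"""Transaction monitoring for vault outflows: flag unusually large movements
and transfers signed by API keys outside an approved set.

Added example with constructed data and thresholds; not Drift's own rules."""
from collections import defaultdict
from statistics import median

# Constructed ledger rows: (timestamp, vault, api_key_id, amount_usd).
# The last two rows model the kind of event the monitoring should catch.
SAMPLE_TRANSFERS = [
    ("2026-03-28T10:00:00Z", "vault-A", "key-ops-1", 100_000),
    ("2026-03-28T14:00:00Z", "vault-A", "key-ops-1", 120_000),
    ("2026-03-29T09:30:00Z", "vault-A", "key-ops-2", 90_000),
    ("2026-03-29T16:00:00Z", "vault-B", "key-ops-1", 50_000),
    ("2026-03-30T11:00:00Z", "vault-B", "key-ops-2", 60_000),
    ("2026-03-31T08:00:00Z", "vault-A", "key-ops-2", 110_000),
    ("2026-03-31T13:00:00Z", "vault-B", "key-ops-1", 55_000),
    ("2026-04-01T02:10:00Z", "vault-B", "key-ops-1", 800_000),
    ("2026-04-01T02:15:00Z", "vault-A", "key-partner-9", 20_000_000),
]

# Constructed allowlist: the only keys permitted to move funds out of a vault.
APPROVED_KEYS = {"key-ops-1", "key-ops-2"}

ABSOLUTE_LIMIT_USD = 5_000_000  # hypothetical hard ceiling for one transfer
RATIO_LIMIT = 10.0              # flag a transfer >= 10x the vault's median outflow
MIN_HISTORY = 3                 # unflagged transfers needed before the ratio check applies


def detect_anomalies(transfers, approved_keys, absolute_limit=ABSOLUTE_LIMIT_USD,
                     ratio_limit=RATIO_LIMIT, min_history=MIN_HISTORY):
    """Return one alert dict per suspicious transfer, in ledger order.

    Three independent checks each contribute a reason string:
      unapproved_key  - the signing key is not on the allowlist
      absolute_limit  - the amount meets or exceeds the hard ceiling
      baseline_ratio  - the amount is >= ratio_limit x the vault's trailing median
    Flagged transfers are kept out of the per-vault baseline so that a first
    large withdrawal cannot normalise the ones that follow it.
    """
    history = defaultdict(list)  # vault -> amounts of prior unflagged transfers
    alerts = []
    for ts, vault, key, amount in transfers:
        reasons = []
        if key not in approved_keys:
            reasons.append("unapproved_key")
        if amount >= absolute_limit:
            reasons.append("absolute_limit")

        baseline = None
        ratio = None
        prior = history[vault]
        if len(prior) >= min_history:
            baseline = median(prior)
            if baseline > 0:
                ratio = round(amount / baseline, 1)
                if ratio >= ratio_limit:
                    reasons.append("baseline_ratio")

        if reasons:
            alerts.append({"ts": ts, "vault": vault, "key": key, "amount": amount,
                           "baseline": baseline, "ratio": ratio, "reasons": reasons})
        else:
            prior.append(amount)  # only normal transfers extend the baseline
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_TRANSFERS, APPROVED_KEYS):
        print(f"{alert['ts']} {alert['vault']} {alert['key']} "
              f"${alert['amount']:,}  reasons={alert['reasons']}")
```

On the constructed ledger the routine raises two alerts: the 800,000 USD outflow from vault-B trips only the ratio check (about 14.5x the vault's 55,000 USD median), while the 20 million USD outflow from vault-A trips all three checks because it is signed by a key that was never on the allowlist. In production the allowlist would be fed from the key-issuance system and rotated whenever a partnership changes, which is what the last recommendation above asks for.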
Technical Notes — The operation leveraged social engineering, deep‑fake professional histories, and likely compromised credentials of a Drift contributor to gain API‑level access to vaults. No public CVE was involved; the attack surface was the third‑party dependency and trust relationship. Source: The Record