Back to Home

North Korean Hackers Steal $285M via Fake Crypto Identities

North Korean state-backed hackers infiltrated Drift Protocol over six months using fabricated identities and malicious tools, ultimately stealing $285 million. The attack highlights evolving threats where human trust—not just code—is the weakest link in crypto security.

The $285M Crypto Heist That Felt Like a Spy Movie
Advertisement 728x90

How North Korean Hackers Stole $285 Million by Pretending to Be Friendly Traders

A cryptocurrency trading platform lost $285 million not because of a broken lock—but because thieves spent six months pretending to be trusted neighbors before quietly walking off with the keys. This wasn’t a smash-and-grab; it was a carefully rehearsed con, and it reveals how cybercrime has evolved into something closer to spy fiction than tech trouble.

The Long Con Begins at a Conference

Last fall, people representing a supposed quantitative trading firm showed up at a major crypto event. They met developers from Drift Protocol—a decentralized exchange (or DEX) built on the Solana blockchain—and struck up conversations like any serious business partner would. They exchanged contacts, joined Telegram groups, and even made a $1 million deposit into Drift’s ecosystem to prove they were legitimate.

But none of it was real. According to Drift’s investigation, these individuals were part of UNC4736, a hacking group linked to North Korea. Their goal wasn’t just to steal—it was to blend in so completely that no alarm bells rang until it was too late.

Google AdInline article slot

How the Hack Actually Worked

The attackers didn’t crack passwords or guess secret codes. Instead, they used three sneaky tactics:

  • Fake developer tools: They created a malicious version of popular coding software (like VSCode or Cursor) that looked normal but secretly ran harmful code in the background.
  • Phony mobile apps: They distributed a fake TestFlight app—Apple’s system for testing pre-release software—that tricked users into installing malware.
  • A counterfeit code repository: Developers unknowingly pulled code from a lookalike source that included hidden backdoors.

Once inside, the hackers built what’s called an “Ecosystem Vault”—a special account meant for big partners—and used it to trigger the theft. Right after draining $285 million, they wiped every trace: Telegram chats disappeared, malware self-deleted, and their online personas vanished.

Why This Isn’t Just About One Platform

This attack fits a growing pattern. The same group—also known as AppleJeus or Citrine Sleet—is suspected in other major crypto heists, including the 2024 Radiant Capital breach. Security experts say North Korean-linked actors often use non-North Korean intermediaries for face-to-face meetings, making detection even harder.

Google AdInline article slot

Worse, this method bypasses traditional security. Even multisignature wallets—where multiple people must approve a transaction—failed here because the signers were tricked into approving something that looked harmless. As one expert put it: “The problem isn’t how many people sign—it’s whether they understand what they’re signing.”

What Does This Mean for Regular People?

If you use crypto apps—even indirectly through exchanges or wallets—you’re affected by this kind of threat. When hackers compromise the tools developers rely on, everyone downstream is at risk. It’s like if a chef unknowingly used poisoned ingredients: the meal looks fine, but it’s dangerous.

You don’t need to panic, but it’s a reminder that trust in digital spaces must be verified, not assumed. The safest systems now simulate transactions before they happen, showing exactly what will change on the blockchain—no matter how friendly the request seems.

Google AdInline article slot

Key Takeaways

  • North Korean hackers infiltrated Drift Protocol over six months using fake identities and in-person meetings.
  • They exploited trusted developer tools and apps to silently insert malicious code.
  • The $285 million theft succeeded because humans were socially engineered—not because of technical flaws alone.
  • Multisignature security can fail if users don’t understand what they’re approving.
  • The broader lesson: in crypto, seeing isn’t always believing—transactions must be independently verified.

— Editorial Team

Advertisement 728x90

Read Next

Partner News