By Jove, the chaps at Drift Crypto Protocol have let the cat out of the bag, revealing a most audacious exploit of $270 million, executed with the precision of a Jeeves-planned tea party on April 1, 2026. According to their rather spiffing incident update, this financial fandango was the handiwork of UNC4736 – a North Korean state-affiliated threat group, also known as Citrine Sleet or AppleJeus, dashed clever sorts, what?
This little escapade, old boy, marks the largest native Solana decentralized application exploit on record. The blighters posed as a quantitative trading firm, plonked down over $1 million of their own dough into an Ecosystem Vault, and even held jolly working sessions with contributors across the globe. Then, after a spot of patience that would make a saint blush, they executed a durable nonce attack, draining the protocol vaults quicker than Bertie Wooster downs a pink gin.
The scope and duration of this operation, I say, are enough to make one’s head spin like a top. It’s not just a spot of bother for Drift, but a jolly serious signal about the maturity of state-sponsored cryptocurrency theft operations. The standard DeFi security checklist, smart contract audits and all, seems as useful as a chocolate teapot against these chaps operating on intelligence timelines.
“I say, everyone in crypto ought to give this a read, what? Thought it’d be another case of social engineering, likely some recruiter/job offer rot. Was dashed wrong, I was. The depth of the operation and personas makes one think they’ve got multiple other teams on lock. 😳”
– Tay 💖 (@tayvano_) April 5, 2026
UNC4736’s Jolly Good Show: Six-Month Timeline, Dual Intrusion Vectors, and the Durable Nonce Execution
According to Drift’s rather detailed update, the first contact occurred in the autumn of 2025 at a major crypto conference, where these chaps presented themselves as a technically fluent quant trading firm seeking vault integration. Dashed smooth operators, they followed the usual DeFi onboarding rigmarole – a Telegram group, chats about trading strategies, and whatnot – nothing to raise an eyebrow, really.
Between December 2025 and January 2026, they onboarded an Ecosystem Vault, deposited over $1 million, and established a functioning operational presence. The chaps even met face to face at multiple industry conferences, a known DPRK operational pattern, using third-party intermediaries with fully constructed professional identities. Jolly clever, eh?
“Pretty rum if true. Tl;dr – hackers casually gained trust via IRL conference meet, set up a TG channel, became a customer, built integrations over 6 months, and then got one chap with a testflight link to show off their handiwork.”
– mert (@mert) April 5, 2026
The technical intrusion, old bean, proceeded through two vectors. The first involved a TestFlight application, presented as their proprietary wallet product, and the second exploited a known vulnerability in VSCode and Cursor. Once contributor devices were compromised, the attackers obtained the necessary multisig approvals, pre-signed transactions using Solana’s durable nonce mechanism, and sat tight for over a week before pulling the trigger on April 1, draining $270 million in under sixty seconds. Dashed efficient, what?
Attribution to UNC4736 is based on on-chain fund flows linking the attack to wallets associated with the October 2024 Radiant Capital exploit, as well as operational overlap with known DPRK-linked personas identified by Mandiant and SEAL 911. We anticipate Mandiant’s full forensic report will surface additional infrastructure overlaps, connecting this operation to prior Lazarus Group-adjacent campaigns.
2026-04-06 14:52