Suspected DPRK Activity Tied to Drift Protocol Breach and EtherRAT Delivery Campaign
Drift Protocol disclosed that a malicious actor gained unauthorized access to its environment, according to a post amplified by the cyber threat intelligence account lazarusholic. The initial disclosure did not specify the intrusion vector, affected systems, or operational impact; later reporting from Chainalysis put the loss at $285 million and said privileged access played a role in the compromise. The incident has drawn attention in CTI circles because of possible links to DPRK-associated activity.
Separately, researchers at PhatomCandle reported a stealthy campaign that uses spoofed IT tools to deliver EtherRAT, with suspected ties to a North Korean advanced persistent threat. Taken together, the two reports show two tracks of suspected DPRK activity against the crypto sector: direct compromise of crypto-related platforms and malware distribution through deceptive tooling.
Timeline
Apr 9, 2026
Research highlights EtherRAT spread via spoofed IT tools
A Medium article by PhatomCandle reported a stealthy campaign using spoofed IT tools to distribute EtherRAT and said the activity was suspected to be linked to a DPRK threat actor. The reference indicates this was newly published research rather than a follow-up on the Drift Protocol incident.
Apr 9, 2026
Chainalysis links Drift Protocol loss to privileged access
A Chainalysis article reported that the Drift Protocol incident resulted in a $285 million loss and said privileged access played a role in the compromise. This adds new impact and attack-path details beyond the earlier generic unauthorized-access disclosure.
Apr 5, 2026
Drift Protocol reports unauthorized access incident
A statement attributed to Drift Protocol said a malicious actor gained unauthorized access to the platform. The available reference does not provide technical details, scope, or confirmed attribution.
Related Stories

North Korean Hackers Drove Most Crypto Losses Through Drift and KelpDAO Thefts
North Korea-linked hackers were attributed to two major cryptocurrency thefts in April: the **$285 million Drift Protocol breach** and the **$292 million KelpDAO exploit**, which together accounted for **76% of all crypto hack losses recorded through April 2026**. TRM Labs said the operations fit Pyongyang’s established pattern of carrying out a small number of highly targeted, high-value intrusions rather than frequent lower-value attacks, pushing cumulative North Korea-attributed crypto theft above **$6 billion since 2017**. The two attacks used different intrusion paths and laundering chains. In the Drift case, attackers reportedly spent months on social engineering, abused **Solana durable nonce transactions**, and leveraged a governance configuration change to drain funds in about **12 minutes**. In the KelpDAO theft, the attackers allegedly exploited a **single-verifier LayerZero bridge** design after compromising internal RPC nodes and using DDoS pressure to force reliance on poisoned data. TRM said the stolen assets then moved along separate routes: Drift funds were bridged to Ethereum and left dormant, while KelpDAO proceeds were partly frozen on Arbitrum and the remainder rapidly flowed through **THORChain** into Bitcoin in a pattern resembling **TraderTraitor** operations, reinforcing THORChain’s role as a recurring laundering route in major North Korea-linked crypto heists.
Yesterday
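The Drift summary above says the attackers abused Solana durable nonce transactions. The security-relevant property is that an ordinary Solana transaction carries a recent blockhash and expires within about a minute if it is not submitted, whereas a durable-nonce transaction references a nonce account and stays valid until that nonce is advanced, so a signature obtained by social engineering can be held and submitted later. By protocol rule, a durable-nonce transaction's first instruction must be the System program's AdvanceNonceAccount instruction (type `advanceNonce` in the RPC `jsonParsed` encoding). The following is an added example, not code from Drift, TRM Labs or any of the reports cited here: a signing-policy check that refuses to sign durable-nonce transactions unless the nonce authority is on an allowlist. The transactions, account names and the `OfflineSigner1` authority are constructed for illustration.

```python
"""Signing-policy check: block durable-nonce Solana transactions from unknown authorities.

Added example; the transaction samples below are constructed in the shape of the
RPC "jsonParsed" encoding and contain only the fields the check needs.
"""

SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"  # Solana System program

# Nonce authorities the treasury's own offline-signing flow is allowed to use
# (constructed for this example).
ALLOWED_NONCE_AUTHORITIES = frozenset({"OfflineSigner1"})


def _system_ix(ix_type, info):
    """Helper: build one parsed System-program instruction."""
    return {"programId": SYSTEM_PROGRAM_ID, "program": "system",
            "parsed": {"type": ix_type, "info": info}}


SAMPLE_TXS = [
    # 1. Ordinary transfer: relies on a recent blockhash and expires quickly.
    {"transaction": {"message": {
        "recentBlockhash": "Blockhash1111111111111111111111111111111111",
        "instructions": [
            _system_ix("transfer", {"source": "TreasuryA", "destination": "PayeeB",
                                    "lamports": 5_000}),
        ]}}},
    # 2. Durable nonce advanced by an authority the treasury does not know:
    #    the signature would stay valid until the attacker chooses to submit it.
    {"transaction": {"message": {
        "recentBlockhash": "NonceValueStoredInAccount11111111111111111",
        "instructions": [
            _system_ix("advanceNonce", {"nonceAccount": "NonceAcct1",
                                        "nonceAuthority": "UnknownAuthority9"}),
            _system_ix("transfer", {"source": "TreasuryA", "destination": "AttackerC",
                                    "lamports": 10**12}),
        ]}}},
    # 3. Durable nonce used by the team's own allowlisted offline signer.
    {"transaction": {"message": {
        "recentBlockhash": "NonceValueStoredInAccount22222222222222222",
        "instructions": [
            _system_ix("advanceNonce", {"nonceAccount": "NonceAcct2",
                                        "nonceAuthority": "OfflineSigner1"}),
            _system_ix("transfer", {"source": "TreasuryA", "destination": "PayeeB",
                                    "lamports": 7_500}),
        ]}}},
]


def uses_durable_nonce(tx):
    """True if the first instruction is System.advanceNonce (durable-nonce tx)."""
    instrs = tx["transaction"]["message"]["instructions"]
    if not instrs:
        return False
    first = instrs[0]
    return (first.get("programId") == SYSTEM_PROGRAM_ID
            and first.get("parsed", {}).get("type") == "advanceNonce")


def nonce_authority(tx):
    """Return the nonce authority of a durable-nonce tx, or None otherwise."""
    if not uses_durable_nonce(tx):
        return None
    return tx["transaction"]["message"]["instructions"][0]["parsed"]["info"].get("nonceAuthority")


def review_signing_request(tx, allowed_nonce_authorities=frozenset()):
    """Decide whether a signer may sign tx. Returns ("sign"|"block", reason)."""
    if not uses_durable_nonce(tx):
        return ("sign", "recent-blockhash transaction; expires if not submitted promptly")
    auth = nonce_authority(tx)
    if auth in allowed_nonce_authorities:
        return ("sign", f"durable nonce under allowlisted authority {auth}")
    return ("block", f"durable nonce under non-allowlisted authority {auth}; "
                     "signature would not expire")


def review_batch(txs, allowed_nonce_authorities=frozenset()):
    """Apply the policy to a batch and return just the decisions, in order."""
    return [review_signing_request(t, allowed_nonce_authorities)[0] for t in txs]


if __name__ == "__main__":
    for i, tx in enumerate(SAMPLE_TXS, 1):
        print(i, *review_signing_request(tx, ALLOWED_NONCE_AUTHORITIES))
```

The check assumes already-parsed input; a base64-encoded transaction must be decoded first. In practice the policy should also pin the nonce account itself, not only the authority, and the same rule belongs in any hardware-wallet or multisig approval flow that signs on behalf of a treasury.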
North Korean Threat Actors Use AI-Enabled IT Worker Scams and Target Crypto Firms
Microsoft-linked reporting says **North Korean threat actors** are using **AI** to scale and refine long-running “fake IT worker” schemes, where operatives pose as legitimate remote hires to obtain *authorized* access inside victim organizations. The activity is attributed to DPRK-linked clusters **Jasper Sleet** and **Coral Sleet**, with AI used to improve identity fabrication and maintenance (including face/voice manipulation) and to sustain day-to-day communications that help keep fraudulent personas credible, enabling “sustained, large-scale misuse of legitimate access.” Separately, reporting on suspected DPRK-linked intrusions describes a coordinated campaign against **cryptocurrency organizations** spanning staking platforms, exchange software providers, and exchanges, with theft of **source code, private keys, and cloud secrets**. Investigators described two primary access paths: exploitation of `CVE-2025-55182` (tracked as *React2Shell*), including mass scanning and WAF-bypass techniques, and the use of **pre-obtained valid AWS access tokens** to move directly into cloud enumeration; researchers also recovered artifacts from attacker infrastructure (e.g., shell history, archived code, and tool configurations) that provided visibility into post-compromise activity and C2 setup.
1 month ago
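The second access path in the story above, valid AWS access tokens reused to go straight into cloud enumeration, is detectable because the token shows up from a source the key has never used and immediately fans out across services with read-only calls. Below is an added example, not code from the reports cited here, of that detection over CloudTrail-style records: it keeps a baseline of (access key, source IP) pairs seen in normal operation and alerts when a pair outside the baseline makes a burst of `List*`/`Describe*`/`Get*` calls within a short window. The records are constructed and carry only the CloudTrail fields the logic reads (`eventTime`, `eventSource`, `eventName`, `sourceIPAddress`, `userIdentity.accessKeyId`); the key IDs, IPs and the ten-minute/five-call thresholds are assumptions to tune per environment.

```python
"""Detect replay of valid AWS access keys from new sources followed by enumeration bursts.

Added example over constructed CloudTrail-style records (a subset of the real schema).
"""
from collections import defaultdict
from datetime import datetime, timedelta

ENUM_PREFIXES = ("List", "Describe", "Get")  # read-only API families used for recon


def _rec(ts, source, name, ip, key):
    """Helper: build one minimal CloudTrail-like record (constructed data)."""
    return {"eventTime": ts, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}


CI_KEY, DEV_KEY = "ASIAEXAMPLECI0000001", "ASIAEXAMPLEDEV0000002"  # constructed key IDs

# (access key, source IP) pairs observed during normal operation (constructed).
BASELINE = frozenset({(CI_KEY, "10.0.0.5"), (DEV_KEY, "10.0.0.7")})

SAMPLE_RECORDS = [
    # Normal CI activity from its usual address: ignored by the detector.
    _rec("2026-04-09T10:00:00Z", "ec2.amazonaws.com", "DescribeInstances", "10.0.0.5", CI_KEY),
    # The CI key suddenly used from an unknown address, fanning out across services.
    _rec("2026-04-09T10:01:00Z", "sts.amazonaws.com", "GetCallerIdentity", "203.0.113.9", CI_KEY),
    _rec("2026-04-09T10:01:12Z", "iam.amazonaws.com", "ListUsers", "203.0.113.9", CI_KEY),
    _rec("2026-04-09T10:01:20Z", "iam.amazonaws.com", "ListRoles", "203.0.113.9", CI_KEY),
    _rec("2026-04-09T10:01:31Z", "s3.amazonaws.com", "ListBuckets", "203.0.113.9", CI_KEY),
    _rec("2026-04-09T10:01:45Z", "secretsmanager.amazonaws.com", "ListSecrets", "203.0.113.9", CI_KEY),
    _rec("2026-04-09T10:02:03Z", "ec2.amazonaws.com", "DescribeInstances", "203.0.113.9", CI_KEY),
    _rec("2026-04-09T10:02:20Z", "lambda.amazonaws.com", "ListFunctions", "203.0.113.9", CI_KEY),
    _rec("2026-04-09T10:03:00Z", "ec2.amazonaws.com", "RunInstances", "203.0.113.9", CI_KEY),
    # A developer key from a new address with only two reads: below threshold, no alert.
    _rec("2026-04-09T11:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.7", DEV_KEY),
    _rec("2026-04-09T11:00:30Z", "s3.amazonaws.com", "ListBuckets", "198.51.100.7", DEV_KEY),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_enumeration(event_name):
    return event_name.startswith(ENUM_PREFIXES)


def detect_token_replay(records, baseline, window=timedelta(minutes=10), threshold=5):
    """Return one alert per (access key, source IP) pair that is outside the baseline
    and makes at least `threshold` enumeration calls inside any `window`-long span."""
    by_pair = defaultdict(list)
    for r in records:
        key = r["userIdentity"].get("accessKeyId")
        ip = r["sourceIPAddress"]
        if not key or (key, ip) in baseline:
            continue
        by_pair[(key, ip)].append(r)

    alerts = []
    for (key, ip), evs in by_pair.items():
        enum_evs = sorted((r for r in evs if is_enumeration(r["eventName"])),
                          key=lambda r: parse_ts(r["eventTime"]))
        # Slide a window anchored at each enumeration call; alert on the first burst.
        for i, start in enumerate(enum_evs):
            t0 = parse_ts(start["eventTime"])
            in_win = [r for r in enum_evs[i:] if parse_ts(r["eventTime"]) - t0 <= window]
            if len(in_win) >= threshold:
                alerts.append({
                    "accessKeyId": key,
                    "sourceIPAddress": ip,
                    "first_seen": start["eventTime"],
                    "calls": len(in_win),
                    "services": sorted({r["eventSource"] for r in in_win}),
                })
                break
    return alerts


if __name__ == "__main__":
    for a in detect_token_replay(SAMPLE_RECORDS, BASELINE):
        print(a)
```

The baseline should be built from a trailing window of CloudTrail data rather than hand-written, and temporary credentials (key IDs beginning `ASIA`) deserve a shorter window than long-lived keys since a stolen session token is typically used at once. The write call (`RunInstances`) is deliberately not counted; it is the follow-on that the enumeration alert is meant to catch before it happens.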
North Korea-Linked Threat Activity and Reporting on Lazarus, IT Worker Schemes, and Related Malware
Multiple reports and threat-intel posts highlighted **North Korea-linked cyber activity** spanning social engineering, malware, and broader ecosystem analysis. AllSecure described an attempted compromise of a CEO via a **fake LinkedIn job interview** attributed to **Lazarus** tradecraft (tagged *BeaverTail* / *Contagious Interview*), indicating continued use of recruiter-style lures and developer tooling themes (e.g., *VSCode*) to gain execution on target systems. Separately, eSentire published technical analysis on the **DEV#POPPER remote access trojan** and associated **OmniStealer** activity, framing it as DPRK-linked malware and providing defensive guidance for organizations facing this threat class. Additional DPRK-focused intelligence covered both strategic and operational dimensions. Google’s *Cloud Threat Horizons Report H1 2026* discussed cloud-focused threat activity and tracked DPRK-linked clusters (including **UNC4899** and **UNC5267**), while Logpresso published an OSINT report on **DPRK remote IT worker** infiltration tactics (fraudulent employment/contractor placement). NKInternet released a catalog-style overview of **North Korea’s software export ecosystem**, and RedAsgard’s “Hunting Lazarus” series contributed hands-on investigative detail into Lazarus operator artifacts. A separate Lazarus threat-actor profile page aggregated historical reporting and statistics, but did not add a discrete new incident beyond compilation.
5 days ago