The theft of $285 million from Drift was part of a sophisticated social engineering campaign orchestrated by the Democratic People's Republic of Korea (DPRK), culminating in an attack on April 1, 2026. Drift characterized the incident as meticulously planned, with a timeline extending back to the fall of 2025. This operation was linked to a hacking group known as UNC4736, which has previously targeted the cryptocurrency industry.
Cybersecurity firm CrowdStrike noted in a January 2026 assessment that this group, also referred to as Golden Chollima, primarily focuses on cryptocurrency theft, particularly from smaller fintech companies in regions such as the U.S., Canada, South Korea, India, and Western Europe. The group has a history of financial cybercrime, with notable incidents including the $53 million breach of Radiant Capital in October 2024.
Drift is working with law enforcement and forensic experts to reconstruct the events leading to the breach. The analysis indicates that the attackers used fraudulent recruitment strategies to infiltrate a European fintech firm, eventually redirecting cryptocurrency assets to wallets under their control.