Drift has revealed that the April 1, 2026 cyberattack that stole $285 million was the result of months of social engineering campaigns run by North Korea in late 2025. The Solana-based decentralized exchange called it "a six-month operation" and said with moderate confidence that it was carried out by a North Korean state-sponsored hacking group.

The threat actor has been stealing money from the cryptocurrency sector since at least 2018. Its best-known operations are the X_TRADER/3CX supply chain breach in 2023 and the $53 million hack of the decentralized finance platform Radiant Capital in October 2024. Two main attack paths are considered possible. The repository-based intrusion vector involves a malicious Microsoft Visual Studio Code project.

The Lazarus Group plays a key role in helping the regime make money illegally, having become a "central pillar" of its sanctions evasion. The third track, which is linked to Andariel, uses ransomware and wiper malware to show off skills and get attention. According to DTI's Drift report, published on Monday, the revelation shows that the DPRK's cybersecurity team has turned into a "fragmented" malware network that focuses on specific goals and is able to avoid attribution attempts.

North Korean IT workers know that at some point they will either leave their jobs or be fired from them. The DPRK is not just using fake names; it is also building a network for recruiting people from many countries.

Skilled developers from Iran, Syria, Lebanon, and Saudi Arabia are being offered jobs by U.S. defense contractors, cryptocurrency exchanges, banks, and big businesses. These new hires are real software engineers who get paid in cryptocurrencies and have to go through interviews to fit into fake Western personalities. The regime has hired more than 10 people from Iran.

At least two Iranians were offered jobs by U.S. companies.