$285 Million Fleece Job: North Korea Spent Six Months Pretending to Be Your Friend

Let me be perfectly clear about something. This is not a hack. This is not a breach. This is a long con, executed with a patience and discipline I have not seen since the KGB was still printing on actual paper.

North Korean wolves. Six months. Meticulously cultivating trust inside Drift, a Solana-based decentralized exchange, before walking out with $285 million worth of digital assets on April 1st. April Fools' Day. I refuse to believe that was a coincidence.

Six months. The flock had no idea.

This is what a properly motivated adversary looks like, people. They did not kick down the electric fence. They smiled at the gate, brought grain, and waited. They built relationships. They sent emails. They attended meetings, presumably. The lambs let them in and offered them a chair.

And where were the Shepherds during this half-year infiltration? I will leave that as an exercise for the reader.

I have said it before and I will carve it into stone if necessary: social engineering is not a technical problem. It is a trust problem. In the old days, you did not trust anyone you had not met in a windowless room after a thorough background check. You certainly did not hand critical system access to someone you met on LinkedIn four months ago. We had protocols. We had paranoia. It was considered a professional virtue.

Now everyone is collaborative and open and "building in public" on the Sky Pasture, and North Korea is watching the whole operation from a lawn chair.

The DPRK has been running these operations for years. Fake recruiters, fake developers, fake partners. The fake grain is getting more convincing, and the Flock keeps eating it.

$285 million is not a rounding error. That is a national budget line.


Remediation

One. Assume every new external contact is a wolf in a fleece vest until proven otherwise. This is not cynicism. This is operational hygiene.

Two. Implement strict identity verification for anyone granted access to critical infrastructure. Not a video call. Actual verification. There are processes for this. Use them.

Three. Segment your access. No single lamb should hold keys to the entire pasture. Least privilege is not optional.

Four. Run social engineering drills. Regularly. Your flock needs to recognize fake grain before they eat it, not after.

Five. Read about the old days. Compartmentalization existed for a reason.

Stay paranoid out there. It is the only thing that still works.


Original Report: https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html