
  • $285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation



    Drift has revealed that the April 1, 2026, attack that led to the theft of $285 million was the culmination of a months-long targeted and meticulously planned social engineering operation undertaken by the Democratic People’s Republic of Korea (DPRK) that began in the fall of 2025.

    The Solana-based decentralized exchange described it as “an attack six months in the making,” attributing it with medium confidence to a North Korean state-sponsored hacking group dubbed UNC4736, which is also tracked under the cryptonyms AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces.

    The threat actor has a history of targeting the cryptocurrency sector for financial theft since at least 2018. It’s best known for the X_TRADER/3CX supply chain breach in 2023 and the $53 million hack of decentralized finance (DeFi) platform Radiant Capital in October 2024.

    “The basis for this connection is both on-chain (fund flows used to stage and test this operation trace back to the Radiant attackers) and operational (personas deployed across this campaign have identifiable overlaps with known DPRK-linked activity),” Drift said in a Sunday analysis.

    In an assessment published in late January 2026, cybersecurity company CrowdStrike described Golden Chollima as an offshoot of Labyrinth Chollima that’s primarily geared towards cryptocurrency theft by targeting small fintech firms in the U.S., Canada, South Korea, India, and Western Europe.

    “The adversary typically conducts smaller-value thefts at a more consistent operational tempo, suggesting responsibility for ensuring baseline revenue generation for the DPRK regime,” CrowdStrike said. “Despite improving trade relations with Russia, the DPRK requires additional revenue to fund ambitious military plans that include constructing new destroyers, building nuclear-powered submarines, and launching additional reconnaissance satellites.”

    In at least one incident observed in late 2024, UNC4736 delivered malicious Python packages through a fraudulent recruitment scheme to a European fintech company. Upon gaining access, the threat actor moved laterally to the victim’s cloud environment to access IAM configurations and associated cloud resources, and ultimately diverted cryptocurrency assets to adversary-controlled wallets.

    How the Drift Attack Likely Unfolded

    Drift, which is working with law enforcement and forensic partners to piece together the sequence of events that led to the hack, said it was the target of a “structured intelligence operation” that required months of planning.


    Starting in or about fall 2025, individuals posing as a quantitative trading company approached Drift contributors at major cryptocurrency conferences in several countries under the pretext of integrating the protocol. It has since emerged that this was a deliberate approach: members of this trading group sought out and built rapport with specific Drift contributors at industry conferences over a period of six months.

    “The individuals who appeared in person were not North Korean nationals,” Drift explained. “DPRK threat actors operating at this level are known to deploy third-party intermediaries to conduct face-to-face relationship-building.”

    “They were technically fluent, had verifiable professional backgrounds, and were familiar with how Drift operated. A Telegram group was established upon the first meeting, and what followed were months of substantive conversations around trading strategies and potential vault integrations. These interactions are typical of how trading firms interact and onboard with Drift.”

    Then, sometime between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift, a step that required filling out a form with strategy details. As part of this process, the individuals are said to have engaged with multiple contributors, asking them “detailed and informed product questions,” while depositing more than $1 million of their own funds.

    This, Drift said, was a calculated move designed to build a functioning operational presence inside the Drift ecosystem, with integration conversations continuing with the contributors through February and March 2026. This included sharing links for projects, tools, and applications that the company claimed to be developing.

    The possibility that these interactions with the trading group may have acted as the initial infection pathway assumed significance in the wake of the April 1 hack. But as Drift revealed, their Telegram chats and malicious software had been deleted right around the time the attack took place.

    It’s suspected that there may be two primary attack vectors –

    • One contributor may have been compromised after cloning a code repository shared by the group as part of efforts to deploy a frontend for their vault.
    • A second contributor was persuaded into downloading a wallet product via Apple’s TestFlight to beta test the app.

    The repository-based intrusion vector is assessed to have involved a malicious Microsoft Visual Studio Code (VS Code) project that weaponizes the “tasks.json” file to trigger the execution of malicious code automatically when the project is opened in the IDE, by using the “runOn: folderOpen” option.

    It’s worth noting that this technique has been adopted by North Korean threat actors associated with the Contagious Interview campaign since December 2025, prompting Microsoft to introduce new security controls in VS Code versions 1.109 and 1.110 to prevent unintended execution of tasks when opening a workspace.
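The auto-run mechanism described above lives in a project's `.vscode/tasks.json`, where a task whose `runOptions.runOn` is set to `folderOpen` executes as soon as the workspace is opened. The following is an added example, not Drift's or Microsoft's code: a defender-side scanner that walks a cloned repository before it is ever opened in VS Code, parses each `tasks.json` it finds (the file is JSONC, so comments and trailing commas must be stripped first), and reports any task that would run on folder open together with the command it carries. The sample `tasks.json`, the directory name `vault-frontend` and the command string it contains are constructed for the demonstration.

```python
"""Scan a cloned checkout for VS Code tasks that auto-run on folder open.

Added example (not Drift's or Microsoft's code). It walks a repository, parses
every .vscode/tasks.json (JSONC: comments and trailing commas are allowed) and
reports tasks whose runOptions.runOn is "folderOpen" plus the command they carry.
"""
import json
import os
import tempfile
from typing import Dict, List

# Constructed sample shaped like the auto-run lure described in the text.
SAMPLE_TASKS_JSON = r'''{
  // VS Code task definitions
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Install deps",
      "type": "shell",
      "command": "node ./scripts/setup.js",   // constructed placeholder command
      "runOptions": { "runOn": "folderOpen" },
    },
    {
      "label": "Build",
      "type": "shell",
      "command": "npm run build",
    }
  ]
}'''


def _strip_outside_strings(text: str, drop_comments: bool) -> str:
    """One string-aware pass: drop comments (drop_comments=True) or trailing commas."""
    out: List[str] = []
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch == '"':
            # Copy the whole string literal verbatim, honouring backslash escapes.
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            out.append(text[i:j + 1])
            i = j + 1
        elif drop_comments and text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif drop_comments and text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        elif not drop_comments and ch == ",":
            # A comma whose next non-space character closes a container is trailing.
            j = i + 1
            while j < n and text[j] in " \t\r\n":
                j += 1
            if j < n and text[j] in "}]":
                i += 1
                continue
            out.append(ch)
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def strip_jsonc(text: str) -> str:
    """Make JSONC (comments, trailing commas) acceptable to json.loads."""
    return _strip_outside_strings(_strip_outside_strings(text, True), False)


def find_folder_open_tasks(tasks_json_text: str) -> List[Dict[str, str]]:
    """Return the tasks configured to run automatically when the workspace opens."""
    data = json.loads(strip_jsonc(tasks_json_text))
    hits: List[Dict[str, str]] = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            hits.append({
                "label": task.get("label", "<unlabelled>"),
                "type": task.get("type", ""),
                "command": str(task.get("command", "")),
            })
    return hits


def scan_repo(root: str) -> List[Dict[str, str]]:
    """Walk a checkout and collect every folderOpen task from any .vscode/tasks.json."""
    findings: List[Dict[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8") as fh:
                for hit in find_folder_open_tasks(fh.read()):
                    hit["file"] = os.path.relpath(path, root)
                    findings.append(hit)
    return findings


def demo() -> List[Dict[str, str]]:
    """Write the constructed sample into a temporary checkout and scan it."""
    with tempfile.TemporaryDirectory() as root:
        vscode_dir = os.path.join(root, "vault-frontend", ".vscode")
        os.makedirs(vscode_dir)
        with open(os.path.join(vscode_dir, "tasks.json"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_TASKS_JSON)
        return scan_repo(root)


if __name__ == "__main__":
    for f in demo():
        print(f"[auto-run on open] {f['file']}: {f['label']!r} -> {f['command']}")
```

Run it against a freshly cloned repository root before opening the folder in an editor; any hit deserves a manual read of the referenced command and script before the project is trusted. The scanner reports only the `folderOpen` trigger named in the text and does not evaluate the commands it finds.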

    “The investigation has shown so far that the profiles used in this third-party targeted operation had fully constructed identities including employment histories, public-facing credentials, and professional networks,” Drift said. “The people Drift contributors met in person appeared to have spent months building profiles, both personal and professional, that could withstand scrutiny during a business or counterparty relationship.”

    North Korea’s Fragmented Malware Ecosystem

    The disclosure comes as DomainTools Investigations (DTI) disclosed that DPRK’s cyber apparatus has evolved into a “deliberately fragmented” malware ecosystem that’s mission-driven, operationally resilient, and resistant to attribution efforts. This shift is believed to be a response to law enforcement actions and intelligence disclosures about North Korean hacking campaigns.

    “Malware development and operations are increasingly compartmentalized, both technically and organizationally, ensuring that exposure in one mission area does not cascade across the entire program,” DTI said. “Crucially, this model also maximizes ambiguity. By separating tooling, infrastructure, and operational patterns along mission lines, the DPRK complicates attribution and slows defender decision-making.”

    To that end, DomainTools noted that DPRK’s espionage-oriented malware track is chiefly associated with Kimsuky, while Lazarus Group spearheads efforts to generate illicit revenue for the regime, transforming into a “central pillar” for sanctions evasion. The third track revolves around deploying ransomware and wiper malware for purposes of strategic signaling and drawing attention to its capabilities. This disruptive branch is associated with Andariel.

    Social Engineering Behind Contagious Interview and IT Worker Fraud

    Social engineering and deception continue to be the main catalyst for many of the intrusions that have been attributed to DPRK threat actors. This includes the recent supply chain compromise of the hugely popular npm package, Axios, as well as ongoing campaigns like Contagious Interview and IT worker fraud.

    Contagious Interview is the moniker assigned to a long-running threat in which the adversary approaches prospective targets and tricks them into executing malicious code from a fake repository as part of an assessment. Some of these efforts have used weaponized Node.js projects hosted on GitHub to deploy a JavaScript backdoor called DEV#POPPER RAT and an information stealer known as OmniStealer.

    On the other hand, DPRK IT worker fraud refers to coordinated efforts by North Korean operatives to land remote freelance and full-time roles at Western companies using stolen identities, AI-generated personas, and falsified credentials. Once hired, they generate steady revenue and leverage the access to introduce malware and siphon proprietary and sensitive information. In some cases, the stolen data is used to extort money from businesses.


    The state-sponsored program deploys thousands of technically skilled workers in countries like China and Russia, who connect to company-issued laptops hosted at laptop farms in the U.S. and elsewhere. The scheme also relies on a network of facilitators to receive work laptops, manage payroll, and handle logistics. These facilitators are recruited through shell companies.

    The process starts with recruiters who identify and screen potential candidates. Once accepted, the IT workers enter an onboarding phase, where facilitators assign identities and profiles, and guide them through resume updates, interview preparation, and initial job applications. The threat actors also work with collaborators to complete hiring requirements for full-time opportunities where strict identity verification policies are enforced.

    As noted by Chainalysis, cryptocurrency plays a central role in funneling a majority of the wages generated by these IT worker schemes back to North Korea while evading international sanctions.

    “The cycle is constant and unending. North Korean IT workers understand that, sooner or later, they will either quit or be dismissed from any given role,” Flare and IBM X-Force said in a report last month. “As a result, they are continually shifting between jobs, identities, and accounts – never remaining in one position or using a single persona for very long.”

    New evidence unearthed by Flare has since revealed the campaign’s efforts to actively recruit individuals from Iran, Syria, Lebanon, and Saudi Arabia, with at least two Iranians receiving formal offer letters from U.S. employers. There have been more than 10 instances of Iranian nationals being recruited by the regime.

    Facilitators have also been found to use LinkedIn to hire separate people from Iran, Ireland, and India, who are then coached to land the jobs. These individuals, called callers or interviewers, get on the phone with American hiring managers, pass technical interviews, and impersonate the real or fake Western personas curated by them. When a caller fails an interview, the facilitator reviews the recording and provides feedback.

    “North Koreans are deliberately targeting U.S. defense contractors, cryptocurrency exchanges, and financial institutions,” Flare said. “While the primary motivations appear to be financial, the deliberate targeting evidenced from their documents indicates that there may be other objectives at play as well.”

    “The DPRK is not simply deploying its own nationals under false identities. It is building a multinational recruitment pipeline, drawing skilled developers from Iran, Syria, Lebanon, and Saudi Arabia into an infrastructure designed to infiltrate U.S. defense contractors, cryptocurrency exchanges, financial institutions, and enterprises of every size. The recruits are real software engineers, paid in cryptocurrency, coached through interviews, and slotted into fabricated Western personas.”




  • Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS



    Ravie Lakshmanan, Apr 05, 2026 · Vulnerability / API Security


    Fortinet has released out-of-band patches for a critical security flaw impacting FortiClient EMS that it said has been exploited in the wild.

    The vulnerability, tracked as CVE-2026-35616 (CVSS score: 9.1), has been described as a pre-authentication API access bypass leading to privilege escalation.

    “An improper access control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests,” Fortinet said in a Saturday advisory.

    The issue affects FortiClient EMS versions 7.4.5 through 7.4.6. It’s expected to be fully patched in the upcoming version 7.4.7, although the company has released a hotfix to address it. 


    Simo Kohonen from Defused Cyber and Nguyen Duc Anh have been credited with discovering and reporting the flaw. In a post on X, Defused Cyber said it observed zero-day exploitation of CVE-2026-35616 earlier this week. According to watchTowr, exploitation attempts against CVE-2026-35616 were first recorded against its honeypots on March 31, 2026.

    Successful exploitation of the flaw could allow an unauthenticated attacker to sidestep API authentication and authorization protections, and execute malicious code or commands via crafted requests. 

    “Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6,” the company added.

    The development comes merely days after another recently patched critical vulnerability in FortiClient EMS (CVE-2026-21643, CVSS score: 9.1) came under active exploitation. It’s currently not known whether the same threat actor is behind the exploitation of both flaws, or whether they are being weaponized together.

    Given the severity of the vulnerabilities, users are advised to update their FortiClient EMS to the latest version as soon as possible.

    “The timing of the ramp-up of in-the-wild exploitation of this zero-day is likely not coincidental,” watchTowr CEO and founder Benjamin Harris told The Hacker News.


    “Attackers have shown repeatedly that holiday weekends are the best time to move. Security teams are at half strength, on-call engineers are distracted, and the window between compromise and detection stretches from hours to days. Easter, like any other holiday, represents opportunity.”

    “What is disappointing is the bigger picture. This is the second unauthenticated vulnerability in FortiClient EMS in a matter of weeks.”

    “So, once again, organizations running FortiClient EMS and exposed to the Internet should treat this as an emergency response situation, not something to pick up on Tuesday morning. Apply the hotfix. Attackers already have a head start.”




  • ICE Presence Persists in Chicago as Raids Shift to Quieter Tactics




    When Border Patrol agents who took part in Operation Midway Blitz left Chicagoland last November, then-Assistant Homeland Security Secretary Tricia McLaughlin asserted “we aren’t leaving Chicago.” The same day, reporters with the Sun-Times warned a government source told them that federal immigration agents may return in strength come spring.

    But as McLaughlin said, they never really left.

    High-ranking Border Patrol officer and former Midway Blitz commander Greg Bovino made good on McLaughlin’s promise in mid-December, when he and federal immigration agents conducted two days of chaotic raids through Chicago and multiple suburbs, arresting more than a dozen people. As 2025 came to a close, he again threatened Chicagoland.

    “If you think we’re done with Chicago, you’d better check yourself before you wreck yourself. Don’t call it a comeback; we’re gonna be here for years,” Bovino said in a December 30, 2025 social media post.

    Now spring has come, and while agents with Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP) aren’t yet here in the numbers seen in the fall, Chicagoland communities are still feeling their impact.

    “While the overall operation has clearly scaled back since last September, October, and November, ICE remains in the region and is continuing to abduct neighbors on a daily basis,” Brandon Lee, a spokesperson for the Illinois Coalition for Immigrant and Refugee Rights (ICIRR), told the Weekly.

    ICIRR tracks reports of federal immigration agents’ activity and maintains a family support hotline for those impacted by immigration detention. Lee said the hotline continues to receive calls every day. According to data ICIRR has collected since the start of the year, Lee said, federal agents’ presence in Chicagoland is below that seen during the fall, but higher than before Midway Blitz began.

    Unlike the high-profile, chaotic raids carried out by large groups of Border Patrol in the fall and winter, activity lately has been more targeted, lower profile, and faster moving, according to a representative with the rapid response and immigrant rights advocacy group Organización Hijos de Migrantes who goes by Logos. He said encounters sometimes only last a few minutes and are carried out by smaller groups of ICE agents.

    These tactics may be less disruptive, Logos said, but they also make it harder for rapid responders and the community at large to respond to them.

    “Per day we’re averaging anywhere from two to six [reports of abductions],” Logos said. “And with ICE tactics it’s harder to respond to.”

    DHS declined to comment on just how many agents it has active in the Chicago region, citing “operational security.” Lee similarly declined to share specific data ICIRR’s team had collated, but said the level of reports of abductions by federal immigration agents has remained consistent since the start of the year.

    “March hotline data is not out of line with previous months so far. Daily tracking is roughly the same as February when we ended the month with over 2,800 total calls,” Lee said. “As of now we can categorize the level of ICE presence in the area as being higher than what it was pre-’Midway Blitz’ with regular reports of abductions throughout the region, but still below the level of September, October, and November 2025.”

    As in last fall, heavily Latine suburbs and communities across Chicago’s Southwest Side continue to be hotspots. Lee cited Brighton Park and the surrounding area in Chicago, and the suburbs of Bolingbrook, Cicero, Berwyn, Oak Park, Melrose Park, Elgin, Aurora and Wheeling.

    Since the start of this month, suburbs where Chicago area rapid response teams have reported agents detaining people include Naperville, Cicero, Joliet and Oak Park. Agents’ presence in Chicago has been reported in Back of the Yards, the West Loop, West Lawn and North Lawndale.

    The recent Oak Park detention occurred the morning of Friday, March 20, near the office of Illinois Senate President Don Harmon. According to one rapid responder, a vehicle was left behind at the scene. John Patterson, a spokesperson with Harmon’s office, said staffers “saw what appeared to be the latter part of a traffic stop happening about a block east” of the office. Patterson said Harmon didn’t see the detention itself, but did witness other vehicles driving away.

    “What we think we witnessed was a reminder that the federal presence in our communities has not ended,” Harmon said in a prepared statement. “Everyone needs to remain vigilant and look out for our neighbors.”

    The Oak Park incident tracks with the recent ICE tactics described by Hijos de Migrantes, which maintains a social media page with a daily running tally of reported abductions by federal agents in Chicagoland.

    Logos also said that while ICE agents seemed to focus on early mornings during the winter, with spring coming, they have been moving their activities later into the day. Traffic stops and blocking in cars are a common tactic, they said, echoing the scenario Senate President Harmon’s office described.

    The change in tactics comes after ICE and Border Patrol agents shot and killed two 37-year-old U.S. citizens, Renee Good and Alex Pretti, in Minneapolis this past winter, sparking national outrage and fueling calls for ICE to be abolished.

    In the fallout from Operation Metro Surge in Minneapolis, Greg Bovino, Tricia McLaughlin, and ultimately Homeland Security Secretary Kristi Noem all left their positions, with so-called “Border Czar” Tom Homan stepping in to fill the leadership gap and Republican Oklahoma Senator Markwayne Mullin tapped to head up the Department of Homeland Security (DHS), which administers ICE and CBP.

    President Donald Trump told NBC in February that “maybe we could use a little bit of a softer touch, but you still have to be tough.”

    On top of the public backlash, DHS and the Department of Justice have also taken multiple losses in federal court since November, resulting in immigration detainees ordered free, limits placed on agents’ use of force and improved conditions at the ICE processing facility in Broadview.

    Some of these losses have faced subsequent challenges from the government; earlier this month the Seventh Circuit Appellate Court vacated the preliminary injunction in the class action brought by press and clergy, which resulted in use-of-force restrictions on federal agents. But other court rulings, notably a November 5 order from District Judge Robert Gettleman, which mandated better conditions and access to legal counsel at the Broadview facility, have stuck.

    Gettleman issued his order, initially only meant to last two weeks but now extended “until further order of court,” in a class action that immigration detainees brought against the federal government in October over the allegedly inhumane treatment they suffered inside the Broadview facility. Prior to November 5, Broadview detainees reported being held in unsanitary, overcrowded conditions, being pressured to sign legal documents they didn’t understand, and not being given sufficient food or water. Pablo Moreno González, a former detainee serving as a class representative in the case, testified on November 4 that he was held in a room in the Broadview facility with 150 other people.

    The facility is central to deportation efforts in the Chicago area. Given Illinois laws that bar state facilities from being used for civil immigration enforcement, it is one of the only places agents can take Chicagoland detainees for processing before they are moved elsewhere.

    The U.S. Attorney’s Office in Chicago argued in court filings that granting the class’ demands for better detention conditions, including clean holding areas, more bedding and more floor space per detainee, would hamper local deportation efforts.

    “Ultimately, the laundry list of demands would limit defendants’ ability to manage short-term detentions and, if granted, effectively halt the ongoing enforcement of immigration laws in the region,” the U.S. Attorney’s Office wrote in a filing two days before Gettleman issued his order largely favoring the detainee class.

    When two Catholic priests and a nun went to deliver eucharist and ashes to the Broadview facility on Ash Wednesday — the fruits of another court victory — they did not report 150 people held in one room like Moreno González did. In fact they found no one was being held in the facility at all when they arrived.

    People are still being brought to the facility, however, and some are now being arrested when they arrive for immigration check-in appointments.

    Lee confirmed ICIRR was aware such detentions were taking place.

    “While we don’t have a total number on this, we know that it is a tactic that ICE is using right now,” he said, adding ICIRR was working with rapid response groups and the immigrant advocacy group Sanctuary Working Group to set up accompaniment for people called to the facility.

    Danielle Berkowsky, an attorney with the MacArthur Justice Center, one of the law firms representing the class of Broadview detainees, further confirmed the trend of people being detained at Broadview check-ins. Like Lee, she said she didn’t have an exact figure, but added she considered it a “significant number.” Berkowsky said the MacArthur Justice Center attorneys had also gotten word of arrests happening during check-ins at the ICE Chicago Field Office at 101 W. Ida B. Wells Drive.

    “I have a few people I spoke to who said… ‘I’ve been here for several years, I filed for asylum, I have an appointment or a court date scheduled, I come to Chicago every year for my check-in, and I came here and they arrested me,’” Berkowsky said. “These are people who have work permits, who have all sorts of paperwork in order, they’re attending their check-ins.”

    She further made reference to an ICE agent reportedly telling a detainee that, due to a policy change, they would remain in custody until a judge could see him. It’s unclear what policy exactly may be at issue, though in February, a panel of the New Orleans-based Fifth Circuit Appellate Court issued a landmark ruling which held that those who entered the United States without inspection can be held in mandatory detention without bond.

    Berkowsky urged those called in for a check-in at the Broadview facility to have their affairs in order, to have an attorney’s phone number ready if possible, and to have any necessary medication handy. She also urged those who are detained to ask for a private legal call, one of the conditions mandated in Judge Gettleman’s order.

    “Part of our case is that there should be — there is — a private room with a phone call that is not monitored, so you should be able to use that room and have a private confidential legal call upon request,” Berkowsky said. “They’re not gonna offer it, so if you’re in there, request it.”

    Despite the continued presence of federal immigration agents in Chicagoland and the tactics they are pursuing on the street and in immigration processing facilities, Logos said Hijos de Migrantes has lately learned of more incidents where community members are able to evade their grasp.

    “They’re getting sloppy… people are able to escape more,” they said. “I think they get into this period where they’re just desperate to make arrests.”

    ICE agents were also deployed to airports across the country last Monday amid an ongoing partial government shutdown over funding for DHS, which administers the Transportation Security Administration. Dozens were sent to O’Hare, with a nebulous set of responsibilities.





