Suspected DPRK Activity Tied to Drift Protocol Breach and EtherRAT Delivery Campaign
Drift Protocol disclosed that a malicious actor gained unauthorized access to its environment, according to a post amplified by cyber threat intelligence account lazarusholic. Public details remain limited, and the available reporting does not specify the intrusion vector, affected systems, or operational impact, but the incident has drawn attention in CTI circles because of possible links to DPRK-associated activity.
Separately, researchers at PhatomCandle reported a highly stealthy campaign using spoofed IT tools to deliver EtherRAT, with suspected ties to a North Korean advanced persistent threat. The two reports point to ongoing interest in financially and operationally motivated intrusions associated with suspected DPRK actors, spanning both direct compromise of crypto-related platforms and malware distribution through deceptive tooling.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Research highlights EtherRAT spread via spoofed IT tools
A Medium article by PhatomCandle reported a stealthy campaign using spoofed IT tools to distribute EtherRAT and said the activity was suspected to be linked to a DPRK threat actor. The reference indicates this was newly published research rather than a follow-up on the Drift Protocol incident.
Chainalysis links Drift Protocol loss to privileged access
A Chainalysis article reported that the Drift Protocol incident resulted in a $285 million loss and said privileged access played a role in the compromise. This adds new impact and attack-path details beyond the earlier generic unauthorized-access disclosure.
Drift Protocol reports unauthorized access incident
A statement attributed to Drift Protocol said a malicious actor gained unauthorized access to the platform. The available reference does not provide technical details, scope, or confirmed attribution.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Post by @lazarusholic.bsky.social - Bluesky
bsky.app
Open sourcePost by @lazarusholic.bsky.social - Bluesky
bsky.app
Open sourcePost by @lazarusholic.bsky.social - Bluesky
bsky.app
Open sourcePost by @lazarusholic.bsky.social - Bluesky
bsky.app
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
DPRK-Linked Malware Campaigns Use Blockchain C2 to Target Crypto Firms and Developers
Researchers detailed two likely DPRK-linked malware operations that used public blockchains as resilient command-and-control infrastructure while targeting the cryptocurrency ecosystem and software developers. Elastic Security Labs said the **PHANTOMPULSE** Windows RAT, delivered through abused Obsidian plugins and the `PHANTOMPULL` loader, used multiple process-injection techniques, a `schuac`-based UAC bypass via `IElevatedFactoryServer`, hardware breakpoints to suppress **AMSI**, **WLDP**, and **ETW**, and scheduled tasks for persistence. The implant conducted host reconnaissance, screenshot capture, keylogging, and clipboard monitoring, and resolved its latest C2 by reading transaction data from **Ethereum**, **Base**, and **Optimism**, with Telegram and hardcoded-domain fallback paths also noted. A separate supply-chain intrusion attributed to **Famous Chollima** compromised the legitimate Packagist package `roberts/leads`, hiding malicious JavaScript in a development-branch `tailwind.js` file that fetched encrypted payloads from **TRON**, **Aptos**, and **BNB Smart Chain**. Socket linked the activity to prior DPRK tooling including **DEV#POPPER RAT**, **OmniStealer**, and **BeaverTail**, while public reporting and social-media tracking tied it to the broader **Contagious Interview** ecosystem. Elastic said PHANTOMPULSE's blockchain resolver failed to verify transaction senders, creating a rare opportunity for defenders to sinkhole infected hosts with a crafted transaction, and advised monitoring suspicious scheduled tasks, unusual `rundll32.exe` execution, hardware-breakpoint tampering, and Node.js access to blockchain or RPC services during builds.
Jun 6, 2026
North Korean Hackers Drove Most Crypto Losses Through Drift and KelpDAO Thefts
North Korea-linked hackers were attributed to two major cryptocurrency thefts in April: the **$285 million Drift Protocol breach** and the **$292 million KelpDAO exploit**, which together accounted for **76% of all crypto hack losses recorded through April 2026**. TRM Labs said the operations fit Pyongyang’s established pattern of carrying out a small number of highly targeted, high-value intrusions rather than frequent lower-value attacks, pushing cumulative North Korea-attributed crypto theft above **$6 billion since 2017**. The two attacks used different intrusion paths and laundering chains. In the Drift case, attackers reportedly spent months on social engineering, abused **Solana durable nonce transactions**, and leveraged a governance configuration change to drain funds in about **12 minutes**. In the KelpDAO theft, the attackers allegedly exploited a **single-verifier LayerZero bridge** design after compromising internal RPC nodes and using DDoS pressure to force reliance on poisoned data. TRM said the stolen assets then moved along separate routes: Drift funds were bridged to Ethereum and left dormant, while KelpDAO proceeds were partly frozen on Arbitrum and the remainder rapidly flowed through **THORChain** into Bitcoin in a pattern resembling **TraderTraitor** operations, reinforcing THORChain’s role as a recurring laundering route in major North Korea-linked crypto heists.
May 1, 2026
DPRK Malware Campaign Uses EtherHiding to Conceal Payloads on Blockchain
Google Cloud's Mandiant reported that North Korean operators adopted **EtherHiding**, a technique that abuses blockchain infrastructure to hide malicious content and stage malware delivery. The activity uses decentralized platforms to store or retrieve attacker-controlled data, complicating takedown efforts and making network-based detection harder because the infrastructure blends into legitimate blockchain traffic. The report links the tradecraft to DPRK threat activity and highlights a broader shift toward resilient, hard-to-disrupt hosting for command-and-control or payload staging. By moving parts of the infection chain onto blockchain-backed services, the operators reduce reliance on traditional attacker domains and hosting, increasing the durability and stealth of malware campaigns targeting victims across the internet.
May 25, 2026