Audit log

Every state-changing event for Mach-O Man Malware Campaign (Lazarus / Chollima): moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

1. #1publishby system:backfill

   2026-06-07 23:05:29Z
   Score: ? → ? (no score change)
   anchoranchored

   chain

   ●mainnet-betaslot 424,989,785

   sig

   5cwuYSkkUtPc…bEExpjzHcopyexplorer ↗

   hash

   69tyXeNe38me…Vy51HaFWcopysha256 → base58

   verifying row…full verify ↗

   canonical bytes (26038 B) ▸

   {"actor":"system:backfill","investigation_id":"013a0a09-ae20-4647-a35a-080a0a5e1fd1","kind":"publish","page_slug":"mach-o-man-lazarus-chollima-macos-malware","published_at":"2026-06-07T23:05:29.405Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Mach-O Man Malware Campaign (Lazarus / Chollima)","sections":[{"content":"The 'Mach-O Man' campaign was first publicly documented on April 21, 2026, by Mauro Eldritch of BCA LTD, building on analysis from Bitso's Quetzal Team and the ANY.RUN interactive sandbox. The campaign is attributed to Lazarus Group's Chollima (also tracked as Famous Chollima) division — a sub-cluster of North Korea's primary intelligence bureau, the Reconnaissance General Bureau (RGB). The U.S. Treasury OFAC designated Lazarus Group, Bluenoroff, and Andariel as agencies or instrumentalities of the North Korean government on September 13, 2019. CertiK subsequently flagged the campaign on or around April 22, 2026, linking it to contemporaneous large-scale DeFi exploits. The malware is named after the Mach-O binary format native to macOS, and its Go-compiled modules are compatible with both Intel and Apple Silicon hardware.","heading":"Campaign Overview and Attribution","severity":"critical","sources":[{"credibility":2,"name":"ANY.RUN: Lazarus Mach-O Man Malware — What CISOs Need to Know","type":"research","url":"https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/"},{"credibility":1,"name":"CoinDesk: Lazarus Group Has Become Especially Dangerous With New Mach-O Man Attack — CertiK","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/22/lazarus-group-has-become-especially-dangerous-with-new-mach-o-man-attack-certik"},{"credibility":1,"name":"U.S. Treasury OFAC: Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sm774"}]},{"content":"The Mach-O Man toolkit executes through four discrete stages. Stage 1 (Stager — teamsSDK.bin): The initial binary downloads fake application bundles that impersonate Zoom, Microsoft Teams, or Google Meet. It uses the macOS codesign utility to apply ad-hoc signatures and prompts the victim for a password three times, providing false rejection feedback on the first two attempts to obtain the real credential. Stage 2 (Profiler — D1YrHRTg.bin, D1yCPUyk.bin, D1ozPVNG.bin): Three profiler binaries perform host reconnaissance via sysctl queries, collecting hostname, CPU details, boot time, running processes, and browser extension data. Targeted browsers include Brave, Vivaldi, Opera, Chrome, Firefox, and Safari. Researchers noted a software defect — an endless loop that repeatedly posts the system profile text file to the C2 server — suggesting limited pre-deployment testing. Stage 3 (Persistence — minst2.bin): This component downloads a payload named 'localencode', saves it disguised as 'OneDrive', and installs a LaunchAgent at ~/Library/LaunchAgents/com.onedrive.launcher.plist to ensure re-execution on every login. Stage 4 (Stealer — macrasv2): The final stage harvests browser credentials, session cookies stored in SQLite databases, macOS Keychain entries, and browser extension data. All collected material is packaged into user_ext.zip and exfiltrated via the Telegram Bot API using exposed bot tokens. A self-deletion script (delete_self.sh) then removes artifacts using the rm command. The toolkit is written in Go; HTTP requests use the 'Go-http-client' User-Agent string, enabling binary identification by defenders.","heading":"Technical Analysis: Four-Stage Attack Chain","severity":"critical","sources":[{"credibility":2,"name":"ANY.RUN: Lazarus Mach-O Man Full Technical Analysis","type":"research","url":"https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/"},{"credibility":2,"name":"CyberSecurityNews: Lazarus Hackers Attacking macOS Users With Mach-O Man Malware Kit","type":"news_article","url":"https://cybersecuritynews.com/mach-o-man-macos-malware-lazarus/"},{"credibility":2,"name":"Bitcoin News: Mach-O Man Malware Steals macOS Keychain Data in Lazarus Group Crypto Campaign","type":"news_article","url":"https://news.bitcoin.com/mach-o-man-malware-steals-macos-keychain-data-in-lazarus-group-crypto-campaign/"}]},{"content":"The campaign's initial access vector relies on a technique security researchers call ClickFix, adapted here for macOS targets. Attackers — posing as investors, researchers, or business partners — send urgent meeting invitations via Telegram for video calls on Zoom, Microsoft Teams, or Google Meet. The link leads to a convincing but fraudulent website (e.g., update-teams[.]live or livemicrosft[.]com) that displays a simulated connection error and instructs the victim to copy and paste a single Terminal command to resolve the issue. Upon execution, the command pulls and runs teamsSDK.bin via curl, initiating the full four-stage infection chain. This approach is particularly effective against cryptocurrency and fintech professionals, who routinely receive legitimate cold outreach from investors and counterparties. The entire chain requires no software vulnerability — only user compliance. A DarkReading analysis noted Lazarus's pivot from traditional phishing exploits to this terminal-based social engineering approach as a significant tactical shift.","heading":"Delivery Vector: ClickFix Social Engineering","severity":"critical","sources":[{"credibility":1,"name":"Dark Reading: North Korea's Lazarus Targets macOS Users via ClickFix","type":"news_article","url":"https://www.darkreading.com/threat-intelligence/north-koreas-lazarus-targets-macos-users-clickfix"},{"credibility":2,"name":"CoinTelegraph: Lazarus Group Malware Targets Crypto, Business Execs via macOS","type":"news_article","url":"https://cointelegraph.com/news/lazarus-group-malware-crypto-business-execs-macos"},{"credibility":2,"name":"crypto.news: Lazarus Group Uses Fake Meeting Hack","type":"news_article","url":"https://crypto.news/lazarus-group-uses-fake-meeting-hack/"}]},{"content":"Researchers at ANY.RUN published the following indicators of compromise associated with the Mach-O Man campaign as of April 2026. Malicious domains: update-teams[.]live, livemicrosft[.]com. Command-and-control IP addresses: 172.86.113.102, 144.172.114.220. Active ports: 8888, 9999. Binary SHA256 hashes: macrasv2 — 85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c; minst2.bin — 4b08a9e221a20b8024cf778d113732b3e12d363250231e78bae13b1f1dc1495b; teamsSDK.bin — 871d8f92b008a75607c9f1feb4922b9a02ac7bd2ed61b71ca752a5bed5448bf3. Persistence artifact: ~/Library/LaunchAgents/com.onedrive.launcher.plist. Exfiltration archive: user_ext.zip. Network signature: HTTP User-Agent 'Go-http-client'. Encryption: RC4 keys (specific values published in the ANY.RUN report). The Telegram bot tokens used for exfiltration were found to be operationally exposed, which enabled researchers to partially observe the C2 channel and reportedly disrupt aspects of the operation.","heading":"Indicators of Compromise (IOCs)","severity":"high","sources":[{"credibility":2,"name":"ANY.RUN: Lazarus Mach-O Man Malware Full IOC Report","type":"research","url":"https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/"},{"credibility":2,"name":"Cybernews: Lazarus macOS Malware Foiled by C2 Exploit","type":"news_article","url":"https://cybernews.com/security/north-korean-hackers-new-malware-foiled-by-researcher/"}]},{"content":"On April 1, 2026, Drift Protocol, a Solana-based DeFi platform, suffered an exploit resulting in losses estimated between $285 million and $295 million — the largest DeFi hack of 2026 and the second-largest in Solana's history. The Hacker News and Bloomberg both reported that the breach was the culmination of a six-month social engineering operation beginning in fall 2025. Attackers posing as a quantitative trading firm attended cryptocurrency conferences, built rapport with Drift contributors, established a Telegram group for trading strategy discussions, and deposited over $1 million into a vault to appear legitimate. The attack vector included a weaponized VS Code project containing malicious tasks.json files and a fake Apple TestFlight wallet application. Drift attributed the attack with medium confidence to UNC4736, a DPRK-linked cluster also tracked as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces. On-chain evidence linked funds to the Radiant Capital attack of October 2024. TRM Labs and Elliptic both published corroborating analyses attributing the hack to North Korean state-sponsored actors. While the Drift breach preceded the public Mach-O Man disclosure by three weeks, both campaigns are attributed to Lazarus Group sub-clusters operating within the same time window.","heading":"Linked Exploits: Drift Protocol ($285M, April 1 2026)","severity":"critical","sources":[{"credibility":1,"name":"The Hacker News: $285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":1,"name":"Bloomberg: Drift DeFi Project on Solana Suffers $285 Million Crypto Exploit","type":"news_article","url":"https://www.bloomberg.com/news/articles/2026-04-01/solana-based-defi-project-drift-hit-by-285-million-exploit"},{"credibility":2,"name":"TRM Labs: North Korean Hackers Attack Drift Protocol in $285 Million Heist","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":2,"name":"Elliptic: Drift Protocol Exploited for $286 Million in Suspected DPRK-Linked Attack","type":"research","url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"},{"credibility":1,"name":"CoinDesk: Drift Outlines a Recovery Plan for Users After $295 Million DPRK-Linked Exploit","type":"news_article","url":"https://www.coindesk.com/business/2026/05/05/drift-outlines-a-recovery-plan-for-users-after-usd295-million-dprk-linked-exploit"}]},{"content":"In mid-April 2026, KelpDAO suffered an exploit in which approximately 116,500 rsETH (valued at roughly $290–293 million) were released against a non-existent burn via a manipulated bridge mechanism. BleepingComputer and Chainalysis both reported the theft. LayerZero publicly attributed the incident to North Korea's Lazarus Group and stated that KelpDAO's use of a 1-of-1 DVN (Decentralized Verifier Network) setup — a single point of failure — was a contributing factor. Attackers allegedly compromised internal RPC nodes and conducted DDoS attacks on external nodes to feed false data to the verification network. Stolen funds were routed through Tornado Cash. Arbitrum froze $71 million linked to the exploit. Bitcoin News reported that Lazarus Group subsequently moved $175 million in ETH following the freeze. The Chainalysis blog published a dedicated case study, 'Inside the KelpDAO Bridge Exploit,' corroborating the Lazarus attribution and tracing on-chain fund flows.","heading":"Linked Exploits: KelpDAO Bridge ($290M+, April 2026)","severity":"critical","sources":[{"credibility":1,"name":"BleepingComputer: KelpDAO Suffers $290 Million Heist Tied to Lazarus Hackers","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/kelpdao-suffers-290-million-heist-tied-to-lazarus-hackers/"},{"credibility":1,"name":"Chainalysis: Inside the KelpDAO Bridge Exploit","type":"on_chain","url":"https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/"},{"credibility":1,"name":"CoinDesk: LayerZero Blames Kelp's Setup for $290 Million Exploit, Attributes It to North Korea's Lazarus","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/20/layerzero-blames-kelp-s-setup-for-usd290-million-exploit-attributes-it-to-north-korea-s-lazarus"},{"credibility":1,"name":"The Block: LayerZero Says North Korea's Lazarus Likely Behind Kelp DAO Exploit","type":"news_article","url":"https://www.theblock.co/post/398028/layerzero-kelp-dao-lazarus"},{"credibility":2,"name":"Bitcoin News: Lazarus Group Suspected of Moving $175M in ETH After Arbitrum Freezes $71M From KelpDAO Exploit","type":"news_article","url":"https://news.bitcoin.com/lazarus-group-suspected-of-moving-175m-in-eth-after-arbitrum-freezes-71m-from-kelpdao-exploit/"}]},{"content":"The U.S. Treasury's Office of Foreign Assets Control (OFAC) designated Lazarus Group as a Specially Designated National (SDN) on September 13, 2019, along with Bluenoroff and Andariel sub-groups, under Executive Order 13722. All three are listed as agencies, instrumentalities, or controlled entities of the Government of North Korea, subordinate to the Reconnaissance General Bureau (RGB). OFAC has since issued additional designations for individuals and entities laundering cryptocurrency for Lazarus Group (March 2, 2020) and sanctioned the Tornado Cash mixer on May 6, 2022, citing its use to launder DPRK-linked funds. U.S. persons are prohibited from transacting with these entities. The U.S. Department of Justice filed a complaint in August 2020 seeking forfeiture of 280 cryptocurrency addresses associated with North Korean exchange hackers, supported by Chainalysis blockchain tracing. A United Nations Panel of Experts report documented dozens of North Korean cyber operations over a five-year period netting an estimated $3 billion in stolen assets.","heading":"Regulatory Status and Sanctions","severity":"critical","sources":[{"credibility":1,"name":"U.S. Treasury OFAC: Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups (2019)","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sm774"},{"credibility":1,"name":"U.S. Treasury OFAC: Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group (2020)","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sm924"},{"credibility":1,"name":"U.S. Treasury OFAC: First-Ever Sanctions on a Virtual Currency Mixer — Tornado Cash (2022)","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/jy0768"},{"credibility":1,"name":"Chainalysis: DOJ Demands Forfeiture of 280 Cryptocurrency Addresses Associated with North Korea","type":"court_filing","url":"https://www.chainalysis.com/blog/lazarus-group-north-korea-doj-complaint-august-2020/"}]},{"content":"Security researchers and blockchain analytics firms estimate Lazarus Group's cumulative cryptocurrency theft is among the largest attributable to a single threat actor. Chainalysis reported DPRK-linked actors stole approximately $2.02 billion in 2025 alone, a 51% year-over-year increase, representing roughly 76% of all service-related crypto thefts that year. Prior to the April 2026 exploits, cumulative theft from 2019 through end-2025 was estimated at $6.75 billion by Chainalysis. With the Drift ($285–295M) and KelpDAO ($290–293M) exploits in April 2026, total estimated theft now exceeds $7.3 billion according to CryptoTimes and other trackers. The CyberScoop analysis of the 2025 Bybit hack ($1.46 billion) noted that the scale and sophistication of Lazarus operations led analysts to describe the group as operating at 'institutional' speed and scale. Bybit CEO Ben Zhou stated post-hack that Lazarus laundered funds at a pace consistent with professional financial operations.","heading":"Scale of Lazarus Group Cryptocurrency Theft","severity":"high","sources":[{"credibility":2,"name":"CryptoTimes: KelpDAO, Bybit, Ronin — Lazarus Group's Crypto Hacks Behind a $7.3B Heist Empire","type":"news_article","url":"https://www.cryptotimes.io/2026/04/21/kelpdao-bybit-ronin-lazarus-groups-crypto-hacks-behind-a-7-3b-heist-empire/"},{"credibility":1,"name":"CyberScoop: Crypto Analysts Stunned by Lazarus Group's Capabilities in $1.46B Bybit Theft","type":"news_article","url":"https://cyberscoop.com/bybit-lazarus-group-north-korea-ethereum/"},{"credibility":2,"name":"SpotedCrypto: Lazarus Group Stole $578M in 18 Days — Crypto's Worst Month Since Bybit","type":"news_article","url":"https://www.spotedcrypto.com/april-2026-crypto-hacks-lazarus-defi-crisis/"}]}],"sources_used":[{"credibility":2,"name":"ANY.RUN: Lazarus Mach-O Man Malware — What CISOs Need to Know (Primary Technical Report)","type":"research","url":"https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/"},{"credibility":1,"name":"CoinDesk: Lazarus Group Has Become Especially Dangerous With New Mach-O Man Attack — CertiK","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/22/lazarus-group-has-become-especially-dangerous-with-new-mach-o-man-attack-certik"},{"credibility":1,"name":"U.S. Treasury OFAC: Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sm774"},{"credibility":1,"name":"U.S. Treasury OFAC: Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sm924"},{"credibility":1,"name":"U.S. Treasury OFAC: First-Ever Sanctions on a Virtual Currency Mixer — Tornado Cash","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/jy0768"},{"credibility":1,"name":"Bloomberg: Drift DeFi Project on Solana Suffers $285 Million Crypto Exploit","type":"news_article","url":"https://www.bloomberg.com/news/articles/2026-04-01/solana-based-defi-project-drift-hit-by-285-million-exploit"},{"credibility":1,"name":"The Hacker News: $285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":1,"name":"BleepingComputer: KelpDAO Suffers $290 Million Heist Tied to Lazarus Hackers","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/kelpdao-suffers-290-million-heist-tied-to-lazarus-hackers/"},{"credibility":1,"name":"Chainalysis: Inside the KelpDAO Bridge Exploit","type":"on_chain","url":"https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/"},{"credibility":1,"name":"CoinDesk: LayerZero Blames Kelp's Setup for $290 Million Exploit, Attributes It to North Korea's Lazarus","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/20/layerzero-blames-kelp-s-setup-for-usd290-million-exploit-attributes-it-to-north-korea-s-lazarus"},{"credibility":1,"name":"The Block: LayerZero Says North Korea's Lazarus Likely Behind Kelp DAO Exploit","type":"news_article","url":"https://www.theblock.co/post/398028/layerzero-kelp-dao-lazarus"},{"credibility":2,"name":"TRM Labs: North Korean Hackers Attack Drift Protocol in $285 Million Heist","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":2,"name":"Elliptic: Drift Protocol Exploited for $286 Million in Suspected DPRK-Linked Attack","type":"research","url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"},{"credibility":2,"name":"CyberSecurityNews: Lazarus Hackers Attacking macOS Users With Mach-O Man Malware Kit","type":"news_article","url":"https://cybersecuritynews.com/mach-o-man-macos-malware-lazarus/"},{"credibility":1,"name":"Dark Reading: North Korea's Lazarus Targets macOS Users via ClickFix","type":"news_article","url":"https://www.darkreading.com/threat-intelligence/north-koreas-lazarus-targets-macos-users-clickfix"},{"credibility":2,"name":"Cybernews: Lazarus macOS Malware Foiled by C2 Exploit","type":"news_article","url":"https://cybernews.com/security/north-korean-hackers-new-malware-foiled-by-researcher/"},{"credibility":1,"name":"CyberScoop: Crypto Analysts Stunned by Lazarus Group's Capabilities in $1.46B Bybit Theft","type":"news_article","url":"https://cyberscoop.com/bybit-lazarus-group-north-korea-ethereum/"},{"credibility":1,"name":"Chainalysis: DOJ Demands Forfeiture of 280 Cryptocurrency Addresses Associated with North Korea","type":"court_filing","url":"https://www.chainalysis.com/blog/lazarus-group-north-korea-doj-complaint-august-2020/"},{"credibility":2,"name":"CryptoTimes: KelpDAO, Bybit, Ronin — Lazarus Group's Crypto Hacks Behind a $7.3B Heist Empire","type":"news_article","url":"https://www.cryptotimes.io/2026/04/21/kelpdao-bybit-ronin-lazarus-groups-crypto-hacks-behind-a-7-3b-heist-empire/"},{"credibility":2,"name":"Bitcoin News: Mach-O Man Malware Steals macOS Keychain Data in Lazarus Group Crypto Campaign","type":"news_article","url":"https://news.bitcoin.com/mach-o-man-malware-steals-macos-keychain-data-in-lazarus-group-crypto-campaign/"},{"credibility":1,"name":"CoinDesk: Drift Outlines Recovery Plan for Users After $295 Million DPRK-Linked Exploit","type":"news_article","url":"https://www.coindesk.com/business/2026/05/05/drift-outlines-a-recovery-plan-for-users-after-usd295-million-dprk-linked-exploit"}],"summary":"Mach-O Man is a four-stage macOS malware kit attributed to North Korea's Lazarus Group (Chollima division), publicly disclosed in April 2026 by researchers at Bitso's Quetzal Team and the ANY.RUN sandbox platform. The campaign uses ClickFix social engineering — delivering fake meeting invitations via Telegram — to trick cryptocurrency and fintech executives into executing a terminal command that deploys a modular toolkit capable of stealing macOS Keychain secrets, browser credentials, session cookies, and crypto wallet extension data. Security researchers have linked the same threat actor cluster to over $575 million stolen from Drift Protocol and KelpDAO in April 2026 alone, and Lazarus Group's cumulative cryptocurrency theft since 2017 is estimated to exceed $7.3 billion.","timeline":[{"date":"2007-01-01","event":"Lazarus Group established by the North Korean government, subordinate to the 110th Research Center, 3rd Bureau of the RGB, according to U.S. Treasury.","source":"U.S. Treasury OFAC Press Release SM774","source_url":"https://home.treasury.gov/news/press-releases/sm774"},{"date":"2019-09-13","event":"OFAC designates Lazarus Group, Bluenoroff, and Andariel as SDNs under Executive Order 13722, prohibiting U.S. persons from transacting with them.","source":"U.S. Treasury OFAC","source_url":"https://home.treasury.gov/news/press-releases/sm774"},{"date":"2020-03-02","event":"OFAC sanctions two Chinese nationals for laundering cryptocurrency on behalf of Lazarus Group.","source":"U.S. Treasury OFAC","source_url":"https://home.treasury.gov/news/press-releases/sm924"},{"date":"2020-08-01","event":"U.S. DOJ files complaint seeking forfeiture of 280 cryptocurrency addresses linked to North Korean exchange hackers, supported by Chainalysis tracing.","source":"Chainalysis Blog","source_url":"https://www.chainalysis.com/blog/lazarus-group-north-korea-doj-complaint-august-2020/"},{"date":"2022-05-06","event":"OFAC issues first-ever sanctions on a virtual currency mixer (Tornado Cash) citing its use to launder DPRK-linked proceeds.","source":"U.S. Treasury OFAC","source_url":"https://home.treasury.gov/news/press-releases/jy0768"},{"date":"2025-01-01","event":"Chainalysis estimates DPRK-linked actors stole $2.02 billion during 2025, a 51% year-over-year increase, per its 2026 crypto crime report.","source":"CryptoTimes / Chainalysis","source_url":"https://www.cryptotimes.io/2026/04/21/kelpdao-bybit-ronin-lazarus-groups-crypto-hacks-behind-a-7-3b-heist-empire/"},{"date":"2025-09-01","event":"Alleged start of six-month social engineering operation targeting Drift Protocol, with DPRK-linked operatives attending conferences and building relationships with contributors (approximate date per reporting).","source":"The Hacker News","source_url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"date":"2026-04-01","event":"Drift Protocol exploited for approximately $285–295 million via social engineering and durable nonce manipulation. Attributed with medium confidence to UNC4736 (Citrine Sleet / Golden Chollima), a DPRK-linked cluster.","source":"Bloomberg / The Hacker News / TRM Labs","source_url":"https://www.bloomberg.com/news/articles/2026-04-01/solana-based-defi-project-drift-hit-by-285-million-exploit"},{"date":"2026-04-18","event":"KelpDAO bridge exploited for approximately $290–293 million (116,500 rsETH) via compromised RPC nodes and a single-point-of-failure DVN configuration. LayerZero and Chainalysis attribute the attack to Lazarus Group.","source":"BleepingComputer / Chainalysis / CoinDesk","source_url":"https://www.bleepingcomputer.com/news/security/kelpdao-suffers-290-million-heist-tied-to-lazarus-hackers/"},{"date":"2026-04-21","event":"Researchers at Bitso's Quetzal Team and ANY.RUN (analyst: Mauro Eldritch) publicly disclose the Mach-O Man malware kit, publishing full technical analysis including binary names, IOCs, and four-stage attack chain.","source":"ANY.RUN Cybersecurity Blog","source_url":"https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/"},{"date":"2026-04-22","event":"CertiK publishes analysis linking Mach-O Man campaign to Lazarus Group and connecting it to the Drift and KelpDAO exploits. CoinDesk covers the story.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2026/04/22/lazarus-group-has-become-especially-dangerous-with-new-mach-o-man-attack-certik"},{"date":"2026-04-22","event":"Arbitrum reportedly freezes $71 million in funds linked to the KelpDAO exploit.","source":"Bitcoin News","source_url":"https://news.bitcoin.com/lazarus-group-suspected-of-moving-175m-in-eth-after-arbitrum-freezes-71m-from-kelpdao-exploit/"},{"date":"2026-05-05","event":"Drift Protocol publishes a recovery plan for affected users following the $285–295 million DPRK-linked exploit.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2026/05/05/drift-outlines-a-recovery-plan-for-users-after-usd295-million-dprk-linked-exploit"}]},"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 5ef0287b-f722-4f8c-a2a3-2b05066bada5copy