
Verify a decision

Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.

How verification works

  1. We commit. When a moderator accepts or rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash those bytes with SHA-256, encode the 32-byte digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
  2. We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
  3. You compare three values: the hash in our database, the hash you recompute yourself from the stored bytes, and the hash inside the on-chain memo. If all three match, the bytes you are looking at are the ones we committed, and they existed no later than the block time of the anchoring transaction. That block time, not the timestamp we wrote into the memo, is the independent part of the timestamp.
The on-chain memo format is AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>, where h is the base58 SHA-256 digest, d identifies the decision and t is the off-chain timestamp we recorded.

Find the anchoring transaction's signature in any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.
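The three-way check described above, written out as an added example in Python (the language the page's own CLI is written in). This is not the site's src.verify_decision module: the base58 encoder, memo parser and comparison are written for this page; canonicalize() is an assumption about how the "deterministic UTF-8 bytes" are produced (the visible payload has sorted keys, no whitespace and raw non-ASCII, consistent with json.dumps(sort_keys=True, separators=(',', ':'), ensure_ascii=False)); the getTransaction response shape is the one Solana's JSON-RPC returns with encoding jsonParsed; and every piece of sample data is constructed, not taken from the site or the chain.

```python
"""Added example: the page's three-way check in plain Python (standard library only).
This is not the AVOID.NET project's own src.verify_decision module. Everything marked
'constructed' is sample input invented for this example, not real chain or database data."""
import hashlib
import json
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# SPL Memo v2 program id on Solana. A memo written through any other program is not an anchor.
MEMO_V2_PROGRAM_ID = "MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr"
MEMO_RE = re.compile(
    r"^AVOID\.NET\|v1\|h:(?P<h>[1-9A-HJ-NP-Za-km-z]+)\|d:(?P<d>[^|]+)\|t:(?P<t>[^|]+)$"
)


def b58encode(data: bytes) -> str:
    """Base58 with the Bitcoin/Solana alphabet; each leading 0x00 byte becomes a '1'."""
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + "".join(reversed(digits))


def anchor_hash(canonical_bytes: bytes) -> str:
    """Step 1: SHA-256 over the stored bytes, digest encoded as base58.
    Hash the bytes exactly as stored; re-serializing the JSON can silently change them."""
    return b58encode(hashlib.sha256(canonical_bytes).digest())


def canonicalize(decision: dict) -> bytes:
    """ASSUMPTION: the page only says 'deterministic UTF-8 bytes'. The payload it shows has
    sorted keys, no whitespace and raw non-ASCII, which is what this json.dumps call yields."""
    return json.dumps(decision, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def parse_memo(memo: str) -> dict:
    """Split AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso> into its h, d and t fields."""
    m = MEMO_RE.match(memo)
    if not m:
        raise ValueError("memo is not in AVOID.NET|v1 format")
    return m.groupdict()


def memo_from_transaction(tx: dict) -> tuple:
    """Extract (memo, blockTime) from a getTransaction reply with encoding 'jsonParsed'
    (shape assumed from the Solana JSON-RPC API). A transaction that is on the ledger but
    failed (meta.err set) executed nothing, so its memo anchors nothing."""
    result = tx["result"]
    if result["meta"].get("err") is not None:
        raise ValueError("transaction failed on chain; its memo is not an anchor")
    for ix in result["transaction"]["message"]["instructions"]:
        if ix.get("programId") == MEMO_V2_PROGRAM_ID and isinstance(ix.get("parsed"), str):
            return ix["parsed"], result.get("blockTime")
    raise ValueError("no SPL Memo v2 instruction in transaction")


def verify(canonical_bytes: bytes, db_hash: str, memo: str, decision_id: str) -> dict:
    """Step 3: database hash == recomputed hash == on-chain memo hash. The memo's d: field
    is checked too, so a genuine memo for some other decision cannot be passed off as the
    anchor for this one. The t: field is whatever the site wrote; the ledger blockTime
    returned by memo_from_transaction is the independent timestamp."""
    recomputed = anchor_hash(canonical_bytes)
    fields = parse_memo(memo)
    db_ok = db_hash == recomputed
    chain_ok = fields["h"] == recomputed
    id_ok = fields["d"] == decision_id
    return {"recomputed": recomputed, "db_matches": db_ok, "chain_matches": chain_ok,
            "id_matches": id_ok, "memo_t": fields["t"], "ok": db_ok and chain_ok and id_ok}


# ---- constructed sample data (not a real AVOID.NET decision or Solana transaction) ----
SAMPLE_ID = "00000000-0000-4000-8000-000000000000"
SAMPLE_DECISION = {
    "kind": "publish", "actor": "system:backfill", "investigation_id": SAMPLE_ID,
    "sequence_num": 1, "snapshot": {"entity_name": "Example / Sample", "summary": "2015–2017"},
}
SAMPLE_CANONICAL = canonicalize(SAMPLE_DECISION)   # what the database would store
SAMPLE_DB_HASH = anchor_hash(SAMPLE_CANONICAL)     # what the database would show
SAMPLE_MEMO = f"AVOID.NET|v1|h:{SAMPLE_DB_HASH}|d:{SAMPLE_ID}|t:2026-06-03T00:08:19.736Z"
SAMPLE_TX = {"result": {"blockTime": 1780445299, "meta": {"err": None}, "transaction": {
    "message": {"instructions": [
        {"program": "spl-memo", "programId": MEMO_V2_PROGRAM_ID, "parsed": SAMPLE_MEMO}]}}}}

if __name__ == "__main__":
    memo, block_time = memo_from_transaction(SAMPLE_TX)
    report = verify(SAMPLE_CANONICAL, SAMPLE_DB_HASH, memo, SAMPLE_ID)
    print(json.dumps(dict(report, block_time=block_time), indent=2))
```

Two things step 3 leaves implicit, and the example enforces: hash the bytes exactly as the database stores them rather than re-serializing the JSON, because a different key order or whitespace yields a different digest for the same decision; and treat the memo's t: field as the site's own claim, since only the slot and block time of the anchoring transaction are independent of AVOID.NET. A full match proves the bytes were committed no later than that block. It says nothing about whether the decision itself was right, and a memo whose d: field names a different decision is not an anchor for this one even if its hash is genuine.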

Sequence: #1
Cluster: mainnet-beta
Slot: 423915125
Off-chain at: 2026-06-03T00:08:19.736Z
Anchored at: (loaded from the anchoring transaction)
Block time: (loaded from the anchoring transaction)

Independent verification

1. Database (off-chain): AKG4ES5XgqdMkkDjjiagxked4b4JLyYG7fpb5zsA5n3k
2. Recomputed (your browser): computed live from the canonical bytes below
3. On-chain (Solana memo): fetched live from the anchoring transaction
Canonical bytes hashed (41023 chars)
{"actor":"system:backfill","investigation_id":"6756abb1-fffe-4beb-a1de-ea0c3f432d07","kind":"publish","page_slug":"citrine-sleet-applejeus","published_at":"2026-06-03T00:08:19.627Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Citrine Sleet / AppleJeus","sections":[{"content":"Citrine Sleet is a North Korean state-sponsored advanced persistent threat (APT) group attributed by Microsoft, Mandiant, Palo Alto Networks Unit 42, and the U.S. Government to Bureau 121 of the Reconnaissance General Bureau (RGB), North Korea's primary foreign intelligence service. The group operates under the broader Lazarus Group umbrella but is tracked as a distinct cluster by multiple vendors under different names: Citrine Sleet (Microsoft), Gleaming Pisces (Palo Alto Networks Unit 42), UNC4736 (Mandiant/Google), Labyrinth Chollima (CrowdStrike), and AppleJeus (U.S. Government/MITRE ATT&CK Group G1049). The MITRE ATT&CK framework catalogues the group as G1049 with associated software including POOLRAT and COLDCAT. The group's primary mission, per MITRE, is to generate and launder revenue to provide financial support to the North Korean government and its weapons programs. The RGB falls under the General Staff Bureau of the Korean People's Army. 
Microsoft attributes the group with medium-to-high confidence to North Korea based on infrastructure overlaps, code reuse, and targeting patterns consistent with DPRK financial objectives.","heading":"Attribution and Organizational Structure","severity":"critical","sources":[{"credibility":1,"name":"North Korean threat actor Citrine Sleet exploiting Chromium zero-day — Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/"},{"credibility":1,"name":"AppleJeus, Gleaming Pisces, Citrine Sleet, UNC1720, UNC4736, Group G1049 — MITRE ATT&CK","type":"research","url":"https://attack.mitre.org/groups/G1049/"},{"credibility":2,"name":"Threat Assessment: North Korean Threat Groups — Palo Alto Networks Unit 42","type":"research","url":"https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/"}]},{"content":"Kaspersky Lab's Global Research and Analysis Team discovered the AppleJeus campaign in August 2018 while performing incident response at a compromised cryptocurrency exchange in Asia. The attackers had created a fictitious company, 'Celas LLC,' with a fabricated Michigan business address, domain registration under a pseudonymous identity ('John Broox') via Domains4Bitcoins, and a valid SSL certificate from Comodo CA. A trojanized trading application called 'Celas Trade Pro' appeared legitimate and bore no outward signs of malicious behavior. Once installed, an embedded updater component collected system information, encrypted it using XOR key 'Moz&Wie;#t/6T!2y,' and transmitted it to a command-and-control (C2) server disguised as a GIF image upload; the C2 then delivered an encrypted Fallchill backdoor. This was the first documented case of the Lazarus Group deploying macOS malware. 
Kaspersky attributed the campaign to Lazarus based on reused RC4 encryption keys from 2015–2017 Fallchill variants, identical C2 infrastructure, and Korean language code 'ko-kp' in HTTP headers.","heading":"Origin and Discovery: Operation AppleJeus (2018)","severity":"high","sources":[{"credibility":2,"name":"Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware — Kaspersky Securelist","type":"research","url":"https://securelist.com/operation-applejeus/87553/"},{"credibility":2,"name":"AppleJeus: Lazarus Group Hunts Cryptocurrency Exchanges Using macOS Malware — Business Wire","type":"news_article","url":"https://www.businesswire.com/news/home/20180823005093/en/AppleJeus-Lazarus-Group-Hunts-Cryptocurrency-Exchanges-macOS"}]},{"content":"Citrine Sleet/AppleJeus has developed and deployed a continuously evolving suite of malware across Windows, macOS, and Linux platforms. Core tools include: (1) AppleJeus trojan — a remote administration tool embedded in fake cryptocurrency trading applications, enabling persistent remote access and asset exfiltration; (2) POOLRAT — a macOS backdoor supporting file upload/download, directory listing, command execution, and configuration management; (3) PondRAT — a lighter Linux and macOS variant of POOLRAT, delivered via poisoned Python packages on PyPI in 2024, sharing identical encryption key 'wLqfM]%wTx`~tUTbw>R^#yG5R(3C:;.' 
and matching function names (FConnectProxy, AcceptRequest) with earlier AppleJeus samples; (4) COLDCAT — a downloader beaconing with unique host identifiers; (5) VEILEDSIGNAL — a modular backdoor used in the 3CX supply chain attack, communicating via named pipes; (6) ICONICSTEALER — a data miner targeting browser history and application configurations; (7) SUDDENICON — a multi-stage downloader using encrypted icon files on GitHub for C2 configuration; (8) FudModule rootkit — a sophisticated kernel-level rootkit employing direct kernel object manipulation (DKOM) to disable security mechanisms from user mode, deployed via CVE-2024-7971 and CVE-2024-38106 exploitation in August 2024; and (9) INLETDRIFT — a macOS backdoor delivered via malicious PDF in the Radiant Capital operation. The group has also exploited VSCode/Cursor task automation (tasks.json 'runOn: folderOpen') and Apple TestFlight beta distribution as malware delivery channels since at least late 2025.","heading":"Malware Arsenal and Technical Capabilities","severity":"critical","sources":[{"credibility":1,"name":"North Korean threat actor Citrine Sleet exploiting Chromium zero-day — Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/"},{"credibility":2,"name":"Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and macOS Backdoors — Palo Alto Networks Unit 42","type":"research","url":"https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/"},{"credibility":1,"name":"3CX Software Supply Chain Compromise — Mandiant / Google Cloud Blog","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/3cx-software-supply-chain-compromise"},{"credibility":1,"name":"AppleJeus: Analysis of North Korea's Cryptocurrency Malware — CISA Advisory 
AA21-048A","type":"regulatory","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-048a"}]},{"content":"A defining characteristic of the AppleJeus cluster is the creation of elaborate fake companies and professional identities to deliver malware. The CISA/FBI/Treasury joint advisory (February 2021) documented seven distinct fake cryptocurrency trading companies linked to AppleJeus: Celas Trade Pro, JMT Trading, Union Crypto, Kupay Wallet, CoinGoTrade, Dorusio, and Ants2Whale. Each company received a legitimate-looking website, functional product download, and professional branding. The Volexity research firm documented additional variants in December 2022 (BloxHolder). By 2025–2026, the group had significantly evolved its social engineering, deploying fully constructed professional identities with verifiable employment histories, public-facing credentials, LinkedIn profiles, and conference attendance. In the Radiant Capital attack (September–October 2024), the group impersonated a former contractor over Telegram. In the Drift Protocol operation (fall 2025–April 2026), operatives attended international cryptocurrency conferences across multiple countries in-person, deposited over $1 million of real capital into the Drift ecosystem, and conducted working sessions spanning months before executing the attack. 
Drift's post-mortem noted the individuals who appeared at conferences were likely not North Korean nationals but third-party intermediaries deployed as cutouts.","heading":"Fake Company and Social Engineering Infrastructure","severity":"critical","sources":[{"credibility":1,"name":"AppleJeus: Analysis of North Korea's Cryptocurrency Malware — CISA Advisory AA21-048A","type":"regulatory","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-048a"},{"credibility":2,"name":"Drift says $270 million exploit was a six-month North Korean intelligence operation — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/04/05/drift-says-usd270-million-exploit-was-a-six-month-north-korean-intelligence-operation"},{"credibility":2,"name":"Radiant Capital says North Korea posed as ex-contractor to carry out $50M hack — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/radiant-capital-north-korean-impersonated-ex-contractor-50-million-hack"},{"credibility":2,"name":"Buyer Beware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware — Volexity","type":"research","url":"https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/"}]},{"content":"Mandiant attributed the March 2023 3CX Desktop App supply chain compromise to UNC4736 with high confidence of a North Korean nexus. The attack represented the first publicly documented instance of one software supply chain compromise being used to initiate a second: in early 2022, a 3CX employee installed a trojanized X_TRADER installer (from Trading Technologies' legitimate website), which delivered the VEILEDSIGNAL backdoor onto the employee's personal computer. Attackers then moved laterally into 3CX's build environment, compromising the macOS and Windows build servers. 
The malicious 3CX DesktopApp (version 18.12.416 and earlier) bundled SUDDENICON and ICONICSTEALER, which harvested browser history and application credentials from victims. On Windows, persistence was achieved via TAXHAUL (DLL search order hijacking via IKEEXT, running as LocalSystem) and COLDCAT; on macOS via POOLRAT (Launch Daemons). The campaign shared technical indicators with prior AppleJeus operations including the RC4 key '3jB(2bsG#@c7' and the cookie variable '__tutma'. The 3CX DesktopApp is used by over 600,000 companies globally with 12 million daily users, making this one of the most impactful software supply chain attacks attributed to DPRK actors.","heading":"3CX Supply Chain Attack (2022–2023)","severity":"critical","sources":[{"credibility":1,"name":"3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise — Mandiant / Google Cloud Blog","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/3cx-software-supply-chain-compromise"},{"credibility":2,"name":"3CX Breach Was a Double Supply Chain Compromise — Krebs on Security","type":"news_article","url":"https://krebsonsecurity.com/2023/04/3cx-breach-was-a-double-supply-chain-compromise/"},{"credibility":2,"name":"North Korean hackers showcase new tactics in 3CX supply chain attack: Mandiant report — Axios","type":"news_article","url":"https://www.axios.com/2023/04/21/north-korea-supply-chain-attacks-3cx"}]},{"content":"On August 19, 2024, Microsoft identified Citrine Sleet actively exploiting CVE-2024-7971, a type confusion vulnerability in the Chromium V8 JavaScript engine (CVSS 8.8), affecting versions prior to 128.0.6613.84. Targets were directed to the attacker-controlled domain voyagorclub[.]space, which served the zero-day RCE exploit. 
Upon successful exploitation in the sandboxed Chromium renderer, shellcode downloaded a Windows sandbox escape exploit (CVE-2024-38106, a Windows kernel vulnerability patched August 13, 2024) and the FudModule rootkit. FudModule employs direct kernel object manipulation (DKOM) to disable kernel security mechanisms while executing from user mode, and was also previously attributed to the Diamond Sleet threat cluster — suggesting shared tooling between DPRK groups. Microsoft noted overlapping infrastructure between Diamond Sleet and Citrine Sleet. Google patched CVE-2024-7971 on August 21, 2024, two days after Microsoft's discovery. Additional CVEs exploited by Citrine Sleet in related campaigns include CVE-2024-21338 (AppLocker driver zero-day used by FudModule 2.0) and CVE-2024-38193 (AFD.sys driver vulnerability).","heading":"CVE-2024-7971 Chromium Zero-Day and FudModule Rootkit (August 2024)","severity":"critical","sources":[{"credibility":1,"name":"North Korean threat actor Citrine Sleet exploiting Chromium zero-day — Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/"},{"credibility":2,"name":"North Korean Hackers Deploy FudModule Rootkit via Chrome Zero-Day Exploit — The Hacker News","type":"news_article","url":"https://thehackernews.com/2024/08/north-korean-hackers-deploy-fudmodule.html"},{"credibility":2,"name":"North Korea-linked APT Citrine Sleet exploit Chrome zero-day to deliver FudModule rootkit — Security Affairs","type":"news_article","url":"https://securityaffairs.com/167848/breaking-news/north-korea-linked-apt-exploited-chrome-zero-day-cve-2024-7971.html"}]},{"content":"Palo Alto Networks Unit 42 attributed a campaign distributing malicious Python packages via PyPI to Gleaming Pisces (Citrine Sleet) with medium confidence in September 2024. 
The packages — real-ids (893 downloads), coloredtxt (381 downloads), beautifultext (736 downloads), and minisound (416 downloads) — contained encoded payloads that downloaded and executed PondRAT, a Linux and macOS backdoor. Unit 42 assessed PondRAT as a lighter variant of POOLRAT, sharing the identical encryption key 'wLqfM]%wTx`~tUTbw>R^#yG5R(3C:;.' and matching function names with the kupayupdate_stage2 sample from the 2021 AppleJeus campaign. PondRAT's four core commands (file upload, file download, sleep, and command execution) mirror a subset of POOLRAT's broader capability set. The campaign's objective was assessed as gaining initial access to software developers' endpoints as a precursor to supply chain compromise, following the pattern established in the 3CX intrusion.","heading":"PondRAT / Poisoned Python Packages Campaign (2024)","severity":"high","sources":[{"credibility":2,"name":"Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and macOS Backdoors — Palo Alto Networks Unit 42","type":"research","url":"https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/"},{"credibility":2,"name":"New PondRAT Malware Hidden in Python Packages Targets Software Developers — The Hacker News","type":"news_article","url":"https://thehackernews.com/2024/09/new-pondrat-malware-hidden-in-python.html"},{"credibility":2,"name":"North Korea-linked APT Gleaming Pisces delivers new PondRAT backdoor via malicious Python packages — Security Affairs","type":"news_article","url":"https://securityaffairs.com/168781/apt/gleaming-pisces-malicious-python-packages.html"}]},{"content":"On October 16, 2024, Radiant Capital, a cross-chain DeFi lending protocol, lost approximately $50 million after attackers compromised three developers' devices during a routine multi-signature emissions adjustment process. 
The attack chain began on September 11, 2024, when threat actors sent a malicious ZIP file via Telegram, impersonating a former contractor and requesting review of a security report on another crypto incident. The ZIP contained INLETDRIFT, a macOS backdoor. Once the three compromised devices were used to sign what appeared to be a legitimate transaction, attackers obtained sufficient multisig approval to drain protocol funds. Mandiant investigated the incident and attributed it to UNC4736 (Citrine Sleet) based on tactical and tooling overlaps with prior operations. Radiant Capital subsequently wound down operations after failing to recover or secure new funding, reducing from a peak of several hundred million dollars TVL to approximately $2 million. On-chain fund flow analysis by investigators later connected wallet addresses from this breach to those used in the Drift Protocol attack, linking the two operations.","heading":"Radiant Capital Breach (October 2024, $50 Million)","severity":"critical","sources":[{"credibility":2,"name":"Radiant Capital says North Korean hackers behind $50 million hack in October — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2024/12/09/radiant-capital-says-north-korean-hackers-behind-50-million-attack-in-october"},{"credibility":2,"name":"North Korean hackers behind $50 million crypto heist of Radiant Capital — The Record","type":"news_article","url":"https://therecord.media/radiant-capital-heist-north-korea"},{"credibility":2,"name":"$50 Million Radiant Capital Heist Blamed on North Korean Hackers — SecurityWeek","type":"news_article","url":"https://www.securityweek.com/radiant-capital-50-million-heist-blamed-on-north-korean-hackers/"},{"credibility":2,"name":"Radiant Capital to wind down after $50 million North Korea-linked hack — Crypto.news","type":"news_article","url":"https://crypto.news/radiant-capital-to-wind-down-after-50-million-north-korea-linked-hack/"}]},{"content":"On April 1, 2026, Drift Protocol 
— a Solana-based decentralized perpetual futures exchange — lost approximately $285 million in user assets in roughly twelve minutes, in what became one of the largest DeFi exploits in history. Drift's post-mortem attributed the attack to UNC4736 (Citrine Sleet) with medium confidence, supported by on-chain fund flows tracing to wallet addresses linked to the October 2024 Radiant Capital breach. The operation began approximately six months prior, in fall 2025, when individuals posing as employees of a quantitative trading firm made contact with Drift contributors at major cryptocurrency conferences across multiple countries. The attackers exhibited technical fluency, presented verifiable professional backgrounds and employment histories, and engaged in substantive months-long conversations about trading strategies and vault integrations. In December 2025 through January 2026, the group onboarded an Ecosystem Vault and deposited over $1 million in real capital as a trust-building measure. Two primary attack vectors were identified: (1) a malicious Microsoft VSCode/Cursor project weaponizing a 'tasks.json' file with the 'runOn: folderOpen' option to execute arbitrary code automatically upon opening — a technique North Korean actors adopted from approximately December 2025; and (2) a beta iOS wallet application distributed via Apple TestFlight, which bypasses App Store security review. Once two contributors' devices were compromised, attackers obtained the multisig approvals needed for a durable nonce attack, with pre-signed transactions remaining dormant for over one week before execution on April 1. Associated Telegram channels and malware were deleted immediately after the attack. Law enforcement and Mandiant are assisting with the ongoing investigation. 
The attack is the largest confirmed DPRK crypto operation attributed to Citrine Sleet.","heading":"Drift Protocol Exploit (April 2026, $285 Million)","severity":"critical","sources":[{"credibility":2,"name":"$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":2,"name":"'It reads like a spy novel': $280 million theft from Drift involved North Korean fake companies, cutouts — The Record","type":"news_article","url":"https://therecord.media/drift-crypto-theft-post-mortem-north-korea"},{"credibility":2,"name":"Drift says $270 million exploit was a six-month North Korean intelligence operation — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/04/05/drift-says-usd270-million-exploit-was-a-six-month-north-korean-intelligence-operation"},{"credibility":2,"name":"Drift $280M crypto theft linked to 6-month in-person operation — Bleeping Computer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/drift-280m-crypto-theft-linked-to-6-month-in-person-operation/"},{"credibility":2,"name":"Drift Protocol Exploit: Why 'Social Trust' Is the Newest Cybersecurity Gap — Crowell & Moring LLP","type":"news_article","url":"https://www.crowell.com/en/insights/client-alerts/drift-protocol-exploit-why-social-trust-is-the-newest-cybersecurity-gap"}]},{"content":"On February 17, 2021, CISA, the FBI, and the Department of the Treasury issued a joint cybersecurity advisory (AA21-048A) detailing seven versions of AppleJeus malware and the fake companies used to distribute them. The advisory noted that DPRK cyber actors had targeted cryptocurrency organizations in over 30 countries in the preceding year. 
The Lazarus Group — the broader umbrella organization encompassing Citrine Sleet — was sanctioned by OFAC on September 13, 2019, as an agency, instrumentality, or controlled entity of the Government of the DPRK. In May 2022, OFAC sanctioned the cryptocurrency mixer Blender.io — the first-ever designation of a virtual currency mixer — for providing mixing services to the Lazarus Group following the $625 million Ronin Network hack. In April 2023, OFAC coordinated with South Korea to sanction OTC traders who converted stolen cryptocurrency for the Lazarus Group. In March 2026, OFAC took further action targeting DPRK IT worker networks using cryptocurrency. Chainalysis has estimated that cumulative DPRK-attributed cryptocurrency theft reached at least $6.75 billion since 2016 as of December 2025, with North Korean hackers stealing a record $2.02 billion in 2025 alone across all affiliated groups.","heading":"U.S. Government Advisories and Sanctions","severity":"critical","sources":[{"credibility":1,"name":"AppleJeus: Analysis of North Korea's Cryptocurrency Malware — CISA Advisory AA21-048A","type":"regulatory","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-048a"},{"credibility":1,"name":"North Korean Malicious Cyber Activity: AppleJeus — CISA Alert","type":"regulatory","url":"https://www.cisa.gov/news-events/alerts/2021/02/17/north-korean-malicious-cyber-activity-applejeus"},{"credibility":1,"name":"Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group — U.S. 
Treasury","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sm924"},{"credibility":2,"name":"2025 Crypto Theft Reaches $3.4 Billion — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2026/"},{"credibility":2,"name":"North Korea stole $2 billion in crypto in 2025, Chainalysis says — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2025/12/18/north-korean-hackers-stole-a-record-usd2b-of-crypto-in-2025-chainalysis-says"}]},{"content":"Citrine Sleet employs a broad spectrum of TTPs across the MITRE ATT&CK framework. Initial access vectors include: trojanized software (fake trading applications, poisoned open-source packages on PyPI, malicious GitHub repositories), spearphishing via Telegram and email, drive-by compromise via browser zero-days, supply chain compromise (trading software, communications software), and TestFlight beta app distribution. Persistence mechanisms include DLL search order hijacking (TAXHAUL/IKEEXT), macOS Launch Daemons (POOLRAT), and VSCode task automation. The group exploits both Windows and macOS environments and has targeted Linux. Defense evasion relies on the FudModule rootkit's DKOM-based disabling of kernel security mechanisms, code signing abuse using legitimate certificates, and RC4/AES-256-GCM encrypted C2 communications. Credential access involves browser history and application configuration theft (ICONICSTEALER). Lateral movement uses the compiled Fast Reverse Proxy (FRP) tool. A significant TTP evolution documented since 2024–2025 is extended in-person social engineering: spending weeks to months building trust with targets at physical conferences, depositing real capital, and mimicking standard institutional onboarding procedures before executing attacks. 
This represents a significant escalation beyond traditional phishing and requires security models beyond technical controls.","heading":"Tactics, Techniques, and Procedures (TTPs)","severity":"high","sources":[{"credibility":1,"name":"AppleJeus, Gleaming Pisces, Citrine Sleet, UNC1720, UNC4736, Group G1049 — MITRE ATT&CK","type":"research","url":"https://attack.mitre.org/groups/G1049/"},{"credibility":1,"name":"North Korean threat actor Citrine Sleet exploiting Chromium zero-day — Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/"},{"credibility":1,"name":"3CX Software Supply Chain Compromise — Mandiant / Google Cloud Blog","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/3cx-software-supply-chain-compromise"}]},{"content":"Chainalysis reported that DPRK-affiliated hackers stole $1.3 billion in cryptocurrency across 47 incidents in 2024 (a 103% year-over-year increase from $660.5 million across 20 incidents in 2023), and a record $2.02 billion in 2025. The cumulative lower-bound DPRK cryptocurrency theft estimate as of December 2025 is at least $6.75 billion since 2016. Operations specifically attributed to Citrine Sleet/UNC4736 include: the October 2024 Radiant Capital breach ($50 million), and the April 2026 Drift Protocol exploit ($285 million), with fund flows connecting both. The broader AppleJeus campaign family (tracked since 2018) has targeted cryptocurrency organizations in over 30 countries, per the 2021 CISA advisory. The U.S. government has assessed that DPRK-linked cryptocurrency theft proceeds fund North Korea's weapons of mass destruction and ballistic missile programs. 
Chainalysis notes DPRK is achieving larger thefts with fewer incidents and that the DeFi sector, developer toolchains, and exchange employees remain primary target surfaces.","heading":"Scope and Financial Impact","severity":"critical","sources":[{"credibility":2,"name":"$2.2 Billion Stolen in Crypto in 2024 — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2025/"},{"credibility":2,"name":"North Korean hackers stole $1.3B in crypto in 2024 — CoinTelegraph / Chainalysis","type":"news_article","url":"https://cointelegraph.com/news/north-korean-hackers-crypto-theft-2024-chainalysis"},{"credibility":2,"name":"2025 Crypto Theft Reaches $3.4 Billion — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2026/"},{"credibility":1,"name":"AppleJeus: Analysis of North Korea's Cryptocurrency Malware — CISA Advisory AA21-048A","type":"regulatory","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-048a"}]}],"sources_used":[{"credibility":1,"name":"North Korean threat actor Citrine Sleet exploiting Chromium zero-day — Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/"},{"credibility":1,"name":"AppleJeus, Gleaming Pisces, Citrine Sleet, UNC1720, UNC4736, Group G1049 — MITRE ATT&CK","type":"research","url":"https://attack.mitre.org/groups/G1049/"},{"credibility":1,"name":"AppleJeus: Analysis of North Korea's Cryptocurrency Malware — CISA Advisory AA21-048A","type":"regulatory","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-048a"},{"credibility":1,"name":"North Korean Malicious Cyber Activity: AppleJeus — CISA Alert (2021)","type":"regulatory","url":"https://www.cisa.gov/news-events/alerts/2021/02/17/north-korean-malicious-cyber-activity-applejeus"},{"credibility":1,"name":"Treasury Sanctions Individuals Laundering 
Cryptocurrency for Lazarus Group — U.S. Treasury","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sm924"},{"credibility":1,"name":"3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise — Mandiant / Google Cloud Blog","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/3cx-software-supply-chain-compromise"},{"credibility":2,"name":"Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and macOS Backdoors — Palo Alto Networks Unit 42","type":"research","url":"https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/"},{"credibility":2,"name":"Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware — Kaspersky Securelist","type":"research","url":"https://securelist.com/operation-applejeus/87553/"},{"credibility":2,"name":"$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":2,"name":"'It reads like a spy novel': $280 million theft from Drift involved North Korean fake companies, cutouts — The Record","type":"news_article","url":"https://therecord.media/drift-crypto-theft-post-mortem-north-korea"},{"credibility":2,"name":"Drift says $270 million exploit was a six-month North Korean intelligence operation — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/04/05/drift-says-usd270-million-exploit-was-a-six-month-north-korean-intelligence-operation"},{"credibility":2,"name":"Drift $280M crypto theft linked to 6-month in-person operation — Bleeping Computer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/drift-280m-crypto-theft-linked-to-6-month-in-person-operation/"},{"credibility":2,"name":"Radiant Capital says North Korean hackers behind $50 million hack in October — 
CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2024/12/09/radiant-capital-says-north-korean-hackers-behind-50-million-attack-in-october"},{"credibility":2,"name":"North Korean hackers behind $50 million crypto heist of Radiant Capital — The Record","type":"news_article","url":"https://therecord.media/radiant-capital-heist-north-korea"},{"credibility":2,"name":"Radiant Capital to wind down after $50 million North Korea-linked hack — Crypto.news","type":"news_article","url":"https://crypto.news/radiant-capital-to-wind-down-after-50-million-north-korea-linked-hack/"},{"credibility":2,"name":"North Korea-linked APT Citrine Sleet exploit Chrome zero-day to deliver FudModule rootkit — Security Affairs","type":"news_article","url":"https://securityaffairs.com/167848/breaking-news/north-korea-linked-apt-exploited-chrome-zero-day-cve-2024-7971.html"},{"credibility":2,"name":"North Korean Hackers Deploy FudModule Rootkit via Chrome Zero-Day Exploit — The Hacker News","type":"news_article","url":"https://thehackernews.com/2024/08/north-korean-hackers-deploy-fudmodule.html"},{"credibility":2,"name":"3CX Breach Was a Double Supply Chain Compromise — Krebs on Security","type":"news_article","url":"https://krebsonsecurity.com/2023/04/3cx-breach-was-a-double-supply-chain-compromise/"},{"credibility":2,"name":"Buyer Beware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware — Volexity","type":"research","url":"https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/"},{"credibility":2,"name":"2025 Crypto Theft Reaches $3.4 Billion — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2026/"},{"credibility":2,"name":"North Korean hackers stole $1.3B in crypto in 2024 — CoinTelegraph / 
Chainalysis","type":"news_article","url":"https://cointelegraph.com/news/north-korean-hackers-crypto-theft-2024-chainalysis"},{"credibility":2,"name":"North Korea stole $2 billion in crypto in 2025, Chainalysis says — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2025/12/18/north-korean-hackers-stole-a-record-usd2b-of-crypto-in-2025-chainalysis-says"},{"credibility":2,"name":"North Korean Group UNC4736 Blamed for Radiant Capital Breach — Be In Crypto","type":"news_article","url":"https://beincrypto.com/north-korea-radiant-capital-hack/"},{"credibility":2,"name":"Threat Assessment: North Korean Threat Groups — Palo Alto Networks Unit 42","type":"research","url":"https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/"}],"summary":"Citrine Sleet (also tracked as AppleJeus, Gleaming Pisces, UNC4736, and Labyrinth Chollima) is a North Korean state-sponsored threat cluster attributed to Bureau 121 of the Reconnaissance General Bureau (RGB), active since at least 2018. The group specializes in financially motivated cyberattacks against cryptocurrency exchanges, DeFi protocols, and developer toolchains, deploying trojanized trading applications, supply chain compromises, and zero-day exploits to steal digital assets. Chainalysis estimates DPRK-linked actors have stolen at least $6.75 billion in cryptocurrency since 2016, with Citrine Sleet/UNC4736 operations accounting for multiple hundred-million-dollar individual incidents including the April 2026 Drift Protocol exploit ($285 million) and the October 2024 Radiant Capital breach ($50 million).","timeline":[{"date":"2018-06-01","event":"AppleJeus malware samples dated June–August 2018 deployed against a cryptocurrency exchange in Asia via trojanized 'Celas Trade Pro' application from fake company 'Celas LLC.' 
First documented macOS malware deployment by Lazarus Group.","source":"Kaspersky Lab Securelist","source_url":"https://securelist.com/operation-applejeus/87553/"},{"date":"2018-08-23","event":"Kaspersky Lab publicly discloses Operation AppleJeus, attributing trojanized cryptocurrency trading software to the Lazarus Group.","source":"Business Wire / Kaspersky","source_url":"https://www.businesswire.com/news/home/20180823005093/en/AppleJeus-Lazarus-Group-Hunts-Cryptocurrency-Exchanges-macOS"},{"date":"2019-09-13","event":"OFAC formally sanctions the Lazarus Group as an agency or instrumentality of the Government of the DPRK.","source":"U.S. Department of the Treasury","source_url":"https://home.treasury.gov/news/press-releases/sm924"},{"date":"2021-02-17","event":"CISA, FBI, and the Department of the Treasury issue joint advisory AA21-048A documenting seven AppleJeus malware variants and associated fake cryptocurrency trading companies targeting organizations in over 30 countries.","source":"CISA","source_url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-048a"},{"date":"2022-02-01","event":"Trading Technologies website compromised via hidden IFRAME exploit (CVE-2022-0609); X_TRADER software trojanized with VEILEDSIGNAL backdoor, initiating the 3CX supply chain attack chain.","source":"Mandiant / Google Cloud Blog","source_url":"https://cloud.google.com/blog/topics/threat-intelligence/3cx-software-supply-chain-compromise"},{"date":"2022-12-01","event":"Volexity documents additional AppleJeus variants including 'BloxHolder' fake trading platform distributing updated malware.","source":"Volexity","source_url":"https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/"},{"date":"2023-03-01","event":"3CX DesktopApp supply chain compromise discovered; malicious versions 18.12.416 and earlier found to deliver SUDDENICON and ICONICSTEALER to enterprise users globally.","source":"3CX / 
Mandiant","source_url":"https://cloud.google.com/blog/topics/threat-intelligence/3cx-software-supply-chain-compromise"},{"date":"2023-04-20","event":"Mandiant publishes full 3CX supply chain compromise analysis, attributing the cascading attack to UNC4736 with high confidence of North Korean nexus.","source":"Mandiant / Google Cloud Blog","source_url":"https://cloud.google.com/blog/topics/threat-intelligence/3cx-software-supply-chain-compromise"},{"date":"2024-02-01","event":"Malicious Python packages (real-ids, coloredtxt, beautifultext, minisound) containing PondRAT backdoor uploaded to PyPI, attributed to Gleaming Pisces (Citrine Sleet) by Palo Alto Networks Unit 42.","source":"Palo Alto Networks Unit 42","source_url":"https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/"},{"date":"2024-08-13","event":"Microsoft patches CVE-2024-38106 (Windows kernel vulnerability) as part of August Patch Tuesday.","source":"Microsoft","source_url":"https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/"},{"date":"2024-08-19","event":"Microsoft identifies Citrine Sleet actively exploiting Chromium zero-day CVE-2024-7971 (V8 type confusion, CVSS 8.8) to deliver FudModule rootkit via exploit domain voyagorclub[.]space.","source":"Microsoft Security Blog","source_url":"https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/"},{"date":"2024-08-21","event":"Google releases Chrome patch for CVE-2024-7971.","source":"Microsoft Security Blog","source_url":"https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/"},{"date":"2024-08-30","event":"Microsoft publicly publishes Citrine Sleet CVE-2024-7971 / FudModule rootkit analysis.","source":"Microsoft Security 
Blog","source_url":"https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/"},{"date":"2024-09-11","event":"UNC4736 operatives send malicious ZIP file via Telegram to Radiant Capital developers, impersonating a former contractor and delivering INLETDRIFT macOS backdoor inside a PDF.","source":"CoinTelegraph","source_url":"https://cointelegraph.com/news/radiant-capital-north-korean-impersonated-ex-contractor-50-million-hack"},{"date":"2024-09-01","event":"Palo Alto Networks Unit 42 publishes Gleaming Pisces / PondRAT poisoned Python packages campaign analysis.","source":"Palo Alto Networks Unit 42","source_url":"https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/"},{"date":"2024-10-16","event":"UNC4736 (Citrine Sleet) exploits compromised Radiant Capital developer devices to drain approximately $50 million from the cross-chain DeFi protocol. Three developers' multisig keys are used to approve fraudulent transactions.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2024/12/09/radiant-capital-says-north-korean-hackers-behind-50-million-attack-in-october"},{"date":"2024-12-09","event":"Radiant Capital publicly attributes the October 2024 $50 million exploit to UNC4736 (Citrine Sleet) following Mandiant investigation.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2024/12/09/radiant-capital-says-north-korean-hackers-behind-50-million-attack-in-october"},{"date":"2025-10-01","event":"Citrine Sleet operatives begin approaching Drift Protocol contributors at major cryptocurrency conferences, presenting as employees of a quantitative trading firm. 
Six-month social engineering operation commences.","source":"The Hacker News","source_url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"date":"2025-12-01","event":"Attackers onboard an Ecosystem Vault on Drift Protocol, depositing over $1 million in real capital to establish legitimacy and begin formal integration discussions.","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2026/04/05/drift-says-usd270-million-exploit-was-a-six-month-north-korean-intelligence-operation"},{"date":"2026-02-01","event":"Drift operatives continue in-person meetings with contributors across multiple countries, sharing malicious links and ultimately compromising contributor devices via malicious VSCode project (tasks.json exploit) and a TestFlight iOS application.","source":"The Record","source_url":"https://therecord.media/drift-crypto-theft-post-mortem-north-korea"},{"date":"2026-04-01","event":"Attackers execute durable nonce attack on Drift Protocol using pre-signed multisig transactions dormant for over one week, draining approximately $285 million in user assets in roughly twelve minutes. Telegram channels and malware are immediately deleted.","source":"Bleeping Computer","source_url":"https://www.bleepingcomputer.com/news/security/drift-280m-crypto-theft-linked-to-6-month-in-person-operation/"},{"date":"2026-04-05","event":"Drift Protocol publishes post-mortem attributing attack to UNC4736 (Citrine Sleet) with medium confidence based on on-chain fund flows to Radiant Capital addresses. Mandiant and law enforcement engaged.","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2026/04/05/drift-says-usd270-million-exploit-was-a-six-month-north-korean-intelligence-operation"}]},"v":1}
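The string above is the input to the check this page describes: those exact UTF-8 bytes are hashed with SHA-256, the digest is base58-encoded, and that value must equal both the database hash and the h: field of the on-chain memo. The line breaks in the display fall inside JSON string values, where a raw newline would be invalid, so they are wrapping and are not part of the hashed bytes. The following Python is an added example of that comparison, written for this page; it is not the site's src.verify_decision module. It assumes the memo layout AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso> as stated above, the Bitcoin/Solana base58 alphabet, that d: carries the investigation id (the page only says <id>), and it uses a shortened, constructed stand-in for the canonical bytes; fetching the memo from Solana is left to the caller.

```python
"""Independent check of an AVOID.NET decision anchor (added example, not the
site's src.verify_decision). Assumes the canonical bytes are hashed exactly as
displayed, the memo is AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>, and base58
uses the Bitcoin/Solana alphabet. Fetching the memo (getTransaction RPC) is left
to the caller."""
import hashlib
from datetime import datetime
from typing import List, NamedTuple, Optional

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    """Bitcoin-style base58: big-endian integer, each leading 0x00 byte -> '1'."""
    n, digits = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + digits

def b58decode(text: str) -> bytes:
    """Inverse of b58encode; a character outside the alphabet raises ValueError."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body

def canonical_hash_b58(payload: bytes) -> str:
    """SHA-256 over the exact canonical bytes, base58-encoded: the value in the memo's h: field."""
    return b58encode(hashlib.sha256(payload).digest())

Memo = NamedTuple("Memo", [("hash_b58", str), ("decision_id", str), ("off_chain_at", str)])

def parse_memo(memo: str) -> Memo:
    """Strict parse of AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>; anything else is rejected."""
    parts = memo.split("|")
    if len(parts) != 5 or parts[:2] != ["AVOID.NET", "v1"]:
        raise ValueError(f"unexpected memo layout: {memo!r}")
    values = []
    for part, key in zip(parts[2:], ("h", "d", "t")):
        if not part.startswith(key + ":") or len(part) == 2:
            raise ValueError(f"bad memo field {part!r}, expected {key}:<value>")
        values.append(part[2:])  # slice, not split on ':' -- the t:<iso> value contains colons
    return Memo(*values)

Verdict = NamedTuple("Verdict", [("ok", bool), ("recomputed", str), ("problems", List[str])])

def _utc(iso: str) -> datetime:
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def verify(payload: bytes, db_hash: str, memo_text: str,
           expected_id: Optional[str] = None, block_time: Optional[str] = None) -> Verdict:
    """Three-way comparison: database hash, recomputed hash, on-chain memo hash.
    expected_id is the <id> shown in the decision log; block_time is the anchoring slot's block time."""
    problems = []
    recomputed = canonical_hash_b58(payload)
    if db_hash != recomputed:
        problems.append("database hash != recomputed hash (bytes altered or mis-copied)")
    try:
        memo = parse_memo(memo_text)
    except ValueError as exc:
        return Verdict(False, recomputed, problems + [str(exc)])
    if memo.hash_b58 != recomputed:
        problems.append("on-chain hash != recomputed hash")
    if expected_id is not None and memo.decision_id != expected_id:
        problems.append(f"memo names decision {memo.decision_id!r}, not {expected_id!r}")
    if block_time is not None:  # the chain's clock, not the memo's own t:, is what to rely on
        try:
            if _utc(memo.off_chain_at) > _utc(block_time):
                problems.append("memo t: is later than the block time of the anchoring slot")
        except ValueError:
            problems.append("memo t: or block time is not ISO-8601")
    return Verdict(not problems, recomputed, problems)

# Constructed stand-in for the canonical bytes: the page's top-level keys with a short
# snapshot. For a real check paste the exact string under "Canonical bytes hashed" and
# never round-trip it through json.loads/json.dumps, which can change spacing or key order.
PAYLOAD = (
    '{"actor":"system:backfill","investigation_id":"6756abb1-fffe-4beb-a1de-ea0c3f432d07",'
    '"kind":"publish","page_slug":"citrine-sleet-applejeus","published_at":"2026-06-03T00:08:19.627Z",'
    '"sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Citrine Sleet / AppleJeus"},'
    '"v":1}'
).encode("utf-8")
DECISION_ID = "6756abb1-fffe-4beb-a1de-ea0c3f432d07"  # assumption: d: carries the investigation id
OFF_CHAIN_AT = "2026-06-03T00:08:19.736Z"

def main() -> None:
    h = canonical_hash_b58(PAYLOAD)
    # No RPC here, so a memo rebuilt from our own recomputation stands in for the fetched
    # one; against the live page its h: must equal the database hash the page displays.
    memo = f"AVOID.NET|v1|h:{h}|d:{DECISION_ID}|t:{OFF_CHAIN_AT}"
    print(verify(PAYLOAD, h, memo, expected_id=DECISION_ID, block_time="2026-06-03T00:08:31Z"))
    # One pasted newline changes the digest: the comparison is byte-exact.
    print(verify(PAYLOAD.replace(b',"kind"', b',\n"kind"'), h, memo))

if __name__ == "__main__":
    main()
```

To run this against a real decision, replace PAYLOAD with the exact bytes shown under "Canonical bytes hashed", pass the database hash from the page as db_hash, and fetch the transaction for the listed signature with the getTransaction RPC method at finalized commitment: the memo instruction's text goes in memo_text and the response's blockTime (Unix seconds, convert to ISO-8601 UTC) goes in block_time. What a passing result proves is narrow but useful: the site committed to these exact bytes no later than that block time and has not altered them since. It says nothing about whether the verdict itself was correct, and the t: value inside the memo is the site's own claim, which is why the block time is the timestamp to cite.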