# UNC4736 (Citrine Sleet / Gleaming Pisces)

- **Type:** Organization (Threat Actor)
- **Status:** Active
- **Domain:** Internet Finance
- **Also Known As:** AppleJeus, Golden Chollima
- **Attribution:** North Korean state-sponsored

## Overview

UNC4736 is a North Korean state-sponsored threat actor group specializing in cryptocurrency theft through sophisticated social engineering and supply chain attacks.

## Timeline

- **2025-10** — Began six-month social engineering campaign against Drift Protocol, posing as quantitative trading firm. Attended crypto conferences, deposited $1M+ to build credibility, integrated Ecosystem Vault for privileged access.
- **2026-04-01** — Executed $285M Drift Protocol exploit using compromised multisig keys obtained via malicious TestFlight app and VSCode/Cursor IDE vulnerability. Used Solana durable nonce feature to maintain transaction validity for 8+ days.
- **2026-04** — TRM Labs traced fund flows back to Radiant Capital attackers, confirming connection to previous DeFi exploits.