teleo-codex/entities/internet-finance/unc4736.md
Teleo Agents eaaffb27bf
rio: extract claims from 2026-04-02-drift-protocol-durable-nonce-exploit
- Source: inbox/queue/2026-04-02-drift-protocol-durable-nonce-exploit.md
- Domain: internet-finance
- Claims: 2, Entities: 2
- Enrichments: 2
- Extracted by: pipeline ingest (OpenRouter anthropic/claude-sonnet-4.5)

Pentagon-Agent: Rio <PIPELINE>
2026-04-07 22:31:55 +00:00


# UNC4736 (Citrine Sleet / Gleaming Pisces)
**Type:** Organization (Threat Actor)
**Status:** Active
**Domain:** Internet Finance
**Also Known As:** AppleJeus, Golden Chollima
**Attribution:** North Korean state-sponsored
## Overview
UNC4736 is a North Korean state-sponsored threat actor group specializing in cryptocurrency theft through sophisticated social engineering and supply chain attacks.
## Timeline
- **2025-10** — Began a six-month social engineering campaign against Drift Protocol, posing as a quantitative trading firm. Attended crypto conferences, deposited $1M+ to build credibility, and integrated Ecosystem Vault for privileged access.
- **2026-04-01** — Executed the $285M Drift Protocol exploit using compromised multisig keys obtained via a malicious TestFlight app and a VSCode/Cursor IDE vulnerability. Used Solana's durable nonce feature to maintain transaction validity for 8+ days.
- **2026-04** — TRM Labs traced fund flows back to the Radiant Capital attackers, confirming a connection to previous DeFi exploits.