- Source: inbox/queue/2026-04-02-drift-protocol-durable-nonce-exploit.md - Domain: internet-finance - Claims: 2, Entities: 2 - Enrichments: 2 - Extracted by: pipeline ingest (OpenRouter anthropic/claude-sonnet-4.5) Pentagon-Agent: Rio <PIPELINE>
UNC4736 (Citrine Sleet / Gleaming Pisces)
Type: Organization (Threat Actor)
Status: Active
Domain: Internet Finance
Also Known As: AppleJeus, Golden Chollima
Attribution: North Korean state-sponsored
Overview
UNC4736 is a North Korean state-sponsored threat actor group specializing in cryptocurrency theft through sophisticated social engineering and supply chain attacks.
Timeline
- 2025-10 — Began a six-month social engineering campaign against Drift Protocol, posing as a quantitative trading firm. Attended crypto conferences, deposited $1M+ to build credibility, and integrated an Ecosystem Vault for privileged access.
- 2026-04-01 — Executed the $285M Drift Protocol exploit using compromised multisig keys obtained via a malicious TestFlight app and a VSCode/Cursor IDE vulnerability. Used Solana's durable nonce feature to maintain transaction validity for 8+ days.
- 2026-04 — TRM Labs traced fund flows back to Radiant Capital attackers, confirming connection to previous DeFi exploits.