Sample Brief — Preview of Subscriber Experience

Subscriber Use Only
TLP: AMBER · Not for Public Release
Distribution: Financial Services Sector Subscribers
Financial Services Sector Intelligence Brief
Correlated · Sector-Specific · Plain Language
Week of April 13, 2026
Sources: FBI · Mandiant · TRM Labs · CrowdStrike · Anthropic · TechCrunch · Bloomberg · OSINT
National Threat Level
Critical
Drift Protocol $285M hack confirmed as 6-month DPRK social engineering operation — fund flows traced to Radiant Capital attackers. Booking.com data breach confirmed today — customer reservation data exposed, WhatsApp fraud already underway. FBI dismantles W3LLSTORE phishing market linked to $20M fraud. Anthropic Mythos Preview AI can autonomously exploit zero-days — JPMorgan Chase is a Project Glasswing partner. Mandiant: adversary handoffs 22 seconds, financial services #3 most targeted sector. ShinyHunters publishes 78.6M Rockstar Games records via Anodot/Snowflake. Adobe Acrobat Reader zero-day actively exploited via malicious PDFs.
What You Need To Know This Week
For Decision Makers — Plain Language

The full picture of the Drift Protocol $285 million hack emerged this week and it confirms what this brief has been tracking: the most dangerous threat to financial services is not malware — it is social engineering. Drift revealed that DPRK-linked attackers (UNC4736 / Golden Chollima) spent six months infiltrating their organization. The attackers first approached Drift contributors at a major crypto conference in late 2025, posing as a legitimate quantitative trading firm. They met targets face-to-face at conferences in multiple countries. They deposited $1 million of their own money to build credibility. They shared malicious code repositories and fake wallet applications through Apple TestFlight. Then on April 1, they drained $285 million in 12 minutes. TRM Labs confirmed on-chain fund flows trace to the same actors behind the 2024 Radiant Capital exploit. CrowdStrike describes Golden Chollima as ensuring “baseline revenue generation for the DPRK regime” — these are not freelance criminals, they are state employees funding nuclear weapons programs with stolen financial assets.

Today, Booking.com confirmed a data breach exposing customer reservation data including names, email addresses, phone numbers, and booking details. Hackers are already using the stolen data for targeted WhatsApp fraud schemes. While financial data was reportedly not accessed, the exposed personal information enables highly convincing social engineering attacks against millions of travelers — including financial sector employees traveling for business. The FBI also dismantled the W3LLSTORE phishing market this week, a $20 million fraud operation specifically targeting financial institutions through phishing-as-a-service.

The strategic landscape shifted further with Anthropic’s Mythos Preview announcement. JPMorgan Chase is a founding partner of Project Glasswing, indicating the largest U.S. bank recognizes that AI-enabled zero-day discovery is an existential threat to financial infrastructure. Mandiant’s M-Trends 2026 confirmed financial services is the #3 most targeted sector, adversary handoff times have collapsed to 22 seconds, and voice phishing has surpassed email phishing as the #2 initial infection vector. ShinyHunters published 78.6 million Rockstar Games records today after exploiting the Anodot/Snowflake third-party SaaS pattern — the same pattern that can compromise any financial institution using cloud-hosted analytics or cost monitoring platforms.

The bottom line: every major financial institution is one compromised vendor, one social engineering campaign, or one unpatched PDF reader away from a material breach. The SitusAMC breach (JPMorgan Chase, Citibank, Morgan Stanley) demonstrated that even the largest banks are exposed through their vendor ecosystem. The Drift hack demonstrated that six months of patient social engineering can bypass every technical control. And Anthropic’s Mythos Preview demonstrated that the cost of finding and exploiting zero-days has collapsed. Financial institutions must defend not just their own networks but their entire ecosystem of vendors, partners, employees, and contractors.

$285M
Drift Hack (6-Month DPRK Op)
$20M
W3LLSTORE Fraud (FBI Takedown)
22s
Adversary Handoff (M-Trends)
78.6M
Rockstar Records Published
80% · Active Campaigns Targeting Financial Services
Sources: FBI · Mandiant · TRM Labs · CrowdStrike · Anthropic · TechCrunch
Drift Protocol — DPRK 6-Month Social Engineering Timeline Fully Revealed
Critical
Sources: Drift Investigation · TRM Labs · The Hacker News · Hackread · Bloomberg · April 6–13, 2026
Drift Protocol published its full investigation this week, confirming the $285 million hack was the culmination of a six-month DPRK social engineering operation. Full timeline:
1. Late 2025: attackers approached Drift contributors at a major crypto conference, posing as a quantitative trading firm. They met targets in person at conferences in multiple countries.
2. December 2025–January 2026: deposited $1 million into a Drift Ecosystem Vault to establish credibility. Maintained Telegram communications and shared links to projects and tools.
3. March 11: on-chain staging began with a 10 ETH withdrawal from Tornado Cash at approximately 09:00 Pyongyang time.
4. April 1: executed 31 rapid withdrawals in 12 minutes, draining $285 million. Immediately after the hack, attackers deleted all Telegram communications.
Three attack vectors were identified: (1) a contributor persuaded to download a malicious wallet via Apple TestFlight, (2) a contributor induced to clone a malicious code repository, (3) potential exploitation of VSCode/Cursor vulnerabilities. TRM Labs confirmed fund flows trace to the Radiant Capital attackers (DPRK). Mandiant was engaged for forensic investigation. The SEAL 911 investigation confirmed overlaps with known DPRK-linked operational patterns. CrowdStrike describes the responsible group, Golden Chollima, as ensuring “baseline revenue generation for the DPRK regime” by targeting small fintech firms in the U.S., Canada, South Korea, India, and Western Europe.
Action Required: Every financial institution with DeFi exposure, cryptocurrency custody, or blockchain integration should immediately review contributor and developer vetting processes for social engineering vulnerabilities. Implement verification protocols for conference-based partnership approaches. Never clone code repositories or install applications from unverified business contacts. Require timelocks on all administrative governance changes. Monitor for oracle manipulation in DeFi-integrated systems. Brief all client-facing and technical staff on conference-based DPRK social engineering patterns.
Booking.com Data Breach — Customer Reservation Data Exposed, WhatsApp Fraud Underway
Critical
Sources: TechCrunch · Help Net Security · The Register · April 13–14, 2026
Booking.com confirmed today that unauthorized third parties accessed customer reservation data including names, email addresses, phone numbers, booking details, and any information shared with accommodations. Financial data was reportedly not accessed. However, the exposed information is already being weaponized: reports indicate hackers are using stolen booking details to send targeted WhatsApp messages impersonating hotels and Booking.com, requesting payment information from travelers who have active reservations. For financial services, this is relevant in two ways: (1) corporate travelers — including financial sector employees attending conferences and client meetings — are among the affected population, creating targeted phishing opportunities against high-value individuals, and (2) the breach demonstrates the same third-party/partner vulnerability pattern seen across every sector this quarter. Booking.com’s partner ecosystem was the attack vector, not Booking.com’s own systems.
Action Required: Alert traveling employees to the Booking.com breach and active WhatsApp fraud campaigns. Instruct staff to verify any hotel or booking-related requests through official channels. Review corporate travel booking procedures for exposure. Monitor for phishing attempts targeting employees with known travel schedules.
Anthropic Mythos Preview — AI Zero-Day Discovery and Financial Infrastructure Exposure
Critical — Capability Shift
Sources: Anthropic · The Hacker News · BankInfoSecurity · April 8, 2026
Anthropic’s unreleased Mythos Preview AI model autonomously found and exploited zero-day vulnerabilities in every major operating system and browser. JPMorgan Chase is a founding partner of Project Glasswing, the initiative formed to use the model defensively — indicating the largest U.S. bank recognizes this as an existential threat. BankInfoSecurity reported that Mythos “promises to democratize access to such capabilities,” meaning the cost of finding and exploiting zero-days in financial infrastructure has collapsed from millions of dollars to thousands. Financial institutions rely on complex stacks of legacy and modern software — core banking systems, payment processors, trading platforms, risk engines, regulatory reporting tools — all of which contain undiscovered vulnerabilities that AI models like Mythos can now find autonomously. Palo Alto Networks warned similar capabilities are “weeks or months from proliferation.” Adversaries targeting financial institutions will soon be able to discover zero-days in the specific software your organization runs, at minimal cost.
Action Required: Engage with vendors of core banking, payment, and trading systems about their AI-augmented security testing programs. Conduct an inventory of all software in production and identify the oldest, least-audited components. Accelerate adoption of defense-in-depth architectures that assume zero-day exploitation is inevitable. Begin evaluating AI-augmented defensive security tooling. Ensure incident response plans account for exploitation of previously unknown vulnerabilities in production financial systems.
Mandiant M-Trends 2026 — Financial Services #3 Most Targeted, 22-Second Handoffs
Critical
Sources: Mandiant/Google GTIG · SecurityWeek · March 24, 2026
Mandiant’s M-Trends 2026 report, based on 500,000+ hours of incident response, confirmed financial services as the #3 most targeted sector in 2025 behind high-tech and business services. Key findings for finance: adversary handoff times collapsed to 22 seconds — initial access brokers pre-stage ransomware operators’ tools during the initial infection. Voice phishing is now the #2 initial vector at 11%, driven by ShinyHunters and Scattered Spider targeting help desks and IT support workflows. Email phishing dropped to 6%. Cloud and SaaS compromises are increasing, with attackers stealing OAuth tokens and session cookies that persist even after password changes. Modern ransomware groups are targeting backup infrastructure, identity services, and virtualization management before encrypting production — “recovery denial” that forces financial institutions to choose between paying or rebuilding from scratch. For banks where system downtime directly impacts transactions, payments, and regulatory reporting, this strategy is specifically designed to maximize pressure to pay.
Action Required: Restructure SOC workflows for 22-second containment. Train help desk staff on voice phishing verification — multi-channel identity verification is now mandatory. Implement monitoring for OAuth token and session cookie theft across all SaaS platforms. Air-gap or implement immutable backup infrastructure. Audit prior compromise history — if your institution was breached and remediated, assume the access was sold.
FBI Dismantles W3LLSTORE Phishing Market — $20M Fraud Targeting Financial Institutions
High
Sources: Hackread · FBI Atlanta · Indonesian National Police · April 12, 2026
FBI Atlanta and Indonesian National Police dismantled the W3LLSTORE phishing market, a $20 million fraud operation that provided phishing-as-a-service specifically targeting financial institutions. The operation sold custom phishing kits, credential harvesting tools, and ready-made campaigns targeting banking customers. While the takedown disrupts this specific operation, the phishing-as-a-service model continues to proliferate. The tools, techniques, and customer lists from W3LLSTORE will seed follow-on operations. Financial institutions should expect evolved phishing campaigns in the coming weeks as former W3LLSTORE customers migrate to alternative platforms.
Action Required: Review phishing detection capabilities for W3LLSTORE-style kit indicators. Implement enhanced monitoring for credential harvesting campaigns targeting your customers. Coordinate with your institution’s fraud team on expected post-takedown migration of phishing actors to new platforms. Brief customer-facing teams on the takedown and anticipated follow-on activity.
ShinyHunters Publishes 78.6M Rockstar Games Records — Anodot/Snowflake Pattern Continues
High
Sources: Bitdefender · Help Net Security · Tom’s Hardware · Kotaku · April 11–14, 2026
ShinyHunters published 78.6 million records from Rockstar Games on April 14 after the company refused to pay ransom. The breach was executed through Anodot, a third-party SaaS platform for cloud cost monitoring, using stolen authentication tokens to access Rockstar’s Snowflake environment. Financial institutions should pay close attention: this is the same third-party SaaS exploitation pattern ShinyHunters has used repeatedly. Any financial institution using Snowflake, Anodot, or similar cloud analytics platforms is exposed to the same attack vector. The attacker does not need to compromise your network — they compromise your vendor and use stolen tokens to access your cloud data. Audit every third-party integration that touches your Snowflake, AWS, or Azure environments for token hygiene and access scope.
Action Required: Audit all third-party SaaS integrations for authentication token hygiene. Review Snowflake, AWS, and Azure environments for excessive third-party access scopes. Implement continuous monitoring for anomalous third-party access patterns. Rotate tokens for all cloud analytics and cost monitoring integrations. Contact Anodot for breach impact assessment if your institution uses their services.
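One way to operationalize the token-hygiene audit above, and the M-Trends recommendation to monitor for stolen OAuth tokens used against SaaS platforms: compare each integration account's successful logins against what the vendor's SaaS should look like (egress range, auth factor, client type, credential age). This is an added example, not code from Drift, Anodot, Snowflake or any vendor; the field names mirror Snowflake's LOGIN_HISTORY view, but the inventory, CIDRs and events are constructed.

```python
"""Triage Snowflake-style login events for third-party integration accounts.

Constructed sample data: the keys mirror LOGIN_HISTORY columns (USER_NAME,
CLIENT_IP, REPORTED_CLIENT_TYPE, FIRST_AUTHENTICATION_FACTOR, IS_SUCCESS),
but every value below is invented for this example.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Integration:
    user: str                 # service account the vendor's SaaS uses
    egress: tuple[str, ...]   # vendor-documented egress CIDRs (assumed)
    auth_factor: str          # expected FIRST_AUTHENTICATION_FACTOR
    client_type: str          # expected REPORTED_CLIENT_TYPE (a driver, never the UI)
    rotated_on: datetime      # last credential rotation for this account


# Hypothetical inventory; the CIDR is a documentation range, not any vendor's.
INVENTORY = {
    "SVC_COST_MONITOR": Integration(
        "SVC_COST_MONITOR", ("203.0.113.0/24",), "OAUTH_ACCESS_TOKEN",
        "JDBC_DRIVER", datetime(2026, 1, 5)),
}
MAX_CREDENTIAL_AGE = timedelta(days=90)


def triage(events: list[dict], inventory: dict, now: datetime) -> list[tuple[str, str]]:
    """Return (user, reason) findings for logins that do not match the inventory."""
    findings = []
    for ev in events:
        spec = inventory.get(ev["USER_NAME"])
        if spec is None or not ev["IS_SUCCESS"]:
            continue  # only successful logins by known integration accounts matter here
        ip = ip_address(ev["CLIENT_IP"])
        if not any(ip in ip_network(cidr) for cidr in spec.egress):
            findings.append((spec.user, f"login from non-vendor IP {ip}"))
        if ev["FIRST_AUTHENTICATION_FACTOR"] != spec.auth_factor:
            findings.append((spec.user, "unexpected auth factor " + ev["FIRST_AUTHENTICATION_FACTOR"]))
        if ev["REPORTED_CLIENT_TYPE"] != spec.client_type:
            # a stolen token driven by a human shows up as an interactive client
            findings.append((spec.user, "unexpected client " + ev["REPORTED_CLIENT_TYPE"]))
    for spec in inventory.values():
        if now - spec.rotated_on > MAX_CREDENTIAL_AGE:
            findings.append((spec.user, "credential older than rotation policy"))
    return findings


# Constructed events: one normal vendor login, one token used from an unknown
# IP through the web UI, one failed attempt, one unrelated user.
SAMPLE_EVENTS = [
    {"USER_NAME": "SVC_COST_MONITOR", "CLIENT_IP": "203.0.113.7", "IS_SUCCESS": True,
     "FIRST_AUTHENTICATION_FACTOR": "OAUTH_ACCESS_TOKEN", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER"},
    {"USER_NAME": "SVC_COST_MONITOR", "CLIENT_IP": "198.51.100.20", "IS_SUCCESS": True,
     "FIRST_AUTHENTICATION_FACTOR": "OAUTH_ACCESS_TOKEN", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI"},
    {"USER_NAME": "SVC_COST_MONITOR", "CLIENT_IP": "198.51.100.20", "IS_SUCCESS": False,
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI"},
    {"USER_NAME": "ANALYST_1", "CLIENT_IP": "192.0.2.9", "IS_SUCCESS": True,
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI"},
]
NOW = datetime(2026, 4, 14)


def run_sample() -> list[tuple[str, str]]:
    return triage(SAMPLE_EVENTS, INVENTORY, NOW)


if __name__ == "__main__":
    for user, reason in run_sample():
        print(f"{user}: {reason}")
```

In production the events come from a query over the ACCOUNT_USAGE login view rather than a list literal; the inventory is the part most teams do not have written down, and building it is the audit.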
Adobe Acrobat Reader Zero-Day — CVE-2026-34621 Actively Exploited via Malicious PDFs
High
Sources: Adobe · CISA KEV · EXPMON · April 11–13, 2026
Adobe patched a critical Acrobat Reader zero-day (CVE-2026-34621, CVSS 8.6) that has been actively exploited since December 2025. Malicious PDFs execute JavaScript to fingerprint systems, steal data, and deliver follow-on exploits. CISA added it to the KEV catalog with an April 27 remediation deadline. Financial institutions exchange enormous volumes of PDFs — contracts, regulatory filings, audit reports, client correspondence, trade confirmations, compliance documents. Phishing emails delivering malicious PDFs are disguised as invoices, legal documents, and regulatory communications. A single malicious PDF opened by a compliance officer, trader, or relationship manager is enough to establish a foothold.
Action Required: Patch Adobe Acrobat Reader immediately across all endpoints. Block “Adobe Synchronizer” User Agent traffic. Instruct staff not to open PDF attachments from unverified senders. Implement PDF sandboxing for incoming documents.
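A first-pass triage step for the PDF sandboxing recommended above: statically flag documents that carry active content before they reach a reader. This is an added example, not Adobe's, CISA's or EXPMON's tooling and not tied to the specifics of CVE-2026-34621; it looks for the PDF name objects that let a document run script or open things on load, and it resolves the #xx hex escapes the PDF syntax allows for names, since those are a common way of hiding such keywords from naive string matching. The sample documents are constructed inline.

```python
"""Static triage of PDF attachments for active-content markers (added example)."""
import re

# Name objects that make a PDF do something beyond rendering pages.
RISKY_NAMES = {"JavaScript", "JS", "OpenAction", "AA", "Launch", "EmbeddedFile"}

# A PDF name: '/' followed by regular characters, with #xx hex escapes allowed.
_NAME = re.compile(rb"/([^\s/\[\]<>(){}%]+)")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def _decode_name(raw: bytes) -> str:
    """Resolve #xx escapes, e.g. b'J#61vaScript' -> 'JavaScript'."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf(data: bytes) -> dict[str, int]:
    """Count risky name objects in the raw bytes, escapes resolved.

    Caveat: names inside FlateDecode-compressed object streams are invisible
    to a raw scan; inflate those streams first or route such files to review.
    """
    hits: dict[str, int] = {}
    for m in _NAME.finditer(data):
        name = _decode_name(m.group(1))
        if name in RISKY_NAMES:
            hits[name] = hits.get(name, 0) + 1
    return hits


def verdict(data: bytes) -> str:
    """Map scan results to a mail-gateway decision."""
    if not data.startswith(b"%PDF-"):
        return "reject: not a PDF header"
    hits = scan_pdf(data)
    script = "JavaScript" in hits or "JS" in hits
    auto = "OpenAction" in hits or "AA" in hits       # runs without user interaction
    if script and auto:
        return "sandbox: script runs automatically on open"
    if hits:
        return "review: " + ", ".join(sorted(hits))
    return "allow"


# Constructed minimal documents; the script bodies are placeholders, not exploits.
CLEAN = b"%PDF-1.7\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n%%EOF"
AUTO_SCRIPT = (b"%PDF-1.7\n1 0 obj<</Type/Catalog/OpenAction 3 0 R>>endobj\n"
               b"3 0 obj<</S/JavaScript/JS(0)>>endobj\n%%EOF")
OBFUSCATED = (b"%PDF-1.7\n1 0 obj<</Type/Catalog/Open#41ction 3 0 R>>endobj\n"
              b"3 0 obj<</S/J#61vaScript/#4AS(0)>>endobj\n%%EOF")
EMBEDDED = b"%PDF-1.7\n4 0 obj<</Type/EmbeddedFile/Length 0>>stream\nendstream endobj\n%%EOF"

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN), ("auto", AUTO_SCRIPT), ("obf", OBFUSCATED), ("embed", EMBEDDED)]:
        print(label, "->", verdict(doc))
```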
CPUID Supply Chain Attack — Financial Sector IT Staff Targeted
High
Sources: Kaspersky · The Hacker News · April 9–13, 2026
CPUID’s website was compromised for 19 hours (April 9–10), serving trojanized CPU-Z and HWMonitor that deployed STX RAT. Financial sector IT staff, data center engineers, and system administrators with privileged access to trading systems, payment infrastructure, and core banking environments are the target user base for these tools. STX RAT harvests credentials, VPN data, and password manager contents. A compromised workstation inside a financial institution’s IT department provides direct access to the most sensitive systems.
Action Required: Check all IT workstations for CPUID downloads April 9–10. Isolate and rotate credentials if found. Block C2 95.216.51[.]236. Implement application allowlisting on privileged workstations.

10% · Social Engineering & Human-Layer Targeting
Sources: Drift Investigation · Mandiant · Booking.com · OSINT
Conference-Based DPRK Operations — Updated Intelligence from Drift Investigation
Critical
Sources: Drift Investigation · The Hacker News · CrowdStrike · April 13, 2026
The Drift investigation revealed operational details that financial institutions must internalize: DPRK actors are investing months of effort and real capital to build trust with targets before executing attacks. They attend industry conferences in person, maintain sustained communication through legitimate channels (Telegram, Slack), deposit real money into platforms, and present themselves as sophisticated business partners. The attackers deleted all communications immediately after the hack — indicating operational discipline designed to complicate forensic investigation. This is not opportunistic cybercrime. This is state-sponsored intelligence tradecraft applied to financial theft. Financial sector employees who attend conferences, participate in industry collaboration groups, or evaluate new technology partnerships should treat any unsolicited relationship-building as a potential targeting indicator. The attackers specifically target contributors and developers — people with access to code repositories, governance systems, and administrative controls — rather than senior executives.
Action Required: Brief all employees attending financial conferences on DPRK social engineering methodology. Implement multi-person verification for any new business partnership involving code sharing, application installation, or technical integration. Never download applications via TestFlight or side-loading from unverified business contacts. Harden developer environments — VSCode, Cursor, and code repositories are documented attack vectors. Report suspicious approaches to your security team and FBI CyWatch.
SitusAMC Breach Continuing — JPMorgan Chase, Citibank, Morgan Stanley Still Assessing Impact
Elevated
Sources: Quantum Safe News · FBI · Continuing from Week 2
The SitusAMC mortgage vendor breach (reported in last week’s brief) continues with JPMorgan Chase, Citibank, and Morgan Stanley still assessing the impact on their customer data. The FBI investigation is ongoing. SSNs and financial details from loan applications may be compromised. This breach demonstrates the fundamental vulnerability of the financial sector’s vendor ecosystem: a single mortgage technology vendor breach exposes the three largest names in American banking. The breach also highlights a regulatory exposure — financial institutions bear responsibility for the security of their vendor ecosystem regardless of where the actual compromise occurred.
Action Required: If your institution uses SitusAMC services, maintain ongoing coordination with SitusAMC and the FBI on impact assessment. Prepare customer notification procedures. Implement enhanced fraud monitoring for mortgage customer populations. Review vendor cybersecurity obligations in all contracts.

10% · Active Threat Actor Profiles — Financial Services
Sources: MITRE ATT&CK · TRM Labs · CrowdStrike · Mandiant · Google GTIG
UNC4736 / Golden Chollima (DPRK)
Drift Protocol ($285M) · Radiant Capital ($50M) · Labyrinth Chollima offshoot · State revenue generation
DPRK State-Sponsored
Full operational timeline now confirmed. Six months of patient social engineering including in-person conference meetings across countries, $1M real deposit, and sustained communication. Mandiant engaged for forensic investigation. Fund flows confirmed to Radiant Capital attackers via TRM Labs and on-chain analysis. CrowdStrike describes Golden Chollima as targeting small fintech firms in the U.S., Canada, South Korea, India, and Western Europe to generate “baseline revenue for the DPRK regime.” Despite improving trade relations with Russia, the DPRK requires additional revenue to fund nuclear weapons, destroyers, nuclear submarines, and additional satellite launches. Every dollar stolen funds state military programs. The operational patience, capital investment, and in-person tradecraft demonstrated in the Drift operation represent the highest-sophistication social engineering campaign documented against the financial sector.
Primary TTPs
Conference Infiltration, 6-Month Social Engineering, Oracle Manipulation, Multisig Exploitation
Target Sectors
DeFi, Cryptocurrency, Fintech, Financial Services
Activity Level
Critical · $285M stolen · Full timeline confirmed
ShinyHunters — Active
Rockstar Games (78.6M records) · TransUnion · European Commission · Anodot/Snowflake pattern
Cybercriminal
Published 78.6 million Rockstar Games records today after the April 14 ransom deadline passed. The breach exploited Anodot, a third-party SaaS platform, using stolen authentication tokens to access Snowflake-hosted data. This is the same pattern used against TransUnion, the European Commission, and other targets. ShinyHunters consistently exploits the gap between trusted SaaS integrations and the cloud environments they connect to. Financial institutions using any cloud-hosted analytics, cost monitoring, or business intelligence platform connected to their primary cloud environments via authentication tokens are exposed to this exact attack vector. ShinyHunters does not need to hack your network — they hack your vendor’s vendor.
Primary TTPs
Third-Party SaaS Exploitation, Token Theft, Vishing, Snowflake/Cloud Targeting
Target Sectors
Technology, Financial Services, Government, Gaming
Activity Level
Active · 78.6M records published today · Pattern escalating
UNC1069 / Sapphire Sleet (DPRK) — Continuing
Axios npm supply chain ($600K installs) · Coordinated with UNC4736 campaign timing
DPRK State-Sponsored
The Axios npm supply chain compromise continues to generate follow-on risk. Stolen credentials and tokens from the March 31 attack are being used for secondary operations. Combined with the Drift hack, two distinct DPRK threat groups (UNC4736 and UNC1069) conducted major financial sector attacks within days of each other, suggesting state-level campaign coordination. Financial institutions should assume any system that ran npm install during the March 31 exposure window may have exported credentials that are now in DPRK hands.
Primary TTPs
Supply Chain Compromise, Social Engineering, npm Hijacking, Credential Theft
Target Sectors
Software Supply Chain, Financial Services, Cryptocurrency
Activity Level
Active · Follow-on operations from stolen credentials ongoing

This Week’s Non-Negotiables
Immediate — This Week
1. Patch Adobe Acrobat Reader against CVE-2026-34621 — actively exploited via PDFs
2. Alert traveling employees to Booking.com breach and active WhatsApp fraud
3. Check all IT workstations for CPUID downloads April 9–10
4. Audit all third-party SaaS integrations for authentication token hygiene (ShinyHunters pattern)
5. Brief conference-attending staff on DPRK social engineering methodology
6. Maintain SitusAMC impact coordination (JPMorgan/Citi/Morgan Stanley exposure)
Near-Term — 30 Days
1. Restructure SOC for 22-second containment — automate detection and response
2. Train help desk on multi-channel identity verification (vishing is #2 vector)
3. Implement immutable backup infrastructure (recovery denial is the new ransomware)
4. Engage core banking/payment vendors on AI-augmented security testing programs
5. Rotate all Snowflake/cloud analytics tokens and review third-party access scopes
6. Implement multi-person verification for new business partnerships involving code/app sharing