Sources: TRM Labs · Bloomberg · Fortune · The Hacker News · Hackread · TechCrunch · April 1–6, 2026
On April 1, DPRK-linked hackers drained $285 million from Drift Protocol in approximately 12 minutes — the largest DeFi hack of 2026 and the second-largest in Solana’s history. The attack was not a code exploit. It was a six-month social engineering operation. Timeline: In late 2025, attackers approached Drift contributors at a major crypto conference, posing as a legitimate quantitative trading firm. They met contributors in person at conferences in multiple countries. Between December 2025 and January 2026, they deposited $1 million of their own money into a Drift Ecosystem Vault to establish credibility. They then used three attack vectors: (1) persuading a contributor to download a malicious wallet app via Apple TestFlight, (2) inducing a contributor to clone a malicious code repository, and (3) potentially exploiting known vulnerabilities in developer tools (VSCode/Cursor). Once inside, attackers manipulated a multisig migration to remove timelocks, manufactured a fictitious token (CarbonVote), manipulated oracles to treat it as legitimate collateral, and executed 31 rapid withdrawals in 12 minutes. On-chain fund flows trace to the same actors behind the October 2024 Radiant Capital exploit. TRM Labs and multiple security firms attribute the attack to DPRK-linked actors (UNC4736 / Golden Chollima). North Korea stole $2 billion in cryptocurrency in 2025 — approximately 60% of all crypto stolen globally. These funds directly support nuclear weapons programs and military expansion.
Action Required: Financial institutions with DeFi exposure, cryptocurrency custody, or blockchain integration should immediately review multisig governance controls and implement timelocks on all administrative changes. Audit contributor and developer vetting processes for social engineering vulnerabilities. Train developers on recognizing social engineering through conference interactions, fake collaboration platforms, and malicious code repositories. Monitor for oracle manipulation and anomalous collateral inflation in any DeFi-integrated systems. Review exposure to Drift Protocol and affected downstream Solana protocols.
Sources: Quantum Safe News Center · The Times of India · FBI · 2025–2026
A cyberattack on SitusAMC, a mortgage technology vendor used by hundreds of banks for loan origination, collections, and regulatory compliance, has potentially exposed sensitive customer data from JPMorgan Chase, Citibank, and Morgan Stanley. The FBI is investigating. The compromised data may include Social Security numbers and financial details from loan applications. SitusAMC serves as essential infrastructure for the real estate lending industry — a single breach at this vendor level cascades to the largest names in American banking. A cybersecurity analyst stated that “even the largest U.S. banks can be compromised indirectly when third-party service providers fall short.” Financial regulators have warned banks that smaller technology partners often lack the necessary cybersecurity infrastructure. This breach underscores why third-party vendor risk management is no longer optional — it is the primary attack surface for financial institutions.
Action Required: Financial institutions using SitusAMC services should contact SitusAMC directly for breach impact assessment. Audit all mortgage technology vendor relationships for breach notification requirements. Review vendor cybersecurity assessments and SOC 2 reports. Prepare customer notification procedures if data exfiltration is confirmed. Implement enhanced monitoring for identity theft and fraudulent account activity involving mortgage customer data. Coordinate with FBI through existing financial sector liaison channels.
Sources: Google GTIG · Microsoft · Palo Alto Unit 42 · SANS · March 31, 2026
North Korean state-sponsored hackers (UNC1069 / Sapphire Sleet) hijacked the Axios npm package — 100 million weekly downloads, present in approximately 80% of cloud and code environments — and deployed a cross-platform Remote Access Trojan. Financial institutions are directly affected because Axios is widely used in trading platforms, customer-facing portals, mobile banking applications, internal dashboards, risk management systems, and regulatory reporting tools. The RAT harvested credentials, SSH keys, AWS tokens, and npm tokens. Any financial services application that ran npm install during the 3-hour exposure window on March 31 is potentially compromised. Combined with the Drift hack, North Korean actors conducted two simultaneous attack campaigns targeting the financial sector in the same week — one through social engineering and one through supply chain compromise. This represents a coordinated, multi-vector campaign against financial infrastructure.
Action Required: Audit all npm dependencies across trading systems, customer portals, and internal applications for axios@1.14.1, axios@0.30.4, or plain-crypto-js. If found, treat affected systems as fully compromised and isolate from production financial networks. Rotate all credentials, API keys, and tokens on affected hosts. Pin axios to version 1.14.0 or earlier. Block traffic to sfrclak[.]com and 142.11.206.73. Coordinate with application vendors to confirm their dependency audits.
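One way to run the dependency audit above across many lockfiles, as an added example that is not from the newsletter or any cited vendor: a Node.js scanner that walks a package-lock.json (lockfileVersion 1, 2 or 3) and reports every installed copy of the versions named in the advisory, nested duplicates included. The lockfile contents are constructed sample data; the package names and versions are the ones listed in the action item.

```javascript
// Added example: scan an npm package-lock.json for the versions the advisory
// names. SAMPLE_LOCK below is constructed sample data, not a real lockfile.
const COMPROMISED = {
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["*"]), // "*" flags every version
};

// Walk a lockfileVersion 1 "dependencies" tree, yielding each installed copy.
function* walkV1(deps, parent) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${parent}node_modules/${name}`;
    yield { name, version: meta.version, path };
    if (meta.dependencies) yield* walkV1(meta.dependencies, `${path}/`);
  }
}
// Yield {name, version, path} for every package a lockfile records:
// lockfileVersion 2/3 keys "packages" by install path; v1 nests "dependencies".
function* lockfileEntries(lock) {
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project itself
      const name = path.slice(path.lastIndexOf("node_modules/") + 13);
      yield { name, version: meta.version, path };
    }
  } else if (lock.dependencies) {
    yield* walkV1(lock.dependencies, "");
  }
}
// Every matching installed copy, nested duplicates included: a clean top-level
// axios does not clear a bad copy installed under another dependency.
function findCompromised(lock) {
  const hits = [];
  for (const e of lockfileEntries(lock)) {
    const bad = COMPROMISED[e.name];
    if (bad && (bad.has("*") || bad.has(e.version))) hits.push(e);
  }
  return hits;
}

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "trading-portal", version: "2.0.0" },
    "node_modules/axios": { version: "1.14.0" },
    "node_modules/some-sdk": { version: "3.1.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "0.1.0" },
  },
};
for (const h of findCompromised(SAMPLE_LOCK)) console.log(`COMPROMISED: ${h.name}@${h.version} at ${h.path}`);
```

Point it at real lockfiles by replacing SAMPLE_LOCK with JSON.parse of each file's contents; a single hit is enough to treat the host as compromised under the action item above.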
Sources: ISMG · GovInfoSecurity · April 2, 2026
A software vulnerability in the Lloyds Banking mobile application exposed transaction data for nearly 450,000 customers. This was not a cyberattack — it was an application-level flaw, and it demonstrates that software defects in financial services applications handling sensitive transaction data can expose that data without any attacker involved. Application security testing, including dynamic analysis and penetration testing of mobile banking applications, is critical for preventing data exposure through non-malicious technical failures.
Action Required: Review your organization’s mobile application security testing program. Ensure dynamic application security testing (DAST) and penetration testing are conducted before every major release. Implement real-time monitoring for anomalous data access patterns in customer-facing applications. Audit API endpoints for proper access controls and data exposure limits.
Sources: Fox News · Security Boulevard · American Banker · State AG Filings · 2025–2026
The Marquis Financial Group breach has expanded to 672,000 confirmed affected individuals across 700+ financial institutions nationwide. Attackers exploited an unpatched SonicWall firewall vulnerability in August 2025, gaining access to systems containing names, addresses, card numbers, and other sensitive financial data. Marquis provides marketing and compliance services to banks and credit unions — concentrating sensitive customer data from hundreds of institutions in a single vendor environment. Texas accounts for the largest share of affected individuals with additional filings in Maine, Massachusetts, Iowa, and New Hampshire. Security experts note that exposed immutable identity data (SSNs, dates of birth) cannot be changed like passwords — once exposed, this information can be used indefinitely for account takeovers, new account fraud, and targeted scams referencing accurate personal and banking details.
Action Required: Financial institutions using Marquis services should verify whether their customers are in the affected population. Implement enhanced fraud monitoring for account takeover and new account fraud patterns. Audit all vendor relationships for patch management requirements — the SonicWall vulnerability was known and had a patch available. Review third-party vendor contracts for cybersecurity compliance obligations and breach notification timelines.
Sources: ISMG · Dutch Ministry of Finance Statement · March–April 2026
The Dutch Ministry of Finance took its “Mijn Schatkist” treasury banking portal offline after detecting unauthorized access on March 19. The ministry subsequently shut down multiple systems on March 23, cutting digital access for approximately 1,600 public sector entities including ministries, agencies, educational institutions, social funds, and local governments. Users cannot view balances or initiate financial instruments such as loans or deposits through the portal. While funds remain accessible through standard banking channels, the operational disruption to government financial operations is significant. This demonstrates how a breach at a centralized financial platform can cascade across an entire government’s operations — relevant for any financial institution providing infrastructure to government or institutional clients.
Action Required: Financial institutions providing treasury, payment, or banking infrastructure to government or institutional clients should review their incident response plans for scenarios where the platform must be taken offline. Ensure alternative transaction pathways are documented and tested. Audit centralized platform access controls and monitoring for unauthorized access patterns.
Sources: Cisco Advisory · April 2, 2026
Cisco disclosed a critical authentication bypass in the Integrated Management Controller allowing unauthenticated remote attackers to gain admin access through a crafted HTTP request (CVE-2026-20093, CVSS 9.8). Financial institutions running Cisco server infrastructure in data centers and trading environments should patch immediately. A compromised IMC gives an attacker persistent access below the operating system level — invisible to most endpoint detection and trading system monitoring tools.
Action Required: Patch all Cisco IMC instances immediately. Restrict IMC management interfaces to isolated management networks. Audit IMC access logs for unauthorized password change requests.
Sources: Drift Investigation · Hackread · The Hacker News · CrowdStrike · April 6, 2026
The Drift hack revealed a social engineering methodology that should alarm every financial institution: North Korean operatives are attending conferences in person, posing as legitimate firms, and building trust relationships over months before executing attacks. This is not remote phishing — this is physical pre-positioning in the financial sector’s professional ecosystem. The attackers met their targets face-to-face at multiple conferences across multiple countries, used real company identities, shared business cards, joined Slack and Telegram groups, and deposited real money to establish credibility. CrowdStrike describes Golden Chollima as targeting small fintech firms in the U.S., Canada, South Korea, India, and Western Europe to ensure “baseline revenue generation for the DPRK regime.” Financial sector employees attending conferences, joining industry collaboration groups, or engaging with new business partners should treat any unsolicited relationship-building as a potential targeting indicator — especially from unfamiliar firms seeking technical integration or partnership.
Action Required: Brief all employees attending financial industry conferences on DPRK social engineering tactics. Implement verification protocols for any new business partnership that involves code sharing, application testing, or technical integration. Never clone code repositories or install applications from unverified sources, even when presented by seemingly legitimate business partners. Report any suspicious recruitment, partnership, or collaboration approaches to your security team and FBI CyWatch. Review and harden developer environment security — VSCode, Cursor, and similar tools are documented attack vectors.
Sources: American Banker · Coinbase Disclosure · 2025
Continuing watch item from industry data: a threat actor bribed individuals performing services for Coinbase at overseas retail support locations to improperly access customer information. Instead of paying a $20 million extortion demand, Coinbase established a $20 million reward fund for information leading to arrest and conviction. This incident demonstrates that insider threats in financial services extend beyond traditional employees to contracted service providers operating in overseas locations with less oversight. Financial institutions with outsourced customer support, operations, or technology services should review access controls for overseas contractors with access to customer data.
Action Required: Audit access privileges for all contracted and outsourced personnel, particularly those in overseas locations. Implement behavioral analytics to detect unusual access patterns by service personnel. Review data loss prevention controls for customer-facing support environments. Ensure insider threat programs cover contractors and third-party service providers, not just direct employees.
UNC4736 / Golden Chollima
Responsible for the $285 million Drift Protocol exploit. CrowdStrike describes Golden Chollima as primarily geared toward cryptocurrency theft targeting small fintech firms, ensuring “baseline revenue generation for the DPRK regime.” The Drift attack demonstrated unprecedented operational patience — six months of social engineering including in-person conference meetings, depositing $1M in real funds, and building trust through legitimate-appearing business relationships. On-chain fund flows trace directly to the Radiant Capital attackers. The group uses social engineering through conferences, fake collaboration platforms, malicious TestFlight apps, and poisoned code repositories. Unlike traditional cybercriminal groups, DPRK actors are funding state military programs, making them persistent, well-resourced, and willing to invest significant time and capital in each operation.
Primary TTPs
Social Engineering, Conference Infiltration, Oracle Manipulation, Multisig Exploitation
Target Sectors
DeFi, Cryptocurrency, Fintech, Venture Capital, Blockchain
Activity Level
Critical · $285M stolen · 6-month operation
UNC1069 / Sapphire Sleet
Responsible for the Axios npm supply chain compromise that affects financial services software dependencies. Historically focused on cryptocurrency and DeFi theft, now demonstrating capability to target the broader software supply chain. The social engineering tradecraft — cloned company identities, fake Slack workspaces with branded channels, fake Teams calls — mirrors the Drift attack pattern. Both UNC4736 and UNC1069 are DPRK-linked actors conducting simultaneous operations against the financial sector in the same week, suggesting coordinated campaign planning at the state level. Microsoft tracks the same actor as Sapphire Sleet. Stolen credentials from the Axios attack will enable follow-on financial sector operations for weeks to months.
Primary TTPs
Supply Chain Compromise, Social Engineering, npm Hijacking, Credential Theft
Target Sectors
Software Supply Chain, Financial Services, Cryptocurrency
Activity Level
Critical · Active · Coordinated with UNC4736
ShinyHunters
Continuing threat to financial services. ShinyHunters is responsible for the TransUnion breach via voice phishing (vishing) campaigns targeting Salesforce-connected systems. The group has demonstrated capability to breach financial infrastructure through identity-based attacks — abusing SSO, OAuth, and voice phishing to bypass MFA. Google researchers linked the tactics to Salesforce system exploitation, although Salesforce stated its platform was not compromised. ShinyHunters also claimed the European Commission breach. The group represents the leading edge of identity-based attacks against financial services, using social engineering and credential abuse rather than malware or network exploitation.
Primary TTPs
Vishing, SSO/OAuth Abuse, Salesforce Exploitation, Data Exfiltration
Target Sectors
Financial Services, Technology, Government, SaaS
Activity Level
Active · Identity-based attacks · Persistent