Satine Sentinel: April 3, 2026

Two stories dominated this week, and they don’t look related at first glance: a North Korean state operation that spent three weeks manufacturing a fake cryptocurrency token and socially engineering a DeFi governance council before draining $285 million in twelve minutes, and a Chinese-speaking threat actor whose malware has now appeared for a second time in the Apple App Store using optical character recognition to silently photograph credentials out of victims’ phone galleries. Updates this week close the loop on two stories from last week that were unresolved: CERT-EU confirmed today that the European Commission breach started with a compromised security scanner, not a misconfigured AWS bucket, and Handala kept operating after the FBI seized its domains and isn’t slowing down.

The pattern is the same one that’s been running all quarter: the attack surface is the tooling you trust. Drift’s security council trusted a durable nonce transaction because it looked routine. The European Commission trusted a security scanner it ran inside its own cloud pipeline. iPhone users trusted two apps that passed Apple’s review process. In each case, the trust relationship itself was the vulnerability.

This week: how DPRK redefined governance hijacking as a multi-week staged operation, how OCR malware got back into the App Store a year after it was first removed, and two significant updates on stories from last week that are now substantially clearer.


Drift Protocol: DPRK’s $285M Durable Nonce Governance Hijack

What happened:

On April 1, 2026, attackers drained approximately $285 million in user assets from Drift Protocol, the largest decentralized perpetual futures exchange on Solana, in roughly 12 minutes, with most stolen funds bridged to Ethereum within hours. On-chain staging began on March 11, nearly three weeks before the April 1 execution, with attacker infrastructure, token manufacturing, and social engineering all running in parallel with careful coordination. The critical vulnerability was not a smart contract bug but a combination of social engineering multisig signers into pre-signing hidden authorizations and a zero-timelock Security Council migration that eliminated the protocol’s last line of defense.

Technical details that matter:

The attack was not a hack in the traditional sense. Nobody found a bug or cracked a private key. Instead, the attacker used a legitimate Solana feature, durable nonces, to get Drift’s Security Council to pre-sign transactions that were executed later, at a time and in a context the signers never intended. The drain itself took roughly 12 minutes; the setup took nearly three weeks.

The staging sequence is worth understanding step by step. A normal Solana transaction carries a recent blockhash and becomes invalid once that blockhash ages out, which happens within roughly a minute or two. A durable nonce transaction instead references a nonce value stored in an on-chain nonce account and must begin with an AdvanceNonceAccount instruction; the signed transaction stays valid until that nonce is advanced, so whoever holds it can submit it whenever they choose. Between March 23 and March 30, the attacker created multiple durable nonce accounts and used social engineering to induce Security Council multisig signers to pre-sign transactions that appeared routine but carried hidden authorizations. On March 27, Drift migrated its Security Council to a new 2-of-5 threshold with zero timelock, eliminating the delay that would have allowed detection before admin actions took effect. The attacker adapted in real time: by March 30, a new durable nonce account appeared tied to a member of the updated multisig, indicating the attacker had re-obtained the required two-of-five approvals under the new configuration.

The fake token component ran in parallel. The attacker manufactured an entirely fictitious asset, CarbonVote Token (CVT), with a few thousand dollars in seeded liquidity and wash trading, and Drift’s oracles treated it as legitimate collateral worth hundreds of millions of dollars. On execution day, the attacker listed CVT as a valid market on Drift, raised withdrawal limits to extreme levels, and executed 31 rapid withdrawals draining real assets from nearly 20 vaults within roughly 12 minutes. Within hours, the exploiter had swapped $270.9 million into USDC, bridged it from Solana to Ethereum via Circle’s CCTP TokenMessengerMinterV2, and purchased 129,000 ETH, split across multiple wallets. TRM Labs and Elliptic both assessed the behavior as consistent with DPRK-backed operations. North Korean cryptoasset theft is estimated to have netted a record $2 billion in 2025, approximately $1.46 billion of it from the Bybit hack in February 2025.

Why critical institutions should care:

The Drift attack is a proof of concept against any governance model that relies on human approvers who cannot verify the full content of what they are signing. That problem is not exclusive to DeFi. Any institution using multisig authorization for high-value transactions, shared administrative approval workflows, or delegated signing authority faces a structurally similar exposure if the approval process can be socially engineered. Three immediate lessons: timelocks on governance and admin actions are a critical safeguard, and removing them eliminates the detection window that makes intervention possible; oracle design requires defense in depth, with minimum liquidity thresholds and circuit breakers before any asset is accepted as collateral; and multisig signers need a robust process for independently verifying the full content of any transaction before signing, including whether it is a durable nonce transaction that will remain valid long after the signature is given. For financial institutions with blockchain exposure and fintech infrastructure teams managing treasury operations, DPRK has now demonstrated signer deception at scale twice in fourteen months: Bybit in February 2025 and Drift now.
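The durable nonce mechanics described above and the last lesson here, independent verification of what is being signed, come down to one question a signer can answer offline: what does this serialized message actually contain? The following is an added example, not Drift’s or Solana Labs’ code, and it uses constructed 32-byte stand-in keys and a made-up nonce value rather than real addresses. It serializes a routine transfer and the same transfer wrapped in a durable nonce, parses both back using the legacy message layout, and applies a signing policy that escalates any message whose first instruction is the System Program’s AdvanceNonceAccount, which is the on-wire marker of a pre-signature that will not expire.

```python
"""Signer-side inspection of a serialized Solana transaction message.
Added example, not Drift's or Solana Labs' code; keys, nonce and amounts are constructed."""
import struct

SYSTEM_PROGRAM = bytes(32)  # base58 11111111111111111111111111111111 decodes to 32 zero bytes
ADVANCE_NONCE_ACCOUNT, TRANSFER = 4, 2  # SystemInstruction enum indices, u32 little-endian in data
SYSTEM_IX = {TRANSFER: "Transfer", ADVANCE_NONCE_ACCOUNT: "AdvanceNonceAccount"}


def encode_compact_u16(n):
    """Compact-u16 length prefix: 7 data bits per byte, high bit means another byte follows."""
    out = bytearray()
    while n > 0x7F:
        out.append(n & 0x7F | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def decode_compact_u16(buf, pos):
    value = shift = 0
    while True:
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def build_message(header, keys, blockhash, instructions):
    """Serialize a legacy message: 3-byte header, account keys, blockhash, instructions."""
    out = bytearray(header) + encode_compact_u16(len(keys)) + b"".join(keys) + blockhash
    out += encode_compact_u16(len(instructions))
    for program_index, accounts, data in instructions:
        out += bytes([program_index]) + encode_compact_u16(len(accounts)) + bytes(accounts)
        out += encode_compact_u16(len(data)) + data
    return bytes(out)


def parse_message(buf):
    """Parse a legacy message (or the static part of a v0 one; lookup-table accounts unresolved)."""
    pos, version = (1, buf[0] & 0x7F) if buf[0] & 0x80 else (0, None)
    signers, ro_signed, ro_unsigned = buf[pos:pos + 3]
    pos += 3
    n_keys, pos = decode_compact_u16(buf, pos)
    keys = [bytes(buf[pos + 32 * i:pos + 32 * i + 32]) for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = bytes(buf[pos:pos + 32]), pos + 32
    n_ix, pos = decode_compact_u16(buf, pos)
    instructions = []
    for _ in range(n_ix):
        program_index, pos = buf[pos], pos + 1
        n_acc, pos = decode_compact_u16(buf, pos)
        accounts, pos = list(buf[pos:pos + n_acc]), pos + n_acc
        n_data, pos = decode_compact_u16(buf, pos)
        data, pos = bytes(buf[pos:pos + n_data]), pos + n_data
        instructions.append((program_index, accounts, data))
    # Key order is [writable signers][read-only signers][writable][read-only].
    writable = [i < signers - ro_signed or signers <= i < n_keys - ro_unsigned for i in range(n_keys)]
    return {"version": version, "signers": signers, "keys": keys, "writable": writable,
            "blockhash": blockhash, "instructions": instructions}


def inspect_message(buf, known_programs=None):
    """The facts a multisig signer should see before approving: programs, calls, nonce use."""
    known = {SYSTEM_PROGRAM: "System", **(known_programs or {})}
    msg = parse_message(buf)
    report = {"durable_nonce": False, "nonce_authority": None, "unknown_programs": [],
              "writable_accounts": [i for i, w in enumerate(msg["writable"]) if w], "calls": []}
    for n, (program_index, accounts, data) in enumerate(msg["instructions"]):
        program = msg["keys"][program_index]
        name = known.get(program) or "UNKNOWN " + program.hex()[:8]
        if program not in known:
            report["unknown_programs"].append(program.hex())
        disc = struct.unpack("<I", data[:4])[0] if len(data) >= 4 else None
        if program == SYSTEM_PROGRAM:
            name += "." + SYSTEM_IX.get(disc, f"ix{disc}")
        report["calls"].append((n, name, accounts))
        # Runtime rule: a durable-nonce tx starts with AdvanceNonceAccount over
        # [nonce account, RecentBlockhashes sysvar, nonce authority], and its "recent
        # blockhash" field holds the stored nonce, so the signature never goes stale.
        if n == 0 and program == SYSTEM_PROGRAM and disc == ADVANCE_NONCE_ACCOUNT:
            report["durable_nonce"] = True
            report["nonce_authority"] = accounts[2] if len(accounts) > 2 else None
    return report


def signing_decision(report):
    """Policy: a non-expiring pre-signature or an unrecognized program goes to human review."""
    return "ESCALATE" if report["durable_nonce"] or report["unknown_programs"] else "OK"


# Constructed stand-ins, not real addresses; SYSVAR stands in for the RecentBlockhashes
# sysvar and STORED_NONCE for the value held in an on-chain nonce account.
PAYER, NONCE_ACCOUNT, TREASURY, SYSVAR = (bytes([b]) * 32 for b in (1, 2, 3, 4))
STORED_NONCE = bytes([0xAA]) * 32
TRANSFER_IX = struct.pack("<IQ", TRANSFER, 5_000_000)  # 0.005 SOL in lamports
ROUTINE_MSG = build_message(bytes([1, 0, 1]), [PAYER, TREASURY, SYSTEM_PROGRAM],  # 1 signer, 1 read-only
                            bytes([0x11]) * 32, [(2, [0, 1], TRANSFER_IX)])
DURABLE_MSG = build_message(bytes([1, 0, 2]), [PAYER, NONCE_ACCOUNT, TREASURY, SYSVAR, SYSTEM_PROGRAM],
                            STORED_NONCE, [(4, [1, 3, 0], struct.pack("<I", ADVANCE_NONCE_ACCOUNT)),
                                           (4, [0, 2], TRANSFER_IX)])
```

Calling `signing_decision(inspect_message(ROUTINE_MSG))` returns OK while the nonce-wrapped message returns ESCALATE. The policy is deliberately blunt: durable nonces have legitimate uses, so the right response is review behind a timelock rather than a silent block. For versioned (v0) messages the accounts pulled from address lookup tables are not resolved here and would need an RPC call, and whether the blockhash field really is a live nonce can only be confirmed against the nonce account on chain.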


SparkCat Returns: OCR Credential Harvester Back in the App Store

What happened:

Kaspersky researchers have discovered a new version of the SparkCat malware on the Apple App Store and Google Play, more than a year after the trojan was first found targeting both mobile platforms. The malware hides inside seemingly benign apps such as enterprise messengers and food delivery services while silently scanning victims’ photo galleries for cryptocurrency wallet recovery phrases. Kaspersky found two infected apps on the App Store and one on Google Play, primarily targeting cryptocurrency users in Asia. The new iOS variant differs from the earlier one in scanning specifically for recovery phrases written in English, which could widen its reach, since it can affect users regardless of region.

Technical details that matter:

SparkCat undercuts the assumption that app store review catches malicious behavior. The malware reads photos from the device gallery and uploads them to the C2 server selectively. It first sends a request containing the image’s MD5 hash to /api/e/img/uploadedCheck on the C2, then uploads the image to either Amazon’s cloud storage or the “rust” server, and finally submits a link to the image for optical character recognition processing. The SDK poses as an analytics component, as its package name com.spark.stat suggests, but is malware that selectively exfiltrates gallery content.

The OCR keyword targeting reveals the goal: the terms all indicate financially motivated attackers hunting for the recovery phrases known as “mnemonics” that can be used to regain access to cryptocurrency wallets, with keywords in Chinese, Japanese, Korean, English, Czech, French, Italian, Polish, and Portuguese. The malicious code is embedded at the SDK level inside otherwise functional apps, so the apps work normally and the malicious behavior triggers only under specific conditions, such as opening a support chat. Google and Apple have removed most of the offending apps from their stores, but the researchers warned that some could still be found there. Kaspersky previously attributed the campaign to Chinese-speaking operators based on code comments and developer directory names found in the iOS variant.
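The beacon sequence in the technical section, a hash check against /api/e/img/uploadedCheck followed by an image upload, is observable from the network side on a managed device fleet. The code below is an added example, not Kaspersky’s, and the log format, hostnames (which use the .invalid TLD), client addresses and hashes are all constructed; the only detail taken from the report is the C2 path. It also assumes the MD5 travels in the query string, which a proxy log would show, whereas a hash carried in a POST body would need TLS inspection or an EDR hook to see.

```python
"""Proxy-log detection for the SparkCat upload sequence: a hash check against the
C2 path /api/e/img/uploadedCheck, then (for images the C2 has not seen) an upload.
Added example, not Kaspersky's code. Log format, hosts (.invalid), IPs and hashes are
constructed; only the C2 path comes from the report."""
import re
from datetime import datetime, timedelta

UPLOAD_CHECK_PATH = "/api/e/img/uploadedCheck"
UPLOAD_WINDOW = timedelta(seconds=60)
MIN_UPLOAD_BYTES = 50_000  # a photo, not a beacon
# Constructed line format: "<ISO ts> <client> <method> <host> <path> <request bytes>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<size>\d+)$")
MD5_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])")  # assumption: hash rides in the query string

SAMPLE_LOG = """\
2026-04-01T09:14:02Z 10.20.1.55 POST api.c2-example.invalid /api/e/img/uploadedCheck?md5=9e107d9d372bb6826bd81d3542a419d6 188
2026-04-01T09:14:05Z 10.20.1.55 PUT bucket-example.s3.amazonaws.com /u/9e107d9d372bb6826bd81d3542a419d6.jpg 204811
2026-04-01T09:20:11Z 10.20.1.77 GET cdn.fooddelivery-example.invalid /menu.json 512
2026-04-01T09:31:40Z 10.20.1.90 POST api.c2-example.invalid /api/e/img/uploadedCheck?md5=3a7bd3e2360a3d29eea436fcfb7e44c1 188
2026-04-01T09:33:09Z 10.20.1.90 GET cdn.fooddelivery-example.invalid /menu.json 512
"""


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["size"] = int(rec["size"])
    return rec


def is_bulk_upload(rec):
    """The upload leg: a large PUT/POST body from the same client shortly after the check."""
    return rec["method"] in ("PUT", "POST") and rec["size"] >= MIN_UPLOAD_BYTES


def detect_sparkcat(lines, window=UPLOAD_WINDOW):
    """One finding per uploadedCheck beacon, escalated if an upload followed it."""
    records = [r for r in map(parse_line, lines) if r]
    findings = []
    for i, rec in enumerate(records):
        if not rec["path"].startswith(UPLOAD_CHECK_PATH):
            continue
        md5 = MD5_RE.search(rec["path"])
        follow = next((r for r in records[i + 1:]
                       if r["client"] == rec["client"]
                       and timedelta(0) <= r["ts"] - rec["ts"] <= window
                       and is_bulk_upload(r)), None)
        # The check alone proves the SDK is live on the device; a following upload means
        # an image the C2 had not seen before just left the gallery.
        findings.append({"client": rec["client"], "c2_host": rec["host"], "when": rec["ts"].isoformat(),
                         "image_md5": md5.group(0) if md5 else None,
                         "upload_followed": follow is not None,
                         "upload_host": follow["host"] if follow else None,
                         "severity": "high" if follow else "medium"})
    return findings


if __name__ == "__main__":
    for f in detect_sparkcat(SAMPLE_LOG.splitlines()):
        print(f["severity"], f["client"], f["image_md5"], f["upload_host"])
```

On the sample, 10.20.1.55 is flagged high (the check was followed three seconds later by a 200 KB PUT to object storage) and 10.20.1.90 medium (the SDK beaconed, but the C2 already had that image). The path match is the brittle part, since a new variant can rename its endpoint; the check-then-upload rhythm from a consumer app is the more durable signal.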

Why critical institutions should care:

The institutional risk here is less about cryptocurrency wallets and more about what the attack model demonstrates. SparkCat is an SDK-level supply chain compromise embedded inside apps that pass official store review. The same technique works against anything that lives in a photo gallery: authentication QR codes, password screenshots, multi-factor recovery codes, and corporate credential documents that employees photograph for convenience. Any organization with a BYOD policy or a managed mobile fleet running apps from the App Store or Google Play is running third-party SDKs whose behavior cannot be fully audited at install time. Users should avoid screenshotting sensitive information and storing it unencrypted, and anyone whose crypto wallet has not already been emptied should move funds to a new wallet with a new seed phrase after cleaning affected devices. The enterprise translation: sensitive credentials, OTP seeds, and recovery codes have no business being in a device photo gallery, and mobile device management policies should say so explicitly.


Updates From Last Week

European Commission Breach: CERT-EU Confirms Trivy Supply Chain Was the Entry Vector

Last week this column covered the European Commission AWS breach and noted that the attack vector remained genuinely unknown, one of the most important unanswered questions for defenders trying to assess their own exposure. Today, CERT-EU closed that gap.

CERT-EU confirmed that ShinyHunters are behind the recent breach of cloud infrastructure underpinning European Commission websites, and that they stole and subsequently leaked approximately 340 GB of data. Based on initial access on March 19, the misuse of AWS credentials, and the EC running a compromised version of Aqua Security’s Trivy scanner at the time, CERT-EU and the EC assess with high confidence that the initial access vector was the Trivy supply-chain compromise. The attackers acquired an AWS API key that gave them control over the EC’s AWS accounts. They then used TruffleHog to scan for secrets and validate the AWS credentials by calling the Security Token Service (TruffleHog verifies AWS keys with sts:GetCallerIdentity, a call that CloudTrail records), used the compromised secret to create and attach a new access key to an existing IAM user, and began reconnaissance. This modus operandi has been tied to TeamPCP, the group linked to the recent Trivy, KICS, LiteLLM, and Telnyx supply chain attacks.
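The sequence CERT-EU describes, a credential-validation call to STS followed by CreateAccessKey on an existing user, is visible in CloudTrail. As an added example (not CERT-EU’s or any vendor’s detection content), the function below scores CreateAccessKey events on three signals: a GetCallerIdentity by the same access key shortly before, which is how TruffleHog verifies AWS credentials; a key minted for a user other than the caller; and a source address outside a caller-supplied baseline for that key. The events are constructed, minimal CloudTrail-shaped records, and the user names, key IDs and IP addresses are made up.

```python
"""CloudTrail detection for the sequence CERT-EU describes: validate a stolen key
through STS, then mint a new access key on an existing IAM user.
Added example, not CERT-EU's or any vendor's content. Events are constructed,
minimal CloudTrail-shaped records; names, key IDs and IPs are made up."""
from datetime import datetime, timedelta

VALIDATION_WINDOW = timedelta(minutes=30)

SAMPLE_EVENTS = [  # constructed
    {"eventTime": "2026-03-19T10:02:11Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "ci-scanner", "accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2026-03-19T10:05:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "ci-scanner", "accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"userName": "web-deploy"}},
    {"eventTime": "2026-03-19T11:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.8",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLE000000002"},
     "requestParameters": {"userName": "alice"}},
]


def _when(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_key_minting(events, known_ips_by_key=None, window=VALIDATION_WINDOW):
    """Score every CreateAccessKey on the three signals the EC intrusion showed."""
    known_ips_by_key = known_ips_by_key or {}
    events = sorted(events, key=_when)
    findings = []
    for i, ev in enumerate(events):
        if ev["eventName"] != "CreateAccessKey":
            continue
        caller = ev["userIdentity"]
        key = caller.get("accessKeyId")
        # IAM defaults userName to the caller when the parameter is omitted.
        target = ev.get("requestParameters", {}).get("userName") or caller.get("userName")
        signals = []
        # 1. The key was just test-driven: GetCallerIdentity is how TruffleHog verifies AWS creds.
        if any(e["eventName"] == "GetCallerIdentity" and e["userIdentity"].get("accessKeyId") == key
               and _when(ev) - _when(e) <= window for e in events[:i]):
            signals.append("sts_validation_preceded")
        # 2. A key minted for someone else is persistence on a second identity.
        if target != caller.get("userName"):
            signals.append("key_for_other_user")
        # 3. Source address outside the baseline the caller supplies for this key.
        if key in known_ips_by_key and ev["sourceIPAddress"] not in known_ips_by_key[key]:
            signals.append("new_source_ip")
        findings.append({"time": ev["eventTime"], "caller": caller.get("userName"), "target": target,
                         "source_ip": ev["sourceIPAddress"], "signals": signals,
                         "severity": {0: "low", 1: "medium"}.get(len(signals), "high")})
    return findings


if __name__ == "__main__":
    for f in detect_key_minting(SAMPLE_EVENTS, {"AKIAEXAMPLE000000001": {"10.0.0.5"}}):
        print(f["severity"], f["caller"], "->", f["target"], f["signals"])
```

The first CreateAccessKey trips all three signals and comes back high; the second, a user minting a key for herself from a known address with no STS probe in front of it, comes back low. GetCallerIdentity on its own is noisy (every SDK session and CI job may call it), which is why it only counts here in combination with a key creation that follows within the window.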

This attribution matters beyond attribution. Last week’s coverage of TeamPCP established that a single backdoored security tool cascaded into compromises across npm, PyPI, AI libraries, and telephony infrastructure. The European Commission breach is the same campaign’s highest-profile confirmed victim so far. The compromised account is part of the technical infrastructure driving multiple European Commission websites, and data pertaining to at least 29 other Union entities may be affected. Any organization that ran Trivy during the week of March 19 without version pinning should now treat this as confirmed initial access risk, not theoretical exposure. Pinning means an immutable reference, a full commit SHA for a GitHub Action or a sha256 digest for a container image, since a tag or branch name can be moved to point at different content. Any credential the scanner could read, including the CI runner’s cloud keys, should be assumed exposed and rotated.
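“Without version pinning” is the operative phrase, and pinning has to mean an immutable reference. The script below is an added example, not Aqua Security’s or GitHub’s tooling, that audits a constructed workflow for the three ways a CI pipeline typically pulls a scanner: a GitHub Action reference, a container image, and a curl-piped installer. Only a 40-hex commit SHA or a sha256 image digest counts as pinned; the workflow text, organization names, install URL, commit SHA and digest value are all made up.

```python
"""Audit of CI workflow text for mutable references to security tooling.
Added example, not Aqua Security's or GitHub's tooling. The workflow, org names,
install URL, commit SHA and image digest are constructed; the rule is general: a
branch or tag can be moved to new content, a commit SHA or sha256 digest cannot."""
import re

SAMPLE_WORKFLOW = """\
name: scan
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: aquasec/trivy:latest
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0.28.0
      - run: curl -sfL https://raw.githubusercontent.com/example-org/tool/main/install.sh | sh
      - run: docker run --rm aquasec/trivy@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef image myapp:1.0
"""

SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)")
# image reference followed by either a tag (mutable) or a sha256 digest (immutable)
IMAGE_REF_RE = re.compile(r"\b([\w.-]+/[\w./-]+)(@sha256:[0-9a-f]{64}|:[\w.-]+)")
# installer fetched from a URL and piped straight into a shell: whatever is at that URL today
PIPE_INSTALL_RE = re.compile(r"\b(?:curl|wget)\b[^|\n]*https?://\S+\s*\|\s*(?:ba)?sh\b")


def audit_workflow(text):
    """Return one finding per tool reference with whether it is pinned immutably."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            repo, ref = m.groups()
            findings.append({"line": n, "kind": "action", "ref": f"{repo}@{ref}",
                             "pinned": bool(SHA40_RE.match(ref))})
            continue
        if PIPE_INSTALL_RE.search(line):
            findings.append({"line": n, "kind": "pipe_install", "ref": line.strip(), "pinned": False})
            continue
        for m in IMAGE_REF_RE.finditer(line):
            name, tail = m.groups()
            findings.append({"line": n, "kind": "image", "ref": name + tail,
                             "pinned": tail.startswith("@sha256:")})
    return findings


def mutable_refs(text):
    """The references to fix: each should become a commit SHA or an image digest."""
    return [f["ref"] for f in audit_workflow(text) if not f["pinned"]]


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']:2d} {f['kind']:13s} {'pinned ' if f['pinned'] else 'MUTABLE'} {f['ref']}")
```

Of the six references in the sample, only the SHA-pinned checkout and the digest-pinned image pass. Note that `@0.28.0` fails on purpose: a release tag looks like a version but is a mutable pointer, and moving tags to malicious commits is exactly the kind of change an audit by tag name cannot see. Pinning also has to be paired with a way to pick up legitimate updates, which is what dependency-update bots that rewrite the SHA are for.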


Handala: Operating Normally After FBI Domain Seizures

Last week’s column covered Handala’s publication of Kash Patel’s personal email archive as retaliation for FBI domain seizures. The update this week is that the seizures had essentially no operational impact. Handala posted on its Telegram channel that “the seizure of our domains, propaganda bombardment, threats of assassination, and even the looming shadow of aerial bombardment are nothing more than the latest desperate attempts by the United States and its allies to silence the voice of Handala,” and the group spun up new infrastructure within hours of the seizure.

The group also claimed responsibility for doxxing dozens of Lockheed Martin employees stationed in the Middle East; Lockheed stated there was no evidence of impact to its systems. Handala and other groups have repeatedly targeted Israel, with the Israeli National Cyber Directorate reporting that Iran-linked hackers erased data from at least 60 Israeli companies through wiper attacks. The Iran-linked ransomware group Pay2Key is reportedly offering 80 percent of profits to hackers targeting enemies of Iran, up from its previous 70 percent, with special conditions described for “Iran’s friends.” The practical update for defenders: domain seizure alone is not a meaningful disruption to a group operating with MOIS backing. Handala is actively recruiting affiliate operators and expanding its claimed targeting list.


The Pattern This Week

The Drift attack and the SparkCat campaign have nothing superficially in common. One is a nation-state financial operation that took three weeks of patient setup. The other is an SDK embedded in food delivery apps. But they share a structural property: both exploited the gap between what a trusted system appears to be doing and what it is actually doing. Drift’s security council approved transactions that looked routine. SparkCat’s infected apps behave exactly as advertised right up until they start scanning your photo gallery.

The European Commission update closes an important loop: the defender who read last week’s Sentinel and concluded “check your AWS IAM controls” was looking in the wrong place. The real question was “did your CI/CD pipeline run Trivy last week without pinning the version?” The attack vector was two layers upstream from where defenders were looking.

That is the recurring problem across all four items this week. By the time an attack is visible at the layer you are monitoring, the actual entry point was somewhere else entirely.

See you next week.
