Cyber Threat Actor: Citrine Sleet
| Actor Type | Location | Known Incidents |
Nation State
|
North Korea
|
1 incident |
|---|
Profile
Citrine Sleet is a threat actor tracked under that alias and is publicly associated with North Korea. The actor’s location is identified as North Korea, and attribution to North Korean state‑linked operators has been made by investigators following the observed intrusion. No other aliases or geographic details are provided in the source material.
The actor’s known activity focuses on decentralized finance platforms, specifically targeting a Solana‑based perpetual futures protocol. In the observed operation the actor sought financial gain by stealing digital assets rather than pursuing espionage or disruption. The theft involved converting stolen funds into a stablecoin, moving them across chains, and obscuring the trail through a mixing service. This indicates a clear monetary objective tied to the illicit acquisition of value.
The tactics observed in the incident include a prolonged social engineering campaign lasting approximately six months, the compromise of a code repository, and the distribution of a malicious TestFlight wallet application. An undisclosed initial access vector was also used. Once inside, the actor modified the protocol’s approval mechanism to require only two of five signatures and removed any time delay, then minted a large quantity of fake tokens that were accepted as collateral. The actor subsequently drained assets via rapid withdrawals, swapped the proceeds to USDC on Solana, bridged them to Ethereum, and laundered the funds through a mixing service before the protocol halted operations.
The Drift compromise in April 2026 represents a representative campaign for Citrine Sleet and has been linked by investigators to earlier North Korean‑linked hacks. No additional publicly reported operations are detailed in the source material, so the profile is limited to the confirmed facts surrounding this incident. The actor’s known behavior reflects a financially motivated, state‑aligned approach that combines social engineering, supply chain compromise, and manipulation of blockchain governance mechanisms.
