Sanctuary Intelligence Desk

On April 5, 2026 — four days after Drift Protocol was drained for $285 million in a 12-minute exploit at 16:05:18 UTC on April 1 — Drift's incident team published its formal post-mortem. The document attributed the exploit to UNC4736, also tracked as Citrine Sleet, AppleJeus, Golden Chollima, and Gleaming Pisces, a DPRK threat actor documented by Microsoft Threat Intelligence, Mandiant, and adjacent firms since 2018.
The specific operational claim, quoted in CoinDesk's coverage of the post-mortem:
> "The basis for this connection is both on-chain (fund flows used to stage and test this operation trace back to the Radiant attackers) and operational (personas deployed across this campaign have identifiable overlaps with known DPRK-linked activity)."
The phrase "fund flows used to stage and test this operation trace back to the Radiant attackers" is unusually direct. Drift's team did not assert behavioral similarity or threat-actor signature overlap. They asserted **specific on-chain fund flows** — meaning wallets, transactions, hash-level evidence — that connect the April 2026 Drift attack to the October 2024 Radiant Capital exploit at the funding layer.
The post-mortem did not publish the specific intermediate wallet addresses. The hashes that constitute the trace remain inside Drift's incident-response data and, presumably, with the law-enforcement agencies coordinating the investigation. The attribution is firm; the wallet-level evidence is not in the public record.
This matters because it sets a structural precedent. Drift attributed a 2026 attack to a 2024 attack at the **wallet-graph level**. The same DPRK unit operated continuously, reusing infrastructure, for at least eighteen months — and the on-chain fingerprint persists across that window.
On March 12, 2026, OFAC designated six individuals and two entities tied to the DPRK IT-worker revenue scheme. Twenty-one cryptocurrency addresses were added as digital-currency identifiers on the corresponding SDN List entries. The designations covered:
**Amnokgang Technology Development Company** (DPRK), seven addresses:
- Ethereum: `0xcB74874f1e06Fcf80A306e06e5379A44B488bA2D`, `0x0330070FD38Ec3bB94F58FA55D40368271E9e54A`, `0x9Be599d7867f5E1a2D7Ec6dB9710dF2b98A15573`
- TRON: `TNrX2FwrHKoo4XACGkmSzqeK4pdnKYn6Z7`, `TEEYCuGDyeNkuDj4u6GQRXxXo3Nh29r2vP`, `TZB4NrX7k9ZsV6PRc1GigAztLL8WHpLvwP`, `TDe2UNAvuUnTbbDo7518eMe3TXN5qJW8Ft`

**Yun Song Guk** (DPRK IT-worker lead in Boten, Laos):
- Ethereum: `0xb637f84b66876ebf609c2a4208905f9ddac9d075`, `0x95584C303FCd48AF5c6B9873015f2AD0ca84EaE3`

**Hoang Minh Quang** (financial coordinator):
- Bitcoin: `bc1qyy5pt5cx3zth8xlj92lq5y87dh8xv3nwgs4ncq`

**Sim Hyon Sop**: re-designated with 11 new Ethereum and TRON addresses, flagged for active links to Iran's Islamic Revolutionary Guard Corps.
Chainalysis's analysis of the action, published the same day, carried the operational claim that fills in the Drift-side gap:
> "Addresses belonging to Amnokgang... additionally leveraged Southeast Asian movement services and received downstream funds from a suspected DPRK hack."
"Received downstream funds from a suspected DPRK hack." The Amnokgang network — designated as the IT-worker revenue infrastructure — was, per Chainalysis, also a destination for hack proceeds. The source hack is not publicly named.
The candidate hacks visible to Chainalysis as of March 12, 2026 were Bybit (February 2025, $1.5B, the largest single source), Radiant Capital (October 2024, $53M), the various 2025 incidents (Cetus, Mango Markets follow-ons, smaller exploits), and an undetermined set of earlier 2023-2024 hacks. The April 1, 2026 Drift exploit had not yet occurred. The April 18, 2026 KelpDAO exploit had not yet occurred.
Given the timing and the documented UNC4736 attribution overlap, the most likely source hack — though not the only candidate — is Radiant Capital. Radiant's attacker cluster was tracked by Mandiant and adjacent firms throughout 2024-2025. The cluster used Southeast Asian intermediary services (consistent with Chainalysis's "Southeast Asian movement services" reference). The cluster's geographic operational profile matches Amnokgang's Vietnam-Laos-DPRK structure.
This is hypothesis, not proven attribution. It is the hypothesis most consistent with the published data.
Read Drift's post-mortem and Chainalysis's analysis together:
- **Drift (April 2026)** ← staging fund flows trace to ← **Radiant Capital (October 2024)**
- **Amnokgang (OFAC March 2026)** ← received downstream funds from ← **a "suspected DPRK hack"**
If the unnamed hack in the second relationship is Radiant Capital — and the timing, the UNC4736 attribution overlap, and the Southeast Asian movement-services reference all support this — then the Amnokgang network and the Drift staging chain share the same upstream source.
The IT-worker revenue infrastructure and the hack-and-steal cluster do not operate as separate ecosystems. They are downstream consumers of the same upstream wallet graph. The Radiant Capital proceeds, in this reading, financed both the IT-worker network's operational infrastructure (the laundering paths Chainalysis described) and the staging chain for the next major hack-and-steal operation (Drift, eighteen months later).
This is the linkage that no public source has yet explicitly stated. Drift's post-mortem stops at "Radiant attackers." Chainalysis's analysis stops at "suspected DPRK hack." Neither connects to the other. Read together, with the timing and attribution overlap considered, the triangle closes.
The compliance implication is structural. Pipelines that screen for hack-and-steal wallet exposure (Bybit cluster, Drift cluster, KelpDAO cluster) and pipelines that screen for IT-worker payroll exposure (Amnokgang, Yun Song Guk, Sim Hyon Sop, Sobaeksu, Saenal, Songkwang) have been operating as separate filters. Per the published attributions, the upstream graph is the same. A wallet that is in the Drift downstream is also, with some probability, in the Amnokgang upstream. Compliance frameworks that screen one side but not the other are missing exposure on the side they are not screening.
The other half of this story is the unnamed-victim universe.
The DOJ has announced victim counts in multiple 2024-2026 DPRK IT-worker enforcement actions:
- **May 6, 2026 sentencing** (Matthew Isaac Knoot + Erick Ntekereze Prince, 18-month sentences each): approximately **70 victim companies** referenced. Companies not named.
- **April 2025 sentencing** ($5M case, two US nationals): **136 victim companies** referenced. Companies not named.
- **Taylor Monahan (MetaMask), 2024-2025 public statements**: "**40-plus DeFi protocols**" have unknowingly employed DPRK workers "all the way back to DeFi Summer." No names given.
- **ZachXBT, April 8, 2026 publication**: explicitly stated he is "closely monitoring five other larger clusters" but will not publish those addresses publicly "since they are active."
Aggregated across these sources, more than 200 Western crypto and adjacent technology companies have publicly verified or strongly implied DPRK IT-worker payroll exposure; none of the sources states whether the counts overlap, so the figure is an upper-bound sum rather than a deduplicated total. The number of public, named companies in the open record: **four**.
The four:
**1. ElementalDeFi** (Solana). Worker: Keisuke Watanabe. Aliases: @kasky53, keisukew53, kdevdivvy, 0xWoo, [email protected]. "On payroll for years" per ZachXBT's April 7, 2026 disclosure. Payment amount not publicly disclosed.
**2. Stabble** (Solana DEX). Same worker: Keisuke Watanabe, as former CTO. TVL dropped 62 percent (from $1.75M to under $663K) in hours after the April 7 disclosure. The Stabble case is the cleanest example of the "you hired the same person twice" pattern — the same operator working two protocols simultaneously, paid from both, neither company aware the developer was DPRK-attributed.
**3. Munchables** (Blast blockchain, NFT/gaming). Four worker accounts — NelsonMurua913, Werewolves0493, BrightDragon0719, Super1114 — assessed by ZachXBT as likely one individual operating multiple identities. Outcome: $62.5 million exploit, March 2024. This case is in the corpus because the worker conducted an active exploit, forcing public disclosure of the employer.
**4. Favrr** (Ethereum) + **ChainSaw platform** (Replicandy, Peplicator, Hedz, Zogz NFT collections). Worker alias: "Alex Hong." Favrr lost approximately $680,000 in June 2025; ChainSaw-associated projects lost approximately $310,000 in a separate exploit. Total approximately $1 million across both.
These are the four. Every other Western crypto company that has paid into the DPRK IT-worker network — including, per Drift's own post-mortem attribution chain, companies whose staging-chain funds ultimately flowed into Amnokgang — is publicly unnamed.
The withholding pattern is structurally consistent across all investigators. ZachXBT, Chainalysis, TRM Labs, Nisos, Elliptic, the DOJ press releases, and the OFAC designations all disclose victim counts as aggregates without identifying the specific companies. The reasons stated or implied include: ongoing law-enforcement investigations, victim privacy protections, avoidance of secondary reputational harm to companies that may themselves be victims of identity fraud rather than knowing participants in the scheme, and — in ZachXBT's specific framing — operational protection of active investigative threads.
If the Drift-Radiant-Amnokgang triangle holds, three compliance implications follow.
**First, the screening separation is wrong.** Pipelines that treat "hack-attributed wallet exposure" and "IT-worker payroll exposure" as separate filter categories should consolidate them under a single DPRK operational graph. A wallet that touched the Radiant Capital attacker cluster carries Amnokgang-adjacent risk regardless of whether it has appeared in any IT-worker payment record. A wallet that paid into the luckyguys.site coordinator network carries Drift-staging-adjacent risk regardless of whether the company has experienced an active hack.
**Second, the victim count is structurally larger than the named four.** The 70-plus, 136-plus, 40-plus-DeFi, and "five-larger-cluster" disclosures map to a corpus of approximately 200 to 300 Western companies that have paid into the DPRK network at some point in 2023-2026. If those companies' payroll wallets are downstream of the same upstream graph that financed the Drift staging chain, then any company in that corpus is, by transitive risk, a downstream funder of the next major hack. The framing changes from "we hired a contractor who turned out to be DPRK-attributed" to "our payroll wallet financed the staging chain for a 2026 nine-figure exploit."
**Third, the EU's 20th sanctions package (May 24) is incomplete for this exposure.** The package's expanded enforcement focuses on Russia-corridor cryptoassets (A7A5, RUBx, the Russian and Belarusian digital rubles) and on CASPs "established in Russia" or Belarus. The DPRK operational-graph exposure documented by Drift's post-mortem and Chainalysis's analysis is outside its scope. Western compliance pipelines need a parallel framework that addresses DPRK operational-graph risk separately: OFAC SDN screening, threat-intelligence integration of the publicly named OFAC addresses, and proactive screening of contractor payroll wallets.
The Funnull / Liu Lizhi OFAC action in May 2026 — designating the Philippines-based Funnull Technology Inc. and its administrator Liu Lizhi for processing more than $200 million in pig-butchering proceeds, with TRON address `TNmRfnSUXZoWWzxcDDbf95eGQYXt1mJDt8` and Ethereum address `0xd5ED34b52AC4ab84d8FA8A231a3218bbF01Ed510` — shows that OFAC is continuing to designate specific operational nodes in adjacent illicit-finance graphs. The Funnull addresses show direct on-chain flows from Huione Pay, the Cambodia-based payment processor already sanctioned in 2025. This is the same pattern: a publicly-designated terminal that closes one operational layer, while the upstream sources remain undisclosed.
This is a hypothesis-driven research piece, not a forensic-grade attribution report. The specific load-bearing claims:
- Drift Protocol's incident team attributed the April 2026 attack's staging chain to the October 2024 Radiant Capital attacker wallet graph. **This is Drift's own published attribution.** It is sourced.
- Chainalysis attributed Amnokgang's incoming funds, at the OFAC-designation moment, partially to "a suspected DPRK hack." **This is Chainalysis's own published attribution.** It is sourced.
- The hypothesis that the unnamed hack in Chainalysis's framing is most likely Radiant Capital is **a Sanctuary hypothesis** based on timing, threat-actor attribution overlap, and geographic-infrastructure consistency. It is not proven. It is the inference most consistent with the published data and the easiest hypothesis to test if the underlying wallet hashes become publicly available.

What this piece does not claim:
- Specific wallet addresses that bridge Drift staging to Amnokgang downstream. Drift did not publish them; Chainalysis did not publish them; Sanctuary cannot publish what we have not independently verified.
- Specific Western companies among the unnamed 70/136/40-plus universe. The withholding pattern is industry-wide and reflects ongoing investigations.
- A definitive identity for "Mark X" or the LAB-cluster funder-of-funders, which are separate investigative threads.

What this piece does claim, and what we believe is publishable:
- The two published attributions, read together, change the structural framing of DPRK crypto operations. The hack-and-steal cluster and the IT-worker revenue network are not separate. They are connected at the upstream wallet graph.
- The compliance pipelines that screen one side without screening the other are missing material exposure on the side they do not screen.
**One.** Add the 21 OFAC March 12, 2026 addresses to your screening at the highest confidence tier. This is the most concrete actionable data point from this analysis. The addresses are publicly designated. Any wallet that has interacted with any of these — directly or at small hop depth — should be flagged.
**Two.** Treat hack-attributed-wallet exposure (Drift, KelpDAO, Bybit, Radiant Capital, the cluster) and IT-worker-payroll-wallet exposure (luckyguys.site, Amnokgang, Yun Song Guk, Sim Hyon Sop) as a single category for risk-tier purposes. If your compliance vendor maintains them as separate filters, request consolidation or apply transitive-risk weighting yourself.
**Three.** Audit your own contractor payment history against the OFAC March 12 addresses, against the publicly-disclosed Stabble / ElementalDeFi worker aliases (Keisuke Watanabe, @kasky53, keisukew53, kdevdivvy, 0xWoo), and against the Munchables four-identity cluster (NelsonMurua913, Werewolves0493, BrightDragon0719, Super1114). The four publicly-named cases are the proof-of-concept for the methodology; the unnamed 200-plus are the unaddressed exposure.
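The three steps above, together with the consolidation argued for in the first compliance implication, as one added worked example. This is illustrative code written for this piece, not tooling from Drift, Chainalysis, OFAC or any compliance vendor. It takes the OFAC addresses reproduced above as the designated seed set (Sim Hyon Sop's 11 addresses are not listed on this page and are omitted), adds a single constructed placeholder for a hack-attributed cluster because no Drift or Radiant address is public here, and runs a hop-limited breadth-first search over a constructed transfer set so that a contractor payout wallet is flagged whichever side of the old category split it sits on. One practitioner caveat it handles: Ethereum addresses are case-insensitive hex (the designations above mix checksummed and lowercase forms), so they are normalized before comparison, while TRON and Bitcoin addresses are case-sensitive and compared as-is. Every address and transfer not on the OFAC list above is constructed.

```python
"""Consolidated DPRK wallet-graph screening (added example, not the page's own tooling).

Designated addresses are copied from the OFAC list reproduced in the article;
every other address and every transfer in this file is constructed.
"""
from collections import deque

# (chain, address) -> designated entry, as listed in the article.
OFAC_2026_03_12 = {
    ("eth", "0xcB74874f1e06Fcf80A306e06e5379A44B488bA2D"): "Amnokgang",
    ("eth", "0x0330070FD38Ec3bB94F58FA55D40368271E9e54A"): "Amnokgang",
    ("eth", "0x9Be599d7867f5E1a2D7Ec6dB9710dF2b98A15573"): "Amnokgang",
    ("tron", "TNrX2FwrHKoo4XACGkmSzqeK4pdnKYn6Z7"): "Amnokgang",
    ("tron", "TEEYCuGDyeNkuDj4u6GQRXxXo3Nh29r2vP"): "Amnokgang",
    ("tron", "TZB4NrX7k9ZsV6PRc1GigAztLL8WHpLvwP"): "Amnokgang",
    ("tron", "TDe2UNAvuUnTbbDo7518eMe3TXN5qJW8Ft"): "Amnokgang",
    ("eth", "0xb637f84b66876ebf609c2a4208905f9ddac9d075"): "Yun Song Guk",
    ("eth", "0x95584C303FCd48AF5c6B9873015f2AD0ca84EaE3"): "Yun Song Guk",
    ("btc", "bc1qyy5pt5cx3zth8xlj92lq5y87dh8xv3nwgs4ncq"): "Hoang Minh Quang",
}

# Constructed placeholder for a hack-attributed cluster seed: no Drift or Radiant
# attacker address is public in the article, so this one is invented for the demo.
HACK_CLUSTER = {("eth", "0x" + "a1" * 20): "hack-cluster (constructed)"}


def norm(chain, addr):
    """EVM hex addresses are case-insensitive; TRON/Bitcoin base58 and bech32 are not."""
    return (chain, addr.lower() if chain == "eth" else addr)


def seeds():
    """Merge both former filter categories into one seed set: node -> (category, label)."""
    merged = {norm(*k): ("it-worker", v) for k, v in OFAC_2026_03_12.items()}
    merged.update({norm(*k): ("hack", v) for k, v in HACK_CLUSTER.items()})
    return merged


def build_graph(transfers):
    """Undirected adjacency over (chain, addr) nodes; any transfer links both endpoints."""
    adj = {}
    for chain, src, dst, _amount in transfers:
        a, b = norm(chain, src), norm(chain, dst)
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def exposure(transfers, max_hops=3):
    """Multi-source BFS from every seed. Returns node -> (hops, category, label),
    keeping the smallest hop count; hop 0 is a designated address itself."""
    adj = build_graph(transfers)
    dist, queue = {}, deque()
    for node, (cat, label) in seeds().items():
        dist[node] = (0, cat, label)
        queue.append(node)
    while queue:
        node = queue.popleft()
        hops, cat, label = dist[node]
        if hops >= max_hops:
            continue
        for nxt in adj.get(node, ()):
            if nxt not in dist:
                dist[nxt] = (hops + 1, cat, label)
                queue.append(nxt)
    return dist


def tier(hops):
    return {0: "designated", 1: "direct"}.get(hops, "transitive")


def audit_payroll(payments, transfers, max_hops=3):
    """Screen each contractor payout address against the consolidated graph.
    Every hit carries the single category 'dprk-graph' plus the seed it traces to."""
    exp = exposure(transfers, max_hops)
    hits = []
    for contractor, chain, addr in payments:
        key = norm(chain, addr)
        if key in exp:
            hops, cat, label = exp[key]
            hits.append({"contractor": contractor, "chain": chain, "hops": hops,
                         "tier": tier(hops), "category": "dprk-graph",
                         "via": f"{cat}:{label}"})
    return hits


# Constructed transfers: (chain, from, to, amount). Placeholder addresses only.
SAMPLE_TRANSFERS = [
    ("eth", "0x" + "a1" * 20, "0x" + "b2" * 20, 120.0),   # hack cluster -> hop 1
    ("eth", "0x" + "b2" * 20, "0x" + "c3" * 20, 60.0),    # hop 1 -> hop 2 (a payroll wallet)
    ("eth", "0x" + "c3" * 20, "0x" + "d4" * 20, 5.0),     # hop 3
    ("eth", "0x" + "d4" * 20, "0x" + "e5" * 20, 1.0),     # hop 4, beyond the default depth
    ("eth", "0x" + "f6" * 20, "0xCB74874F1E06FCF80A306E06E5379A44B488BA2D", 3.0),  # pays Amnokgang, upper-case hex
    ("tron", "T" + "x" * 33, "TNrX2FwrHKoo4XACGkmSzqeK4pdnKYn6Z7", 2000.0),
]

# Constructed contractor payout history: (contractor, chain, destination address).
SAMPLE_PAYROLL = [
    ("dev-A", "eth", "0x" + "C3" * 20),   # 2 hops from the hack cluster; on no IT-worker list
    ("dev-B", "eth", "0x" + "f6" * 20),   # direct counterparty of a designated Amnokgang address
    ("dev-C", "eth", "0x" + "e5" * 20),   # 4 hops: outside the screening depth, not flagged
    ("dev-D", "btc", "bc1qyy5pt5cx3zth8xlj92lq5y87dh8xv3nwgs4ncq"),  # designated address itself
]

if __name__ == "__main__":
    for hit in audit_payroll(SAMPLE_PAYROLL, SAMPLE_TRANSFERS):
        print(hit)
```

The search is undirected, so inbound and outbound counterparties both count as exposure, which matches the "interacted with" framing in step one; dev-A is flagged at hop 2 through the hack-cluster seed even though it never appears in any IT-worker record, which is the consolidation step two asks for. A production pipeline would add direction and amount weighting, and the hop budget is a recall-versus-false-positive dial: raising `max_hops` from 3 to 4 would pull dev-C in.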
DPRK crypto operations in 2026 are not two separate ecosystems. Drift's own post-mortem and Chainalysis's own attribution analysis, taken together, point to a single upstream wallet graph behind both the hack-and-steal cluster and the IT-worker revenue network. The triangle — Drift staging chain, Radiant Capital October 2024 exploit, Amnokgang downstream funds — closes on the timing, the attribution overlap, and the geographic-infrastructure consistency.
For compliance teams: screen for the graph, not for the labeled category. The categories are how the public reporting is filed. The graph is how the operation actually runs.
The four publicly-named Western employers are the visible portion. The hidden 70, 136, and 40-plus DeFi protocols are the much larger universe. The compliance pipelines that recognize this — and the threat-intelligence integrations that consolidate hack-attribution and IT-worker-attribution into a single category — produce materially better risk decisions than the pipelines that maintain the separation.
Sanctuary publishes this analysis as an exclusive research contribution. The hypothesis is testable; the published attributions that anchor it are auditable; the structural compliance implication is operational today.
The two attributions exist. The triangle closes. The compliance pipelines should follow.
The structural consequence: a compliance officer at any crypto company in 2026 has roughly 200-plus implicitly-named peers, four explicitly-named peers, and no way to determine whether their own contractor wallets have touched the network. The risk-base is wide; the identification is narrow.