
Months-Long Social Engineering Campaign Leads to $310 Million Loss at NorthRiver Exchange

The incident unfolded over nearly six months, with threat actors using online social engineering and in-person engagement to gain access to internal systems.

April 7, 2026 — A prolonged and highly coordinated social engineering operation targeting NorthRiver Exchange has resulted in the unauthorized transfer of approximately $310 million in digital assets, according to sources familiar with the response.

The incident, which unfolded over nearly six months, is drawing attention across the cybersecurity community for its unconventional approach. Rather than exploiting software vulnerabilities or deploying malware, investigators say the attackers focused on building trust both online and in person, before leveraging that trust to gain access to legitimate systems and workflows.

Security teams have attributed the activity to a group now being tracked as Silent Ledger Collective.

According to multiple sources, the operation began with the creation of carefully constructed digital identities. These personas were designed to appear credible within professional and cryptocurrency-focused communities, complete with consistent activity, industry engagement, and verifiable backgrounds.

Over time, the individuals behind these identities became active participants in discussions, networking spaces, and industry events, gradually establishing themselves as legitimate actors within the ecosystem.

What distinguishes this campaign from more traditional cyber incidents is its progression beyond the digital environment. Investigators say members of the group engaged in real-world interactions, meeting with professionals and stakeholders connected to NorthRiver Exchange under the guise of investors, collaborators, or strategic partners.

These interactions were described as routine at the time and did not raise immediate suspicion.

By the later stages of the operation, the group is believed to have developed trusted relationships with individuals who had proximity to NorthRiver’s operational environment. This trust, rather than any technical exploit, became the primary access vector.

Instead of breaching systems directly, the attackers appear to have gained access through legitimate channels, either by influencing internal processes, obtaining authorized credentials, or operating within established workflows. Because the activity aligned with expected user behavior, it did not trigger traditional security alerts.

“The challenge here is that nothing looked inherently malicious from a systems perspective,” one source involved in the investigation said. “The actions themselves were valid. It was the intent behind them that wasn’t.”

Once sufficient access was established, the group initiated a series of transactions using authenticated mechanisms. These transactions, while unauthorized in intent, were executed in a manner consistent with normal operations, allowing them to proceed without immediate detection.

By the time irregularities were identified, approximately $310 million in digital assets had already been transferred out of controlled accounts.

NorthRiver Exchange has not publicly confirmed the number of systems or accounts impacted but acknowledged that the incident involved “unauthorized activity conducted through legitimate access pathways.”

The company has since launched a comprehensive internal review, focusing on access governance, transaction authorization protocols, and third-party relationship management. Additional controls are being introduced, including enhanced verification requirements for high-value transactions and expanded behavioral monitoring to identify anomalies that fall outside of technical indicators alone.
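The article does not say what NorthRiver's new verification and monitoring controls look like. As an added illustration, and not code from NorthRiver or the investigation, the block below sketches a transfer-authorization policy of the kind those controls imply: dual control above a threshold (approvers must be distinct people holding an approver role, never the initiator), a destination allowlist, and a behavioural baseline that holds a transfer when the day's outflow falls outside the initiator's own history. The account names, thresholds, and thirty days of history are constructed sample data. The point it demonstrates is the one the article makes: a transfer that is fully authenticated and individually valid can still be held for review when the policy looks at who approved it, where it is going, and how it compares with normal activity.

```python
"""Transfer-authorization policy: dual control, destination allowlist, behavioural baseline.

Hypothetical illustration; names, thresholds and sample history are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    initiator: str          # authenticated account that submitted the transfer
    amount_usd: float
    destination: str        # withdrawal address or counterparty id
    ts: datetime
    approvers: tuple = ()   # accounts that signed off on it


@dataclass
class Policy:
    dual_control_threshold: float = 1_000_000.0   # hypothetical value
    required_approvers: int = 2
    allowlisted_destinations: frozenset = frozenset()
    baseline_days: int = 30
    zscore_limit: float = 3.0


def daily_outflow(history, initiator, start, end):
    """Outflow per calendar day for one initiator; days with no activity count as 0."""
    totals = {start + timedelta(days=i): 0.0 for i in range((end - start).days + 1)}
    for t in history:
        d = t.ts.date()
        if t.initiator == initiator and d in totals:
            totals[d] += t.amount_usd
    return totals


def evaluate(tx, history, policy, roles):
    """Return ("ALLOW", []) or ("HOLD", [reasons]) for an already-authenticated transfer."""
    reasons = []

    # Dual control: distinct people with the approver role, and never the initiator itself.
    if tx.amount_usd >= policy.dual_control_threshold:
        valid = {a for a in tx.approvers if a != tx.initiator and roles.get(a) == "approver"}
        if len(valid) < policy.required_approvers:
            reasons.append(f"dual control: {len(valid)} valid approver(s), need {policy.required_approvers}")

    # Destination allowlist: authorization is checked against the payee, not just the payer.
    if tx.destination not in policy.allowlisted_destinations:
        reasons.append(f"destination {tx.destination} not allowlisted")

    # Behavioural baseline: today's outflow including this transfer vs the initiator's prior days.
    today = tx.ts.date()
    totals = daily_outflow(history, tx.initiator, today - timedelta(days=policy.baseline_days), today)
    today_total = totals.pop(today) + tx.amount_usd
    prior = list(totals.values())
    mu, sigma = mean(prior), pstdev(prior)
    if sigma > 0:
        anomalous = (today_total - mu) / sigma > policy.zscore_limit
    else:
        anomalous = today_total > mu   # flat baseline: any increase is out of pattern
    if anomalous:
        reasons.append(f"outflow {today_total:,.0f} USD vs baseline mean {mu:,.0f} USD")

    return ("HOLD", reasons) if reasons else ("ALLOW", [])


# Constructed sample data: thirty days of routine activity by one operator (hypothetical).
ROLES = {"ops-alice": "operator", "dave": "operator", "bob": "approver", "carol": "approver"}
T0 = datetime(2026, 3, 1, 9, 0)
HISTORY = [
    Transfer(f"tx-{i}", "ops-alice", 60_000 + 5_000 * (i % 4), "cold-wallet-1", T0 + timedelta(days=i))
    for i in range(30)
]
POLICY = Policy(allowlisted_destinations=frozenset({"cold-wallet-1", "custodian-2"}))
NOW = datetime(2026, 3, 31, 10, 0)


def demo():
    """Three transfers from the same authenticated account; only the routine one is allowed."""
    routine = Transfer("t1", "ops-alice", 70_000, "cold-wallet-1", NOW)
    self_approved = Transfer("t2", "ops-alice", 40_000_000, "unknown-addr", NOW, ("ops-alice", "dave"))
    properly_approved = Transfer("t3", "ops-alice", 40_000_000, "custodian-2", NOW, ("bob", "carol"))
    return {t.tx_id: evaluate(t, HISTORY, POLICY, ROLES) for t in (routine, self_approved, properly_approved)}


if __name__ == "__main__":
    for tx_id, (verdict, reasons) in demo().items():
        print(tx_id, verdict, reasons)
```

The third case is the instructive one: both approvals are genuine and the destination is allowlisted, yet the transfer is still held because it is far outside the initiator's own pattern. A hold of that kind is a review queue, not a block; what it buys is a human look at a transaction that every technical indicator would otherwise pass.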

Cybersecurity experts say the incident underscores a broader shift in the threat landscape, where attackers increasingly target human trust rather than technical weaknesses.

“This is a reminder that security isn’t just about defending systems—it’s about validating relationships,” said one industry analyst. “When an attacker can operate inside trusted boundaries, traditional defenses become far less effective.”

The blending of online persona development with in-person interaction is also raising new concerns about the convergence of physical and digital attack surfaces, particularly in industries where networking and partnership-building are core to operations.

While investigations into the full scope of the campaign remain ongoing, the incident is already being cited as a case study in how long-term social engineering can bypass even mature security environments.

There were no exploited vulnerabilities, no malware deployments, and no perimeter breaches.

Instead, the operation succeeded by embedding itself within the very systems of trust organizations rely on to function.

Watching the perimeter — and what slips past it. — Ayaan Chowdhury
