On the morning of April 1, 2026, Drift Protocol, a Solana-based decentralized perpetuals exchange with over $1 billion in open interest, paused all operations and began alerting users that funds had been drained. By the time the incident was fully understood, $285 million in user assets were gone. The theft had taken 12 minutes to execute.
The preparation had taken six months.
What followed the initial shock was the gradual exposure of one of the most elaborate cyberattacks in the history of decentralized finance: not a code exploit, not a flash loan, not an oracle manipulation, but a sustained, multi-country social engineering operation run by North Korean state-sponsored hackers who attended crypto conferences in person, built genuine professional relationships with Drift contributors, and manipulated real Security Council members into signing transactions that quietly handed control of the protocol to an attacker-controlled address.
TRM Labs subsequently attributed the attack with medium-high confidence to UNC4736, the North Korean threat actor also tracked as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces, a subunit of the Lazarus Group responsible for multiple billion-dollar crypto thefts.
This is the full story of how it happened.
Phase 1: The Long Approach (Fall 2025)
The attack began in the fall of 2025, approximately five months before any money moved.
A group presenting themselves as representatives of a quantitative trading firm began appearing at major crypto conferences across multiple countries. The individuals were not North Korean nationals; DPRK operations at this level routinely deploy third-party intermediaries (people who may not know they are working for the North Korean state) to conduct face-to-face relationship building. Their role was to establish credibility, generate a paper trail of legitimate-seeming interactions, and identify the specific individuals within the Drift team and Security Council who would become targets.
The fake firm presented a polished front: a professional website, a documented history of activity in crypto markets, and knowledgeable staff who could hold technical conversations about perpetuals mechanics, Solana architecture, and liquidity provision. They expressed interest in "integrating" with Drift, a natural approach for a trading firm and completely unsuspicious on its face.
Over months, they built relationships with Drift contributors through conference conversations, Telegram messages, and eventually calls. They attended follow-up events. They were patient.
This phase has no visible on-chain footprint. It is invisible in blockchain analytics. The only evidence is testimonial: contributors who remember meeting these individuals, email threads, conference photographs.
Phase 2: On-Chain Staging (March 11 to March 30, 2026)
On March 11, 2026, three weeks before the theft, the attacker's infrastructure began appearing on-chain.
Three parallel tracks ran simultaneously:
Track 1: The Fake Collateral Asset
The attacker created a token called CarbonVote Token (CVT), a completely synthetic asset with no legitimate backing, seeded with a few thousand dollars in liquidity across two decentralized exchanges. A modest wash-trading operation was run through those pools to generate apparent trading volume and price history.
The goal was to trick Drift's oracle infrastructure (the price feed system that determines the value of assets used as collateral) into treating CVT as a legitimate asset worth hundreds of millions of dollars. Drift, like most DeFi perpetuals platforms, relies on oracle inputs to value collateral positions. A sufficiently manipulated price feed for a low-liquidity token can produce grossly inflated collateral valuations.
This is the mechanism that turned a few thousand dollars into apparent collateral worth $285 million.
Track 2: Durable Nonce Infrastructure
Solana's durable nonces feature allows transactions to be signed in advance and executed later, a feature designed for legitimate use cases like cold wallet signing and multi-party authorization workflows. The attacker pre-built a transaction execution infrastructure using durable nonces, staging the withdrawal instructions weeks before they would be used.
This meant that when execution day came, the theft could be completed in seconds per step rather than requiring real-time transaction construction.
Track 3: Security Council Manipulation
This is the most audacious element of the operation.
Drift Protocol's security model relied on a Security Council, a multi-signature governance body empowered to execute emergency protocol changes. The attackers had spent months building relationships with specific Security Council members through the fake trading firm persona.
Between March 23 and March 30, the attacker, operating under the guise of a legitimate integration discussion, presented Security Council members with transactions to sign. The transactions were described as routine governance operations related to the integration. In reality, they contained hidden instructions using Solana's composable transaction format: while the visible portions of the transactions appeared benign, embedded instructions transferred administrative control of Drift's core contracts to an attacker-controlled address.
Security Council members signed. They saw what appeared to be standard governance operations. They did not detect the embedded malicious instructions.
Critically, the attacker had also identified and exploited a zero-timelock Security Council migration, a governance configuration that allowed administrative changes to execute immediately, without the 24-48 hour delay that would have given the community time to detect and respond to the suspicious transaction.
By the end of March, the attacker held pre-signed administrative authority over Drift's contracts. The only remaining step was execution.
Phase 3: The 12-Minute Drain (April 1, 2026)
At approximately 08:47 UTC on April 1, execution began.
Using the administrative access acquired through the manipulated Security Council signatures, the attacker:
- Upgraded Drift's vault contracts to malicious versions that routed withdrawals to attacker-controlled addresses
- Used CVT's manipulated oracle price to post it as collateral and borrow against it at face value
- Executed the durable-nonce-staged withdrawal transactions in rapid sequence
- Drained approximately $285 million in SOL, USDC, and BTC-derivative positions across Drift's liquidity pools
The entire drain completed in approximately 12 minutes. Within hours, the stolen funds were bridged from Solana to Ethereum (a standard laundering technique that breaks the direct on-chain trail) and began passing through mixers and OTC desks associated with DPRK operations.
By the time Drift's team detected the anomaly and paused contracts, the funds were gone.
Attribution: Why TRM Points to DPRK
TRM Labs' attribution to UNC4736 / Lazarus Group rests on several pillars:
On-chain laundering patterns: The post-theft fund movement followed pathways consistent with DPRK-linked operations: specific bridge choices, mixer usage timing, and OTC conversion patterns that overlap with prior attributed hacks including Bybit (February 2025) and the Ronin bridge (2022).
Operational tradecraft: The use of third-party intermediaries for face-to-face relationship building, the months-long patience of the approach, the construction of elaborate fake organizational identities; these are consistent with documented DPRK tactics. Most criminal hackers do not spend six months at industry conferences before stealing.
CarbonVote Token construction: The fabricated collateral asset approach mirrors techniques used in prior DPRK-attributed exploits where synthetic assets were used to fool oracle infrastructure.
Technical infrastructure: Blockchain forensics revealed wallet addresses and transaction patterns linked to known DPRK-controlled infrastructure through historical clustering analysis.
Attribution in cyber operations is never absolute, and TRM was explicit in qualifying its confidence level as "medium." But the weight of evidence is consistent with the DPRK hypothesis, and no credible alternative attribution has emerged.
The DeFi Security Failures It Exposed
The Drift hack exposed multiple compounding security failures:
1. Oracle Manipulation Still Works
The CVT fake collateral attack is a variation on a class of oracle manipulation exploits that have been documented for years. Drift's oracle infrastructure should have included:
- Price circuit breakers that reject collateral valuations with insufficient liquidity depth
- Time-weighted average price (TWAP) requirements that resist short-term price manipulation
- Collateral whitelisting that restricts accepted collateral to vetted, high-liquidity assets
None of these controls adequately blocked the CVT manipulation.
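The three controls above can be seen working together in a simplified collateral valuation routine. This is an added example, not Drift's oracle code; the asset names, pool depth, price history, policy thresholds and token quantity are all constructed, with the quantity chosen so that a naive spot valuation of the pumped token reaches the $285 million figure from the article.

```python
"""Collateral valuation with liquidity-depth circuit breaker, TWAP and whitelist.

Added illustration, not Drift Protocol's code. Every number below (pool depth,
price history, thresholds, token quantity) is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class PricePoint:
    ts: int        # unix seconds (constructed)
    price: float   # USD per token (constructed)


@dataclass
class CollateralAsset:
    symbol: str
    pool_liquidity_usd: float                 # total DEX depth backing the price
    history: List[PricePoint] = field(default_factory=list)

    def spot(self) -> float:
        return self.history[-1].price

    def twap(self, window_s: int) -> float:
        """Time-weighted average over the trailing window; each observed price
        is weighted by how long it held before the next observation."""
        cutoff = self.history[-1].ts - window_s
        pts = [p for p in self.history if p.ts >= cutoff]
        if len(pts) < 2:
            return pts[-1].price
        weighted = sum(a.price * (b.ts - a.ts) for a, b in zip(pts, pts[1:]))
        return weighted / (pts[-1].ts - pts[0].ts)


@dataclass
class CollateralPolicy:
    whitelist: Set[str]              # empty set means "no whitelist enforced"
    min_liquidity_usd: float         # reject assets backed by thinner pools
    twap_window_s: int
    max_spot_twap_dev: float         # 0.10 = spot may exceed TWAP by at most 10%
    max_value_to_depth: float        # accepted value capped at this share of depth

    def value(self, asset: CollateralAsset, qty: float) -> Tuple[float, str]:
        """Return (accepted collateral value in USD, reason)."""
        if self.whitelist and asset.symbol not in self.whitelist:
            return 0.0, "rejected: asset not whitelisted"
        if asset.pool_liquidity_usd < self.min_liquidity_usd:
            return 0.0, "rejected: insufficient liquidity depth"
        spot, twap = asset.spot(), asset.twap(self.twap_window_s)
        reasons = []
        if spot > twap * (1 + self.max_spot_twap_dev):
            reasons.append("circuit breaker: spot above TWAP band, valued at TWAP")
        price = min(spot, twap)              # never value above the TWAP
        value = qty * price
        cap = asset.pool_liquidity_usd * self.max_value_to_depth
        if value > cap:
            reasons.append("capped at share of pool depth")
            value = cap
        return value, "; ".join(reasons) or "ok"


def naive_value(asset: CollateralAsset, qty: float) -> float:
    """What a spot-only oracle reports: the failure mode the article describes."""
    return qty * asset.spot()


def demo_oracle() -> Dict[str, float]:
    # Constructed: an hour of wash-traded history at $0.01, then a pump to
    # $10,000 sixty seconds before the collateral is posted.
    history = [PricePoint(ts, 0.01) for ts in range(0, 3601, 600)]
    history.append(PricePoint(3660, 10_000.0))
    cvt = CollateralAsset("CVT", pool_liquidity_usd=5_000.0, history=history)
    qty = 28_500.0  # constructed so the spot valuation is exactly $285,000,000

    strict = CollateralPolicy({"SOL", "USDC"}, 1_000_000.0, 3600, 0.10, 0.25)
    no_whitelist = CollateralPolicy(set(), 1_000.0, 3600, 0.10, 0.25)

    return {
        "naive_usd": naive_value(cvt, qty),
        "whitelist_policy_usd": strict.value(cvt, qty)[0],
        "twap_policy_usd": no_whitelist.value(cvt, qty)[0],
    }


if __name__ == "__main__":
    for name, usd in demo_oracle().items():
        print(f"{name:>22}: ${usd:,.2f}")
```

The whitelist rejects the position outright; even with the whitelist and depth check switched off, valuing at the minimum of spot and TWAP shrinks the same position from a nominal $285 million to a few hundred dollars, which is the point of layering the controls rather than relying on any one of them.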
2. Zero-Timelock Governance Is a Critical Vulnerability
The absence of a timelock on Security Council migrations turned a governance system designed to protect the protocol into a weapon against it. A 48-hour timelock, a standard security practice in DeFi, would have given the community time to detect the malicious transactions before they executed.
Timelocks cost governance speed. The absence of timelocks costs funds.
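A minimal model of the control that was missing, added here as an illustration and not Drift's governance code: administrative changes enter a queue, cannot execute before a delay that the configuration is not allowed to set to zero, and can be vetoed during the waiting window. Delays, timestamps, action names and the placeholder admin address are constructed.

```python
"""Timelocked administrative change queue with a policy floor on the delay.

Added illustration, not Drift Protocol's governance code. Delays, timestamps,
action names and the NEW_ADMIN_PLACEHOLDER label are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict

POLICY_MIN_DELAY_S = 48 * 3600   # 48-hour floor; a zero-delay configuration is refused


class TimelockError(Exception):
    pass


@dataclass
class QueuedAction:
    description: str
    eta: int                 # earliest execution time (unix seconds)
    executed: bool = False
    cancelled: bool = False


@dataclass
class Timelock:
    delay_s: int
    queue: Dict[str, QueuedAction] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # The delay is a policy constant, not something a migration can configure away.
        if self.delay_s < POLICY_MIN_DELAY_S:
            raise TimelockError(f"delay {self.delay_s}s below policy floor {POLICY_MIN_DELAY_S}s")

    def schedule(self, action_id: str, description: str, now: int) -> int:
        """Queue an administrative change; it becomes executable only at now + delay."""
        if action_id in self.queue:
            raise TimelockError("duplicate action id")
        self.queue[action_id] = QueuedAction(description, eta=now + self.delay_s)
        return self.queue[action_id].eta

    def cancel(self, action_id: str) -> None:
        """Guardian veto during the waiting window, e.g. after community review."""
        action = self.queue[action_id]
        if action.executed:
            raise TimelockError("already executed")
        action.cancelled = True

    def execute(self, action_id: str, now: int) -> str:
        action = self.queue[action_id]
        if action.cancelled:
            raise TimelockError("cancelled during review window")
        if action.executed:
            raise TimelockError("already executed")
        if now < action.eta:
            raise TimelockError(f"not ready: {action.eta - now}s remaining")
        action.executed = True
        return action.description


def zero_delay_is_refused() -> bool:
    try:
        Timelock(delay_s=0)
    except TimelockError:
        return True
    return False


def demo_timelock() -> Dict[str, object]:
    """Constructed timeline: schedule at t=0, try to execute at t=60, the
    guardian cancels after reviewers spot the admin change; a second,
    uncontested action executes once its delay has elapsed."""
    tl = Timelock(delay_s=POLICY_MIN_DELAY_S)
    eta = tl.schedule("mig-1", "migrate council admin to NEW_ADMIN_PLACEHOLDER", now=0)
    try:
        tl.execute("mig-1", now=60)
        early = "executed"
    except TimelockError as e:
        early = str(e)
    tl.cancel("mig-1")
    try:
        tl.execute("mig-1", now=eta)
        after_cancel = "executed"
    except TimelockError as e:
        after_cancel = str(e)
    eta2 = tl.schedule("mig-2", "raise integration fee cap", now=0)
    legit = tl.execute("mig-2", now=eta2)
    return {"eta": eta, "early": early, "after_cancel": after_cancel, "legit": legit}
```

The cost the article names is visible in the model: nothing administrative happens for two days, including legitimate changes. The benefit is that the window exists at all, which is what lets a community or guardian act on a transaction it only understood after it was signed.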
3. Transaction Opacity in Multi-sig Signing
Security Council members signed transactions they did not fully verify. This is a human problem amplified by technical design: Solana's composable transaction format allows complex instruction sets to be bundled in ways that may not surface legibly in standard multi-sig signing interfaces.
Hardware wallet manufacturers and multi-sig interfaces need to invest in transaction simulation and plain-language disclosure of what a transaction actually does before the user signs.
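The check a signing interface should perform can be stated as a small policy: decode every instruction in the bundle, render each one in plain language with its accounts named, and refuse approval when any instruction is undecodable, privileged, or simply not part of what the counterparty said the transaction does. The example below is added here and is not code from Drift, Solana or any wallet vendor; program labels, discriminators, account names and the "stated intent" are constructed, mimicking only the shape of a Solana transaction (an ordered list of instructions, each naming a program, accounts and opaque data). It also covers the durable-nonce staging from Phase 2: a pre-signed transaction carries a nonce-advance instruction, which this review surfaces as an undeclared instruction rather than letting it pass unseen.

```python
"""Signer-side review of a bundled transaction before a multi-sig member approves it.

Added illustration, not code from Drift, Solana or any wallet vendor. Program
labels, instruction discriminators, account labels and the stated intent are
constructed; they mimic Solana's transaction shape, not real program layouts.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Instruction:
    program: str               # constructed program label
    data: bytes                # data[0] acts as the instruction discriminator
    accounts: Tuple[str, ...]  # constructed account labels, in program order


# Constructed decoder table: (program label, discriminator) -> readable name.
DECODER = {
    ("perps_v2", 0x01): "update_integration_params",
    ("perps_v2", 0x07): "set_admin",                   # hands over admin authority
    ("upgradeable_loader", 0x03): "upgrade_program",   # swaps program bytecode
    ("system", 0x04): "advance_nonce_account",         # durable-nonce marker
    ("token", 0x03): "token_transfer",
}
PRIVILEGED: Set[str] = {"set_admin", "upgrade_program"}


def decode(ix: Instruction) -> str:
    return DECODER.get((ix.program, ix.data[0]), "UNKNOWN")


def describe(ix: Instruction, name: str) -> str:
    """Plain-language line a signing UI should show, with accounts named."""
    if name == "set_admin":
        return f"set_admin: admin authority of {ix.accounts[0]} -> {ix.accounts[1]}"
    if name == "upgrade_program":
        return f"upgrade_program: replace code of {ix.accounts[0]} with buffer {ix.accounts[1]}"
    if name == "advance_nonce_account":
        return "advance_nonce_account: transaction was pre-signed for deferred execution"
    return f"{name}: accounts {list(ix.accounts)}"


def review(tx: List[Instruction], stated_intent: Set[str]) -> Dict[str, object]:
    """Compare what the counterparty said the transaction does with what every
    instruction in it actually does. Any undecodable, privileged or undeclared
    instruction blocks approval."""
    summary, findings = [], []
    for i, ix in enumerate(tx):
        name = decode(ix)
        summary.append(f"ix[{i}] {describe(ix, name)}")
        if name == "UNKNOWN":
            findings.append(f"ix[{i}]: undecodable instruction for {ix.program}; refuse blind signing")
        elif name in PRIVILEGED and name not in stated_intent:
            findings.append(f"ix[{i}]: privileged {name} not in stated intent")
        elif name not in stated_intent:
            findings.append(f"ix[{i}]: {name} not in stated intent")
    return {"summary": summary, "findings": findings, "approve": not findings}


def demo_review() -> Dict[str, object]:
    intent = {"update_integration_params"}   # what the signer was told
    benign = [Instruction("perps_v2", b"\x01", ("integration_config",))]
    # Constructed: the declared instruction first, an authority transfer behind it.
    bundled = benign + [
        Instruction("perps_v2", b"\x07", ("protocol_state", "ATTACKER_ADDRESS_PLACEHOLDER")),
    ]
    # Constructed: the same declared instruction, but pre-signed via a durable nonce.
    staged = [Instruction("system", b"\x04", ("nonce_account", "nonce_authority"))] + benign
    ok, bad, deferred = review(benign, intent), review(bundled, intent), review(staged, intent)
    return {
        "benign_approved": ok["approve"],
        "bundled_approved": bad["approve"],
        "bundled_findings": bad["findings"],
        "bundled_summary": bad["summary"],
        "staged_approved": deferred["approve"],
    }


if __name__ == "__main__":
    for line in demo_review()["bundled_summary"]:
        print(line)
```

The rule that matters is the last one in `review`: an instruction the signer was not told about is a reason to stop even when it is not privileged, because the signer cannot judge what a surprise instruction is for. Showing the destination account by name in `describe` is what turns "a routine governance operation" into "admin authority moves to an address I do not recognise".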
4. Social Engineering Remains the Dominant Attack Vector
For the second major DeFi hack in succession (following Bybit), the technical vulnerability was not in the code; it was in the people. Attackers did not find a bug in Drift's contracts. They found a gap in Drift's security culture: a team that had not been trained to recognize a sustained, professional social engineering operation.
No smart contract audit catches this. No bug bounty program incentivizes finding it. It requires a completely different security practice: operational security training, threat modeling for social engineering, and governance processes that assume signers may be compromised.
The North Korea Context
The Drift hack did not happen in isolation. According to TRM Labs, North Korean hackers accounted for 76% of all 2026 crypto hack losses through April β $577 million out of a total $759 million. Since 2017, DPRK-linked operations have stolen over $6 billion in cryptocurrency.
The scale is not incidental. Cryptocurrency theft is now a significant component of North Korea's state revenue, used to fund its weapons programs and circumvent international sanctions. The UN Panel of Experts has estimated that crypto theft funds a material portion of the DPRK's missile and nuclear development budget.
This is not opportunistic criminal activity. It is state-sponsored economic warfare, and it is getting more sophisticated. The Drift operation represents a qualitative escalation from prior DPRK tactics: longer planning horizons, deeper social infiltration, and multi-vector attacks that combine social engineering with technical execution in ways that defeat security controls designed to stop only one or the other.
What Needs to Change in DeFi
The Drift hack demands changes at multiple levels:
Protocol-level: Mandatory timelocks on all administrative migrations, collateral whitelisting with liquidity minimums, multi-oracle price validation, and smart contract upgrade delays across all governance-controlled contracts.
Tooling-level: Transaction simulation in hardware wallets and multi-sig interfaces. No governance signer should be able to execute a transaction without seeing a plain-language description of what it does on-chain.
Operational-level: Social engineering awareness training for core contributors. Background verification for professional relationships that progress to access-relevant discussions. A presumption that anyone seeking integration discussions is a potential attacker until proven otherwise.
Ecosystem-level: Cross-protocol threat intelligence sharing. When a new entity appears at conferences specifically targeting multiple protocols' contributors, this should trigger alerts, not just post-mortems.
The $285 Million Question
Drift Protocol has announced a recovery fund and is working with law enforcement and blockchain analytics firms. Recovery from DPRK-linked hacks is historically rare: North Korea has sophisticated operational security for laundering, and the funds typically disappear into OTC markets within weeks.
For users who held funds on Drift, the realistic outcome is partial recovery at best, over an extended timeframe, through legal and protocol-level remediation rather than fund return.
For the industry, the outcome is a concrete lesson in the difference between smart contract security and protocol security. The code was audited. The governance was not.
This article is provided for informational purposes only and does not constitute financial or legal advice.
Sources:
- North Korean Hackers Attack Drift Protocol In $285M Heist (TRM Labs)
- Drift Protocol Hack: How Privileged Access Led to a $285M Loss (Chainalysis)
- $285M Drift Hack Traced to Six-Month DPRK Social Engineering Operation (The Hacker News)
- Drift Protocol Exploit: Why "Social Trust" Is the Newest Cybersecurity Gap (Crowell & Moring)