PROBABLYPWNED
Data Breaches | April 4, 2026 | 3 min read

North Korea Behind $285M Drift Protocol Heist

Solana's Drift Protocol lost $285 million in 2026's largest DeFi hack. TRM Labs attributes the attack to North Korean actors who exploited oracle manipulation and pre-signed transactions.

Sarah Mitchell

Drift Protocol, a decentralized exchange on Solana, lost approximately $285 million on April 1 in what TRM Labs believes was a North Korean state-sponsored attack. The heist ranks as the largest DeFi exploit of 2026 and the second-largest in Solana's history behind the 2022 Wormhole bridge hack.

The attackers combined social engineering, oracle manipulation, and governance exploitation into a multi-week operation that culminated in 31 withdrawal transactions completed in just 12 minutes.

How the Attack Unfolded

TRM Labs documented the attack timeline:

  • March 11: Attackers withdrew 10 ETH from Tornado Cash to begin staging
  • March 12: Deployed infrastructure for CarbonVote Token (CVT), a fake asset used in the exploit
  • March 23-30: Created "durable nonce" accounts containing pre-signed transactions
  • March 27: Security Council migrated to a 2/5 multisig threshold with zero timelock
  • April 1: Execution—31 withdrawals in approximately 12 minutes
  • April 2: Drift confirmed the breach

The fake token component is particularly notable. Attackers minted 750 million CVT tokens, seeded a small liquidity pool on Raydium (approximately $500), then used wash trading to establish a price history near $1. Over time, Drift's oracles picked up this artificial signal and treated CVT as legitimate collateral worth hundreds of millions.

The Social Engineering Vector

Before the on-chain exploitation, attackers induced Security Council signers to pre-sign transactions that "appeared routine but carried hidden authorizations for critical admin actions," according to TRM Labs.

The governance exploitation was enabled by a zero-timelock migration to the Security Council, which eliminated any detection window. By the time anyone noticed something was wrong, the funds were already moving.

This pattern mirrors Lazarus Group operations we've covered previously, where patient reconnaissance and social engineering precede rapid financial extraction. The attackers demonstrated what TRM Labs called "staggering confidence" in their ability to move large sums quickly.

Impact and Response

Drift's total value locked plummeted from $550 million to under $300 million within an hour. The DRIFT token dropped over 40 percent during the incident, sending shockwaves across Solana's DeFi ecosystem.

Stolen assets—USDC, JLP, SOL, WBTC, and others—were bridged primarily to Ethereum within hours of extraction. Greyphish and similar monitoring tools flagged the unusual bridge activity, but by then the funds had already moved through multiple hops.

Blockchain investigator ZachXBT publicly criticized Circle for not freezing the stolen USDC quickly enough, noting that millions in stablecoins flowed freely through exchanges even after the hack was publicly known.

Why This Matters

This attack demonstrates the evolution of North Korean crypto theft operations. Rather than exploiting smart contract bugs directly, the attackers compromised the human and governance layers surrounding the protocol. Pre-signed transactions, manipulated oracles, and social engineering created an attack surface that purely technical audits wouldn't catch.

For DeFi protocols, the lessons are uncomfortable:

  1. Timelocks on governance changes aren't optional—zero-timelock migrations created the exploitation window
  2. Oracle manipulation through wash trading is a real threat—protocols need more sophisticated price validation
  3. Pre-signed transactions are a vector—multisig signers need to understand exactly what they're approving
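
The thin-pool story above and lesson 2 both come down to one control: an oracle mark should not count toward borrowing power until the pool behind it has been vetted. The following is an added example, not Drift's code, of such a collateral-admission gate; the PoolStats fields, the thresholds and the wallet-concentration heuristic for wash trading are all assumptions chosen for illustration.

```rust
// Added example (not Drift's own code): a collateral-admission gate a lending or
// perp protocol could run before an oracle price counts toward borrowing power.
// Field names and thresholds are assumptions for illustration.
#[derive(Debug, PartialEq)]
pub enum Rejection {
    InsufficientLiquidity { have_usd: u64, need_usd: u64 },
    PriceHistoryTooShort { days: u32, need_days: u32 },
    WashTradingSuspected { top_wallet_share_bps: u32 },
}

/// Observations about the pool an oracle reads for one asset.
pub struct PoolStats {
    pub liquidity_usd: u64,        // value locked in the pool backing the price
    pub price_history_days: u32,   // how long any price series has existed
    pub top_wallet_share_bps: u32, // share of recent volume from the 3 busiest wallets
}

pub struct Policy {
    pub min_liquidity_usd: u64,
    pub min_history_days: u32,
    pub max_top_wallet_share_bps: u32,
    pub collateral_cap_bps: u32,   // counted collateral <= liquidity * this / 10_000
}

/// Returns the USD value actually counted for a deposit the depositor wants
/// valued at `requested_usd`, or the reason the asset is not admitted at all.
pub fn admit_collateral(s: &PoolStats, requested_usd: u64, p: &Policy) -> Result<u64, Rejection> {
    if s.liquidity_usd < p.min_liquidity_usd {
        return Err(Rejection::InsufficientLiquidity { have_usd: s.liquidity_usd, need_usd: p.min_liquidity_usd });
    }
    if s.price_history_days < p.min_history_days {
        return Err(Rejection::PriceHistoryTooShort { days: s.price_history_days, need_days: p.min_history_days });
    }
    if s.top_wallet_share_bps > p.max_top_wallet_share_bps {
        return Err(Rejection::WashTradingSuspected { top_wallet_share_bps: s.top_wallet_share_bps });
    }
    // Even an admitted asset is capped by the depth that would have to absorb its
    // liquidation, so a $1 mark on 750M tokens cannot become $750M of borrowing power.
    let cap = s.liquidity_usd * p.collateral_cap_bps as u64 / 10_000;
    Ok(requested_usd.min(cap))
}

pub fn default_policy() -> Policy {
    Policy { min_liquidity_usd: 5_000_000, min_history_days: 90, max_top_wallet_share_bps: 5_000, collateral_cap_bps: 2_000 }
}

/// Constructed stand-in for the CVT pool: about $500 of liquidity, a few weeks
/// of history, and volume almost entirely from a handful of wallets.
pub fn cvt_like_pool() -> PoolStats {
    PoolStats { liquidity_usd: 500, price_history_days: 20, top_wallet_share_bps: 9_500 }
}
```

With the constructed CVT-like pool, `admit_collateral(&cvt_like_pool(), 750_000_000, &default_policy())` is rejected on liquidity before the $1 mark is ever considered, while a deep, long-traded pool is still capped at a fraction of its depth.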

The $285 million loss continues North Korea's streak of funding state operations through cryptocurrency theft. For more on protecting personal crypto assets, see our online safety guide.
