TL;DR

  • Drift Protocol was attacked on April 1, 2026, and an estimated $285 million in digital assets was stolen.
  • The attackers spent six months building trust through a fake trading company – deceiving two out of five multisig signers into pre-signing malicious transactions.
  • With a «medium to high» degree of certainty, Drift and the SEAL 911 team link the operation to North Korean actors behind the previous Radiant Capital hack.
  • The attack is considered the largest DeFi incident of 2026 and highlights human error as the weakest link in DeFi security.

A Fake Trading Company for Six Months

The attack on Drift Protocol on April 1, 2026, was not an impulsive smash-and-grab. According to The Block, the operation had been ongoing for at least six months before the actual withdrawal took place. The attackers established a seemingly legitimate trading company, conducted face-to-face meetings with Drift contributors, and actually deposited over one million dollars into one of the platform's Ecosystem Vaults to appear credible.

Over the months, they participated in product discussions, built relationships – and waited for the opportune moment.

«Humans remain the bottleneck. Most attacks boil down to a single click on a link that shouldn't have been clicked.»

That's according to Mert Mumtaz, CEO and co-founder of Helius – and his analysis hits the core of the Drift incident. No vulnerability in the smart contracts was exploited. Instead, two out of five administrators in Drift's Security Council were manipulated into pre-signing malicious transactions via Solana's built-in «durable nonce» feature, which allows pre-signed transactions to remain valid indefinitely.
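A signer-side check for the durable-nonce pattern described above, as an added example that is not code from Drift or from any source quoted here. It relies on Solana's rule that a durable-nonce transaction begins with a System Program AdvanceNonceAccount instruction; the sample messages, keys and the `_build` helper are constructed for illustration.

```python
import struct

SYSTEM_PROGRAM = bytes(32)  # System Program id is 32 zero bytes
ADVANCE_NONCE = 4           # SystemInstruction::AdvanceNonceAccount discriminant (u32 LE)

def _compact_u16(buf, off):
    """Decode a Solana compact-u16 length; return (value, next_offset)."""
    val = shift = 0
    while True:
        b = buf[off]
        off += 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, off
        shift += 7

def durable_nonce_account(msg: bytes):
    """Return the nonce account key if msg is a durable-nonce transaction, else None."""
    off = (1 if msg[0] & 0x80 else 0) + 3      # optional version prefix + 3-byte header
    nkeys, off = _compact_u16(msg, off)
    keys = [msg[off + 32 * i: off + 32 * (i + 1)] for i in range(nkeys)]
    off += 32 * nkeys + 32                     # skip keys and the recent_blockhash field
    n_ix, off = _compact_u16(msg, off)
    if n_ix == 0:
        return None
    prog = msg[off]                            # only the FIRST instruction matters
    n_acc, off = _compact_u16(msg, off + 1)
    accs = msg[off:off + n_acc]
    d_len, off = _compact_u16(msg, off + n_acc)
    data = msg[off:off + d_len]
    is_advance = len(data) >= 4 and struct.unpack_from("<I", data)[0] == ADVANCE_NONCE
    if prog < nkeys and keys[prog] == SYSTEM_PROGRAM and is_advance and n_acc >= 1 and accs[0] < nkeys:
        return keys[accs[0]]
    return None

def _build(keys, instructions):
    """Constructed sample message (legacy format, all lengths < 128)."""
    out = bytes([1, 0, 2, len(keys)]) + b"".join(keys) + b"\x07" * 32 + bytes([len(instructions)])
    for prog, accs, data in instructions:
        out += bytes([prog, len(accs), *accs, len(data)]) + data
    return out

KEYS = [b"\x01" * 32, b"\x02" * 32, b"\x03" * 32, SYSTEM_PROGRAM]  # constructed sample keys
TRANSFER = (3, [0, 1], struct.pack("<IQ", 2, 1000))        # SystemInstruction::Transfer
NONCE_TX = _build(KEYS, [(3, [1, 2, 0], struct.pack("<I", ADVANCE_NONCE)), TRANSFER])
PLAIN_TX = _build(KEYS, [TRANSFER])

if __name__ == "__main__":
    print("NONCE_TX:", durable_nonce_account(NONCE_TX), "| PLAIN_TX:", durable_nonce_account(PLAIN_TX))
```

A non-None result means the signature does not expire with a recent blockhash, so a signer or review tool should treat the request as a long-lived authorization rather than a routine approval.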

Drift Hack: 6 Months of Infiltration Yielded 2.4 Billion NOK

Multisig Without Timelock – A Catastrophic Combination

At the time of the attack, Drift operated with a 2-of-5 multisig configuration without any form of timelock. This means that only two out of five approvers were needed to execute administrative actions with immediate effect – a configuration TRM Labs describes as eliminating «the protocol's last line of defense».

On-chain activity shows that the attackers began positioning themselves as early as March 11, 2026 – almost three weeks before the actual operation. Blockchain analytics firm Elliptic has identified several indicators pointing to state-sponsored actors from North Korea. Drift and the SEAL 911 team assess with «medium to high» certainty that these are the same actors behind the Radiant Capital hack.

North Korea: A Growing Threat to DeFi

The Drift incident falls into an increasingly clear pattern. North Korean hacker groups have, according to available intelligence, stolen over $6.7 billion in cryptocurrency over the past decade. In 2025 alone, a record was set with $2.02 billion – including the now infamous Bybit hack where approximately $1.5 billion in Ethereum vanished overnight.

  • $285M: stolen from Drift (April 2026)
  • $6.7B: North Korea's estimated total crypto thefts

A key tactic is to establish long-term trust rather than directly attacking technical systems. The FBI has previously warned about operations designated as «TraderTraitor», where North Korean actors pose as legitimate traders or recruiters to compromise key personnel with system access.

Industry Reacts: "Pause Growth and Conduct Audits"

Following the incident, Drift Protocol immediately froze all remaining functionality, halted deposits and withdrawals, and updated the multisig configuration to remove the compromised wallets. The team is collaborating with several security companies and law enforcement authorities.

No smart contract audit can protect against an attack where humans are the vulnerability point.

Armani Ferrante, a prominent Solana developer, urged all crypto teams to «pause growth efforts and audit their entire security stack» in the wake of the incident. Charles Guillemet, CTO at Ledger, pointed to the need for better endpoint detection and hardware-based signatures as concrete measures the industry must prioritize.

The Drift hack is a reminder that even technically sound protocols can be severely impacted when human and organizational weaknesses are systematically exploited over time.