TL;DR
- Drift Protocol confirms that the attack on April 1, 2026, was a coordinated North Korean intelligence operation that lasted approximately six months.
- The attackers posed as representatives of a quantitative trading firm and met Drift contributors in person in several countries.
- They deposited one million dollars of their own funds into the protocol to appear legitimate, then waited for months before striking.
- A total of an estimated $270–286 million in various cryptocurrencies was stolen in what is considered the largest DeFi hack of the year.
An Operation in the Shadow of Crypto Conferences
Drift Protocol, a decentralized exchange built on the Solana blockchain, revealed on Friday that the attack that hit the protocol on April 1 was not a traditional smart contract attack – it was the result of a six-month intelligence operation, according to CoinDesk.
The attackers began preparations as early as October 2025. They posed as representatives of a quantitative trading firm and contacted Drift contributors at major crypto conferences in several countries. The meetings took place face-to-face, lending credibility to the actors and giving them access to key personnel in the project.
To strengthen the illusion of legitimacy, the group went so far as to deposit one million dollars of their own funds into the protocol. Then they waited.

Not a Code Error, but Human Failure
The attack did not exploit a vulnerability in Drift's smart contracts. According to Drift's own analyses and data from blockchain security companies such as TRM Labs and Elliptic, the attackers combined advanced social engineering with a technical method based on Solana's so-called "durable nonces". An ordinary Solana transaction references a recent blockhash and becomes invalid within a couple of minutes if it is not submitted; a durable-nonce transaction instead references a value stored in an on-chain nonce account and remains valid until that nonce is advanced. This allowed the attackers to obtain pre-signed transactions, hold them, and execute them later, bypassing the expiry window and the protocol's other security measures that would otherwise have stopped them.
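As an added illustration (this is not code from Drift, TRM Labs or Elliptic), the Python classifier below flags durable-nonce transactions in the "json" encoding returned by Solana's getTransaction RPC method. The Solana runtime only treats a transaction as durable-nonce when its first instruction is a System Program AdvanceNonceAccount instruction; that instruction's third account is the nonce authority, which must have signed. The account keys in the embedded sample transactions are constructed placeholders, not real addresses; the System Program ID, sysvar ID, instruction index and account layout are Solana's real ones.

```python
"""Flag Solana transactions that rely on a durable nonce.

A durable-nonce transaction must begin with a System Program
AdvanceNonceAccount instruction. Its `recentBlockhash` field then carries the
stored nonce value rather than a real recent blockhash, so the transaction
does not expire on its own and can be pre-signed and submitted much later.
"""

SYSTEM_PROGRAM = "11111111111111111111111111111111"
RECENT_BLOCKHASHES_SYSVAR = "SysvarRecentB1ockHashes11111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4  # SystemInstruction enum variant, serialized as little-endian u32

_B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text):
    """Minimal base58 decoder (Bitcoin/Solana alphabet) so the script has no dependencies."""
    value = 0
    for ch in text:
        value = value * 58 + _B58_ALPHABET.index(ch)
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    leading_zeros = len(text) - len(text.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    return b"\x00" * leading_zeros + body


def is_advance_nonce(instruction, account_keys):
    """True if this instruction is System Program AdvanceNonceAccount."""
    if account_keys[instruction["programIdIndex"]] != SYSTEM_PROGRAM:
        return False
    data = b58decode(instruction["data"])
    return len(data) == 4 and int.from_bytes(data, "little") == ADVANCE_NONCE_ACCOUNT


def classify(tx):
    """Return a small report describing whether and how the transaction uses a durable nonce."""
    message = tx["transaction"]["message"]
    keys = message["accountKeys"]
    instructions = message["instructions"]
    num_signers = message["header"]["numRequiredSignatures"]  # signers are the first N keys
    report = {
        "durable_nonce": False,
        "nonce_account": None,
        "nonce_authority": None,
        "authority_is_signer": False,
        "programs_invoked": [],
    }
    # The runtime only recognises a durable nonce when AdvanceNonceAccount is at index 0;
    # an advance placed later is just an ordinary instruction and the blockhash must be recent.
    rest = instructions
    if instructions and is_advance_nonce(instructions[0], keys):
        accounts = instructions[0]["accounts"]  # [nonce account, RecentBlockhashes sysvar, nonce authority]
        report["durable_nonce"] = True
        report["nonce_account"] = keys[accounts[0]]
        report["nonce_authority"] = keys[accounts[2]]
        report["authority_is_signer"] = accounts[2] < num_signers
        rest = instructions[1:]
    report["programs_invoked"] = [keys[ix["programIdIndex"]] for ix in rest]
    return report


# Constructed sample transactions; the non-system account keys are placeholders.
SIGNER = "Signer1111111111111111111111111111111111111"
NONCE_ACCOUNT = "NonceAccount111111111111111111111111111111"
TARGET_PROGRAM = "TargetProgram11111111111111111111111111111"
KEYS = [SIGNER, NONCE_ACCOUNT, SYSTEM_PROGRAM, RECENT_BLOCKHASHES_SYSVAR, TARGET_PROGRAM]
HEADER = {"numRequiredSignatures": 1, "numReadonlySignedAccounts": 0, "numReadonlyUnsignedAccounts": 3}

ADVANCE_IX = {"programIdIndex": 2, "accounts": [1, 3, 0], "data": "6vx8P"}  # 6vx8P = base58(04 00 00 00)
TARGET_IX = {"programIdIndex": 4, "accounts": [0], "data": "3Bxs4NN8M2Yn"}  # arbitrary payload


def _tx(instructions):
    return {"transaction": {"message": {"header": HEADER, "accountKeys": KEYS,
                                        "recentBlockhash": "Nonce1111111111111111111111111111111111111",
                                        "instructions": instructions}}}


SAMPLE_DURABLE_NONCE_TX = _tx([ADVANCE_IX, TARGET_IX])   # pre-signable, never expires
SAMPLE_ORDINARY_TX = _tx([TARGET_IX])                     # expires with its recent blockhash
SAMPLE_MISORDERED_TX = _tx([TARGET_IX, ADVANCE_IX])      # nonce advance not first: not durable


if __name__ == "__main__":
    for name, sample in [("durable", SAMPLE_DURABLE_NONCE_TX), ("ordinary", SAMPLE_ORDINARY_TX),
                         ("misordered", SAMPLE_MISORDERED_TX)]:
        print(name, classify(sample))
```

In a monitoring pipeline the useful alert is the combination `durable_nonce` plus a signer who is a multisig or council member: a pre-signed, non-expiring transaction authorised by a privileged key is exactly the artefact the text describes, and it can be reviewed before the attacker chooses to submit it.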
By compromising devices belonging to Drift contributors – likely through malicious links or tools – they managed to gain administrative control over the protocol's security council and manipulate the multisig structure. Additionally, a fabricated token called CarbonVote Token (CVT) is said to have been used for oracle manipulation.
Solana Foundation President, Lily Liu, subsequently emphasized that the smart contracts themselves held up – the vulnerability lay in the administrative layers surrounding the protocol, not in the code.

Linked to Previous North Korean Attacks
Drift itself states that it links the operation with “medium to high confidence” to the same actors behind the Radiant Capital hack in October 2024 – an incident previously attributed to the North Korean threat group UNC4736, also known as AppleJeus or Citrine Sleet. Blockchain analysts at Elliptic describe “several indicators” pointing to the Democratic People's Republic of Korea (DPRK).
North Korea-affiliated hackers were estimated in 2025 to be behind the theft of over two billion dollars from the crypto sector globally – almost 60 percent of all stolen funds that year, according to available industry data.
Investigation and Response Measures
Following the attack, Drift immediately shut down all deposits and withdrawals and froze the protocol's other functions. The company is now collaborating with security firms such as Mandiant and SEAL 911, as well as law enforcement agencies and crypto exchanges, to track and freeze the stolen funds. Compromised wallets have been removed from the multisig structure.
A preliminary incident report has been published, and Drift has promised a more comprehensive investigation. Crypto lawyer Ariel Givner has, according to CoinDesk, suggested that the incident could be considered civil negligence, given the alleged weaknesses in basic security practices.
The case illustrates a disturbing shift in the attack pattern against the DeFi sector: from exploiting code vulnerabilities to systematically attacking the people and administrative structures behind the protocols.