TL;DR

  • North Korean hackers are behind 76% of all crypto losses from fraud and attacks so far in 2026, according to TRM Labs
  • Since 2017, North Korean actors have stolen a total of six billion dollars in cryptocurrency
  • Drift Protocol was drained of 285 million dollars on April 1, 2026 – not via a smart contract vulnerability, but through months-long social engineering
  • The attack reveals that technical audits alone are not enough: human and operational security routines are a critical vulnerability

North Korea Dominates Crypto Crime in 2026

North Korean state-sponsored hacker groups are the undisputed largest threat to the crypto industry in 2026. According to the security company TRM Labs, these actors account for a full 76 percent of all registered losses related to crypto attacks and fraud so far this year. In total, North Korean actors have stolen digital assets worth six billion dollars since 2017, CoinDesk reports.

The figures are striking, and they emerged in connection with an in-depth review of the attack on the decentralized exchange Drift Protocol – an attack that in April 2026 cost users over 285 million dollars.

  • 76%: North Korea's Share of Crypto Losses in 2026
  • $6 billion: Stolen Since 2017
  • $285 million: Drift Attack April 2026
North Korean Hackers Behind 76% of This Year's Crypto Losses

The Drift Attack: A “Long Game” Over Several Months

Drift Protocol is a decentralized perpetuals exchange built on the Solana blockchain. Prior to the attack, the protocol had passed several independent security audits. Trail of Bits conducted a thorough review in late 2022 without uncovering serious smart contract vulnerabilities, and in February 2026, the protocol received an approved status from ClawSecure with a score of 85 out of 100.

Nevertheless, Drift was drained of an estimated 285 million dollars on April 1, 2026.

The reason was not a classic technical vulnerability in the code – it was human. According to TRM Labs' investigation, the attackers spent months building trust with individuals on the Drift team, likely through direct contact. They then exploited Solana's so-called “durable nonce” mechanism to manipulate multisig approvals, ultimately gaining administrative control over the protocol.

The attackers did not exploit a code vulnerability – they exploited people. Months of trust-building was the attack weapon itself.

Social Engineering as an Attack Vector

The attack on Drift represents a worrying development: the threat has moved from purely technical exploits to sophisticated social engineering attacks. Previously, these types of attacks required hackers to find holes in smart contract code. Now, the people behind the protocols are the entry point.

In the Drift case, the attackers are said to have built relationships with key personnel, physically or digitally, over a longer period, in what TRM Labs describes as a coordinated operational security attack. Neither the Trail of Bits audit from 2022 nor the ClawSecure approval from February 2026 was designed to catch such attack vectors – both primarily focus on code vulnerabilities.

Technical approval is no guarantee: Drift was attacked where audit tools don't reach – in the people.

What's Next for Drift?

After the attack, Drift Protocol announced that it plans a relaunch after new audits conducted by security firms OtterSec and Asymmetric. It is currently unclear whether these audits will also address operational security and key management, or whether they will primarily focus on smart contract code.

The Industry Must Think Broader About Security

The Drift attack is a wake-up call for the entire industry. When North Korean actors, according to TRM Labs, are moving faster and are more sophisticated than ever, it is not enough to conduct code audits and call it security. Key management, governance architecture, and routines for identifying social engineering must be incorporated into security work.

For an industry that is increasingly offering financial services to a broad public, the consequences of ignoring this are serious – not only for individual protocols, but for trust in decentralized finance as a whole.