#DriftProtocolHacked: A Complete Breakdown of the $285M North Korea-Linked DeFi Heist

The Short Version: On April 1, 2026 (yes, a real attack, not a joke), Solana's largest perpetual exchange, Drift Protocol, lost **~$285 million** in what is now being called the most sophisticated social engineering attack in DeFi history. The attackers spent **six months** building trust, meeting the team in person, depositing over $1 million of their own money, and finally compromised signer machines to drain the protocol in just 12 minutes.

---

1. The Timeline: How It Unfolded

The Attack Execution (April 1, 2026)

· Total stolen: ~$285 million across multiple pools: JLP (~$155.6M), USDC, SOL, cbBTC, wBTC, WETH, and meme coins
· Method: Attackers activated pre-signed "durable nonce" transactions, listed fake CVT tokens as valid collateral, raised withdrawal limits to maximum, and drained everything
· Speed: 31 withdrawal transactions cleared in ~12 minutes
· Immediate conversion: Stolen assets swapped to ~129,000 ETH (~$278M) via Jupiter, bridged to Ethereum

Immediate Response

· Deposits/withdrawals frozen immediately
· Drift confirmed: "This is not an April Fool's joke"
· All protocol functions paused; compromised wallets removed from multisig

---

2. The Six-Month Infiltration: A Structured Intelligence Operation

This was not a code bug or a random hack. It was a full-scale espionage operation.

Phase 1: First Contact (Fall 2025)

Individuals posing as a quantitative trading firm approached Drift contributors at a major crypto conference. They were technically sophisticated, credible, and set up a Telegram group immediately.

Phase 2: Trust Building (Dec 2025 - Jan 2026)

· Onboarded a legitimate-looking Ecosystem Vault on Drift
· Deposited over $1 million of their own capital to establish credibility
· Multiple working sessions about trading strategies and integrations
· Met Drift contributors face-to-face at conferences across multiple countries

Phase 3: Technical Compromise (Feb - Mar 2026)

Two likely attack vectors identified:

| Vector | Method |
| --- | --- |
| Malicious Repository | Attacker shared a code repo under the guise of deploying a vault frontend. A known VSCode/Cursor vulnerability (flagged Dec 2025 - Feb 2026) allowed silent arbitrary code execution just by opening the folder—no clicks, no warnings |
| TestFlight App | Contributor persuaded to install a beta "wallet app" via Apple TestFlight (which bypasses App Store security review) |

Once machines were compromised, attackers obtained multisig approvals through transaction misrepresentation.

Phase 4: The Trap is Set (March 27, 2026)

Drift migrated its Security Council to a 2-of-5 multisig with 0-second timelock—meaning administrative actions could execute instantly with no delay. The pre-signed transactions were already sitting, waiting.

Phase 5: Execution (April 1, 2026)

· Attackers activated the dormant transactions
· Telegram chats and malicious software were completely scrubbed the moment the attack went live
· Funds drained in 12 minutes

---

3. Attribution: North Korea's UNC4736 (Lazarus Sub-Group)

With medium-high confidence, Drift and the SEAL 911 team attribute this to UNC4736 (aka AppleJeus, Citrine Sleet, Gleaming Pisces)—the same group behind the October 2024 Radiant Capital $50M hack.

Evidence Linking DPRK:

· On-chain overlap: Fund flows used to stage the Drift operation trace back to Radiant Capital attackers
· Operational patterns: Same patient, human-targeting approach used in the 2022 Ronin bridge hack ($625M)
· Tornado Cash origin: Attack began with ETH withdrawal from Tornado Cash on March 11
· Pyongyang timestamp: CVT deployment timestamp aligned with ~09:00 Pyongyang time
· Laundering speed: Immediate cross-chain conversion to ETH, no freezing by CEXs

Critical Note: The Face-to-Face People Were NOT North Korean Nationals

"The individuals who appeared at conferences in person were not North Korean nationals. DPRK threat actors operating at this level are known to deploy third-party intermediaries to handle relationship-building."

These intermediaries had fully constructed identities—employment histories, public credentials, professional networks—designed to withstand counterparty due diligence.

---

4. The Technical Breakdown: How the Exploit Worked

The "Durable Nonce" Attack

Solana has a legitimate feature called durable nonces that allows transactions to be pre-signed and executed later. The attackers:

1. Got multisig signers to approve what appeared to be routine transactions
2. Those approvals became live authorization keys held in reserve
3. When the timelock was removed on March 27, the pre-signed transactions activated instantly
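
As an added example (not Drift's or Solana's code), the following Python screen applies the defensive checks this section implies to a constructed set of pending multisig proposals. It flags a proposal that starts with a System Program AdvanceNonceAccount instruction (the marker of a Solana durable-nonce transaction, whose signatures do not expire with a recent blockhash), a council configured with a 0-second timelock or a sub-majority threshold, and instructions that add collateral or raise a withdrawal limit to its maximum. The program labels, instruction names, proposals and council configuration are all assumed or constructed; the only Solana fact relied on is that a durable-nonce transaction must begin with AdvanceNonceAccount.

```python
"""Governance-risk screen for pending multisig proposals.

Added example, not Drift's or Solana's code. Proposals use a constructed,
simplified representation; program labels and instruction names are
hypothetical. The one Solana fact relied on: a durable-nonce transaction
begins with a System Program AdvanceNonceAccount instruction, and its
signatures stay valid until the nonce is advanced rather than expiring
with a recent blockhash.
"""
from dataclasses import dataclass, field

MAX_U64 = 2**64 - 1  # "raise withdrawal limit to maximum" in the constructed data


@dataclass
class Instruction:
    program: str                      # hypothetical program label
    kind: str                         # hypothetical instruction name
    args: dict = field(default_factory=dict)


@dataclass
class Proposal:
    proposal_id: str
    instructions: list
    approvals: int                    # signatures collected so far


@dataclass
class CouncilConfig:
    threshold: int                    # signatures needed to execute
    members: int                      # total signers
    timelock_seconds: int             # delay between approval and execution


def uses_durable_nonce(proposal):
    """True if the proposal is built as a durable-nonce transaction."""
    if not proposal.instructions:
        return False
    first = proposal.instructions[0]
    return first.program == "System" and first.kind == "AdvanceNonceAccount"


def assess_council(config):
    """Configuration-level weaknesses, independent of any one proposal."""
    findings = []
    if config.timelock_seconds == 0:
        findings.append("timelock: 0 seconds, approved proposals execute with no review window")
    if config.threshold * 2 <= config.members:
        findings.append(f"threshold: {config.threshold}-of-{config.members} is below a majority")
    return findings


def assess_proposal(proposal, config):
    """Proposal-level findings; ends with an 'executable now' marker when the
    collected approvals already meet the threshold and nothing delays execution."""
    findings = []
    if uses_durable_nonce(proposal):
        findings.append("durable-nonce: approvals do not expire, the transaction can be held and sent later")
    for ins in proposal.instructions:
        if ins.kind == "AddCollateral":
            findings.append(f"new collateral listed: {ins.args.get('mint')}")
        if ins.kind == "SetWithdrawalLimit" and ins.args.get("limit") == MAX_U64:
            findings.append("withdrawal limit raised to u64::MAX")
    if findings and proposal.approvals >= config.threshold and config.timelock_seconds == 0:
        findings.append("EXECUTABLE NOW: approvals meet threshold and no timelock applies")
    return findings


def review(proposals, config):
    """Map proposal id -> findings, with council-level findings under 'council'."""
    report = {"council": assess_council(config)}
    for p in proposals:
        report[p.proposal_id] = assess_proposal(p, config)
    return report


# Constructed sample data: the 2-of-5, 0-second-timelock council the article
# describes, one routine proposal and one that mirrors the attack pattern.
COUNCIL = CouncilConfig(threshold=2, members=5, timelock_seconds=0)
PROPOSALS = [
    Proposal("P-1", [Instruction("Perps", "UpdateFundingRate", {"bps": 5})], approvals=1),
    Proposal("P-2", [
        Instruction("System", "AdvanceNonceAccount"),
        Instruction("Perps", "AddCollateral", {"mint": "<NEW_TOKEN_MINT_PLACEHOLDER>"}),
        Instruction("Perps", "SetWithdrawalLimit", {"limit": MAX_U64}),
    ], approvals=2),
]

if __name__ == "__main__":
    for key, findings in review(PROPOSALS, COUNCIL).items():
        print(key, findings or ["no findings"])
```

The point of separating `assess_council` from `assess_proposal` is that the same P-2 proposal is merely suspicious under a 3-of-5 council with a one-day timelock, but becomes immediately executable under the 2-of-5, 0-second configuration; the marker only appears when both conditions line up.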

The Fake Collateral Scheme

1. March 11: Attacker withdrew ETH from Tornado Cash
2. March 12: Deployed "CVT" (carbonvote) token
3. 3 weeks: Seeded minimal liquidity on Raydium, used wash trading to maintain ~$1.00 price
4. April 1: Drift's oracles read CVT as legitimate collateral → attacker deposited worthless CVT → protocol issued real assets against it
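
The listing-side counterpart, as an added example that is not Drift's code: a collateral-onboarding screen run over constructed market data for a CVT-like candidate and an established token. It checks the signals the scheme above exploited: token age, pool liquidity behind the oracle price, turnover far above liquidity coming from a handful of traders (a wash-trading pattern), and a price pinned at $1.00 with no real volatility. The thresholds in POLICY, the mint strings and the market figures are illustrative assumptions, not published parameters.

```python
"""Collateral-onboarding screen: risk signals a protocol can check before
its oracle or risk engine treats a token as collateral.

Added example, not Drift's code. Market data is constructed; POLICY
thresholds are illustrative assumptions.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Candidate:
    symbol: str
    mint: str                 # placeholder mint address
    age_days: int             # days since token deployment
    liquidity_usd: float      # on-chain pool liquidity backing the oracle price
    volume_24h_usd: float
    unique_traders_7d: int
    prices_3w: list           # daily observed prices over roughly three weeks


POLICY = {
    "min_age_days": 90,
    "min_liquidity_usd": 5_000_000,
    "max_volume_to_liquidity": 3.0,   # turnover far above liquidity suggests wash trading
    "min_unique_traders": 200,
    "min_price_stdev": 0.002,         # a non-stablecoin that never moves is suspicious
}


def volume_to_liquidity(c):
    """Daily turnover relative to the liquidity that would absorb it."""
    return c.volume_24h_usd / c.liquidity_usd if c.liquidity_usd else float("inf")


def screen_collateral(c, policy=POLICY):
    """Return the list of risk findings for a candidate (empty means clean)."""
    findings = []
    if c.age_days < policy["min_age_days"]:
        findings.append(f"age: deployed {c.age_days} days ago")
    if c.liquidity_usd < policy["min_liquidity_usd"]:
        findings.append(f"liquidity: ${c.liquidity_usd:,.0f} is thin; the oracle price is cheap to move")
    ratio = volume_to_liquidity(c)
    if ratio > policy["max_volume_to_liquidity"] and c.unique_traders_7d < policy["min_unique_traders"]:
        findings.append(f"wash-trade pattern: turnover {ratio:.1f}x liquidity from {c.unique_traders_7d} traders")
    if pstdev(c.prices_3w) < policy["min_price_stdev"] and abs(mean(c.prices_3w) - 1.0) < 0.01:
        findings.append("price: pinned near $1.00 with no real volatility")
    return findings


def collateral_decision(c, policy=POLICY):
    """Any finding blocks listing; a human review is the only way past it."""
    findings = screen_collateral(c, policy)
    return ("REJECT" if findings else "ELIGIBLE", findings)


# Constructed sample data
CVT_LIKE = Candidate("CVT", "<CVT_MINT_PLACEHOLDER>", age_days=20, liquidity_usd=40_000,
                     volume_24h_usd=350_000, unique_traders_7d=6,
                     prices_3w=[1.00, 1.00, 0.999, 1.001, 1.00, 1.00, 0.999] * 3)
ESTABLISHED = Candidate("BLUECHIP", "<ESTABLISHED_MINT_PLACEHOLDER>", age_days=900,
                        liquidity_usd=120_000_000, volume_24h_usd=90_000_000,
                        unique_traders_7d=25_000,
                        prices_3w=[148.2, 151.9, 147.0, 153.3, 150.1, 144.8, 149.6] * 3)

if __name__ == "__main__":
    for cand in (CVT_LIKE, ESTABLISHED):
        verdict, findings = collateral_decision(cand)
        print(cand.symbol, verdict, findings)
```

The checks are deliberately cheap and on-chain observable; a thin pool with a flat $1.00 print and a handful of traders should never reach the risk engine as a real price, and any one of these signals is enough to hold the listing for review rather than letting an oracle read it as legitimate.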

---

5. The Fallout: Who Got Hurt

Direct Losses: ~$285 Million

| Asset | Amount | Value (USD) |
| --- | --- | --- |
| JLP tokens | ~41.7M | ~$155.6M |
| USDC | Various | ~$80-100M |
| SOL | Various | Significant |
| cbBTC/wBTC/WETH | Various | Remainder |

Protocols Affected (Contagion)

· Prime Numbers Fi: Millions lost
· Carrot Protocol: Paused mint/redeem functions after 50% of TVL affected
· Pyra Protocol: Withdrawals disabled entirely
· Piggybank: Lost $106,000 (reimbursed from treasury)

Jupiter's Response

"Jupiter Lend is not involved in Drift markets. JLP assets are fully backed by underlying assets. This is a difficult day for Solana DeFi."

Tokens Unaffected

· Unitas Protocol
· Meteora
· Perena (though their Neutral Trade-managed JLP vault was impacted)

6. The Stablecoin Controversy: Circle vs. Tether

A major secondary story emerged: Why didn't Circle freeze the stolen USDC?

The Numbers

· $230 million in USDC was bridged from Solana to Ethereum via Circle's Cross-Chain Transfer Protocol (CCTP)
· This happened over six hours with no intervention

The Contrast

| Protocol | Response |
| --- | --- |
| USDT0 (Tether) | Halted cross-chain communication on Solana within 90 minutes |
| Circle CCTP | No intervention documented; protocol ran permissionlessly |

The Criticism

On-chain analyst ZachXBT publicly criticized Circle's failure to act. Industry observers noted this exposes a fundamental design trade-off: centralized control for emergency response (USDT0) vs. permissionless decentralization (CCTP).

For context, Curve Finance founder Michael Egorov noted: "If North Korean hackers are involved, the probability of recovery is zero. They never cooperate and are not afraid of law enforcement."

---

7. Drift's Response & Recovery Efforts

Immediate Actions (April 1-3)

· All protocol functions frozen
· Compromised wallets removed from multisig
· Attacker addresses flagged with exchanges and bridge operators
· On-chain messages sent to hacker wallets: "We are ready to speak"

The Negotiation Attempt (April 3)

Drift sent on-chain messages to four Ethereum wallets holding stolen funds, stating:

"Critical information of parties related to the exploit have been identified. To the community, Drift will share further updates as soon as third-party attributions are completed."

The only response? A random wallet holding $200 in ETH replied: *"Send me $10 million to mess with the Drift team."*

Forensic Investigation

· Mandiant engaged to lead forensic investigation
· SEAL 911 team (Taylor Monahan, tanuki42_, pcaversaccio, Nick Bax) credited for identifying actors
· Formal attribution pending completed device forensics

What tanuki42_ Said

"This is the most elaborate and targeted attack I think I've seen perpetrated by DPRK in the crypto space. Recruiting multiple facilitators and getting them to target specific people in real life at major crypto events is a wild tactic."

---

8. Why This Changes Everything for DeFi

The Hard Truth

"If attackers are willing to spend six months, invest $1 million in the ecosystem, meet teams in person, deposit real capital, and wait patiently—what security model is designed to detect that?"

Lessons Learned

1. Timelocks are not optional. Removing a timelock (as Drift did on March 27) turns a complex attack into a 12-minute cashout
2. Social engineering > code exploits. The most sophisticated code audit won't stop a human from opening a malicious VSCode folder or installing a TestFlight app
3. Permissioned vs. permissionless security matters. The USDT0 vs. CCTP contrast shows real trade-offs in stablecoin design
4. North Korea is here to stay. Elliptic tracked over $300M stolen in Q1 2026 alone, with DPRK-linked actors responsible for $6.5B+ in recent years

What's Next for Drift

· Unless funds are recovered or a major backstop emerges, the path likely leads to liquidation, bankruptcy, or litigation
· No comprehensive reimbursement plan announced as of April 3-5
· Recovery probability if DPRK is involved: 0% (per Michael Egorov)

---

9. Key Wallets & On-Chain Data

Attacker ETH Wallets (Post-bridge):

· 0xAa843eD65C1f061F111B5289169731351c5e57C1
· 0xd3feed5da83d8e8c449d6cb96ff1eb06ed1cf6c7
· 0x0fe3b6908318b1f630daa5b31b49a15fc5f6b674

Total held: ~105,969 ETH (~$226M)

Drift's On-Chain Message Sender:

· 0x0934faC45f2883dd5906d09aCfFdb5D18aAdC105

---

Final Takeaway

This wasn't a hack. It was a six-month hostile intelligence operation conducted by a nation-state against a DeFi protocol. The attackers:

· Used third-party intermediaries with fake but perfect identities
· Met targets in person at conferences across multiple countries
· Deposited $1M+ of real capital as cover
· Exploited trusted developer tools (VSCode) and Apple's TestFlight
· Executed a perfectly timed, 12-minute drain

If DeFi wants to survive, the industry needs to accept that social engineering and nation-state actors are the threat model now—not just smart contract bugs.

"The investigation has shown that the profiles used had fully constructed identities including employment histories, public-facing credentials, and professional networks that could withstand scrutiny during a business relationship." — Drift Protocol