On April 1, 2026, the decentralized finance (DeFi) world was rocked as attackers drained approximately USD 285 million in user assets from Drift Protocol. The incident, occurring on the largest decentralized perpetual futures exchange on Solana, was executed with precision in roughly 12 minutes.
Initial investigations by TRM Labs suggest the hack was likely perpetrated by North Korean hackers. This marks the largest DeFi hack of 2026 and the second-largest exploit in Solana’s history, trailing only the 2022 Wormhole bridge hack.
The attack was not a spontaneous event but the result of weeks of meticulous on-chain staging that began on March 11. The threat actors utilized a parallel strategy involving attacker infrastructure, token manufacturing, and sophisticated social engineering.
The attackers spent weeks creating an entirely fictitious asset called CarbonVote Token (CVT). By seeding just a few thousand dollars in liquidity and utilizing wash trading, they built a price history near USD 1. Shockingly, “Drift’s oracles treated it as legitimate collateral worth hundreds of millions of dollars”.
The critical vulnerability was not found in the code, but in the people. Attackers targeted the Drift Security Council, using social engineering to induce signers into “pre-signing transactions that appeared routine but carried hidden authorizations for critical admin actions”. These were facilitated by Solana’s durable nonce feature, which allows pre-signed transactions to be executed much later.
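A signer-side check for the durable nonce pattern described above, as an added example that is not code from Drift or TRM: Solana marks a durable-nonce transaction by making its first instruction the System Program's `AdvanceNonceAccount`, so a signing tool can detect one before a signature is produced. The function names and sample messages are constructed for illustration.

```python
import struct

SYSTEM_PROGRAM_ID = bytes(32)  # base58 "1111...1111" is 32 zero bytes
ADVANCE_NONCE_ACCOUNT = 4      # SystemInstruction discriminant, u32 little-endian

def read_compact_u16(buf, pos):
    """Decode Solana's compact-u16 length prefix; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def durable_nonce_account_index(message):
    """Return the account index of the nonce account if this serialized
    message (legacy or v0) is a durable-nonce transaction, else None."""
    pos = 1 if message[0] & 0x80 else 0   # versioned messages carry a prefix byte
    pos += 3                              # header: signer / read-only counts
    n_keys, pos = read_compact_u16(message, pos)
    keys = [message[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys + 32               # skip keys and the recent_blockhash field
    n_ix, pos = read_compact_u16(message, pos)
    if n_ix == 0:
        return None
    program_idx = message[pos]            # only instruction 0 marks a durable nonce
    n_acc, pos = read_compact_u16(message, pos + 1)
    accounts = message[pos:pos + n_acc]
    data_len, pos = read_compact_u16(message, pos + n_acc)
    data = message[pos:pos + data_len]
    is_advance = (program_idx < n_keys and keys[program_idx] == SYSTEM_PROGRAM_ID
                  and data_len >= 4 and n_acc >= 1
                  and struct.unpack_from("<I", data)[0] == ADVANCE_NONCE_ACCOUNT)
    return accounts[0] if is_advance else None

def build_sample(ix_data, ix_accounts):
    """Constructed one-instruction legacy message: signer, nonce, System Program."""
    keys = bytes([1]) * 32 + bytes([2]) * 32 + SYSTEM_PROGRAM_ID
    return (bytes([1, 0, 1, 3]) + keys + bytes([9]) * 32 + bytes([1, 2])
            + bytes([len(ix_accounts)]) + bytes(ix_accounts)
            + bytes([len(ix_data)]) + ix_data)

SAMPLE_DURABLE = build_sample(struct.pack("<I", ADVANCE_NONCE_ACCOUNT), [1, 0])
SAMPLE_TRANSFER = build_sample(struct.pack("<IQ", 2, 1000), [0, 1])

if __name__ == "__main__":
    for name, msg in [("durable", SAMPLE_DURABLE), ("transfer", SAMPLE_TRANSFER)]:
        idx = durable_nonce_account_index(msg)
        print(name, "-> HOLD: stays valid until nonce advances" if idx is not None else "-> ok")
```

A multisig signing policy can route any message flagged this way to a second reviewer who decodes every remaining instruction, since the signature stays usable until the nonce account is advanced.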
On March 27, a pivotal change occurred: Drift migrated its Security Council to a new configuration with zero timelock. This “eliminated the protocol’s last line of defense” by removing the delay that would have allowed for detection and intervention.
On April 1, the trap was sprung. The pre-signed transactions were deployed, listing the worthless CVT as valid collateral and raising withdrawal limits to extreme levels.
- The Deposit: Attackers deposited hundreds of millions in CVT against the manufactured price.
- The Withdrawal: 31 withdrawal transactions executed in 12 minutes, draining real assets like USDC and JLP.
- The Bridge: Within hours, most funds were bridged to Ethereum.
TRM described the bridging transactions as “far outstripping the speed and aggressiveness of even the Bybit laundering of 2025”.
Drift Protocol has since suspended operations, and the DRIFT token saw a price collapse of over 40%.