North Korean Hackers Exploit Drift Protocol’s Vulnerabilities, Draining $285 Million in a Coordinated 12-Minute Attack


On April 1, Drift Protocol issued a statement on X that began with an unusual disclaimer: “This is not an April Fools joke.” The gravity of this statement soon became apparent as news broke of a $285 million exploit that decimated more than half of the total value locked in the Solana-based decentralized perpetual futures exchange. This attack had been meticulously planned over a six-month period.

The breach involved a sophisticated technique utilizing durable nonces, which allowed the malicious actor to swiftly seize control of Drift’s Security Council administrative powers. This incident, confirmed as a highly orchestrated operation, underscores the vulnerabilities present in decentralized finance (DeFi) platforms.

Drift Protocol stands as the largest decentralized perpetual futures exchange on the Solana blockchain, enabling users to trade leveraged financial positions without a centralized intermediary. Prior to the attack, the protocol managed approximately $550 million in user assets. According to TRM Labs, the exploit was executed in roughly 12 minutes, marking it as the largest DeFi hack of 2026 and the second-largest exploit in Solana’s history, surpassed only by the $326 million Wormhole bridge hack in 2022.

A Six-Month Long-Con Operation

The attack was attributed to a North Korean state-linked group that spent around six months infiltrating Drift Protocol under the guise of a quantitative trading firm. The attackers built trust by engaging with Drift contributors at conferences, depositing over $1 million, and integrating an Ecosystem Vault. They subsequently compromised devices through a malicious TestFlight app and exploited a vulnerability in VSCode/Cursor to gain multisig approvals.

On-chain preparations for the attack commenced on March 11, nearly three weeks before the April 1 execution. This involved a 10 ETH withdrawal from Tornado Cash, with funds beginning to move around 12:00 AM GMT on March 12—approximately 9:00 AM Pyongyang time. Shortly thereafter, these funds were used to deploy the CarbonVote Token (CVT), a fictitious asset designed to manipulate Drift’s price oracles.

The Fake Token That Fooled an Oracle

A crucial aspect of the attack was the creation of the CarbonVote Token (CVT). The attacker minted approximately 750 million units and established a small liquidity pool of about $500 on the Raydium decentralized exchange. Through wash trading (trades between wallets the attacker controlled), a fabricated price history pushed the quoted price to near $1. Over time, oracles picked up this fabricated price and treated the token as legitimate.

In blockchain protocols, oracles serve as systems that relay real-world price data into smart contracts, enabling protocols to ascertain the value of their assets. By generating a false price history for a worthless token, the attackers deceived Drift’s oracles into considering CVT as legitimate collateral worth hundreds of millions.
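The two paragraphs above describe why a quoted price alone is a poor basis for collateral: a $500 pool can quote $1 for a token while being unable to absorb a sale of any meaningful size, and a price history produced by a handful of wallets is not evidence of a market. The following is an added example, not Drift's code or its oracle logic, of the sanity check a risk engine could run before admitting a token as collateral. It models the pool as a fee-free constant-product AMM (an assumption), and the pool sizes, position size, wallet names and rejection thresholds are constructed for illustration, with the CVT-like case shaped after the figures in the article.

```python
"""Collateral sanity check modelled on the CVT oracle manipulation.

Added example, not Drift's code. Instead of trusting the quoted price
alone, it asks what a liquidation of the position could actually
realise against the on-chain liquidity that backs that price, and how
many distinct counterparties produced the price history.
Pool maths is a fee-free constant-product AMM (an assumption).
"""
from dataclasses import dataclass


@dataclass
class Pool:
    token_reserve: float   # collateral token units in the pool
    quote_reserve: float   # USD-denominated quote asset in the pool

    def spot_price(self) -> float:
        return self.quote_reserve / self.token_reserve

    def proceeds_of_sale(self, qty: float) -> float:
        """Quote received for selling qty tokens into the pool (x*y = k)."""
        k = self.token_reserve * self.quote_reserve
        return self.quote_reserve - k / (self.token_reserve + qty)


@dataclass
class Trade:
    buyer: str
    seller: str


def assess_collateral(pool, position_qty, trades,
                      max_haircut=0.10, min_counterparties=20):
    """Return a decision dict; any finding rejects the token as collateral."""
    marked = position_qty * pool.spot_price()
    realisable = pool.proceeds_of_sale(position_qty)
    haircut = 1.0 - realisable / marked
    findings = []
    if haircut > max_haircut:
        findings.append(
            f"liquidation realises ${realisable:,.0f} of ${marked:,.0f} marked "
            f"value (haircut {haircut:.1%})")
    parties = {w for t in trades for w in (t.buyer, t.seller)}
    if len(parties) < min_counterparties:
        findings.append(f"price history built by only {len(parties)} wallets")
    return {"accept": not findings, "marked_usd": marked,
            "realisable_usd": realisable, "haircut": haircut,
            "findings": findings}


def cvt_like_case():
    """Constructed sample in the shape described in the article:
    a ~$500 pool quoting ~$1, 100M of the 750M minted units posted."""
    pool = Pool(token_reserve=250.0, quote_reserve=250.0)
    trades = [Trade("w1", "w2"), Trade("w2", "w1"), Trade("w1", "w3")]
    return assess_collateral(pool, 100_000_000, trades)


def healthy_case():
    """Constructed sample: deep pool, broad counterparty set, small position."""
    pool = Pool(token_reserve=1_000_000.0, quote_reserve=1_000_000.0)
    trades = [Trade(f"w{i}", f"w{i + 1}") for i in range(30)]
    return assess_collateral(pool, 1_000, trades)


if __name__ == "__main__":
    for name, result in (("CVT-like", cvt_like_case()),
                         ("healthy", healthy_case())):
        print(name, "accept" if result["accept"] else "reject",
              result["findings"])
```

The point of the realisable-value test is that it is independent of what any oracle says: a 100 million unit position marked at $100 million can only ever pull about $250 out of a $500 pool, so the haircut is effectively 100% and the token is rejected regardless of the price feed. The counterparty count is a crude proxy for wash trading (ownership of wallets is not visible on-chain), which is why it is paired with the liquidity test rather than used alone.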

Durable Nonces: The Governance Weapon

The most innovative element of the attack exploited a legitimate feature of Solana known as durable nonces. By securing two misleading approvals from Drift’s five-member Security Council multisig, the attacker pre-signed transactions that remained valid for over a week. This allowed them to seize protocol-level control in mere minutes.

A multisig, or multi-signature, is a governance structure requiring multiple approvals for administrative actions, making it difficult for a single compromised individual to jeopardize the system. Durable nonces enable transactions on Solana to be pre-signed and executed later, a feature intended for operational efficiency. In this case, the attackers obtained two of the five necessary signatures through social engineering, presenting the signers with what appeared to be routine transactions and keeping those approvals dormant until the execution day.

When Drift executed a legitimate Security Council migration on March 27, the attacker adapted their strategy. By March 30, new nonce activity was observed linked to a member of the updated multisig, indicating that the attacker had regained the required two-of-five approval threshold under the new configuration.

On April 1, two transactions, spaced four slots apart on the Solana blockchain, created and approved a malicious admin transfer, which was executed almost immediately. Within minutes, the attacker gained full control of Drift’s protocol-level permissions and introduced a fraudulent withdrawal mechanism, draining the vaults.
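The sequence above turns on two properties of the approvals: a durable-nonce transaction does not expire, so an approval can sit dormant for weeks, and a council migration does not by itself invalidate approvals collected under the old membership. The following is an added example, not Drift's code or that of any multisig vendor, of a review step a council operator could run over pending proposals. The policy it applies (do not count an approval whose signer has left the council, that predates the latest membership change, or that is a durable-nonce approval older than a review window) is an assumption chosen for illustration; the member names, dates and threshold are constructed, loosely following the timeline in the article.

```python
"""Review of dormant, pre-signed multisig approvals.

Added example, not Drift's or any multisig vendor's code. On Solana a
transaction built on a durable nonce starts with an AdvanceNonceAccount
instruction and uses the nonce account's stored value as its
recent_blockhash, so it does not expire the way a normal transaction does.
Policy modelled here (an assumption, chosen for illustration): an
approval does not count toward the threshold if its signer is no longer
a member, if it predates the latest membership change, or if it is a
durable-nonce approval older than the review window.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Approval:
    signer: str
    signed_at: datetime
    durable_nonce: bool      # tx begins with AdvanceNonceAccount


@dataclass
class Proposal:
    proposal_id: str
    action: str
    approvals: list = field(default_factory=list)


@dataclass
class Council:
    members: set
    threshold: int
    membership_changed_at: datetime


def review_proposal(p: Proposal, council: Council, now: datetime,
                    max_age: timedelta = timedelta(days=7)) -> dict:
    """Count approvals that still satisfy policy and explain the rest."""
    live = 0
    findings = []
    for a in p.approvals:
        if a.signer not in council.members:
            findings.append(f"{a.signer}: signer no longer on the council")
        elif a.signed_at < council.membership_changed_at:
            findings.append(f"{a.signer}: approval predates council migration")
        elif a.durable_nonce and now - a.signed_at > max_age:
            findings.append(f"{a.signer}: durable-nonce approval dormant "
                            f"{(now - a.signed_at).days} days")
        else:
            live += 1
    return {"proposal": p.proposal_id, "action": p.action,
            "live_approvals": live,
            "remaining": max(0, council.threshold - live),
            "findings": findings,
            "needs_review": bool(findings)}


def sample_review() -> dict:
    """Constructed timeline loosely following the article's dates."""
    utc = timezone.utc
    council = Council(members={"alice", "bob", "carol", "dave", "erin"},
                      threshold=2,
                      membership_changed_at=datetime(2026, 3, 27, tzinfo=utc))
    proposal = Proposal("prop-7", "transfer admin authority", approvals=[
        # signed three weeks earlier with a durable nonce, before the migration
        Approval("alice", datetime(2026, 3, 12, tzinfo=utc), durable_nonce=True),
        # obtained after the migration; still within the window on execution day
        Approval("bob", datetime(2026, 3, 30, tzinfo=utc), durable_nonce=True),
        # from a signer removed in the migration
        Approval("frank", datetime(2026, 3, 29, tzinfo=utc), durable_nonce=False),
    ])
    return review_proposal(proposal, council,
                           now=datetime(2026, 4, 1, tzinfo=utc))


if __name__ == "__main__":
    r = sample_review()
    print(f"{r['proposal']}: {r['live_approvals']} live, "
          f"{r['remaining']} more needed")
    for f in r["findings"]:
        print("  -", f)
```

Run as-is, the sample proposal is left one approval short of the two-of-five threshold, with the pre-migration approval and the departed signer's approval both surfaced for review. In practice the `durable_nonce` flag would come from inspecting the signed transaction's first instruction, and the useful alert is the combination of a dormant approval with a proposal whose action changes admin authority.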

DPRK Attribution and Laundering

Investigators have attributed the attack to UNC4736, a North Korean state-affiliated group also known as AppleJeus or Citrine Sleet. This attribution is based on on-chain fund flows that trace back to the Radiant Capital attackers and operational overlaps with known DPRK-linked personas.

The stolen assets were consolidated and exchanged for USDC and SOL before being partially bridged to Ethereum using Circle’s Cross-Chain Transfer Protocol. On Ethereum, portions were converted into ETH, while some funds were funneled through centralized exchanges. On-chain investigator ZachXBT publicly criticized Circle for not freezing the stolen USDC, despite it crossing during U.S. business hours. This inaction was notably contrasted with Circle’s recent decision to freeze unrelated corporate wallets in a civil case.

If confirmed, the Drift incident would mark the eighteenth DPRK-linked crypto theft tracked by Elliptic in 2026, with over $300 million stolen to date. DPRK-linked actors have reportedly stolen over $6.5 billion in cryptoassets in recent years, with proceeds often linked to funding North Korea’s weapons programs.

The Drift exploit did not occur in isolation. It coincided with multiple security vendors attributing a supply chain attack on the Axios npm package to North Korean group UNC1069, a simultaneous two-front operation targeting both the software development ecosystem and the crypto finance layer that supports Pyongyang's strategic initiatives.

Drift has since frozen all protocol functions, removed the compromised wallet from the multisig, and is collaborating with security firms, exchanges, bridges, and law enforcement to trace and recover the stolen assets. A detailed postmortem is anticipated, and the DRIFT token experienced a decline of over 20% following the news of the exploit.

Source: thecyberexpress.com
