Sources: TRM Labs · The Hacker News · Yahoo Finance · CCN

North Korean Hackers Spent Six Months Infiltrating Drift Protocol. Then They Drained $285 Million in 12 Minutes.

Tags: exploit, USDC, Solana, DeFi, North Korea, security, Analysis

On April 1, a group of attackers drained $285 million from Drift Protocol — Solana's largest perpetual futures exchange — in exactly 31 transactions over roughly 12 minutes. The attack is the biggest DeFi exploit of 2026 and Solana's second-largest ever, behind only the $326 million Wormhole bridge hack in 2022.

Drift has since attributed the breach with medium confidence to UNC4736, a North Korean state-sponsored hacking group also tracked as AppleJeus, Citrine Sleet, and Gleaming Pisces. The group has been targeting cryptocurrency platforms since at least 2018.

The Six-Month Con

The prep started in fall 2025. Attackers approached Drift contributors at a major crypto conference, posing as a professional quantitative trading firm. They met team members face-to-face at events in multiple countries. Between December 2025 and January 2026, they onboarded an Ecosystem Vault after depositing over $1 million in real funds. Months of "substantive conversations around trading strategies and vault integrations" followed.

Two infection vectors were deployed. A malicious Visual Studio Code project used the runOn: folderOpen option in its tasks.json file, which makes VS Code execute a task automatically the moment a contributor opens the repository. Separately, a contributor was manipulated into downloading a wallet application via Apple's TestFlight beta program.
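The folder-open vector above is detectable before a repository is opened: VS Code starts any task whose runOptions.runOn is "folderOpen". The scanner below (an added example, not code from Drift or from the reporting) parses a workspace's .vscode/tasks.json, handling the comments and trailing commas the JSONC format permits, and lists the auto-start tasks with their command lines; the embedded tasks.json is constructed for illustration.

```python
"""Flag VS Code tasks that run automatically on folder open
("runOptions": {"runOn": "folderOpen"}). Added example; the sample
tasks.json below is constructed, not taken from any real repository."""
import json
import re
from pathlib import Path

# tasks.json is JSONC: strip // and /* */ comments that sit outside string
# literals, then trailing commas, before handing it to the strict json parser.
_JSONC_TOKEN = re.compile(
    r'"(?:\\.|[^"\\])*"'   # string literal (kept verbatim so "//" inside it survives)
    r'|//[^\n]*'           # line comment
    r'|/\*.*?\*/',         # block comment
    re.DOTALL,
)

def strip_jsonc(text: str) -> str:
    cleaned = _JSONC_TOKEN.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else "", text)
    return re.sub(r",(\s*[}\]])", r"\1", cleaned)  # drop trailing commas

def find_autorun_tasks(tasks_json_text: str) -> list[dict]:
    """Return the tasks VS Code would start on folder open, with their command lines."""
    doc = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            cmd = " ".join([task.get("command", "")] + list(task.get("args", [])))
            findings.append({"label": task.get("label", "<unnamed>"),
                             "type": task.get("type"), "command": cmd.strip()})
    return findings

def scan_workspace(root: str) -> list[dict]:
    """Scan a checked-out repository root; an absent tasks.json yields no findings."""
    path = Path(root) / ".vscode" / "tasks.json"
    return find_autorun_tasks(path.read_text(encoding="utf-8")) if path.is_file() else []

# Constructed sample: one ordinary build task, one task that auto-starts a script.
SAMPLE_TASKS_JSON = '''{
    // JSONC: comments and trailing commas are legal here
    "version": "2.0.0",
    "tasks": [
        {"label": "build", "type": "shell", "command": "cargo build"},
        {"label": "setup", "type": "shell", "command": "sh", "args": ["./scripts/setup.sh"],
         "runOptions": {"runOn": "folderOpen"}, /* auto-start */},
    ],
}'''

if __name__ == "__main__":
    for f in find_autorun_tasks(SAMPLE_TASKS_JSON):
        print(f"AUTORUN task {f['label']!r} ({f['type']}): {f['command']}")
```

Run it against a clone before opening the folder in VS Code, or wire scan_workspace into a pre-open or CI check; a hit is not proof of malice, but it is the one task in the file that runs without anyone choosing to run it.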

How They Broke the Oracle

The technical execution was brutal. The attacker minted 750 million units of a fabricated token called CarbonVote Token (CVT), seeded a liquidity pool on Raydium with roughly $500, then wash-traded it to build an artificial price history near $1. Drift's oracles accepted this manufactured token as legitimate collateral worth hundreds of millions.

With a compromised admin key — obtained through the social engineering campaign — the attackers listed CVT as valid collateral on Drift, raised withdrawal limits to extreme levels, and deposited hundreds of millions in worthless CVT against the artificial pricing. Then came the 31 withdrawals: tens of millions in USDC, JLP, and other tokens gone in minutes.

The Governance Failure Nobody's Talking About

On March 27, five days before the attack, Drift migrated its Security Council to a 2-of-5 threshold configuration with zero timelock. That means any two signers could approve critical admin actions — including listing new collateral and raising withdrawal limits — with no delay window for detection. The attackers had already convinced multisig signers to pre-sign transactions that "appeared routine but carried hidden authorizations."

A timelock of even 24 hours would have given the team a window to spot the CVT listing. Instead, they removed the only safety mechanism that could have prevented a $285 million loss.

Where the Money Went

Initial staging funds came from a 10 ETH withdrawal through Tornado Cash, deployed at approximately 09:00 Pyongyang time on March 12. After the exploit, most stolen funds were bridged to Ethereum within hours. TRM Labs noted the speed and aggressiveness of the bridging exceeded "even the Bybit laundering of 2025," with individual transfers moving millions in USDC at a time.

Drift's TVL collapsed from roughly $550 million to under $300 million in less than an hour. The DRIFT token dropped over 40%. A dozen other Solana protocols paused operations as a precaution. Drift has suspended deposits and withdrawals and is working with law enforcement and TRM to track the cross-chain movements.