driftprotocol

On April 1, 2026, Drift Protocol, the largest perpetual futures exchange on Solana, experienced a significant security breach, resulting in the theft of approximately $285 million. This incident marks the largest DeFi hack of 2026 and the second-largest in Solana's history. Unlike typical DeFi exploits that target smart contract vulnerabilities, this breach was a sophisticated administrative takeover attributed to North Korean state-sponsored actors.

▎How the Breach Occurred

The attack involved a multi-week execution strategy that combined social engineering with technical manipulation of Solana's infrastructure:
• Durable Nonces Manipulation: Attackers tricked members of Drift’s Security Council into pre-signing transactions, allowing them to store valid signatures for later use.
• Admin Takeover: Using these signatures, the hackers gained unauthorized control over the protocol’s multi-signature administrative powers.
• Fake Collateral: They whitelisted a fictitious asset called CarbonVote Token (CVT) and manipulated Drift's oracles to recognize it as valuable collateral.
• The Drain: The attackers deposited 500 million CVT and used it to withdraw $285 million in real assets like USDC, SOL, and ETH.

▎Impact and Current Status

The exploit was executed rapidly, draining primary vaults in approximately 10 seconds. Key impacts include:
• Total Loss: Around $285 - $286 million.
• TVL Drop: Total value locked fell from ~$550 million to under $250 million (over 50% loss).
• Protocol Status: Deposits and withdrawals were immediately suspended.

▎Recovery and Investigation

Drift is collaborating with law enforcement and exchanges to freeze stolen assets, while analysis indicates that the attackers began laundering the funds shortly after the breach. Users are advised to monitor Drift’s official channels for updates on recovery efforts and potential reimbursement plans for affected users.$SOL #DriftProtocol #breach #solana

🇰🇵North Korean-linked group Lazarus Group continues to dominate crypto exploits — total damage now exceeds $3B.

Key attacks:

🔸 2017 — Bithumb ($7M, phishing)
🔸 2018 — Coincheck ($625M, malware)
🔸 2020 — KuCoin ($280M, stolen credentials)
🔸 2022 — Ronin Network ($625M, fake job offer)
🔸 2022 — Horizon Bridge ($100M, private key exploit)
🔸 2023 — Atomic Wallet / Alphapo / CoinsPaid / Stake / CoinEx ($292M total)
🔸 2024 — WazirX ($235M, multisig breach)
🔸 2025 — Bybit ($1.5B, multisig)
🔸 2026 — Drift Protocol ($285M, fake collateral)

From phishing to multisig exploits — tactics evolve, but the result is the same. 🤷

Crypto security isn’t improving as fast as attackers are.

#LazarusGroup #NorthKoreaHackers #DriftProtocol

The story of how North Korean state hackers drained $285 million from Drift Protocol on April Fool's Day 2026 doesn't begin with a line of malicious code. It begins at a crypto conference sometime in the fall of 2025, with a handshake.
That's the detail that makes this the most unsettling DeFi hack of the year and possibly the most sophisticated social engineering operation in crypto history. The attackers, attributed with medium-high confidence to a North Korean state group known as UNC4736 (also called AppleJeus or Citrine Sleet), didn't brute-force their way in. They spent six months building genuine human relationships inside Drift's team.
The playbook was meticulous. Posing as a legitimate quantitative trading firm, they approached Drift contributors at multiple major industry conferences in different countries throughout late 2025 and early 2026. They were technically fluent. They asked smart questions about trading strategies and protocol architecture. They deposited over $1 million of their own money to establish credibility. A Telegram group was set up, meetings happened in person, and over months of substantive conversations, they became from Drift's perspective trusted working partners.
Then came the quiet infection. Investigators identified two likely attack vectors: one contributor may have cloned a malicious code repository the group shared, disguised as a frontend tool for their vault. Another was reportedly tricked into downloading a wallet app through Apple's TestFlight a tool that, ironically, was also used to remove Bitchat from China this week. Simply opening a file in a VS Code folder was enough to silently execute code and give the attackers remote access. No warning. No prompt. Just a compromised device.
On April 1, using pre-signed multisig transactions that had been sitting dormant for over a week, the attackers executed the drain in roughly 12 minutes. $285 million gone. Most of it was bridged to Ethereum within hours. The DRIFT token collapsed over 40%. The Telegram group and all associated malware were immediately scrubbed. The "trading firm" vanished.
Security experts are blunt about what this means: DeFi's reliance on multisig governance, long considered a gold standard of security, may not be enough when the adversary is willing to spend six months and a million dollars becoming your colleague first. "Crypto teams are now facing adversaries that operate more like intelligence units than hackers," noted one blockchain security firm. It's an uncomfortable reality but one the industry needs to reckon with.
#DriftProtocol #northkorea #DeFiHack #CryptoSecurity