On April 1, 2026 — April Fool’s Day — Drift Protocol, the largest decentralized perpetual futures exchange on the Solana blockchain, was stripped of approximately $285 million in roughly twelve minutes. The Drift team’s first public statement included an unusual assurance: “This is not an April Fool’s joke.” It was not. What investigators have since uncovered is a methodical, state-sponsored intelligence operation that unfolded over six months, across multiple countries, at real industry conferences — and it never once required a single bug in Drift’s code.

The attack is the largest DeFi exploit of 2026 and the second-largest security incident in Solana’s history, trailing only the $326 million Wormhole bridge hack of 2022. Drift’s total value locked collapsed from approximately $550 million to under $250 million in the span of a single afternoon. The DRIFT token fell more than 40%. More than a dozen downstream protocols were forced to pause operations.

Accuracy Note

Reported amounts vary across sources: Elliptic calculated $286 million; Drift’s own post-mortem references approximately $270–285 million; Bloomberg initially reported “about $280 million.” We use $285 million as the most widely cited figure. The investigation remains active as of publication.

Part I

A Fake Firm, Real Handshakes

The operation began in the autumn of 2025. At a major cryptocurrency industry conference, a group of individuals approached members of the Drift Protocol core team presenting themselves as representatives of a quantitative trading firm. They were not anonymous voices behind keyboards — they were physically present, shaking hands, exchanging business cards, asking technically sophisticated questions about Drift’s product architecture. Nothing appeared out of the ordinary.

Over the following weeks, a shared Telegram group was created. Months of continuous communication followed — trading strategies, Vault integration solutions, technical deep-dives. The content and cadence of these conversations were indistinguishable from any legitimate DeFi collaboration. According to Drift’s published incident report, “these were not strangers; they were people Drift contributors had worked with and met in person” across multiple major industry conferences in different countries through February and March 2026.

The profiles used in this operation had fully constructed identities — employment histories, public-facing credentials, professional networks.

— Drift Protocol Incident Report, April 5, 2026

Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift — a mechanism allowing professional traders to manage pools of user funds. They submitted detailed strategy documentation, participated in multiple working sessions with contributors, and, crucially, deposited over $1 million of their own capital. In the cryptocurrency world, real money is the most credible signal of legitimacy. No one doubted a partner who had placed seven figures on the table.

Security investigators later confirmed that the personas were fully fabricated. The SEAL 911 security team, which assisted Drift’s post-incident investigation, has assessed with medium-to-high confidence that the operation was carried out by UNC4736 — a North Korean state-affiliated threat group also tracked under the names AppleJeus and Citrine Sleet — the same group responsible for the $53 million Radiant Capital hack in October 2024. Attribution rests on both on-chain fund flows and operational pattern overlaps with previously documented North Korean campaigns. Mandiant has been separately engaged to conduct a full forensic investigation.

Part II

Two Intrusion Vectors, One Fatal Opening

Drift’s ongoing investigation has identified two primary attack vectors through which contributor devices were compromised. It is important to be precise here: some early reporting claimed three confirmed vectors, including “malicious files shared via Telegram.” Drift’s own incident update identifies two confirmed pathways, while the broader method of file and link sharing during collaboration was the delivery mechanism for both.

Confirmed Attack Vectors

Vector 1 — Malicious Code Repository: One contributor cloned a code repository shared by the group under the guise of deploying a frontend for their Ecosystem Vault. This vector likely exploited a known vulnerability in VSCode and Cursor — flagged by the security community between December 2025 and February 2026 — which allowed arbitrary code execution simply by opening a file or folder, with no prompt, warning, or permission dialog of any kind.

Vector 2 — Malicious TestFlight Application: A second contributor was persuaded to download an application via Apple’s TestFlight platform, which the group presented as their wallet product for beta testing. TestFlight bypasses the App Store’s standard security review process, making it a known vector for distributing unreviewed malicious software.

The VSCode and Cursor vulnerability deserves particular attention. These are among the most widely used code editors in software development worldwide. The flaw — active and publicly flagged for at least two months before the Drift attack — meant that any developer who opened a repository shared by the attackers would silently execute arbitrary code on their machine. The attackers had six months to identify the right moment to share the right file with the right person.

Once devices were compromised, the attackers obtained what they needed: access to the private keys of multi-signature wallet signers. Drift’s security model required a 2-of-5 multisig approval for critical operations. Between late March and the days immediately before April 1, the attackers successfully obtained pre-signed authorizations from two signers — individuals who believed they were approving routine Vault operations with a trusted, half-year-old business partner.

Part III

The Technical Mechanism: Durable Nonces

The execution of the heist exploited a legitimate Solana feature called durable nonces — referred to in some reporting as “persistent nonces,” though “durable nonce” is the correct technical term used in Drift’s own statement. Understanding this mechanism is essential to understanding why the attack was so devastating.

On the Solana blockchain, ordinary transactions include a recent block hash that acts as a timestamp, causing transactions to expire if not executed within approximately two minutes. This prevents indefinite replay attacks. The durable nonce feature was designed to solve a real problem: when a transaction requires multiple signers, it’s impractical for all approvals to arrive within a two-minute window. Durable nonces allow a signed transaction to remain valid indefinitely, awaiting execution at any future point.

The attackers exploited exactly this feature. The pre-signed authorizations obtained from two compromised signers in late March used durable nonces, meaning they could sit dormant and be triggered at any moment of the attackers’ choosing. The signers had no reason to suspect anything unusual — they had been approving similar requests for months.
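To make the distinction concrete, here is an added example (not Drift’s or Solana’s code) that models the two validity rules in plain JavaScript: a transaction carrying a recent blockhash expires once that hash leaves the ledger’s window, while one signed against a durable nonce stays executable until the nonce value is advanced. The ledger, blockhash strings, nonce account names and the three-entry window are all constructed for the model; it also shows the defender’s lever that follows from the mechanism, namely that the nonce authority can advance the nonce itself to revoke an outstanding pre-signed transaction.

```javascript
// Added example (not Drift's or Solana's code): a model of Solana's two validity
// rules, showing why an approval signed against a durable nonce weeks earlier can
// still execute, and that advancing the nonce kills it. Real Solana keeps a far
// longer recent-blockhash window; this model keeps 3 so expiry is visible.
const MAX_RECENT = 3;
function makeLedger() { return { slot: 0, recent: ["bh-0"], nonces: new Map() }; }
function advanceSlot(ledger) {                // newest blockhash in, oldest out
  ledger.recent.push(`bh-${++ledger.slot}`);
  if (ledger.recent.length > MAX_RECENT) ledger.recent.shift();
}
function createNonce(ledger, addr) { ledger.nonces.set(addr, { value: `${addr}-0`, n: 0 }); }
// Advancing a nonce invalidates every transaction signed against its old value,
// whether the executing transaction does it or the nonce authority does it early.
function advanceNonce(ledger, addr) {
  const acct = ledger.nonces.get(addr); acct.value = `${addr}-${++acct.n}`;
}
// Sign-time: an ordinary tx embeds the current blockhash; a durable tx embeds the nonce value.
function signOrdinary(ledger, ix) { return { blockhash: ledger.recent[ledger.recent.length - 1], ix }; }
function signDurable(ledger, addr, ix) {
  return { blockhash: ledger.nonces.get(addr).value, nonceAccount: addr, ix };
}
// Execution-time validity: recent-blockhash txs expire; durable ones do not.
function canExecute(ledger, tx) {
  if (!tx.nonceAccount) return ledger.recent.includes(tx.blockhash);
  const acct = ledger.nonces.get(tx.nonceAccount);
  return acct !== undefined && acct.value === tx.blockhash;
}
function execute(ledger, tx) {
  if (!canExecute(ledger, tx)) return false;
  if (tx.nonceAccount) advanceNonce(ledger, tx.nonceAccount);   // consumed exactly once
  return true;
}
// Scenario: approvals signed at slot 0, then 100 slots (well past expiry) pass.
function scenario() {
  const L = makeLedger();
  createNonce(L, "nonceA"); createNonce(L, "nonceB");
  const ordinary = signOrdinary(L, "withdraw");
  const durableA = signDurable(L, "nonceA", "withdraw");
  const durableB = signDurable(L, "nonceB", "withdraw");
  for (let i = 0; i < 100; i++) advanceSlot(L);
  advanceNonce(L, "nonceB");                  // authority revokes B before anyone uses it
  return {
    ordinaryExpired: !canExecute(L, ordinary),      // true
    durableStillValid: canExecute(L, durableA),     // true: dormant but live
    executed: execute(L, durableA),                 // true, and nonce A advances
    replayable: canExecute(L, durableA),            // false after execution
    revokedBeforeUse: !canExecute(L, durableB),     // true: the early advance killed it
  };
}
```

Real Solana additionally requires the advance-nonce instruction to be the first instruction of a durable-nonce transaction, which is one signal a signing-time policy can look for before a signer approves anything.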

From an on-chain perspective, every one of the 31 withdrawal transactions appeared completely legitimate — correct multisig approval, correct format, correct signature verification. Drift’s smart contracts did exactly what they were designed to do.

— Based on Drift Protocol incident analysis

The attackers also prepared a final piece of the mechanism in advance: a manufactured asset called CarbonVote Token (CVT). With only a few thousand dollars in seeded liquidity and artificial trading volume, they caused Drift’s price oracle to treat CVT as legitimate collateral worth hundreds of millions of dollars. This inflated collateral position was the key that unlocked the vaults.

Timeline

Anatomy of a Six-Month Operation

Fall 2025

Attackers approach Drift contributors at a major crypto industry conference, posing as a quantitative trading firm. A Telegram group is established and months of technical discussions begin.

Dec 2025 – Jan 2026

The group onboards an Ecosystem Vault on Drift, submits strategy documents, holds working sessions with contributors, and deposits over $1 million of real capital. A VSCode/Cursor arbitrary code execution vulnerability is active but not yet widely flagged.

Feb – Mar 2026

Drift contributors meet the group again face-to-face at multiple international industry conferences. The relationship is now nearly six months old. Malicious repositories and a TestFlight application are shared during collaboration, compromising contributor devices. Pre-signed durable nonce transactions are obtained from two multisig signers.

Mar 11, 2026

On-chain staging begins. TRM Labs traces a 10 ETH withdrawal from Tornado Cash to attacker infrastructure — nearly three weeks before execution.

Mar 23–30, 2026

CarbonVote Token (CVT) is deployed and seeded with artificial liquidity to manipulate Drift’s price oracle.

Apr 1, 2026

At approximately 4:06 PM UTC, the first of 31 withdrawal transactions fires. Within roughly 12 minutes, $285 million is drained from Drift’s vaults. Stolen funds are bridged to Ethereum within hours. Attacker Telegram chats and all malicious software are simultaneously wiped.

Apr 2–5, 2026

Drift confirms the exploit and freezes all protocol functions. Mandiant is engaged for forensic investigation. SEAL 911 attributes the attack with medium-to-high confidence to UNC4736. Elliptic and TRM Labs confirm fund flow patterns consistent with North Korean state-sponsored hacking.

Part IV

The Last Line of Defense That Wasn’t

One of the most important details to emerge from the post-mortem concerns a governance change made weeks before the attack. Drift’s security architecture had previously included a time-lock mechanism on significant transactions — a cooling-off window between when a transaction is approved and when it executes, giving other signers and the broader community a chance to detect anomalies.

That time-lock was removed. A migration by Drift’s security committee changed the multisig configuration to a 2-of-5 threshold with zero time-lock, eliminating the protocol’s final backstop. When the pre-signed durable nonce transactions fired on April 1, there was no delay, no window for human intervention, and no safety net. The 31 withdrawals executed at machine speed.
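As an added illustration (not Drift’s governance code), the following JavaScript models a 2-of-5 multisig with a configurable delay between reaching the approval threshold and execution; signer names, timestamps and the 24-hour value are constructed. It shows the same two approvals executing instantly at zero delay, being refused inside the window, going through once the window has elapsed, and being vetoed by a third signer who notices in time.

```javascript
// Added example, not Drift's code: a model of a 2-of-5 multisig executor with a
// configurable delay between approval and execution, showing what the zero
// time-lock migration removed. Timestamps are seconds; all names are constructed.
const SIGNERS = ["s1", "s2", "s3", "s4", "s5"];
const THRESHOLD = 2;
function makeMultisig(timelockSeconds) { return { timelock: timelockSeconds, proposals: new Map(), nextId: 1 }; }
function propose(ms, action) {
  const id = ms.nextId++;
  ms.proposals.set(id, { action, approvals: new Set(), readyAt: null, cancelled: false, executed: false });
  return id;
}
// Records an approval; the delay clock starts when the threshold is reached.
function approve(ms, id, signer, now) {
  const p = ms.proposals.get(id);
  if (!SIGNERS.includes(signer) || p.executed || p.cancelled) return false;
  p.approvals.add(signer);
  if (p.approvals.size >= THRESHOLD && p.readyAt === null) p.readyAt = now + ms.timelock;
  return true;
}
// Any signer can veto while the delay is running; that window is the whole point.
function cancel(ms, id, signer) {
  const p = ms.proposals.get(id);
  if (!SIGNERS.includes(signer) || p.executed) return false;
  return (p.cancelled = true);
}
// Execution is refused until the delay has elapsed, however many valid signatures it carries.
function execute(ms, id, now) {
  const p = ms.proposals.get(id);
  if (p.cancelled || p.executed || p.readyAt === null) return { ok: false, reason: "not ready" };
  if (now < p.readyAt) return { ok: false, reason: `locked for ${p.readyAt - now}s` };
  p.executed = true;
  return { ok: true };
}
// Scenario: identical approvals under a zero delay and under a 24-hour delay.
function compare() {
  const t0 = 1_700_000_000, DAY = 24 * 3600;
  const noLock = makeMultisig(0), id0 = propose(noLock, "withdraw-all");
  approve(noLock, id0, "s1", t0); approve(noLock, id0, "s2", t0);
  const instant = execute(noLock, id0, t0).ok;               // true: machine speed
  const locked = makeMultisig(DAY), id1 = propose(locked, "withdraw-all");
  approve(locked, id1, "s1", t0); approve(locked, id1, "s2", t0);
  const early = execute(locked, id1, t0 + 60).ok;            // false: inside window
  const id2 = propose(locked, "withdraw-all");              // same request, vetoed in time
  approve(locked, id2, "s1", t0); approve(locked, id2, "s2", t0); cancel(locked, id2, "s3");
  const onTime = execute(locked, id1, t0 + DAY).ok;          // true: delay elapsed, no veto
  const vetoed = execute(locked, id2, t0 + DAY).ok;          // false: cancelled in window
  return { instant, early, onTime, vetoed };
}
```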

Security analysts reviewing the incident have noted that independent security audits — including one by Trail of Bits in 2022 and another by ClawSecure in February 2026 — gave Drift passing grades. The CVT market introduction and the governance change eliminating the time-lock apparently fell outside the scope of those reviews, or arrived after them. The vulnerability was not in the code. It was in the humans, and in the governance decisions humans make.

Part V

North Korea’s Systematic Cryptocurrency Campaign

The Drift incident is not an isolated event. It is the latest chapter in a sustained, state-level cryptocurrency theft operation run by the North Korean government. Elliptic has identified this as the eighteenth cryptocurrency theft attributed to North Korean actors in 2026 alone, with over $300 million stolen in the year’s first months. Across recent years, North Korean-affiliated actors have been linked to more than $6.5 billion in stolen crypto assets — funds the U.S. government has directly linked to financing North Korea’s weapons programs, including the construction of new destroyers, nuclear-powered submarines, and reconnaissance satellites.

What the Drift case demonstrates — and what distinguishes it from most cybercrime — is the operational sophistication involved. This was not a phishing email campaign or a dark web tool purchase. This was a structured intelligence operation: manufactured identities with convincing professional histories, face-to-face engagement across multiple countries over six months, more than a million dollars of real capital invested as cover, and then a precisely timed strike at a calculated moment of maximum vulnerability.

Broader Context

On the same day as the Drift attack, a separate North Korean-affiliated group, UNC1069, was exposed for using fake LinkedIn and Slack identities to target Node.js open-source maintainers — illustrating simultaneous operations at the financial layer (cryptocurrency theft) and the software supply chain layer (open-source ecosystem infiltration).

CrowdStrike’s January 2026 assessment described North Korean hacking operations as falling into two categories: large, high-value targeted attacks like Drift, and persistent lower-value thefts against smaller fintech companies operating at higher frequency. Both streams serve the same purpose: generating reliable revenue for the North Korean regime under international sanctions.

Implications

What the Industry Must Reckon With

The Drift hack exposes three failures that go beyond this single protocol and demand a reckoning across decentralized finance.

Social engineering has outpaced technical defenses. The industry’s security conversation has been dominated for years by smart contract audits, formal verification, and bug bounty programs. All of those are necessary. None of them would have stopped this attack. When the adversary is willing to spend six months, appear at conferences in person, and invest real money to build trust, no amount of code review catches the threat — because the vulnerability is human judgment, not program logic.

Multisig security is only as strong as its weakest signer’s device. Drift’s 2-of-5 multisig was, in theory, a robust protection. In practice, when a sophisticated attacker has six months to identify, cultivate, and then silently compromise individual signers, the threshold becomes a puzzle to be solved rather than a wall to be breached. The absence of a time-lock transformed a defense into a formality. Any DeFi protocol holding significant user assets must consider mandatory delays on large transactions — delays long enough for anomalies to be noticed by humans, not just machines.

The cryptocurrency industry is a geopolitical battleground. North Korea is not a criminal gang. It is a nation-state systematically looting the global cryptocurrency ecosystem to fund its military. That scale of adversary demands responses beyond individual protocol security improvements — it requires coordinated action from exchanges, bridges, on-chain intelligence firms, and ultimately international law enforcement and regulatory bodies. The blockchain analysis work done by Elliptic, TRM Labs, and ZachXBT after the fact is valuable. But the industry needs mechanisms to act faster, and to freeze stolen funds before they are fully laundered across chains.

Drift Protocol has frozen all protocol functions and removed compromised wallets from its multisig structure. The protocol is working with Mandiant, SEAL 911, law enforcement, and multiple cross-chain bridges and exchanges. As of April 7, 2026, stolen funds have not been recovered. The investigation is ongoing.