
North Korean-Linked Hackers Drain $285M From Drift Protocol in Sophisticated Exploit

  • Apr 3
  • 3 min read

Key Findings


  • Drift Protocol lost $285 million in a sophisticated attack attributed to North Korean-linked hackers on April 1, 2026

  • Attackers used durable nonce accounts to pre-sign transactions and compromised multisig approvals to gain admin control

  • The operation involved multi-week preparation with staged execution across multiple phases

  • Stolen funds were rapidly drained from multiple vaults within seconds and laundered across wallets

  • If confirmed, this would be the 18th DPRK-linked crypto theft tracked in 2026, with over $300 million stolen year-to-date across confirmed and suspected cases

  • Drift's total value locked collapsed from $550 million to under $250 million, making this 2026's largest DeFi hack


Background


Drift Protocol is a Solana-based decentralized exchange that suffered a devastating security breach in early April 2026. The platform had been operating with approximately $550 million in total value locked before the incident. Blockchain analytics firm Elliptic identified strong indicators linking the exploit to North Korea, based on attack behavior and laundering methods consistent with previous DPRK operations.


Attack Preparation and Timeline


The attackers demonstrated exceptional operational discipline with a carefully staged multi-week campaign. On March 23, the threat actors created durable nonce accounts and obtained approval signatures from at least 2 of the 5 multisig signers, apparently without those signers realizing what they had approved. Because a durable nonce transaction does not expire the way an ordinary Solana transaction does, this let the attackers sign the malicious transactions early and hold them for execution at a time of their choosing.


On March 27, Drift migrated its Security Council, but by March 30 the attackers had regained access to 2 of the 5 signers in the updated multisig setup, which suggests that rotating the council did not cut off whatever access they had to those signers. They maintained this access ahead of the final exploit.


On April 1, the attack entered its execution phase. It began with a legitimate test withdrawal by Drift; approximately one minute later, the attackers submitted their pre-signed durable nonce transactions. They rapidly created, approved, and executed a malicious admin transfer that handed them complete control of the protocol.


Attack Mechanism and Execution


The attackers demonstrated sophisticated knowledge of Drift's infrastructure. They used pre-signed durable nonce transactions as a timing mechanism: an ordinary Solana transaction references a recent blockhash and is rejected once that blockhash is more than about 150 slots old (roughly a minute), whereas a durable nonce transaction stays valid until its nonce account is advanced. Signatures gathered on March 23 could therefore be submitted on April 1 at precisely the moment the attackers chose, even though they never held direct control of all administrative functions.
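The following is an added example written for this article, not Drift Protocol code or Elliptic's data. It models, in simplified form, why a durable nonce transaction can be pre-signed and held for days while a normal transaction expires, and adds a detection heuristic that flags pre-signed transactions carrying a privileged instruction signed by a multisig member. The program id, the signer names, the `SetAdmin` instruction and all transactions are constructed for illustration; only the System Program id and the rule that `AdvanceNonceAccount` must be instruction 0 are real Solana facts.

```python
"""Toy model of Solana durable-nonce validity plus a detector for privileged
pre-signed transactions. Added example, not Drift Protocol or Elliptic code.
Program id, signer names, 'SetAdmin' and every transaction below are
hypothetical/constructed."""
from dataclasses import dataclass

SYSTEM_PROGRAM = "11111111111111111111111111111111"  # real Solana System Program id
ADVANCE_NONCE = "AdvanceNonceAccount"               # must be instruction 0 of a nonce tx
MAX_BLOCKHASH_AGE_SLOTS = 150   # a normal tx's recent_blockhash expires after ~150 slots (~1 min)

PROTOCOL_PROGRAM = "Protocol11111111111111111111111111111111111"  # hypothetical program id
PRIVILEGED_IXS = {"SetAdmin", "TransferAuthority"}               # hypothetical instruction names


@dataclass
class Instruction:
    program: str
    name: str
    accounts: list


@dataclass
class Transaction:
    signers: list
    recent_blockhash: str   # a real blockhash, or the stored nonce value for a nonce tx
    instructions: list


def is_durable_nonce_tx(tx):
    """A durable-nonce tx is identified by AdvanceNonceAccount as its first instruction."""
    if not tx.instructions:
        return False
    ix0 = tx.instructions[0]
    return ix0.program == SYSTEM_PROGRAM and ix0.name == ADVANCE_NONCE


def is_valid_at(tx, submit_slot, blockhash_slots, nonce_values):
    """Simplified validity rule.
    Normal tx: recent_blockhash must have been produced within the last 150 slots.
    Durable-nonce tx: recent_blockhash must equal the nonce account's current value,
    which only changes when AdvanceNonceAccount runs, so the tx never ages out."""
    if is_durable_nonce_tx(tx):
        nonce_account = tx.instructions[0].accounts[0]
        return nonce_values.get(nonce_account) == tx.recent_blockhash
    produced = blockhash_slots.get(tx.recent_blockhash)
    return produced is not None and submit_slot - produced <= MAX_BLOCKHASH_AGE_SLOTS


def execute(tx, nonce_values):
    """Simulate execution: advancing the nonce invalidates any replay of the same tx."""
    if is_durable_nonce_tx(tx):
        nonce_account = tx.instructions[0].accounts[0]
        nonce_values[nonce_account] = nonce_values[nonce_account] + "-advanced"


def flag_privileged_nonce_txs(txs, watched_signers):
    """Detection heuristic: pre-signed (durable-nonce) transactions that carry a
    privileged instruction on the protocol program and are signed by a council
    member. A legitimate council action rarely needs to be signed days in advance."""
    flagged = []
    for tx in txs:
        if not is_durable_nonce_tx(tx):
            continue
        privileged = any(ix.program == PROTOCOL_PROGRAM and ix.name in PRIVILEGED_IXS
                         for ix in tx.instructions[1:])
        if privileged and set(tx.signers) & set(watched_signers):
            flagged.append(tx)
    return flagged


# --- constructed scenario (hypothetical 2-of-5 council) ----------------------
COUNCIL = ["signerA", "signerB", "signerC", "signerD", "signerE"]
NONCE_VALUES = {"nonceAcct1": "nonce-v1"}      # nonce account created on day 0
BLOCKHASH_SLOTS = {"hash@1000": 1000}          # blockhash produced at slot 1000

normal_tx = Transaction(["signerA", "signerB"], "hash@1000",
                        [Instruction(PROTOCOL_PROGRAM, "SetAdmin", ["newAdmin"])])
presigned_tx = Transaction(["signerA", "signerB"], "nonce-v1",
                           [Instruction(SYSTEM_PROGRAM, ADVANCE_NONCE, ["nonceAcct1", "signerA"]),
                            Instruction(PROTOCOL_PROGRAM, "SetAdmin", ["newAdmin"])])


def scenario():
    """Returns (normal_valid_days_later, presigned_valid_days_later,
    presigned_valid_after_replay, flagged_is_presigned)."""
    nonce_values = dict(NONCE_VALUES)
    later = 1000 + 9 * 24 * 3600 * 2   # ~9 days later at ~2 slots/s (assumption)
    normal_ok = is_valid_at(normal_tx, later, BLOCKHASH_SLOTS, nonce_values)
    presigned_ok = is_valid_at(presigned_tx, later, BLOCKHASH_SLOTS, nonce_values)
    execute(presigned_tx, nonce_values)
    replay_ok = is_valid_at(presigned_tx, later + 1, BLOCKHASH_SLOTS, nonce_values)
    flagged = flag_privileged_nonce_txs([normal_tx, presigned_tx], COUNCIL)
    return normal_ok, presigned_ok, replay_ok, [t is presigned_tx for t in flagged]


if __name__ == "__main__":
    print(scenario())   # (False, True, False, [True])
```

The scenario shows the asymmetry the article describes: the normally signed `SetAdmin` transaction is dead nine days after its blockhash was produced, while the durable nonce version is still executable until its nonce is advanced. The detector does nothing clever; it simply treats "council member signed a privileged instruction against a durable nonce" as an event worth paging on, since the whole value of the technique to an attacker lies in the gap between signing and submission.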


Once they gained admin control through the compromised multisig approvals, the attackers immediately targeted key vaults. They drained approximately $155 million in JLP tokens along with USDC and other digital assets.


The draining operation unfolded rapidly: individual vaults were emptied within seconds, and most of the funds had left the protocol within an hour of the attackers taking admin control. This speed left Drift no window to mount a meaningful defense or freeze assets.


Fund Laundering and Asset Movement


The attackers demonstrated knowledge of effective money laundering techniques. Stolen funds were quickly swapped to USDC, a stablecoin with deep liquidity and broad bridge and exchange support that is easier to move across chains.


The assets were then moved to Ethereum and converted to ETH, taking advantage of Ethereum's larger liquidity and more numerous exchange options. The attackers prepared in advance by creating a wallet days earlier and testing their access to ensure the operation would function smoothly.


The rapid movement of funds across chains and into more liquid assets made it significantly harder for law enforcement and exchanges to freeze or recover the stolen cryptocurrency.


Attribution to North Korea


Elliptic identified multiple indicators suggesting the Drift Protocol exploit links directly to the Democratic People's Republic of Korea. The attack patterns, laundering methods, and operational behavior all align with previous North Korean-linked cryptocurrency thefts.


If confirmed, this incident would represent the 18th DPRK-linked crypto theft tracked in 2026 alone. The confirmed and suspected North Korean attacks have resulted in over $300 million in stolen assets just this year.


Cumulatively, North Korean-linked actors are estimated to have stolen over $6.5 billion in cryptocurrency in recent years, and their activity is intensifying, with annual losses up 51% year-over-year. These stolen assets are believed to directly fund weapons programs and support the regime's broader criminal enterprises.


Response and Ongoing Investigation


Drift Protocol immediately halted operations following the discovery of the attack and notified law enforcement. The platform began coordinating with multiple security firms to determine the cause of the incident and understand the full scope of the compromise.


Drift is working with cryptocurrency bridges, exchanges, and law enforcement agencies to trace and freeze the stolen assets. The coordinated response reflects the complexity of tracking cryptocurrency across multiple chains and jurisdictions.


The incident demonstrates that a multisig is only as strong as the signing hygiene of its members: approvals obtained from two signers on March 23 and held in durable nonce transactions were enough to take over the protocol a week later, and a council migration that did not also cut off the attackers' access to those signers did not help. It also underscores the persistent threat posed by nation-state actors targeting cryptocurrency infrastructure.


Sources


  • https://securityaffairs.com/190330/hacking/north-korea-linked-hackers-drain-285m-from-drift-in-sophisticated-attack.html

  • https://www.ainvest.com/news/drift-hack-285m-theft-north-korean-flow-2604/

  • https://www.linkedin.com/posts/cybercureme_north-korealinked-hackers-drain-285m-from-activity-7445844724168556544-_cNe

© 2025 by Explain IT Again.
