Suspected North Korean Operators Drain $285 Million from Solana-Based Drift Protocol: Analysis


In arguably one of the most daring cryptocurrency thefts of the year, attackers believed to be linked to North Korea drained approximately $285 million in user funds from Drift Protocol on April 1, 2026. TRM Labs noted that the operation, completed in roughly 12 minutes, was the largest decentralized finance (DeFi) exploit of 2026 and the second-largest breach in the history of the Solana blockchain, behind only the 2022 Wormhole incident.

Drift Protocol operates on Solana as a decentralized perpetual futures exchange, allowing traders to open leveraged positions without relying on traditional brokers.

The platform held billions of dollars in total value locked, making it an attractive, high-value target for sophisticated adversaries.

Blockchain intelligence analysts at TRM Labs found that the attack was carefully planned rather than opportunistic.

Preparations lasted about three weeks, starting on March 11 with the withdrawal of 10 ETH, mostly from Tornado Cash, a mixer with links to illicit finance.

Hours later, around 9 a.m. Pyongyang time on March 12, these funds seeded the creation of a fabricated cryptocurrency called CarbonVote Token (CVT).

Between March 23 and March 30, the perpetrators abused Solana's durable nonce feature, which lets a signed transaction remain valid indefinitely instead of expiring after the usual recent-blockhash window, to create pre-signed transactions that could be held back and submitted later.

Through targeted social engineering, they persuaded members of Drift's Security Council multi-signature group to approve transactions that appeared innocuous but in fact granted elevated administrative privileges.

In an ill-timed parallel change on March 27, Drift moved the Security Council to a 2-of-5 approval threshold with zero time-lock delay, removing the last safeguard that could have bought time for intervention.

While building this covert infrastructure, the attackers simultaneously engineered artificial legitimacy for CVT.

They minted 750 million tokens, seeded a few thousand dollars of liquidity on the Raydium decentralized exchange, and executed wash trades to manufacture a price history near $1.

Based on this manipulated market data, Drift's price oracles valued the fictitious asset as legitimate collateral nominally worth hundreds of millions of dollars, even though the real liquidity behind it was a few thousand dollars.

On April 1, the pre-signed authorizations were submitted in rapid succession.

The attackers first listed CVT as approved collateral, sharply raised withdrawal limits, and deposited hundreds of millions of the worthless tokens into the protocol.

Thirty-one rapid withdrawals then drained real assets, mainly US dollar stablecoins and JLP liquidity-provider tokens, from multiple vaults.

The bulk of the stolen funds were bridged to the Ethereum network within hours, in large transfers that each moved millions of dollars at a time.

Drift Protocol responded quickly, confirming the exploit on April 2 and suspending all deposits and withdrawals, while its native DRIFT token fell by more than 40 percent.

TRM Labs' on-chain analysis, citing the use of Tornado Cash, timing consistent with North Korean working hours, aggressive cross-chain bridging patterns, and laundering tactics mirroring the 2025 Bybit exploit, strongly indicates the involvement of North Korean state-sponsored actors.

The incident exposes critical weaknesses beyond smart-contract bugs: poor multi-signature hygiene (signers approving transactions whose effect they had not fully inspected), reliance on price oracles without liquidity thresholds or circuit breakers, and the danger of removing time delays on governance actions.

TRM Labs also noted that security experts are now urging DeFi projects to reintroduce mandatory delays for administrative changes, require full transaction transparency (decoding and simulating the exact instructions) before multi-signature approvals, and strengthen oracle verification so that a freshly minted, thinly traded asset cannot be counted as collateral worth hundreds of millions of dollars.
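The three controls named above (a liquidity threshold on collateral admission, a price circuit breaker, and a time-locked governance queue) are straightforward to model. The Rust sketch below is an added example written for this analysis, not Drift Protocol's code; the struct and function names, the thresholds, the liquidity-capped valuation rule, and the constructed market snapshot are all assumptions made to illustrate the idea.

```rust
// Added example (not Drift Protocol code). Names, thresholds and the risk
// model are assumptions for illustration; on-chain code would use fixed-point
// integers rather than f64.

/// Market data a risk engine would pull for a candidate collateral asset.
#[derive(Debug, Clone, Copy)]
pub struct MarketSnapshot {
    pub spot_price_usd: f64,     // latest oracle / DEX spot price
    pub twap_price_usd: f64,     // long-window time-weighted average price
    pub pool_liquidity_usd: f64, // real two-sided liquidity sitting in the pool
    pub volume_24h_usd: f64,     // volume traded over the last 24 hours
}

#[derive(Debug, PartialEq)]
pub enum RiskError {
    InsufficientLiquidity { have: f64, need: f64 },
    ThinVolume { have: f64, need: f64 },
    CircuitBreaker { deviation: f64, limit: f64 },
}

// Assumed policy parameters; a real deployment would tune these per asset.
pub const MIN_POOL_LIQUIDITY_USD: f64 = 5_000_000.0;
pub const MIN_VOLUME_24H_USD: f64 = 1_000_000.0;
pub const MAX_PRICE_DEVIATION: f64 = 0.05;   // spot may stray 5% from TWAP
pub const LIQUIDITY_CAP_FRACTION: f64 = 0.5; // credit at most half the pool depth

/// Liquidity threshold plus circuit breaker: refuse to list an asset whose
/// market is too thin to trust, or whose spot price has detached from its
/// own TWAP (the signature of a fresh wash-trading pump).
pub fn admit_collateral(m: &MarketSnapshot) -> Result<(), RiskError> {
    if m.pool_liquidity_usd < MIN_POOL_LIQUIDITY_USD {
        return Err(RiskError::InsufficientLiquidity { have: m.pool_liquidity_usd, need: MIN_POOL_LIQUIDITY_USD });
    }
    if m.volume_24h_usd < MIN_VOLUME_24H_USD {
        return Err(RiskError::ThinVolume { have: m.volume_24h_usd, need: MIN_VOLUME_24H_USD });
    }
    let deviation = ((m.spot_price_usd - m.twap_price_usd) / m.twap_price_usd).abs();
    if deviation > MAX_PRICE_DEVIATION {
        return Err(RiskError::CircuitBreaker { deviation, limit: MAX_PRICE_DEVIATION });
    }
    Ok(())
}

/// Liquidity-capped valuation: collateral credit is bounded by what the market
/// could actually absorb, so 750 million tokens backed by a few thousand
/// dollars of depth buy only a few thousand dollars of borrowing power.
pub fn collateral_value_usd(token_amount: f64, m: &MarketSnapshot) -> f64 {
    let conservative_price = m.spot_price_usd.min(m.twap_price_usd);
    let naive_value = token_amount * conservative_price;
    naive_value.min(m.pool_liquidity_usd * LIQUIDITY_CAP_FRACTION)
}

#[derive(Debug, PartialEq)]
pub enum GovError {
    UnknownProposal,
    TimelockActive { ready_at: u64 },
}

/// Time-locked governance queue: an admin action becomes executable only
/// `delay_secs` after it was queued, giving signers and users a window to
/// notice and veto. A delay of 0 degrades to the instant execution the
/// article describes.
pub struct TimelockedGovernance {
    delay_secs: u64,
    pending: Vec<Option<(u64, String)>>, // (queued_at, action); None once executed
}

impl TimelockedGovernance {
    pub fn new(delay_secs: u64) -> Self {
        Self { delay_secs, pending: Vec::new() }
    }

    /// Queue an action at unix time `now`; returns its proposal id.
    pub fn queue(&mut self, now: u64, action: &str) -> usize {
        self.pending.push(Some((now, action.to_string())));
        self.pending.len() - 1
    }

    /// Execute a queued action, but only once the delay has elapsed.
    pub fn execute(&mut self, now: u64, id: usize) -> Result<String, GovError> {
        let slot = self.pending.get_mut(id).ok_or(GovError::UnknownProposal)?;
        let queued_at = slot.as_ref().ok_or(GovError::UnknownProposal)?.0;
        let ready_at = queued_at + self.delay_secs;
        if now < ready_at {
            return Err(GovError::TimelockActive { ready_at });
        }
        Ok(slot.take().map(|(_, action)| action).unwrap_or_default())
    }
}

fn main() {
    // Constructed snapshot shaped like the fabricated token in the article:
    // a wash-traded price near $1 and a few thousand dollars of real depth.
    let fake = MarketSnapshot { spot_price_usd: 1.0, twap_price_usd: 1.0, pool_liquidity_usd: 8_000.0, volume_24h_usd: 20_000.0 };
    println!("admit fake token: {:?}", admit_collateral(&fake));
    println!("750M fake tokens credited at most ${:.0}", collateral_value_usd(750_000_000.0, &fake));

    let mut gov = TimelockedGovernance::new(24 * 3600);
    let id = gov.queue(1_000, "list CVT as collateral");
    println!("execute 10s later: {:?}", gov.execute(1_010, id));
    println!("execute after delay: {:?}", gov.execute(1_000 + 24 * 3600, id));
}
```

The admission check and the valuation cap are independent on purpose: even if an attacker manages to get an asset listed, the cap keeps the damage proportional to the liquidity that actually exists, and the time-lock gives everyone else a window to see the listing proposal before it takes effect.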

While investigators continue to track the $285 million as it moves across chains, the heist serves as another wake-up call that even seemingly advanced decentralized platforms remain vulnerable when human and procedural protections fail. TRM Labs concluded that the crypto community now awaits updates on potential recoveries and the broader regulatory fallout.
