Drift Protocol reveals its $285 million exploit was the culmination of a six-month social engineering campaign by a DPRK-linked group that posed as a quantitative trading firm.
Drift Protocol published a detailed post-mortem on April 5 attributing its $285 million exploit to a North Korean state-affiliated hacking group that spent six months infiltrating the Solana-based decentralised exchange under the guise of a quantitative trading firm. The report, corroborated by blockchain analytics firms TRM Labs and Elliptic, identifies the attackers as UNC4736, a threat group also tracked as AppleJeus, Citrine Sleet, and Golden Chollima, linking the operation to the same apparatus responsible for the $1.5 billion Bybit hack in February 2025.
The April 1 attack drained approximately $285 million in user assets from Drift, making it the largest decentralised finance exploit of 2026 and the second-largest in Solana's history, behind only the $326 million Wormhole bridge hack in February 2022. Unlike typical DeFi exploits that target smart contract vulnerabilities, the Drift breach relied primarily on social engineering and abuse of a legitimate Solana blockchain feature called durable nonces, which allowed the attackers to pre-sign transactions weeks before execution.
The revelation transforms what initially appeared to be a sophisticated technical exploit into something far more troubling: a patient, state-backed intelligence operation that penetrated a major DeFi protocol's governance structure from within. The implications extend well beyond Drift, raising fundamental questions about how decentralised protocols can defend against adversaries willing to invest months of human intelligence tradecraft before striking.
How Fake Traders Infiltrated Drift's Inner Circle
According to Drift's post-mortem and reporting by CoinDesk, the operation began in the autumn of 2025 when individuals posing as representatives of a quantitative trading firm made contact with Drift contributors at industry conferences. The operatives were not North Korean nationals; DPRK threat actors at this level are known to deploy third-party intermediaries for face-to-face relationship-building, according to TRM Labs. A Telegram group was set up after the initial meeting, and months of substantive conversations about trading strategies and potential vault integrations followed.
The attackers deepened their credibility by depositing more than $1 million into Drift and integrating an Ecosystem Vault, the protocol's mechanism for third-party strategy providers to manage user funds. This gave them a legitimate operational footprint within Drift's ecosystem. The social engineering extended to the technical level: the attackers reportedly compromised the devices of at least two of Drift's five Security Council multisig signers through a malicious TestFlight application and exploitation of a known vulnerability in the VSCode and Cursor code editors that was active between December 2025 and February 2026.
By securing two of the five multisig signatures, the attackers gained sufficient authority to pre-sign administrative transactions. According to CoinDesk, the initial nonce was set as early as March 23, with four nonce accounts created, two controlled by the attacker and two by legitimate Security Council members. The pre-signed transactions, kept valid indefinitely by Solana's durable nonce feature, remained dormant until conditions were ripe for execution.
The Durable Nonce Exploit That Bypassed Solana's Safety Net
The technical mechanism at the heart of the attack exploited Solana's durable nonce system, a feature designed to allow transactions to be signed offline and submitted later. Under normal Solana operation, every transaction includes a recent blockhash that expires after approximately 60 to 90 seconds, preventing stale transactions from being replayed. Durable nonces override this safety mechanism by replacing the expiring blockhash with a fixed one-time code stored in a special on-chain account, keeping the transaction valid indefinitely.
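To make the validity rule concrete, here is a toy ledger model written for this article; it is not Drift's or Solana's own code. It shows why an ordinary transaction stops being executable once its blockhash ages out of the window, why a durable-nonce transaction signed at the same time remains executable indefinitely, and that advancing (rotating) the nonce account is what invalidates a pre-signed durable-nonce transaction. The hash strings, account names, the admin instruction and the slot counts are constructed; the 150-blockhash window is Solana's actual retention depth, which the article expresses as roughly 60 to 90 seconds.

```javascript
// Added illustration, not Drift's or Solana's own code: a toy ledger modelling
// why a pre-signed durable-nonce transaction stays executable long after an
// ordinary transaction's blockhash has expired, and how rotating the nonce
// invalidates it. Hash strings, addresses and slot counts are constructed.

const MAX_BLOCKHASH_AGE_SLOTS = 150; // Solana retains ~150 recent blockhashes (~60-90 s)

class Ledger {
  constructor() {
    this.slot = 0;
    this.recentBlockhashes = new Set(); // blockhashes still accepted for new transactions
    this.nonceAccounts = new Map();     // address -> { authority, nonce, counter }
    this.advanceSlots(1);
  }
  // Produce n blocks; each adds a fresh blockhash and retires the one that aged out.
  advanceSlots(n) {
    for (let i = 0; i < n; i++) {
      this.slot += 1;
      this.recentBlockhashes.add(`hash-${this.slot}`);
      this.recentBlockhashes.delete(`hash-${this.slot - MAX_BLOCKHASH_AGE_SLOTS}`);
    }
  }
  latestBlockhash() { return `hash-${this.slot}`; }
  createNonceAccount(address, authority) {
    this.nonceAccounts.set(address, { authority, counter: 0, nonce: `${address}-nonce-0` });
  }
  // Rotating the stored value invalidates every transaction signed against the old one.
  advanceNonce(address, signer) {
    const acct = this.nonceAccounts.get(address);
    if (!acct || acct.authority !== signer) throw new Error("not the nonce authority");
    acct.counter += 1;
    acct.nonce = `${address}-nonce-${acct.counter}`;
  }
}

// Ordinary transaction: bound to a recent blockhash at signing time.
function buildRecentBlockhashTx(ledger, instruction) {
  return { kind: "recent", blockhash: ledger.latestBlockhash(), instructions: [instruction] };
}

// Durable-nonce transaction: the "blockhash" field carries the nonce account's
// current value, and the first instruction must advance that nonce account.
function buildDurableNonceTx(ledger, nonceAddress, authority, instruction) {
  const acct = ledger.nonceAccounts.get(nonceAddress);
  return {
    kind: "durable",
    blockhash: acct.nonce,
    instructions: [
      { program: "System", ix: "AdvanceNonceAccount", nonceAddress, authority },
      instruction,
    ],
  };
}

// The check a validator applies when the transaction is finally submitted.
function isExecutable(ledger, tx) {
  if (tx.kind === "recent") return ledger.recentBlockhashes.has(tx.blockhash);
  const first = tx.instructions[0];
  if (first.program !== "System" || first.ix !== "AdvanceNonceAccount") return false;
  const acct = ledger.nonceAccounts.get(first.nonceAddress);
  return acct !== undefined && acct.authority === first.authority && acct.nonce === tx.blockhash;
}

// Walk-through: sign both forms of an admin instruction, wait, then rotate the nonce.
function demo() {
  const ledger = new Ledger();
  ledger.createNonceAccount("nonce-acct-A", "council-signer-1");
  const adminIx = { program: "admin-program-placeholder", ix: "set_admin" }; // constructed
  const ordinary = buildRecentBlockhashTx(ledger, adminIx);
  const durable = buildDurableNonceTx(ledger, "nonce-acct-A", "council-signer-1", adminIx);
  const atSigning = { ordinary: isExecutable(ledger, ordinary), durable: isExecutable(ledger, durable) };
  ledger.advanceSlots(1_000_000); // days of block production at roughly 400 ms per slot
  const daysLater = { ordinary: isExecutable(ledger, ordinary), durable: isExecutable(ledger, durable) };
  ledger.advanceNonce("nonce-acct-A", "council-signer-1"); // defensive rotation by the authority
  const afterRotation = isExecutable(ledger, durable);
  return { atSigning, daysLater, afterRotation };
}

console.log(JSON.stringify(demo(), null, 2));
```

The last step is the defensive takeaway: a nonce authority that suspects pre-signed transactions exist can kill them by advancing the nonce account, which is far cheaper than waiting for a blockhash that never expires.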
The critical window opened on March 27, when Drift migrated its Security Council to a 2-of-5 signature threshold and, in what the post-mortem identifies as the decisive security lapse, removed its timelock entirely. A timelock typically enforces a 24-to-72-hour delay on administrative actions, giving the community time to detect and reverse suspicious changes. Without it, the attacker gained zero-delay execution authority over the pre-signed transactions that had been dormant since March 23.
On April 1, the attack unfolded in under a minute. According to on-chain data analysed by TRM Labs, two transactions executed four slots apart on the Solana blockchain were sufficient to create and approve a malicious admin transfer, then authorise and execute it. The attacker used this control to list CarbonVote (CVT) as valid collateral. CVT was a fabricated token they had deployed on March 12 using funds withdrawn from Tornado Cash and had held at an artificial $1.00 price through wash trading on Raydium. They then deposited hundreds of millions in CVT tokens, against which Drift's risk engine issued real assets, draining the protocol's vaults.
A Pattern of Escalating DPRK Crypto Theft
The Drift hack fits a clear pattern of increasingly sophisticated cryptocurrency theft operations attributed to North Korean state actors. According to TRM Labs' 2025 Crypto Crime Report, DPRK-linked groups have stolen more than $5 billion in cryptocurrency since 2017, with the pace and scale of attacks accelerating. North Korean operations accounted for approximately 35% of all stolen cryptocurrency funds in 2024, and individual DPRK attacks were nearly five times larger on average than those conducted by other threat actors.
The Bybit hack of February 2025, which the FBI attributed to the Lazarus Group, set a new benchmark at $1.5 billion, the largest cryptocurrency theft in history and, according to Guinness World Records, the largest digital heist of any kind. That attack similarly exploited the human layer, compromising a developer machine connected to the multisig platform Safe{Wallet} to authorise a malicious yet seemingly legitimate transaction during a routine cold-to-hot wallet transfer.
UNC4736, the group identified in the Drift attack, has its own track record. The unit was previously linked to the $53 million hack of DeFi platform Radiant Capital in October 2024 and the X_TRADER/3CX supply chain compromise in 2023. The Drift operation's six-month timeline and use of in-person intermediaries represent an evolution in tradecraft, suggesting that DPRK-affiliated groups are investing substantially more human intelligence resources into pre-attack preparation as DeFi protocols improve their technical defences.
DeFi Security Faces a Reckoning Over Human Vulnerabilities
The Drift post-mortem identifies several specific failures that enabled the attack: the removal of the timelock on the Security Council multisig, insufficient verification procedures for pre-signed transactions, and the lack of anomaly detection for durable nonce usage patterns. Drift has stated it is working on a recovery plan and has engaged law enforcement, though the protocol has not yet disclosed whether any funds have been frozen or recovered.
The broader DeFi ecosystem faces uncomfortable questions. Smart contract audits, which have become standard practice, would not have prevented an attack that exploited governance processes and human trust rather than code vulnerabilities. The Drift hack, combined with the Bybit breach, suggests that the most dangerous attack vector in cryptocurrency is not a buggy line of Solidity or Rust but the humans who hold administrative keys.
Industry observers point to several potential mitigations: mandatory timelocks on all administrative actions, stricter multi-party computation for multisig operations, and real-time monitoring of durable nonce account creation. Solana's core developers may also face pressure to revisit the durable nonce feature's design, potentially introducing maximum validity windows or additional on-chain safeguards. For DeFi protocols managing hundreds of millions in user deposits, the lesson from Drift is that technical security is necessary but insufficient: operational security, personnel vetting, and governance design are now equally critical attack surfaces that demand the same rigour applied to code.
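Two of the mitigations named in the post-mortem and above, a timelock on administrative actions and monitoring of durable-nonce usage, are small enough to show in working code. The following is an added illustration written for this article, not Drift's or Solana's code: a toy 2-of-5 executor that refuses to run an approved action before its delay has elapsed (contrast the zero-delay configuration), and a monitor over a constructed stream of transaction records that flags nonce-account creation by non-council authorities, admin-program transactions that ride on a durable nonce, and admin actions landing within a few slots of each other, the pattern the article describes on April 1. The program id, signer names, instruction names and sample records are all constructed placeholders.

```javascript
// Added illustration, not Drift's or Solana's own code: a toy governance
// executor with a signature threshold and a timelock, plus a monitor that
// flags the durable-nonce usage patterns the post-mortem says went undetected.
// Program ids, signer names and the transaction records are all constructed.

const ADMIN_PROGRAM = "admin-program-placeholder"; // placeholder, not a real program id
const SECURITY_COUNCIL = new Set(["sc-1", "sc-2", "sc-3", "sc-4", "sc-5"]);
const RAPID_SEQUENCE_SLOTS = 10; // two admin actions this close together deserve a look

// An admin action needs `threshold` distinct council approvals and cannot
// run until `delaySeconds` have passed since it was proposed.
class TimelockedMultisig {
  constructor({ threshold, delaySeconds }) {
    this.threshold = threshold;
    this.delaySeconds = delaySeconds;
    this.proposals = new Map();
  }
  propose(id, action, now) {
    this.proposals.set(id, { action, approvals: new Set(), proposedAt: now, executed: false });
  }
  approve(id, signer) {
    if (!SECURITY_COUNCIL.has(signer)) throw new Error(`unknown signer ${signer}`);
    this.proposals.get(id).approvals.add(signer);
  }
  // Returns "executed" or a refusal reason so callers can alert on refusals too.
  execute(id, now) {
    const p = this.proposals.get(id);
    if (p.executed) return "refused: already executed";
    if (p.approvals.size < this.threshold) return "refused: below threshold";
    if (now - p.proposedAt < this.delaySeconds) return "refused: timelock not elapsed";
    p.executed = true;
    return "executed";
  }
}

// Same 2-of-5 approvals, executed with and without a 24-hour delay.
function demoGovernance() {
  const run = (delaySeconds) => {
    const ms = new TimelockedMultisig({ threshold: 2, delaySeconds });
    ms.propose("p1", "transfer_admin", 0); // constructed action name
    ms.approve("p1", "sc-1");
    ms.approve("p1", "sc-2");
    return ms;
  };
  const withTimelock = run(24 * 3600);
  const withTimelockEarly = withTimelock.execute("p1", 60);
  const withTimelockLater = withTimelock.execute("p1", 24 * 3600);
  const withoutTimelock = run(0).execute("p1", 60);
  return { withTimelockEarly, withTimelockLater, withoutTimelock };
}

// Flags: nonce account creation (high if the authority is not a council member),
// admin-program transactions that ride on a durable nonce, and admin transactions
// landing within RAPID_SEQUENCE_SLOTS of the previous one.
function monitor(txs) {
  const alerts = [];
  let lastAdminSlot = null;
  for (const tx of txs) {
    const first = tx.instructions[0];
    const usesDurableNonce = first.program === "System" && first.ix === "AdvanceNonceAccount";
    const touchesAdmin = tx.instructions.some((i) => i.program === ADMIN_PROGRAM);
    for (const i of tx.instructions) {
      if (i.program === "System" && i.ix === "InitializeNonceAccount") {
        alerts.push({ slot: tx.slot, kind: "nonce-account-created",
          severity: SECURITY_COUNCIL.has(i.authority) ? "info" : "high", detail: i.authority });
      }
    }
    if (touchesAdmin) {
      if (usesDurableNonce) {
        alerts.push({ slot: tx.slot, kind: "admin-tx-via-durable-nonce", severity: "high",
          detail: first.nonceAddress });
      }
      if (lastAdminSlot !== null && tx.slot - lastAdminSlot <= RAPID_SEQUENCE_SLOTS) {
        alerts.push({ slot: tx.slot, kind: "rapid-admin-sequence", severity: "high",
          detail: `${tx.slot - lastAdminSlot} slots after previous admin tx` });
      }
      lastAdminSlot = tx.slot;
    }
  }
  return alerts;
}

// Constructed sample stream, not real on-chain data.
const SAMPLE_TXS = [
  { slot: 100, instructions: [{ program: "System", ix: "InitializeNonceAccount", authority: "sc-2" }] },
  { slot: 101, instructions: [{ program: "System", ix: "InitializeNonceAccount", authority: "unknown-wallet" }] },
  { slot: 5000, instructions: [{ program: ADMIN_PROGRAM, ix: "update_param" }] },
  { slot: 9000, instructions: [
      { program: "System", ix: "AdvanceNonceAccount", nonceAddress: "nonce-X", authority: "unknown-wallet" },
      { program: ADMIN_PROGRAM, ix: "approve_admin_transfer" }] },
  { slot: 9004, instructions: [
      { program: "System", ix: "AdvanceNonceAccount", nonceAddress: "nonce-Y", authority: "sc-3" },
      { program: ADMIN_PROGRAM, ix: "execute_admin_transfer" }] },
];

console.log(demoGovernance());
console.log(monitor(SAMPLE_TXS));
```

Note that the monitor alerts on the durable-nonce pattern regardless of who the nonce authority is: a council member's device may be compromised, so the signal is the mechanism being used for administrative actions at all, not the identity behind it.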