
Drift Protocol Hack: North Korea’s $280M Long Con


The Drift Protocol hack stands as one of the most elaborate cryptocurrency thefts ever recorded. Attackers did not find a bug, write an exploit, and strike overnight. They spent six months building relationships, attending conferences, depositing real money, and embedding themselves inside a live trading platform before making their move.

What Is Drift Protocol?

Drift Protocol is a decentralized trading platform built on the Solana blockchain. It operates as a non-custodial exchange, meaning users retain full control of their funds as they trade leveraged positions without a central intermediary. At the time of the attack, the platform held around $550 million in total value locked, making it a high-value, high-complexity target.

On April 1, 2026, it became the site of the biggest DeFi hack of the year.

How the Attack Unfolded

The breach drained approximately $280 million from the platform in around 12 minutes. To pull this off, the attackers needed administrative control, and they got it by hijacking Drift’s Security Council, the group of trusted parties responsible for authorizing high-level protocol actions.

Weeks before the April 1 execution, the attackers created a token with nothing behind it, CarbonVote Token (CVT). They seeded minimal liquidity on a Solana decentralized exchange and wash-traded it to hold CVT’s price artificially near $1. Drift’s price oracles accepted that figure; a spot price says nothing about how much real liquidity stands behind it, and minimal depth is enough to paint almost any number. The fake token now had a credible-looking value the protocol would accept as collateral.
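The kind of listing check that would have distinguished a painted price from a real one, as an added example that is not Drift’s code: it compares the value an oracle claims against the pool depth that actually backs it, measures how much of the volume is a couple of wallets round-tripping, and refuses to credit a young, thin token for more than its market could absorb. The token figures, thresholds and wallet labels below are constructed for illustration.

```python
"""Added example (not Drift's code): sanity checks a lending or margin
protocol could run before accepting a token as collateral. A spot price read
from a thin pool can be wash-traded to any value, so the check looks at what
stands behind the number rather than the number itself. All data constructed."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Trade:
    buyer: str
    seller: str
    usd_value: float


@dataclass
class TokenMarket:
    symbol: str
    oracle_price_usd: float     # price the oracle currently reports
    pool_liquidity_usd: float   # real quote-asset depth in the pricing pool
    age_days: int               # days since the token's mint was created
    trades: list = field(default_factory=list)


def wash_trade_share(trades):
    """Fraction of volume produced by the two busiest counterparty pairs.
    Genuine price discovery spreads volume over many wallets; a painted
    price comes from a handful of addresses trading with each other."""
    total = sum(t.usd_value for t in trades)
    if total == 0:
        return 0.0
    pair_volume = Counter()
    for t in trades:
        pair_volume[frozenset((t.buyer, t.seller))] += t.usd_value
    top_two = sum(v for _, v in pair_volume.most_common(2))
    return top_two / total


def assess_collateral(market, proposed_deposit_usd, max_depth_multiple=2.0,
                      max_wash_share=0.5, min_age_days=90):
    """Return (accepted, max_credit_usd, reasons) for a proposed deposit."""
    reasons = []
    # 1. Never credit more collateral value than the pool could absorb on
    #    liquidation; selling even a slice of the deposit would crater the price.
    depth_cap = max_depth_multiple * market.pool_liquidity_usd
    max_credit = min(proposed_deposit_usd, depth_cap)
    if proposed_deposit_usd > depth_cap:
        reasons.append(f"deposit ${proposed_deposit_usd:,.0f} exceeds "
                       f"{max_depth_multiple}x pool depth ${market.pool_liquidity_usd:,.0f}")
    # 2. Volume from two wallets trading with each other is not price discovery.
    share = wash_trade_share(market.trades)
    if share > max_wash_share:
        reasons.append(f"{share:.0%} of volume comes from two counterparty pairs")
    # 3. A token minted weeks ago has no track record to price against.
    if market.age_days < min_age_days:
        reasons.append(f"token is only {market.age_days} days old")
    return not reasons, max_credit, reasons


# Constructed sample markets (hypothetical wallets A..H, figures for illustration only).
CVT = TokenMarket("CVT", oracle_price_usd=1.00, pool_liquidity_usd=20_000, age_days=21,
                  trades=[Trade("A", "B", 50_000), Trade("B", "A", 45_000),
                          Trade("C", "D", 2_000), Trade("E", "F", 1_500), Trade("G", "H", 500)])
BLUE = TokenMarket("BLUE", oracle_price_usd=1.00, pool_liquidity_usd=50_000_000, age_days=700,
                   trades=[Trade(f"w{i}", f"w{i + 1}", 10_000) for i in range(0, 12, 2)])

if __name__ == "__main__":
    for market, deposit in ((CVT, 200_000_000), (BLUE, 10_000_000)):
        ok, credit, why = assess_collateral(market, deposit)
        print(market.symbol, "accepted" if ok else "REJECTED", f"max credit ${credit:,.0f}", why)
```

The depth cap is the part that matters most: even if a protocol cannot tell wash trading from real trading, refusing to credit a deposit worth thousands of times the pool's liquidity removes the payoff from painting the price in the first place.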

The on-chain staging began March 11, when the attackers withdrew ETH from Tornado Cash. Blockchain analysts later noted that the CarbonVote deployment timestamp corresponded to approximately 9:00 AM Pyongyang time, an immediate red flag in hindsight.

Then came the governance angle. The attackers socially engineered Drift’s Security Council members into pre-signing transactions that hid malicious functionality inside what looked like routine approvals. An ordinary Solana transaction expires once its recent blockhash ages out, roughly a minute after signing; Solana’s durable nonce feature removes that expiry, so the pre-signed transactions could sit dormant and ready for weeks until the attackers chose to submit them. On March 27, the Security Council migrated to a 2/5 multisig structure and removed timelocks, which meant fewer approvals stood between the attackers and execution and no delay window remained to catch anything suspicious.
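What a multisig signer can check before putting a signature on something, as an added example that is not Drift’s or Solana’s code: a durable-nonce transaction is recognizable by its shape, because its first instruction must be the System Program’s AdvanceNonceAccount (instruction index 4). The policy below flags that shape, refuses it unless the signer has explicitly opted in, and also rejects instructions aimed at any program outside an allowlist. The message structure is a simplified dict form of a decoded transaction message, constructed here (a real signer would decode with a Solana SDK), and the protocol program ID is a placeholder, not Drift’s.

```python
"""Added example, not Drift's or Solana's code: a pre-signing policy for a
multisig member. A transaction whose first instruction is the System Program's
AdvanceNonceAccount uses a durable nonce and stays valid until that nonce is
advanced, so a signature on it is an open-ended approval rather than a
one-minute one. Messages here are simplified dicts (constructed)."""
import struct

SYSTEM_PROGRAM = "11111111111111111111111111111111"
RECENT_BLOCKHASHES_SYSVAR = "SysvarRecentB1ockHashes11111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4           # System Program instruction tag (u32 little-endian)
PROTOCOL_PROGRAM = "ProtocolProgram1111111111111111111111111111"  # placeholder, hypothetical


def is_durable_nonce_tx(message):
    """True if the message's first instruction is System::AdvanceNonceAccount."""
    ixs = message.get("instructions", [])
    if not ixs:
        return False
    first = ixs[0]
    if first["program_id"] != SYSTEM_PROGRAM or len(first["data"]) < 4:
        return False
    (tag,) = struct.unpack_from("<I", first["data"], 0)
    return tag == ADVANCE_NONCE_ACCOUNT


def review_for_signing(message, allowed_programs, allow_durable=False):
    """Return (ok, findings). A durable nonce is a finding; it blocks signing
    unless allow_durable is set. Any instruction outside the program allowlist
    always blocks."""
    findings = []
    ixs = message.get("instructions", [])
    if is_durable_nonce_tx(message):
        nonce_account = ixs[0]["accounts"][0]
        findings.append(f"durable nonce via {nonce_account}: "
                        "signature stays valid until the nonce is advanced")
        ixs = ixs[1:]
    for i, ix in enumerate(ixs):
        if ix["program_id"] not in allowed_programs:
            findings.append(f"instruction {i} targets unlisted program {ix['program_id']}")
    blocking = [f for f in findings
                if not (allow_durable and f.startswith("durable nonce"))]
    return not blocking, findings


# Constructed messages. Account keys are placeholders, not real addresses.
DURABLE_TX = {
    "recent_blockhash": "<nonce value stored in the nonce account>",
    "instructions": [
        {"program_id": SYSTEM_PROGRAM,
         "accounts": ["NonceAcct111111111111111111111111111111111",
                      RECENT_BLOCKHASHES_SYSVAR,
                      "NonceAuthority11111111111111111111111111111"],
         "data": struct.pack("<I", ADVANCE_NONCE_ACCOUNT)},
        {"program_id": PROTOCOL_PROGRAM, "accounts": [], "data": b"\x01routine-looking-approval"},
    ],
}
ORDINARY_TX = {
    "recent_blockhash": "<a recent blockhash, expires in about a minute>",
    "instructions": [
        {"program_id": PROTOCOL_PROGRAM, "accounts": [], "data": b"\x01routine-looking-approval"},
    ],
}

if __name__ == "__main__":
    for name, msg in (("durable", DURABLE_TX), ("ordinary", ORDINARY_TX)):
        ok, findings = review_for_signing(msg, {PROTOCOL_PROGRAM})
        print(name, "SIGN" if ok else "REFUSE", findings)
```

Two practical consequences follow from the shape check. A signer that never intends to issue long-lived approvals can simply refuse anything that starts with AdvanceNonceAccount. And because a durable-nonce transaction dies the moment its nonce is advanced, the nonce authority can invalidate every dormant pre-signed transaction on that account by advancing it, which is the emergency lever a council should reach for the moment it suspects its members were tricked into signing.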

On April 1, the attackers executed everything. They listed CVT as approved collateral, deposited hundreds of millions worth of the fake token into Drift at the artificial price, and ran 31 withdrawal transactions in under 12 minutes. With the timelock gone and the collateral listing approved, no safeguard fired. Within hours, the attackers bridged most of the stolen assets to Ethereum, moving hundreds of millions in USDC at a pace that outstripped even the laundering speed seen in the 2025 Bybit hack.

Six Months of In-Person Deception

The technical execution makes the Drift Protocol hack remarkable. The preparation phase makes it extraordinary.

Starting in fall 2025, a group posing as a quantitative trading firm began approaching Drift contributors at major crypto conferences across multiple countries. These were not North Korean nationals. The threat actors sent non-Korean intermediaries to handle all face-to-face contact, a deliberate tactic to avoid raising suspicion.

Those intermediaries were technically fluent and thoroughly prepared. They demonstrated deep familiarity with how Drift worked, discussed trading strategies at length, and methodically built personal rapport with contributors across multiple events over six months. A Telegram group started at the first meeting and stayed active throughout, filled with substantive conversations about vault integrations and trading approaches that mimicked normal institutional onboarding.

Between December 2025 and January 2026, the group deepened their cover further. They onboarded an Ecosystem Vault on Drift, completed standard integration processes, held working sessions with the team, and deposited over $1 million of real capital into the platform. Every step mirrored what a legitimate trading firm would do.

Drift’s post-mortem described the operation as a “structured intelligence operation requiring organizational backing, significant resources, and months of deliberate preparation.” The attackers built complete fake identities with employment histories, public-facing credentials, and professional networks designed to survive due diligence.

How Attackers Got Inside Contributors’ Devices

Drift believes two contributors served as the primary entry points. The attackers targeted the first through a malicious code repository shared during what appeared to be normal collaboration. Investigators believe this likely exploited a vulnerability in VSCode or Cursor, executing code silently without the contributor noticing. The second contributor received a malicious TestFlight application, presented as a wallet product, that carried embedded malware.
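The page does not say which mechanism ran code from the shared repository, and this added example does not claim to. It is a generic pre-open scan, not code from the Drift post-mortem, for the places where a cloned or unpacked project executes something before anyone has read it: VS Code and Cursor tasks marked to run on folder open, workspace settings that point the editor at a binary inside the repository, npm lifecycle scripts, and executable git hooks shipped in an archive. The list of dangerous setting keys is an assumption (illustrative, not exhaustive), and the sample repository is constructed in a temporary directory.

```python
"""Added example, not from the Drift post-mortem: scan a repository someone
handed you for the spots where opening or installing it executes code.
The setting-key list is an illustrative assumption, not a complete catalogue."""
import json
import stat
import tempfile
from pathlib import Path

# Workspace settings that make the editor launch a path the repo controls (assumption: illustrative).
EXEC_SETTING_PREFIXES = ("terminal.integrated.", "git.path",
                         "python.defaultInterpreterPath", "php.validate.executablePath")
NPM_LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")


def _load_json(path):
    try:
        return json.loads(Path(path).read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None


def scan_repo(root):
    """Return a list of (kind, name, detail) findings for the tree at root."""
    root = Path(root)
    findings = []
    # 1. Editor tasks that auto-run when the folder is opened.
    tasks = _load_json(root / ".vscode" / "tasks.json")
    if tasks:
        for task in tasks.get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                findings.append(("vscode-auto-task", task.get("label", "?"), task.get("command")))
    # 2. Workspace settings that swap in a repo-controlled executable.
    settings = _load_json(root / ".vscode" / "settings.json")
    if settings:
        for key, value in settings.items():
            if key.startswith(EXEC_SETTING_PREFIXES):
                findings.append(("vscode-exec-setting", key, value))
    # 3. npm lifecycle scripts, which run on `npm install` without being asked.
    pkg = _load_json(root / "package.json")
    if pkg:
        for name, cmd in pkg.get("scripts", {}).items():
            if name in NPM_LIFECYCLE:
                findings.append(("npm-lifecycle", name, cmd))
    # 4. Executable hooks inside a shipped .git directory (an archive carries these; a clone does not).
    hooks = root / ".git" / "hooks"
    if hooks.is_dir():
        for hook in hooks.iterdir():
            if hook.is_file() and not hook.name.endswith(".sample") \
                    and hook.stat().st_mode & stat.S_IXUSR:
                findings.append(("git-hook", hook.name, None))
    return findings


def build_sample_repo():
    """Constructed sample: looks like an ordinary TypeScript SDK but carries
    an on-open task, a repo-relative git binary, and a postinstall script."""
    root = Path(tempfile.mkdtemp())
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(json.dumps({
        "version": "2.0.0",
        "tasks": [{"label": "setup", "type": "shell",
                   "command": "sh ./scripts/setup.sh",
                   "runOptions": {"runOn": "folderOpen"}}]}))
    (root / ".vscode" / "settings.json").write_text(json.dumps({
        "editor.tabSize": 2, "git.path": "./tools/git"}))
    (root / "package.json").write_text(json.dumps({
        "name": "vault-sdk",
        "scripts": {"build": "tsc", "postinstall": "node scripts/setup.js"}}))
    return root


if __name__ == "__main__":
    for finding in scan_repo(build_sample_repo()):
        print(*finding)
```

Run it before opening the folder in an editor or running a package install, and treat any hit as a reason to open the project in a disposable VM rather than on the machine that holds signing keys. Editor workspace-trust prompts exist for the same reason; the scan is useful precisely because a busy contributor clicks through them.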

Both methods fit the operation’s pattern perfectly. Everything arrived wrapped in context that made sense at the time. The Telegram group the attackers used for communications vanished immediately after the theft.

Who Is Behind the Drift Protocol Hack

Blockchain intelligence firms attributed the attack to a North Korean state-sponsored group with medium-high confidence. On-chain evidence pointing to this group includes the Tornado Cash origin, the Pyongyang-time deployment signature, cross-chain bridging patterns, and the speed and scale of post-hack laundering, all consistent with previous DPRK operations.

The group operates under several tracking identifiers, including UNC4736, AppleJeus, and Citrine Sleet. Security researchers link it to North Korea’s Reconnaissance General Bureau and to the 3CX supply chain attack in 2023 and the $50 million Radiant Capital hack in October 2024. Mandiant is currently conducting device-level forensic analysis, and formal attribution remains pending.

One separate detail drew public criticism. Independent researcher ZachXBT flagged that attackers bridged approximately $232 million in USDC from Solana to Ethereum over six hours before anyone froze the funds, pointing at a slow response from Circle, the stablecoin issuer.

Where Things Stand Now

Drift has frozen all protocol functions and removed compromised wallets from the multisig setup. The team flagged attacker addresses across exchanges and bridge operators to block further fund movement. The protocol is working with law enforcement and security firms including Mandiant to trace the stolen assets.

The Drift Protocol hack now ranks as the second-largest exploit in Solana’s history, behind only the $325 million Wormhole bridge attack in 2022, and the largest DeFi hack of 2026.

Final Thoughts

The Drift Protocol hack forces a rethink of what security means in decentralized finance. Protocols have spent years hardening their code, auditing smart contracts, and building multi-signature controls. This attack bypassed all of it by targeting people first and programs second.

Six months of patience. Fake identities with real professional histories. Over a million dollars deposited as cover. Conferences attended across multiple countries. The Drift Protocol hack did not succeed because software failed. It succeeded because the attackers turned trust itself into an attack vector, and no security audit catches that.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.