The Biggest DeFi Hack of 2026: $285 Million Drained in 12 Minutes
On April 1, 2026 — and no, it was not an April Fools’ joke — Drift Protocol, one of the largest decentralized trading platforms on the Solana network, was hacked for $285 million. The attack wiped out more than half of the protocol’s total value locked (TVL) and became the largest DeFi exploit of the year.
Analysis by Elliptic, a leading blockchain forensics firm, identified “multiple indicators” that the attack was carried out by North Korean state-sponsored hackers, possibly the infamous Lazarus Group. If confirmed, this would be the 18th attack linked to North Korea tracked by Elliptic in 2026, with over $300 million stolen this year alone.
How the Attack Happened: A Surgical Operation
The Drift hack was not an opportunistic exploit of a smart contract bug. It was a meticulously planned operation over the course of a week, combining social engineering, oracle manipulation, and coordinated high-speed execution.
Phase 1 — Preparation (March 23–30)
Between March 23 and 30, the attackers set up durable nonce accounts on Solana — special accounts that let a signed transaction stay valid indefinitely instead of expiring with its recent blockhash, so it can be pre-signed now and submitted later. At the same time, they obtained 2 of the 5 signing keys of Drift’s Security Council multisig, meeting its 2-of-5 threshold for authorizing administrative operations.
How did they obtain the keys? Through social engineering targeting Security Council members. The exact details were not disclosed, but the pattern is consistent with spear phishing attacks commonly used by the Lazarus Group.
Phase 2 — The Fake Token (CarbonVote Token)
The hackers created a fake token called CarbonVote Token (CVT), injected $500 in liquidity, and performed wash trading (trading with themselves) to deceive Solana’s price oracles into treating CVT as a legitimate asset with real volume.
With administrative keys compromised, they listed CVT as a new spot market on Drift and, crucially, increased withdrawal limits to 500 trillion in USDC and four other assets. This single move effectively disabled all internal security protections of the protocol.
Phase 3 — The Drain (April 1, 12 Minutes)
On April 1, the attacker first executed a legitimate transaction to avoid suspicion. Immediately afterward, they triggered the pre-signed malicious transactions. In 31 transactions over just 12 minutes, they drained:
- 66.4 million USDC
- 42.7 million JLP
- 23.3 million MOODENG
- 5.6 million USDT
- 5.2 million USDS
- 2.6 million JUP
- 583K RAY
- 477K WETH
The use of multiple signing keys across these transactions indicates the attackers had access to several authorized keys, not just one. This suggests a deep compromise of the protocol’s key management infrastructure.
The North Korean Connection
Elliptic noted that the on-chain behavior of the attack — premeditated, carefully staged, and involving structured cross-chain laundering — is consistent with previous Lazarus Group operations. Charles Guillemet, CTO of Ledger, directly compared the Drift hack to the $1.4 billion Bybit hack in 2025, which the FBI attributed to North Korea.
If confirmed, this would be another chapter in North Korea’s systematic campaign of crypto theft to fund its nuclear and ballistic missile programs. It is estimated that the country has stolen over $6 billion in crypto since 2017.
Market Impact
The repercussions were immediate:
- SOL dropped 9%, hitting an intraday low of $78.60
- Solana’s market cap fell to $45.5 billion
- The DRIFT token dropped from $0.072 to $0.055
- The protocol immediately suspended deposits and withdrawals
- Wormhole warned of potential delays in cross-chain transfers
The Solana Foundation responded quickly. Lily Liu and Vibhu Norby confirmed that the hack “was not caused by a vulnerability in a program or smart contract” — it was a human operational security failure, not a blockchain-level issue.
The USDC Question: Will Circle Freeze the Funds?
A significant portion of the stolen funds was converted into USDC, raising the inevitable question: will Circle freeze the addresses?
The company has previously frozen sanctioned addresses, including after the Ronin Bridge (Axie Infinity) hack in 2022.
The remaining funds were distributed across multiple wallets, with partial conversion into SOL. The attacker is now racing against time to launder the funds before they can be traced and potentially frozen.
What This Teaches About DeFi Security
The Drift hack exposes an uncomfortable truth: DeFi security is only as strong as its weakest human link. It doesn’t matter how well-audited the code is if administrative keys can be compromised through social engineering.
Key takeaways:
- A 2/5 multisig is insufficient to secure hundreds of millions of dollars
- Durable nonce accounts can be weaponized
- Price oracles remain vulnerable to manipulation
- Social engineering is the most effective attack vector in DeFi
- Timelocks (24–48h delays) on administrative actions could have prevented the attack
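An added example, not Drift Protocol's code, illustrating the timelock and multisig takeaways above: a hypothetical admin module in which a withdrawal-limit change must clear the 2-of-5 threshold, a magnitude policy, and a 24-hour delay before it takes effect, so a pre-signed "execute" cannot land immediately after the proposal. The delay, the 10x policy and the starting limits are assumptions.

```python
from dataclasses import dataclass

TIMELOCK_SECS = 24 * 3600      # assumed: 24h delay before an admin action takes effect
MAX_LIMIT_MULTIPLIER = 10.0    # assumed: one change may raise a limit at most 10x
THRESHOLD = 2                  # the council's 2-of-5 threshold from the article


@dataclass
class AdminAction:
    asset: str          # e.g. "USDC"
    new_limit: float    # proposed withdrawal limit
    signers: frozenset  # council keys that approved the action
    queued_at: int = 0  # unix seconds when the action entered the queue


class TimelockedAdmin:
    """Hypothetical admin module: threshold check + sanity check + timelock."""

    def __init__(self, limits):
        self.limits = dict(limits)  # current per-asset withdrawal limits
        self.queue = {}             # action id -> AdminAction awaiting the delay
        self._next_id = 1

    def propose(self, action, now):
        if len(action.signers) < THRESHOLD:
            raise PermissionError("below multisig threshold")
        cap = self.limits.get(action.asset, 0.0) * MAX_LIMIT_MULTIPLIER
        if action.new_limit > cap:
            # A jump from millions to 500 trillion fails here, however many keys signed.
            raise ValueError(f"{action.asset}: new limit exceeds {MAX_LIMIT_MULTIPLIER}x policy")
        action.queued_at = now
        action_id, self._next_id = self._next_id, self._next_id + 1
        self.queue[action_id] = action
        return action_id

    def cancel(self, action_id):
        # A monitor or the remaining council members can veto during the delay window.
        return self.queue.pop(action_id, None) is not None

    def execute(self, action_id, now):
        action = self.queue.get(action_id)
        if action is None:
            raise KeyError("unknown or cancelled action")
        if now < action.queued_at + TIMELOCK_SECS:
            # A pre-signed execute arriving right after the proposal is rejected.
            raise TimeoutError("timelock has not elapsed")
        del self.queue[action_id]
        self.limits[action.asset] = action.new_limit
        return self.limits[action.asset]
```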
Disclaimer: This content is for informational purposes only and does not constitute investment advice. Always do your own research before making financial decisions.
