Crypto Project Details Alleged 6-Month North Korean Intel Op Behind $285 Million Hack

News Room
Last updated: April 7, 2026 9:46 am

Over the weekend, the team behind Drift, a crypto protocol for perpetual futures trading on Solana, provided an update on a hack of the project that occurred on April 1. The report points to a six-month intelligence operation run by a criminal hacking group connected to the North Korean regime as the source of the attack. However, some observers are also pointing fingers at the Drift team for reasons of incompetence or worse.

The hack pulled roughly $285 million out of Drift’s storage pools, which held stablecoins like USDC, along with JLP, SOL, and other crypto assets. Two blockchain tracking firms, TRM Labs and Elliptic, pieced together the full sequence.

It began in mid-March 2026. The attackers first moved money through a mixing service called Tornado Cash to hide their tracks and set up special accounts that let them prepare certain transactions in advance. On March 27, Drift’s security team switched to a new approval system that needed only two out of five key holders to sign off on major changes and removed any built-in waiting period that might have triggered an alert. The hackers then created 750 million brand-new fake tokens called CarbonVote Token, or CVT. They manipulated trading activity so Drift’s price-checking tools treated these worthless tokens as legitimate, high-value collateral that could back huge withdrawals.

On April 1, they fired off the pre-prepared transactions. This let them add the fake token to the platform, raise borrowing limits, dump hundreds of millions of the phony tokens into the system, and drain real assets through 31 fast withdrawals. The entire process took around 12 minutes. They quickly swapped the stolen funds into USDC on a Solana exchange and moved everything over to the Ethereum network to cover their tracks.
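The sequence described above (a signing policy weakened to two of five with no waiting period, then privileged changes followed within minutes by a burst of withdrawals) can be expressed as a monitoring rule. The following is an added example, not code from Drift, TRM Labs or Elliptic; the event field names, alert thresholds and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real on-chain data); field names are hypothetical.
EVENTS = [
    {"ts": "2026-03-27T10:00:00", "type": "multisig_config",
     "threshold": 2, "signers": 5, "timelock_s": 0},
    {"ts": "2026-04-01T12:00:00", "type": "list_collateral", "asset": "CVT"},
    {"ts": "2026-04-01T12:00:30", "type": "raise_borrow_limit", "asset": "CVT"},
] + [
    {"ts": f"2026-04-01T12:{1 + i // 3:02d}:{(i % 3) * 20:02d}", "type": "withdrawal"}
    for i in range(31)
]
PRIVILEGED = {"list_collateral", "raise_borrow_limit"}

def when(ev):
    return datetime.fromisoformat(ev["ts"])

def weak_governance(ev, min_ratio=0.5, min_timelock_s=86400):
    """Reasons a signing policy deserves an alert (limits are assumed values)."""
    reasons = []
    if ev["threshold"] / ev["signers"] <= min_ratio:
        reasons.append("low_threshold")
    if ev["timelock_s"] < min_timelock_s:
        reasons.append("short_timelock")
    return reasons

def max_burst(events, window=timedelta(minutes=15)):
    """Largest number of withdrawals that fall inside any sliding window."""
    times = sorted(when(e) for e in events if e["type"] == "withdrawal")
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def alerts(events, burst_limit=10, follow=timedelta(minutes=30)):
    """Flag weak signing policies and privileged changes followed by a burst."""
    out = []
    for e in events:
        if e["type"] == "multisig_config":
            out += [(e["ts"], reason) for reason in weak_governance(e)]
        elif e["type"] in PRIVILEGED:
            t0 = when(e)
            later = [x for x in events if t0 <= when(x) <= t0 + follow]
            if max_burst(later) >= burst_limit:
                out.append((e["ts"], "privileged_change_then_withdrawal_burst"))
    return out
```

A waiting period between approval and execution of privileged changes is what gives an alert like the first one time to be acted on before the second can fire.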

I beg everyone in crypto to read this in full.

I expected this to be another case of social engineering, likely some recruiter/job offer shit.

I was very wrong.

And the depth of the operation and personas makes me think they already have multiple other teams on lock.

😳 https://t.co/8ZTEDwqs9Y

— Tay 💖 (@tayvano_) April 5, 2026

Notably, this approach echoes a recent exploit on the Resolv protocol and its USR stablecoin. There, an attacker gained control of a privileged AWS signing key, minted nearly 80 million new USR tokens against only a few hundred thousand dollars in actual collateral, and cashed out about $25 million. Both cases hinged on private key access rather than a pure code vulnerability, combined with the ability to issue or collateralize assets far beyond normal limits.

TRM Labs and Elliptic flagged the North Korean connection within days of the April 1 incident. Indicators included on-chain staging that aligned with Pyongyang local time and behavioral patterns matching prior DPRK-linked activity.

Drift’s public update on X provided more details on how the operation allegedly unfolded over six months. In fall 2025, individuals posing as representatives of a quantitative trading firm approached Drift contributors at a major crypto conference. They continued the contact in person at events in multiple countries, established a Telegram group, discussed detailed trading strategies and vault integrations, and even onboarded their own Ecosystem Vault with over $1 million in deposits. The conversations and shared resources appeared routine for legitimate counterparties. After the hack, the group scrubbed their Telegram history and any associated software.

Forensics pointed to three potential vectors for the private key compromise involved in the attack: one contributor may have cloned a code repository that exploited a known VSCode or Cursor vulnerability allowing silent arbitrary code execution; a second was persuaded to download a TestFlight app framed as the firm’s wallet product; and a third vector remains under active review by law enforcement. With medium-to-high confidence, the SEAL 911 team attributed the effort to the same North Korean state-affiliated actors behind the October 2024 Radiant Capital hack. Additionally, the in-person individuals involved were not North Korean nationals but third-party intermediaries, a tactic consistent with DPRK tradecraft.

The more I sit on this, the more I can’t help but think we’re dealing with a civil negligence issue.

Sorry for how long this rant will be in advance, but I’m just so angry.

Drift Protocol was handling hundreds of millions in user money. They knew crypto is full of hackers -… https://t.co/qhdzuII0gc

— Ariel Givner (@GivnerAriel) April 5, 2026

 

In terms of the Drift team’s culpability in the incident, some have questioned why a protocol managing hundreds of millions would allow downloads of unvetted apps like the TestFlight wallet onto hardware tied to multi-signature access. Others highlighted the lack of stricter compartmentalization between development environments and signing keys, arguing that basic operational security should have prevented the breach regardless of the attacker’s sophistication. “The more I sit on this, the more I can’t help but think we’re dealing with a civil negligence issue,” crypto attorney Ariel Givner wrote on X.

At the same time, security researchers have warned that a genuine six-month intelligence campaign of this caliber suggests similar operations could already be underway against other projects. The level of patience and resource investment implies the actors did not limit themselves to a single target.

North Korea has relied on cryptocurrency theft as a consistent funding mechanism for years. Past major incidents include the 2022 Ronin Network drain of more than $600 million and repeated exchange compromises. In 2025 the regime’s hackers set a new annual record by stealing $2.02 billion, according to a Chainalysis report.

The combination of smoke and mirrors, remote collaboration, and high financial stakes in crypto creates conditions where determined, sophisticated groups, including intelligence agencies, can invest months in building trust before striking. And when hundreds of millions or even billions are potentially available, actors will pursue attacks through extensive, exhaustive means. The data also clearly shows that criminal use of crypto is on the rise, as both illicit transfers and physical attacks on known crypto holders hit new all-time highs last year.


