On April 1, 2026, $285 million left Drift Protocol in 128 seconds. The attacker had been in the room — literally, at conferences, in working sessions, in Telegram groups with Drift contributors — for six months before that. If you are still thinking about the Drift Protocol hack as a code exploit, you are thinking about the wrong part.
What the On-Chain Record Showed
The attack had three parts, each useless without the others.
The fake token. On March 12 — three weeks before the drain — someone created a Solana token called CarbonVote Token (CVT). They minted 750 million units for $1.19, seeded a Raydium liquidity pool with $500, then wash-traded it between their own wallets for weeks. The goal was to create a price history that looked credible. The oracle reporting that price wasn’t fooled — it was theirs.
The durable nonce. Solana has a feature that lets users pre-sign transactions and hold them, bypassing the normal expiry window. It’s designed for multisig workflows and offline signing. On March 23, four durable nonce accounts were created — two controlled by the attacker, two linked to legitimate Drift Security Council members. By the time the new multisig went live days later, the attacker already had two of five keys from pre-signed approvals they had obtained through social engineering. The new multisig was only seven days old and already compromised.
The execution. On April 1, Drift ran a routine test withdrawal from its own insurance fund. One minute later, the pre-signed nonce transactions fired. Drift’s State account changed hands in two transactions, four Solana slots apart. Then the CVT token — nearly worthless in reality — was deposited as collateral against permissive parameters the attacker had just set. And the withdrawals began.
In 128 seconds: $159M in JLP, $71M in USDC, $11M in cbBTC, and more across 18 tokens. The vaults were nearly empty before most people knew anything was happening.
Six Months Before the Clock Started
The on-chain setup took ten days. But the operation behind it took six months.
Around October 2025, a group posing as a quantitative trading firm approached Drift contributors at a major crypto conference. They were technically fluent. They had verifiable professional backgrounds — employment histories, credentials, public-facing identities that held up under normal vetting. They set up a Telegram group at that first meeting and stayed in it.
Over the following months, they kept showing up. At conferences in multiple countries. At industry events. They weren’t strangers sending cold LinkedIn messages — they were colleagues. People Drift contributors had met in person, had worked sessions with, and had built what felt like a normal professional relationship with over half a year.
Between December 2025 and January 2026, they onboarded an Ecosystem Vault on Drift, which required strategy documentation and direct contributor engagement. They deposited over $1 million of their own capital. They participated in working sessions. They asked detailed, informed product questions — the kind that only someone who understood the protocol would ask.
Then, as integration conversations deepened, they began sharing links, repositories, and applications described as frontend deployments for their vault. One contributor may have cloned a code repository. Another may have downloaded a TestFlight application presented as a wallet product. Drift has not confirmed which vector succeeded — both remain under forensic investigation.
The malware vector, if it was the repository, exploited a known vulnerability in VS Code and Cursor — two of the most widely used code editors in software development — that the security community had been flagging since late 2025. Simply opening a file or folder was enough to silently execute arbitrary code on the device. No clicks. No permissions dialog. No warning.
Once inside those devices, the attackers had what they needed to obtain multisig pre-approvals. Everything that happened on-chain in March traces back to that access.
When the drain was complete, the group scrubbed everything. Telegram chats deleted. Malicious software wiped. The trading firm that had spent six months building a relationship simply ceased to exist.
Drift, working with the SEAL 911 security team, attributed the operation with medium-high confidence to UNC4736 — a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet. The connection: on-chain fund flows linking back to the actors behind the October 2024 Radiant Capital hack, and operational overlaps with known DPRK-linked activity.
The Governance Failure Nobody Wants to Talk About
Separate from the social engineering, the attack exposed something about how Drift was structured.
Drift ran a 2-of-5 multisig with no timelock. That meant any two signers could authorize instant, irreversible admin-level changes — no delay, no review window, no circuit breaker. After the hack, a comparison circulated showing where Drift sat relative to its Solana DeFi peers:
| Protocol | Multisig | Timelock |
|---|---|---|
| Jupiter Lend | 4/7 | 12 hours |
| Kamino | 5/10 | 12 hours |
| Solstice | 3/7 | 1 day |
| Drift | 2/5 | None |
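As an added illustration (not code from Drift or from any of the sources above), the following Python model replays the governance point behind the table and the durable-nonce paragraph: two approvals harvested earlier land at once, and with Drift's 2-of-5 and no timelock the admin action executes seconds later, while a review window like the 12 hours used by the peers in the table gives any remaining signer time to veto. Signer names, the timestamp and the action description are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class AdminAction:  # one proposed admin-level change (e.g. transfer of the State account)
    description: str
    approvals: set[str] = field(default_factory=set)
    queued_at: Optional[int] = None   # time the threshold was reached; starts the timelock clock
    cancelled: bool = False
    executed: bool = False

@dataclass
class Governance:
    signers: frozenset
    threshold: int
    timelock_seconds: int             # 0 models Drift's "no review window" configuration

    def approve(self, action: AdminAction, signer: str, now: int) -> None:
        if signer not in self.signers:
            raise ValueError(f"{signer} is not a signer")
        action.approvals.add(signer)
        if len(action.approvals) >= self.threshold and action.queued_at is None:
            action.queued_at = now

    def cancel(self, action: AdminAction, signer: str) -> None:
        # Any single signer can veto a queued action; this window is what a timelock buys defenders.
        if signer not in self.signers:
            raise ValueError(f"{signer} is not a signer")
        action.cancelled = True

    def execute(self, action: AdminAction, now: int) -> bool:
        """True only if threshold approvals exist, the timelock has elapsed, and nobody vetoed."""
        if action.cancelled or action.executed or action.queued_at is None:
            return False
        if now < action.queued_at + self.timelock_seconds:
            return False
        action.executed = True
        return True

def simulate(timelock_seconds: int, legitimate_signer_vetoes: bool) -> dict:
    """Two pre-obtained approvals arrive together; execution is attempted seconds later."""
    gov = Governance(frozenset({"s1", "s2", "s3", "s4", "s5"}), threshold=2, timelock_seconds=timelock_seconds)
    action = AdminAction("transfer State authority to attacker-controlled key")
    t0 = 1_000_000                    # constructed timestamp; only the differences matter
    gov.approve(action, "s1", t0)     # approvals obtained earlier (pre-signed / compromised devices)
    gov.approve(action, "s2", t0)
    immediate = gov.execute(action, t0 + 2)          # a few slots later, as on April 1
    if legitimate_signer_vetoes:
        gov.cancel(action, "s3")                     # a third signer notices the queued transfer
    after_window = gov.execute(action, t0 + timelock_seconds)
    return {"immediate": immediate, "after_window": after_window}
```

With a timelock of zero the transfer succeeds on the first attempt; with a 12-hour window it can only succeed if no signer cancels it before the window closes.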
Chaos Labs founder Omer Goldberg put the structural failure plainly: “The protocol’s signer key had full control over market creation, oracle assignment, withdrawal limits. There was no timelock, no multisig threshold, and no delays.” The full drain sequence, once admin control was transferred, took less than fifteen seconds.
Uniswap founder Hayden Adams went further: “We have to stop letting centralized things call themselves DeFi. Admin key can drain all funds? CeFi. Otherwise DeFi means nothing.”
Circle Watched $230 Million Move and Did Nothing
Over six hours following the drain, more than $230 million in stolen USDC crossed Circle’s own Cross-Chain Transfer Protocol — burned on Solana, minted on Ethereum, across more than 100 transactions, during US business hours.
Circle did not freeze a dollar of it.
ZachXBT flagged this publicly: “Circle was asleep while many millions of USDC was swapped via CCTP from Solana to Ethereum for hours from the 9 figure Drift hack during US hours.”
The attacker had even parked the stolen USDC for one to three hours before moving it — apparently confident Circle would not act. They chose USDC specifically over USDT. They were right.
What made the inaction harder to accept: nine days earlier, Circle had frozen USDC across 16 unrelated business hot wallets — exchanges, casinos, forex firms — as part of a sealed US civil lawsuit. No public explanation. No advance warning. But a confirmed nine-figure theft moving through their own infrastructure in real time went untouched.
The gap between capability and obligation is the real issue. As one observer noted: “Circle could freeze it. But they’re not required to.” Proposed frameworks like the GENIUS Act would eventually change that calculus — but on April 1, no rule required Circle to move.
The Bigger Picture on DPRK
The Drift hack was not unusual for North Korean state hackers. It was the 18th such Elliptic-tracked operation in 2026 alone, pushing DPRK crypto theft past $300 million for the year before April was over. Total attributed theft now exceeds $6.75 billion.
The playbook is consistent. In October 2024, Radiant Capital lost $53 million after attackers posed as an ex-contractor and delivered malware through a ZIP file on Telegram. Bybit lost $1.5 billion the same way. The Drift operation ran the same logic at six times the scale and six times the patience.
MetaMask developer and security researcher Taylor Monahan did not soften the wider implication after Drift’s disclosure. She listed at least 40 DeFi platforms she believes have been infiltrated by North Korean IT workers at some stage. “The seven years of blockchain dev experience on their resume is not a lie,” she added, then warned that the depth of the Drift operation “makes me think they already have multiple other teams on lock.”
One detail Drift was careful to note: the individuals who appeared in person at conferences were not North Korean nationals. DPRK operations at this scale deploy third-party intermediaries — people with fully constructed identities, employment histories, and professional networks built specifically to survive due diligence. Non-Koreans working for Koreans.
Patrick Collins called it the scariest hack of 2026 — scarier than Bybit, despite being smaller — because of what it proved: “Meeting somebody in person isn’t going to be the obstacle we historically thought it would be.”
What It Means
Private key compromises account for 88% of all stolen crypto, according to Chainalysis’s 2026 data. Social engineering is the entry point for almost every major theft. The industry has known this for years and responds to each incident the same way: shock, postmortem, a few weeks of governance discussion, then back to building as if the next team won’t be targeted the same way.
Somewhere right now, another protocol is running a minimal multisig with no timelock. Another contributor just accepted a GitHub invite from someone they met at a conference. North Korea didn’t find a hole in DeFi’s code. They found a hole in DeFi’s culture.
The $501.19 seed investment returned $285 million. At that return on investment, the only question is why they didn’t start sooner.
Related Glossary Terms
- Private Key — The cryptographic secret that controls a wallet or signing authority
- Multisig — Wallets or contracts requiring multiple approvals before transactions execute
- Oracle — A mechanism that feeds external price data to smart contracts
- Social Engineering — Manipulating people rather than systems to gain unauthorized access
- DeFi — Decentralized Finance: financial protocols built on public blockchains
Sources
- Rekt.news — Drift Protocol Rekt (April 9, 2026)
- Drift Protocol — Incident Background Update (April 4, 2026)
- Chainalysis — Lessons from the Drift Hack
- QuillAudits — Drift Protocol Hack Analysis
- Elliptic — DPRK Attribution (April 2, 2026)
- ZachXBT — Circle criticism (April 1, 2026)
- Taylor Monahan — DPRK infiltration thread (April 4, 2026)