Threat Intelligence Apr 6, 2026

Drift Protocol: How North Korea Stole $285 Million in 12 Minutes

A six-month social engineering operation, a fake token, manipulated oracles, and pre-signed transactions. The largest DeFi hack of 2026 was months in the making and over in minutes.

What Happened

On April 1, 2026, attackers drained approximately $285 million from Drift Protocol, a Solana-based decentralised perpetuals exchange, in roughly 12 minutes. It's the largest DeFi hack of 2026 and Solana's second-biggest exploit after the $326 million Wormhole bridge hack in 2022.

This wasn't a smart contract bug or a flash loan attack. It was a carefully orchestrated social engineering campaign that ran for six months before the attackers pulled the trigger. TRM Labs and Elliptic have both linked the attack to North Korean state-sponsored hackers, with TRM attributing it with medium confidence to UNC4736, a DPRK-linked group.

Key Facts

  • Amount stolen: ~$285 million (USDC, SOL, JLP, wBTC, liquid staking tokens)
  • Time to drain: ~12 minutes, 31 withdrawal transactions
  • Attack type: Social engineering + governance exploit + oracle manipulation
  • Attribution: DPRK/UNC4736 (medium confidence, per TRM Labs)
  • Impact: Drift TVL fell from ~$550M to under $250M
  • Preparation time: ~6 months

Six Months of Setup

The execution on April 1 was the last step in a campaign that started in late 2025. Here's what the attackers did to get there.

Step 1: Social Engineering the Multisig Signers

Drift's admin operations were protected by a multisig wallet requiring multiple signers to approve transactions. The attackers targeted these signers individually, tricking them into pre-signing transactions that appeared routine but contained hidden authorisations. TRM Labs described it as signers being tricked into approving what looked like normal operational transactions.

This is the part that matters most. The attackers didn't break the multisig. They convinced the humans behind it to hand over the keys.

Step 2: Exploiting Durable Nonces

Here's where it gets technical. Solana has a feature called durable nonces. Normally, a Solana transaction references a recent blockhash and expires if it isn't submitted within a short window. Durable nonces bypass this: the transaction references a nonce value stored in an on-chain nonce account instead, so you can pre-sign it and submit it later, and it stays valid until that nonce is used.

Between March 23 and March 30, the attackers created durable nonce accounts to back the pre-signed transactions obtained through the social engineering phase. The nonce accounts sat on-chain, keeping those signed transactions valid indefinitely. They were essentially time bombs, waiting to be detonated.

Step 3: Weakening the Governance

On March 27, Drift migrated its Security Council to a 2-of-5 signature threshold with zero timelock. That meant admin actions could execute instantly with just two approvals, with no delay window for the community or team to spot and block suspicious activity. The attackers either influenced this change or exploited the window it created.

Step 4: Creating a Fake Token

The attackers minted 750 million units of a completely fictitious asset called CarbonVote Token (CVT). They seeded it with a few thousand dollars in liquidity and used wash trading to build an artificial price history at around $1 per token. Drift's oracles accepted CVT as legitimate collateral, valuing the attacker's holdings at hundreds of millions of dollars.

With fake collateral accepted as real, the attacker could borrow and withdraw real assets against it.

12 Minutes

On April 1, the pre-signed transactions fired. The attacker systematically drained three core vaults: JLP Delta Neutral, SOL Super Staking, and BTC Super Staking. Roughly $155 million came from JLP tokens alone. The rest was a mix of USDC, SOL, cbBTC, wBTC, and liquid staking tokens.

31 transactions. 12 minutes. $285 million gone.

The stolen funds were immediately swapped to USDC using Solana DEX aggregators, bridged to Ethereum, and converted to ETH. Each bridging transaction moved hundreds of thousands or millions in USDC. The attacker wasn't subtle about it.

Why North Korea

Both TRM Labs and Elliptic linked the attack to DPRK-backed actors. The evidence is circumstantial but consistent:

  • On-chain behaviour and laundering patterns match previously observed DPRK techniques
  • The staging began with a 10 ETH withdrawal from Tornado Cash on March 11, made at approximately 9:00 AM Pyongyang time
  • This is the eighteenth DPRK-linked crypto operation tracked in 2026, with over $300 million stolen year-to-date according to Elliptic
  • DPRK-linked actors have stolen over $6.5 billion in crypto assets across recent years
  • The operational sophistication and months-long preparation align with state-sponsored capabilities rather than opportunistic hackers

TRM attributes the attack with medium confidence to UNC4736. DPRK crypto theft has been linked to funding the regime's weapons programmes and evading international sanctions, which is why these operations draw attention from intelligence agencies rather than just law enforcement.

What This Means for Security

You don't need to be running a DeFi protocol for this to be relevant. The attack vectors here apply well beyond crypto.

Social Engineering Still Beats Technical Controls

Drift had a multisig. It didn't matter because the attackers went after the people, not the code. This is the same pattern we see in enterprise breaches and SaaS compromises. Technical controls are only as strong as the humans who operate them.

If your critical operations depend on a small group of individuals approving actions, those individuals are targets. Treat them accordingly: security awareness training, hardware-based authentication, out-of-band verification for unusual requests, and operational security practices.

Zero Timelock Is Zero Safety Net

Drift removed the timelock on its Security Council five days before the attack. Whether that was manipulated or coincidental, the lesson is the same. Timelocks exist to give defenders a window to detect and respond to malicious actions. Removing them, even temporarily, eliminates that safety net. Any governance change that reduces security controls should trigger heightened scrutiny, not less.

Pre-signed Transactions Are a Double-Edged Sword

Durable nonces are a legitimate Solana feature designed for offline signing workflows. But they also let attackers stockpile pre-signed transactions and execute them all at once. If your platform supports deferred or pre-signed operations, monitor for unusual patterns: accounts creating multiple pre-signed transactions, transactions signed by privileged keys sitting dormant, or batched executions.
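The monitoring patterns above map onto on-chain signals a defender can actually observe: a nonce account is created with an InitializeNonceAccount instruction, and a durable-nonce transaction must carry AdvanceNonceAccount as its first instruction, which is what makes it recognisable after the fact. The script below is an added example, not Drift's code or any vendor's tooling, that runs three of those checks over a constructed ledger: several nonce accounts initialised by one authority in a short window (the March 23 to 30 staging pattern), privileged keys executing against nonce accounts that sat idle for days, and a burst of such executions inside a few minutes. The transaction records, key labels and field names are constructed for the example; only the System Program id is real.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Real Solana System Program id; the nonce instructions belong to this program.
SYSTEM_PROGRAM = "11111111111111111111111111111111"

# Constructed labels for the privileged (multisig) signers we watch (hypothetical).
PRIVILEGED_SIGNERS = {"AdminKey1", "AdminKey2"}


def _t(s):
    return datetime.fromisoformat(s)


def _init_nonce(sig, when, nonce, authority):
    # Constructed record of a nonce-account creation (InitializeNonceAccount).
    return {"sig": sig, "time": _t(when), "signers": [authority],
            "ix": [{"program": SYSTEM_PROGRAM, "type": "InitializeNonceAccount",
                    "nonce": nonce, "authority": authority}]}


def _nonce_tx(sig, when, nonce, signers, action):
    # Constructed durable-nonce transaction: AdvanceNonceAccount is the first instruction.
    return {"sig": sig, "time": _t(when), "signers": signers,
            "ix": [{"program": SYSTEM_PROGRAM, "type": "AdvanceNonceAccount",
                    "nonce": nonce, "authority": signers[0]},
                   {"program": "VaultProgram", "type": action}]}


# Constructed sample ledger: three nonce accounts staged over a week, one routine
# admin transaction in between, then three pre-signed withdrawals landing in a burst.
SAMPLE_TXS = [
    _init_nonce("tx1", "2026-03-23T10:00:00", "NonceA", "AdminKey1"),
    _init_nonce("tx2", "2026-03-26T10:00:00", "NonceB", "AdminKey1"),
    {"sig": "tx3", "time": _t("2026-03-28T09:00:00"), "signers": ["AdminKey1"],
     "ix": [{"program": "VaultProgram", "type": "UpdateParams"}]},
    _init_nonce("tx4", "2026-03-30T10:00:00", "NonceC", "AdminKey1"),
    _nonce_tx("tx5", "2026-04-01T12:00:00", "NonceA", ["AdminKey1", "AdminKey2"], "Withdraw"),
    _nonce_tx("tx6", "2026-04-01T12:03:00", "NonceB", ["AdminKey1", "AdminKey2"], "Withdraw"),
    _nonce_tx("tx7", "2026-04-01T12:08:00", "NonceC", ["AdminKey1", "AdminKey2"], "Withdraw"),
]


def is_durable_nonce_tx(tx):
    """A durable-nonce transaction carries AdvanceNonceAccount as its first instruction."""
    ix = tx["ix"]
    return bool(ix) and ix[0]["program"] == SYSTEM_PROGRAM and ix[0]["type"] == "AdvanceNonceAccount"


def nonce_creation_bursts(txs, min_count=3, window=timedelta(days=7)):
    """Authorities that initialised at least min_count nonce accounts inside one window."""
    by_auth = defaultdict(list)
    for tx in txs:
        for ix in tx["ix"]:
            if ix["program"] == SYSTEM_PROGRAM and ix["type"] == "InitializeNonceAccount":
                by_auth[ix["authority"]].append(tx["time"])
    flagged = {}
    for auth, times in by_auth.items():
        times.sort()
        best = max(sum(1 for u in times if t <= u <= t + window) for t in times)
        if best >= min_count:
            flagged[auth] = best
    return flagged


def dormant_nonce_use(txs, min_dormancy=timedelta(days=1)):
    """Privileged-signer nonce transactions whose nonce account sat idle for min_dormancy or more."""
    created = {}
    for tx in sorted(txs, key=lambda t: t["time"]):
        for ix in tx["ix"]:
            if ix["program"] == SYSTEM_PROGRAM and ix["type"] == "InitializeNonceAccount":
                created.setdefault(ix["nonce"], tx["time"])
    hits = []
    for tx in txs:
        if not is_durable_nonce_tx(tx) or not PRIVILEGED_SIGNERS & set(tx["signers"]):
            continue
        nonce = tx["ix"][0]["nonce"]
        if nonce in created and tx["time"] - created[nonce] >= min_dormancy:
            hits.append((tx["sig"], nonce, tx["time"] - created[nonce]))
    return hits


def batched_execution(txs, window=timedelta(minutes=15), min_count=3):
    """Largest burst of privileged durable-nonce transactions inside one window (0 if below min_count)."""
    times = sorted(tx["time"] for tx in txs
                   if is_durable_nonce_tx(tx) and PRIVILEGED_SIGNERS & set(tx["signers"]))
    best = max((sum(1 for u in times if t <= u <= t + window) for t in times), default=0)
    return best if best >= min_count else 0


def run_checks(txs=SAMPLE_TXS):
    """Run all three detections and return their findings keyed by check name."""
    return {"creation_bursts": nonce_creation_bursts(txs),
            "dormant_uses": dormant_nonce_use(txs),
            "batch_size": batched_execution(txs)}


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

In production the records would come from an RPC indexer rather than a hardcoded list, and the thresholds (three accounts in a week, a day of dormancy, three executions in fifteen minutes) should be tuned against the protocol's own baseline of legitimate offline-signing activity; the point is that every signal here is visible before or during the drain, not after.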

Oracle Manipulation Remains a Systemic Risk

The attacker created a worthless token, gave it a fake price history, and Drift's oracles accepted it as hundreds of millions in collateral. This has happened before and will happen again. Any system that makes financial decisions based on external data feeds needs strong validation: multiple oracle sources, liquidity depth checks, circuit breakers for sudden collateral changes, and human review for assets being listed as collateral.
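To make those validation layers concrete, here is an added example (not Drift's code, and not modelled on any real oracle's API) of a collateral valuation routine with the weak version beside the hardened one. The snapshot data, asset labels and field names are constructed for the example: a deep, widely traded stablecoin next to a token that mirrors the CVT pattern, with two price feeds, a few thousand dollars of liquidity, a price that appeared overnight and a handful of wallets behind its trading history. The hardened routine applies the checks from the paragraph above in order: a human-reviewed allowlist, agreement across multiple sources, a circuit breaker on sudden price moves, a minimum number of distinct traders behind the price history, and a credit cap tied to pool liquidity.

```python
from statistics import median

# Constructed oracle snapshot. Field names are hypothetical and chosen for this
# example; they are not Drift's or any real oracle's schema.
SNAPSHOT = {
    "USDC": {"allowlisted": True, "sources": [1.000, 0.999, 1.001],
             "pool_liquidity_usd": 50_000_000, "price_24h_ago": 1.000,
             "distinct_traders_24h": 12_000},
    # Mirrors the fake-token pattern: two feeds, a shallow pool, a price that appeared overnight.
    "CVT":  {"allowlisted": False, "sources": [1.02, 0.98],
             "pool_liquidity_usd": 5_000, "price_24h_ago": 0.0001,
             "distinct_traders_24h": 3},
}


def naive_collateral_value(asset, units, snapshot=SNAPSHOT):
    """Weak design: trust the first price feed and credit full face value."""
    return units * snapshot[asset]["sources"][0]


def hardened_collateral_value(asset, units, snapshot=SNAPSHOT, *,
                              min_sources=3, max_source_spread=0.02,
                              max_24h_move=0.5, min_distinct_traders=50,
                              liquidity_cap=0.10):
    """Return (credited_usd, reasons). Any hard failure credits 0; the liquidity cap is a soft limit."""
    a = snapshot[asset]
    hard, soft = [], []

    # 1. Listing as collateral requires human review; unlisted assets count for nothing.
    if not a["allowlisted"]:
        hard.append("asset not on the reviewed collateral allowlist")

    # 2. Multiple independent price sources, and they must agree.
    prices = a["sources"]
    price = median(prices)
    if len(prices) < min_sources:
        hard.append(f"only {len(prices)} price source(s), need {min_sources}")
    if (max(prices) - min(prices)) / price > max_source_spread:
        hard.append("price sources disagree beyond tolerance")

    # 3. Circuit breaker: a price that moved more than max_24h_move in a day is frozen.
    move = abs(price - a["price_24h_ago"]) / max(a["price_24h_ago"], 1e-12)
    if move > max_24h_move:
        hard.append(f"24h price move of {move:.0%} tripped the circuit breaker")

    # 4. A price history produced by a handful of wallets is not a market.
    if a["distinct_traders_24h"] < min_distinct_traders:
        hard.append("too few distinct traders behind the price history")

    if hard:
        return 0.0, hard

    # 5. Liquidity depth: never credit more than a fraction of what the pool could absorb.
    credited = units * price
    cap = a["pool_liquidity_usd"] * liquidity_cap
    if credited > cap:
        soft.append(f"credited value capped at {cap:,.0f} USD ({liquidity_cap:.0%} of pool liquidity)")
        credited = cap
    return credited, soft


if __name__ == "__main__":
    print("naive CVT:   ", naive_collateral_value("CVT", 750_000_000))
    print("hardened CVT:", hardened_collateral_value("CVT", 750_000_000))
    print("hardened USDC:", hardened_collateral_value("USDC", 1_000_000))
```

The naive function credits the 750 million constructed CVT units at over $765 million; the hardened one credits nothing and lists every gate the asset failed, which is the output a risk team wants to see in a listing review. The liquidity cap is the check that matters even for legitimate assets: it ties the maximum credit to what could actually be sold into the market, so a position can never be worth more to the lender than the pool behind it.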

Monitor Your External Attack Surface

Social engineering attacks often start with reconnaissance. Exposed employee information, public infrastructure details, and visible technology stacks give attackers the context they need to craft convincing pretexts. Luna scans your internet-facing assets for exposed services, misconfigurations, and information leakage that could feed into a targeted attack. Start a scan and see what's visible from the outside.
