
Drift Protocol has said the theft of about $270 million to $286 million from its platform was the result of a six-month operation by North Korea-linked actors who built trust slowly, posed as a legitimate trading firm and used face-to-face meetings, capital deposits and carefully timed social engineering to prepare the strike. The Solana-based exchange’s account adds a new layer to an attack that security researchers had already described as one of the largest decentralised finance hacks of 2026.
The attack matters because it appears to have relied less on a simple coding flaw than on patience, deception and operational discipline. Drift said the attackers met contributors in multiple countries, presented themselves as a trading outfit and even placed roughly $1 million of their own capital into the ecosystem before moving. That account broadly matches a wider pattern identified by investigators and Western officials, who have described North Korean cyber operations as increasingly sophisticated, well resourced and heavily focused on digital assets.
Blockchain intelligence firms had already pointed to Pyongyang-linked actors soon after the April 1 exploit. Elliptic said multiple indicators suggested a link to the Democratic People’s Republic of Korea and estimated the stolen assets at more than $286 million. TRM Labs put the figure at about $285 million and said the attackers drained funds in roughly 12 minutes, making it the biggest DeFi hack so far this year and the second-largest security incident in Solana’s history after the 2022 Wormhole breach.
According to TRM’s reconstruction, preparations on-chain began on March 11. The attackers created infrastructure, minted a fake token called CarbonVote Token, seeded limited liquidity and built an artificial price history that Drift’s systems treated as legitimate. Between March 23 and March 30, they also set up multiple durable nonce accounts, a standard Solana feature that allows transactions to be signed in advance and executed later. Investigators say those tools were combined with social engineering that persuaded members of Drift’s Security Council to pre-sign transactions whose true purpose was concealed.
That sequence turned a routine operational feature into a weapon. TRM said the decisive weakness was not a smart-contract bug but a combination of hidden authorisations, pre-signed approvals and a zero-timelock migration of the Security Council on March 27 that removed a final layer of delay and scrutiny. Once the pieces were in place, the attacker listed the fabricated token as collateral, expanded withdrawal capacity and pulled out real assets including USDC and JLP across a burst of transactions. Most of the proceeds were then bridged to Ethereum within hours.
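The durable-nonce mechanism described in the two paragraphs above is what let signed approvals be held and executed later. As an added example (not code from Drift, TRM or Elliptic), the following check hand-parses a Solana legacy transaction message so a signer can see, before approving, whether the transaction begins with a System `AdvanceNonceAccount` instruction and which programs it actually invokes; the governance program key and the sample messages are constructed placeholders.

```python
# Added example (not code from Drift, TRM or Elliptic): a pre-signing check that
# hand-parses a Solana legacy transaction message so a signer can see whether
# the transaction uses a durable nonce (and so can be held and broadcast later)
# and which programs it actually invokes. The governance program key is a placeholder.
SYSTEM_PROGRAM = bytes(32)                   # 11111111111111111111111111111111
ADVANCE_NONCE = (4).to_bytes(4, "little")    # SystemInstruction::AdvanceNonceAccount

def _compact_u16(buf, pos):
    """Decode Solana's compact-u16 length prefix; returns (value, next pos)."""
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7

def parse_message(msg: bytes) -> dict:
    """Decode account keys, the blockhash/nonce slot and the instruction list."""
    n_keys, pos = _compact_u16(msg, 3)            # bytes 0-2 are the signer/read-only header
    keys = [msg[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = msg[pos:pos + 32], pos + 32  # carries the nonce value for durable txs
    n_ix, pos = _compact_u16(msg, pos)
    ixs = []
    for _ in range(n_ix):
        prog = keys[msg[pos]]
        n_acc, pos = _compact_u16(msg, pos + 1)
        accts = list(msg[pos:pos + n_acc])
        dlen, pos = _compact_u16(msg, pos + n_acc)
        ixs.append({"program": prog, "accounts": accts, "data": msg[pos:pos + dlen]})
        pos += dlen
    return {"keys": keys, "blockhash": blockhash, "instructions": ixs}

def uses_durable_nonce(parsed: dict) -> bool:
    """A durable-nonce transaction must begin with System AdvanceNonceAccount."""
    ixs = parsed["instructions"]
    return bool(ixs) and ixs[0]["program"] == SYSTEM_PROGRAM and ixs[0]["data"][:4] == ADVANCE_NONCE

def build_message(keys, blockhash, ixs):
    """Encode a sample message (all counts < 128, so each compact-u16 is one byte)."""
    body = bytes([1, 0, len(keys) - 2, len(keys)]) + b"".join(keys) + blockhash + bytes([len(ixs)])
    for prog_idx, accts, data in ixs:
        body += bytes([prog_idx, len(accts)]) + bytes(accts) + bytes([len(data)]) + data
    return body

# Constructed samples: key 0 signs, key 1 is the nonce account, keys 2-3 are programs.
KEYS = [bytes([1]) * 32, bytes([2]) * 32, SYSTEM_PROGRAM, bytes([0xAA]) * 32]
PRESIGNED = build_message(KEYS, bytes([0x33]) * 32, [(2, [1, 0], ADVANCE_NONCE), (3, [0], b"migrate")])
ORDINARY = build_message(KEYS, bytes([0x44]) * 32, [(3, [0], b"migrate")])
```

A signing policy built on this can refuse or escalate any transaction for which `uses_durable_nonce` is true, since such a transaction stays valid until the nonce is advanced rather than expiring with a recent blockhash.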
The case is also a reminder that digital-asset platforms are now confronting intelligence-style operations rather than straightforward smash-and-grab thefts. Reuters reported last year that North Korean cyber operatives had created front companies in the United States to lure cryptocurrency developers with fake jobs and infect them with malware. Another Reuters report this week said Google had linked a separate supply-chain compromise involving widely used software to a North Korean group known for targeting the financial and crypto sectors.
Officials in Washington have long argued that such thefts help bankroll Pyongyang’s weapons ambitions and sanctions evasion. Reuters, citing the U.S. government, reported this week that North Korea uses stolen crypto to fund weapons and other programmes. A Treasury statement from November 2025 said North Korea-affiliated cybercriminals had stolen more than $3 billion over the previous three years, largely in cryptocurrency, often through malware and social engineering. Elliptic said DPRK-linked actors were believed to have stolen more than $6.5 billion in cryptoassets over recent years.
For the crypto industry, Drift’s account sharpens a growing debate over where the biggest risks now sit. The sector has spent years focusing on code audits, smart-contract reviews and bridge security, but this incident suggests that governance processes, signer behaviour, device hygiene and in-person trust models may be just as critical. The fact that attackers were willing to wait half a year, build credible cover and commit their own funds shows how the line between cybercrime and covert statecraft is fading.