Crypto

North Korea Spent Six Months Building Trust With a Solana DeFi Team. Then It Took $285 Million in 12 Minutes.

4 min read

On April 1, Drift Protocol, one of the largest decentralized exchanges built on Solana, lost roughly $285 million in what both independent blockchain forensics firms and the protocol itself now attribute, with medium confidence, to a North Korean state-sponsored hacking group tracked as UNC4736. It is the largest crypto hack of 2026 so far and the second-largest exploit in Solana’s history, trailing only the $326 million Wormhole bridge hack from 2022. What makes the Drift attack notable isn’t just the size of the loss. It’s that the attackers didn’t find a bug in Drift’s code. They spent roughly six months building a fake identity, gaining the trust of real people inside Drift’s organization, and then used that trust to walk straight through the protocol’s front door.

The operation began, according to Drift’s own post-incident account and reporting from TRM Labs, in the fall of 2025, when the attackers began posing as a legitimate quantitative trading firm and cultivating relationships with Drift contributors over months. On March 12, roughly three weeks before the theft, they created a fake token called CVT, seeded a small liquidity pool for it on the Solana decentralized exchange Raydium, and wash-traded it against itself to anchor an artificial price of roughly one dollar. They then deployed a price oracle they controlled to feed that fabricated price directly into Drift’s systems, a step that only works if you already have enough standing inside the protocol’s technical infrastructure to get a new oracle trusted in the first place.

The final trigger exploited a legitimate Solana feature called durable nonces, which lets a transaction be signed in advance and executed later, useful for coordinating multi-party approvals asynchronously, but dangerous if the people signing don’t fully understand what they’re pre-authorizing. The attackers convinced real members of Drift’s Security Council, the multisig group meant to be the protocol’s last line of defense against exactly this kind of attack, to blindly pre-sign dormant transactions as part of what looked like routine operational activity. When the attackers activated those pre-signed transactions, admin control of the protocol quietly transferred to them, no alarms, no visible compromise, just a routine-looking signature that turned out to hand over the keys.

Once they had control, the theft itself took minutes. The attackers drained USDC, SOL, JLP, wrapped Bitcoin, and several other assets directly from Drift’s vaults. The protocol’s total value locked collapsed from roughly $550 million to under $300 million in less than an hour, and by most accounts the core extraction, the actual movement of funds out of Drift’s control, took around 12 minutes once the pre-signed transactions were triggered.

The Drift hack fits a broader pattern crypto forensics firms have been flagging for over a year: attackers are increasingly targeting people and access rather than code. Industry crime reports have found that so-called infrastructure attacks, compromised private keys, wallet infrastructure, and privileged access rather than smart contract bugs, accounted for roughly three-quarters of all crypto theft losses in 2025, up sharply from prior years when code exploits dominated. The single largest incident in that shift was Bybit’s February 2025 hack, a $1.46 billion theft also attributed to North Korean operatives, which together with Drift suggests state-linked hacking groups have concluded that patient social engineering against real humans is now a more reliable attack path than hunting for smart contract vulnerabilities, which get audited, bug-bountied, and patched far more aggressively than they used to be.

That state-sponsorship angle isn’t incidental color. North Korea’s crypto theft operations are widely understood by US and allied intelligence agencies to directly fund the country’s weapons programs, meaning a hack like Drift’s isn’t just a business loss for the protocol’s users, it’s a real transfer of resources to a sanctioned state actor, with the $285 million presumably routed through the same laundering infrastructure, mixers, cross-chain bridges, over-the-counter brokers in jurisdictions with weak enforcement, that has moved Pyongyang’s previous crypto proceeds.

For anyone in the Philippines building on or trading through DeFi protocols, the practical lesson from Drift isn’t about smart contract audits, Drift’s code itself wasn’t the vulnerability. It’s that governance structures, multisig setups, and who gets to sign what processes are now squarely inside the attack surface, and that six months of patient, professional-looking outreach from a supposed trading counterparty is exactly the kind of thing a well-resourced state actor is now willing to invest in a single target. Philippine fintechs and crypto platforms building any kind of cross-chain or DeFi integration should treat operational security around admin keys and multisig approvals with at least as much scrutiny as they apply to smart contract code, since Drift is proof that a protocol can have technically sound code and still lose $285 million because the people running it trusted the wrong counterparty for six months.

crypto hack DeFi Drift Protocol Solana

Share this article

Share on X Share on LinkedIn Share on Facebook

Related Articles

Newsletter

By subscribing, you agree to our Privacy Policy.