TL;DR: On April 1, 2026, North Korean hackers drained $285 million from Drift Protocol. Solana’s largest decentralized exchange, in roughly 12 minutes. They didn’t exploit a code bug. They tricked multisig signers into pre-approving hidden transactions, then used a Solana feature called “durable nonces” to execute them weeks later. Both TRM Labs and Elliptic attribute the hack to DPRK state actors. The DRIFT token crashed 40%. This is the 18th confirmed North Korean crypto attack in 2026. Where does the money go? Into the most complete surveillance state on Earth, one that classifies every citizen at birth and monitors them until death.
April 1: Not a Joke
At 12:47 UTC on April 1, 2026, Drift Protocol’s vaults started emptying. Thirty-one withdrawal transactions fired in sequence. Within 12 minutes, $285 million in USDC and JLP tokens were gone.[1]
The largest single transfer: 41.7 million JLP tokens worth roughly $155 million. Ripped from the JLP Delta Neutral vault in seconds.[2]
By the time Drift’s team posted “investigating suspicious activity” on X, the stolen assets were already being bridged to Ethereum. Within hours, most of the $285 million had crossed chains and started moving through mixing services.[1]
Drift’s total value locked collapsed from $550 million to under $250 million in one hour. The DRIFT governance token dropped 40%.[2]
The Attack: Social Engineering Meets Solana’s “Convenience Feature”
This wasn’t a smart contract exploit. No code was broken. The attackers played people, not programs.
Here’s how it worked:[1][3]
Step 1: Create a Fake Token (March 11–23)
Three weeks before the heist, the attackers withdrew 10 ETH from Tornado Cash, a crypto mixing service, at around 9:00 AM Pyongyang time. They used it to deploy a fictitious token called CarbonVote (CVT). They minted 750 million units, seeded a few thousand dollars in liquidity on Raydium, and ran wash trades to build a fake price history near $1.[1]
Drift’s oracles accepted CVT as valid collateral. No minimum liquidity threshold. No time-weighted price validation. The fake token looked real enough for the protocol to treat it as worth hundreds of millions.
Step 2: Trick the Multisig Signers (March 23–30)
Drift’s Security Council, a five-member multisig, controlled the protocol’s admin functions. The attackers social-engineered at least two signers into pre-signing transactions that looked routine but contained hidden authorizations for critical admin actions.[1][3]
The key trick: durable nonces. Normal Solana transactions expire after a few minutes if not executed. But durable nonce accounts replace the expiring blockhash with a fixed code that keeps the transaction valid indefinitely. The attackers got signatures on transactions that sat dormant for over a week.[3]
Step 3: Remove the Last Safety Net (March 27)
Drift migrated its Security Council to a zero-timelock configuration. This meant approved transactions could execute instantly, no delay, no review period. TRM Labs called this “the protocol’s last line of defense.”[1]
It was gone before the attackers even pulled the trigger.
Step 4: Drain Everything (April 1)
Two transactions, four slots apart on the Solana blockchain: create and approve a malicious admin transfer, then approve and execute it. The attackers had full protocol-level control. They introduced a fraudulent withdrawal mechanism and emptied three core vaults: JLP Delta Neutral, SOL Super Staking, and BTC Super Staking.[2][3]
Total time from first transaction to full control: under 12 minutes.
North Korea Did It. Both Tracking Firms Agree.
TRM Labs and Elliptic, the two leading blockchain intelligence firms, independently attributed the Drift hack to North Korean state actors.
TRM Labs cited the 9:00 AM Pyongyang-time activity pattern, Tornado Cash staging, cross-chain bridging speed, and laundering methodology matching previous DPRK operations. The post-hack laundering moved “hundreds of thousands or millions in USDC” per transaction, faster than even the $1.5 billion Bybit laundering operation in 2025.[1]
Elliptic identified “multiple indicators” linking the exploit to DPRK, including on-chain behavior, laundering methodologies, and network-level indicators consistent with known North Korean techniques. The firm called it the 18th tracked DPRK operation in 2026, with over $300 million stolen this year alone.[2]
$6.75 Billion and Counting
Drift isn’t an isolated incident. It’s the latest entry in a ledger that gets worse every year.
According to Chainalysis:[4]
- 2024: $1.34 billion stolen across 47 incidents (102% year-over-year increase)
- 2025: $2.02 billion stolen (51% increase), including the $1.5 billion Bybit hack
- 2026 (through April): $300+ million stolen across 18 confirmed operations
- All-time total: $6.75 billion in stolen cryptocurrency
In 2025, DPRK-attributed attacks accounted for 76% of all crypto service compromises. North Korea isn’t just a major player in crypto theft. It is the crypto theft industry.[4]
Where Stolen Crypto Goes: The World’s Most Complete Surveillance State
Most coverage of DPRK crypto hacks focuses on nuclear weapons and ballistic missiles. Fair enough, the UN and multiple intelligence agencies confirm that stolen crypto funds those programs in defiance of international sanctions.[5]
But here’s what gets less attention: the same money funds the most sophisticated domestic surveillance apparatus on Earth.
North Korea operates a layered surveillance system that makes China’s social credit look amateurish:
Songbun: Classification From Birth
Every North Korean is assigned a political loyalty class at birth, “core,” “wavering,” or “hostile” across roughly 50 sub-classifications. Your songbun determines your job, housing, food rations, medical care, education, and marriage prospects. Security officials maintain files on every citizen from age 17, updated every two years.[6]
Inminban: Neighbors Watch Neighbors
Every household belongs to a “people’s group” (inminban) of 30–40 families organized by geography. Group leaders conduct home inspections, monitor residents’ activities, and report suspicious behavior. Failure to report “treasonous” activity results in severe punishment, for you, not the suspect.[7]
Four Surveillance Agencies
The State Security Department (SSD), Ministry of Public Security, Ministry of State Security, and Military Security Command all run parallel surveillance networks. The SSD alone controls at least 50,000 personnel and maintains its own network of political prisons.[7]
Digital Expansion Under Kim Jong-un
Since taking power, Kim Jong-un has dramatically expanded digital surveillance capabilities. North Korea’s domestic internet (Kwangmyong) is fully state-controlled. Every device has mandatory monitoring software. Foreign media consumption is a criminal offense punishable by forced labor or execution.[8]
This system doesn’t run on enthusiasm. It runs on money. And increasingly, that money comes from stolen cryptocurrency.
The DeFi Security Problem Nobody Wants to Admit
Drift was Solana’s largest perpetual futures DEX. Over $550 million in total value locked. Five-member Security Council. Multisig protections.
None of it mattered.
The core failures:[1][3]
- No minimum liquidity thresholds for collateral acceptance: a token with a few thousand dollars in liquidity was treated as valid collateral worth hundreds of millions
- No time-weighted price validation: wash-traded prices were accepted at face value
- No circuit breakers for sudden large withdrawals
- Zero-timelock governance: admin changes executed instantly with no review period
- Durable nonce transactions signed without scrutiny: signers approved transactions they didn’t fully understand
CoinDesk reported that the critical vulnerability “was not a smart contract bug but a combination of social engineering and a zero-timelock Security Council migration that eliminated the protocol’s last line of defense.”[3]
The biggest DeFi hack of 2026 didn’t require a single line of exploit code.
What This Means for You
If you had funds in Drift Protocol, check your wallet. Drift has paused all deposits and is working with law enforcement and blockchain intelligence firms to track the stolen assets.[9]
If you use any DeFi protocol, ask these questions:
- Does the protocol have timelocks on governance changes? (Drift didn’t.)
- Are there circuit breakers for unusually large withdrawals? (Drift didn’t have those either.)
- How is collateral validated? Is there a minimum liquidity requirement?
- Who controls the multisig, and what’s the signing process?
The broader point: Every dollar you put into a DeFi protocol is a dollar that state-sponsored hackers are actively trying to steal. North Korea has 18 confirmed operations in 2026 alone. They’re not slowing down. They’re scaling up.
The Bottom Line
North Korea doesn’t just surveil its own people. It steals from everyone else to pay for it.
$285 million from Drift Protocol. $1.5 billion from Bybit. $6.75 billion total across the last several years. The stolen crypto flows through Chinese and Southeast Asian OTC brokers, converts to fiat, and funds a regime that classifies citizens into loyalty castes, forces neighbors to spy on each other, and punishes unapproved media consumption with prison camps.
The next time someone tells you crypto is “decentralized” and “trustless,” remember: Drift’s vaults weren’t broken by code. They were emptied by a nation-state that social-engineered two people into signing the wrong transaction.
The protocol trusted humans. The humans were the vulnerability.
References
- TRM Labs: North Korean Hackers Attack Drift Protocol in $285 Million Heist (April 2, 2026)
- Elliptic: Drift Protocol Exploited for $286 Million in Suspected DPRK-Linked Attack (April 2, 2026)
- CoinDesk: How a Solana Feature Designed for Convenience Let an Attacker Drain $270 Million From Drift (April 2, 2026)
- Chainalysis: 2025 Crypto Theft Reaches $3.4 Billion (January 2026)
- 38 North: From Digital Kleptocracy to Rogue Crypto-Superpower (January 2026)
- Wikipedia: Songbun: North Korea’s Political Classification System
- Wikipedia: Mass Surveillance in North Korea
- Amnesty International: North Korea, the Surveillance State
- The Hacker News: Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK (April 3, 2026)