What looked like a routine DeFi exploit on April 1, 2026 turned out to be one of the most sophisticated cyberheists in crypto history. Drift Protocol, the largest decentralised perpetual futures exchange on the Solana blockchain, was drained of approximately $286 million in user assets in under 12 minutes. Blockchain intelligence firms TRM Labs and Elliptic have since attributed the attack to a North Korean state-affiliated group, and Drift’s own postmortem confirmed what investigators suspected: the operation began not in April, but nearly six months earlier.
What Is Drift Protocol?
Drift Protocol is a decentralised exchange built on the Solana network that allows traders to open leveraged perpetual futures positions without a centralised intermediary. Prior to the attack, the platform held approximately $550 million in total value locked, making it one of the most significant DeFi protocols in the Solana ecosystem. Its scale, its governance structure, and the trust its contributors placed in external partners made it precisely the kind of target North Korean state-linked hackers have repeatedly pursued in recent years.
A Partnership That Was Never Real
According to Drift’s detailed incident update published on April 5, the attack traces back to a major crypto industry conference in October 2025. A group of individuals posing as representatives of a quantitative trading firm approached Drift contributors, expressed interest in a vault integration, and established what appeared to be a legitimate business relationship. They were technically fluent, carried verifiable professional backgrounds, and demonstrated a clear understanding of how the protocol operated.
Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift, held multiple working sessions with contributors, deposited over $1 million of their own capital, and built a functioning operational presence inside the ecosystem. Drift contributors met individuals from the group face to face at multiple major industry conferences across several countries through February and March 2026. By the time the attack launched on April 1, the manufactured relationship was nearly half a year old.
How the Attackers Got Inside
The compromise appears to have come through two vectors. The first was a known vulnerability in VSCode and Cursor — two of the most widely used code editors in software development — that the security community had been flagging since late 2025, where simply opening a file or folder in the editor was sufficient to silently execute arbitrary code with no prompt or warning. A malicious TestFlight application served as the second entry point. Once devices belonging to Drift contributors were compromised, the attackers had access to what they needed most: the ability to obtain multisig approvals that would make the final drain possible.
The Fake Token That Fooled the System
In parallel with the social engineering campaign, the attackers were constructing a financial illusion on-chain. On March 11, the attacker withdrew ETH from Tornado Cash and used those funds to deploy a fictitious token called CarbonVote Token, or CVT. Over the following weeks, they seeded minimal liquidity for CVT on the Raydium decentralised exchange and used wash trading to maintain a price near $1.00. Drift’s price oracles read that price as legitimate, treating CVT as genuine collateral worth hundreds of millions of dollars. The entire construction cost the attackers only a few thousand dollars.
Why the Oracles Did Not Catch It
Price oracles are automated systems that pull market data to determine the value of assets used as collateral in DeFi protocols. Because the attackers carefully maintained a consistent price for CVT through wash trading over several weeks, the oracles had no statistical basis to flag the token as suspicious. Security audits by Trail of Bits in 2022 and ClawSecure as recently as February 2026 had given Drift passing grades, but the CVT market introduction and the governance changes that followed slipped through without triggering any alerts.
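A price-only oracle can only ask whether a feed is steady, which is exactly the test a wash-traded token passes. The added example below (not Drift's code; the markets, wallets and figures are constructed) shows two checks a collateral-listing policy can run beside the price feed: whether accepted collateral dwarfs the on-chain liquidity that would have to absorb a liquidation, and whether volume cycles between a handful of wallets.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample markets (illustrative figures, not Drift's or CVT's real data).
MARKETS = {
    "CVT": {
        "price_history": [1.00, 1.01, 0.99, 1.00, 1.00, 1.01],
        "pool_liquidity_usd": 4_000,            # thin pool seeded by the token's deployer
        "collateral_posted_usd": 280_000_000,   # value the oracle price would vouch for
        "trades": [("A", "B", 900), ("B", "A", 950), ("A", "B", 880), ("B", "A", 910)],
    },
    "HEALTHY": {
        "price_history": [150.0, 151.2, 149.5, 150.3, 150.8, 149.9],
        "pool_liquidity_usd": 50_000_000,
        "collateral_posted_usd": 5_000_000,
        "trades": [("w1", "w2", 5000), ("w3", "w4", 7000), ("w5", "w1", 3000), ("w6", "w7", 9000)],
    },
}

def price_looks_stable(prices, max_rel_stdev=0.02):
    """The only test a price-only oracle can make: is the feed steady?"""
    return pstdev(prices) / mean(prices) <= max_rel_stdev

def collateral_risk_flags(m, max_exposure_ratio=0.25, max_top2_share=0.5):
    """Reasons to refuse a market as collateral even when its price feed is steady."""
    flags = []
    # Exposure vs depth: collateral accepted far beyond what the pool could absorb.
    if m["collateral_posted_usd"] > max_exposure_ratio * m["pool_liquidity_usd"]:
        flags.append("collateral exceeds liquidity depth")
    # Counterparty concentration: wash trading shows up as volume cycling between few wallets.
    vol, total = Counter(), 0
    for buyer, seller, size in m["trades"]:
        vol[buyer] += size
        vol[seller] += size
        total += 2 * size
    if total and sum(v for _, v in vol.most_common(2)) / total > max_top2_share:
        flags.append("volume concentrated in two wallets")
    # Round trips: the same pair of wallets trading in both directions.
    pairs = {(b, s) for b, s, _ in m["trades"]}
    if any((s, b) in pairs for b, s in pairs):
        flags.append("round-trip trades between the same wallets")
    return flags

if __name__ == "__main__":
    for name, m in MARKETS.items():
        print(name, "stable:", price_looks_stable(m["price_history"]),
              "flags:", collateral_risk_flags(m))
```

Both markets pass the stability test; only the depth and concentration checks separate them.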
The 12-Minute Drain on April 1
The exploit did not involve a bug in Drift’s code. It used durable nonces — a legitimate Solana transaction feature — to pre-sign administrative transfers weeks before executing them, bypassing the protocol’s multisig security in minutes. Ordinary Solana transactions expire once their recent blockhash ages out; a durable-nonce transaction stays valid until it is submitted, which is what let signatures collected weeks earlier be replayed in one go. A critical governance change on March 27 made the final attack possible: Drift had migrated its Security Council to a new 2/5 threshold configuration with zero timelock, eliminating the delay window that would have allowed detection and intervention before the drain executed.
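The two settings the article singles out, a minority threshold and a zero timelock, can be checked mechanically, and a durable-nonce transaction announces itself on-chain because the System Program's advance-nonce instruction must come first. The added example below (not Drift's code; the council configurations, proposals and signer keys are constructed) reviews privileged proposals against a weak and a hardened configuration, counting the timelock from when a proposal surfaces on-chain rather than from when it was signed.

```python
from datetime import datetime, timedelta, timezone

# A Solana durable-nonce transaction must place the System Program's advance-nonce
# instruction first; that is what keeps a signature collected weeks earlier valid.
ADVANCE_NONCE = "SystemProgram::AdvanceNonceAccount"   # label used in the constructed data
NOW = datetime(2026, 4, 1, 5, 30, tzinfo=timezone.utc)  # constructed reference time

# Constructed council configurations and proposals (not Drift's real settings or transactions).
WEAK_CFG = {"threshold": 2, "members": 5, "timelock_hours": 0}
HARDENED_CFG = {"threshold": 3, "members": 5, "timelock_hours": 48}
PROPOSALS = {
    # pre-signed weeks ago, surfaced on-chain minutes before execution
    "p1": {"instructions": [ADVANCE_NONCE, "Vault::AdminTransfer"], "signers": {"k1", "k2"},
           "proposed_at": NOW - timedelta(minutes=5)},
    # ordinary proposal that sat in public view for three days
    "p2": {"instructions": ["Vault::AdminTransfer"], "signers": {"k1", "k2", "k3"},
           "proposed_at": NOW - timedelta(days=3)},
}

def config_findings(cfg):
    """Flag a council configuration that a compromised minority can drive alone."""
    findings = []
    if 2 * cfg["threshold"] <= cfg["members"]:
        findings.append(f"threshold {cfg['threshold']}/{cfg['members']} is not a majority")
    if cfg["timelock_hours"] == 0:
        findings.append("zero timelock: no window to detect or veto an approved transfer")
    return findings

def proposal_findings(p, cfg, now=NOW):
    """Reasons to hold a privileged proposal before it executes."""
    findings = []
    if len(p["signers"]) < cfg["threshold"]:
        findings.append(f"insufficient approvals ({len(p['signers'])}/{cfg['threshold']})")
    if p["instructions"][:1] == [ADVANCE_NONCE]:
        findings.append("durable nonce: approvals may predate current review")
    # The delay is counted from when the proposal appeared on-chain, not from when it
    # was signed, so an offline pre-signed bundle still has to wait out the full window.
    if now < p["proposed_at"] + timedelta(hours=cfg["timelock_hours"]):
        findings.append("timelock not elapsed")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, "config:", config_findings(cfg))
        for pid, p in PROPOSALS.items():
            print(" ", pid, proposal_findings(p, cfg))
```

Under the weak configuration the pre-signed proposal clears threshold and timelock immediately and only the durable-nonce heuristic notices it; under the hardened one it is held on all three counts.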
On April 1 at approximately 1:30 AM Eastern Time, the pre-signed transactions were submitted. Most of the stolen funds were bridged to Ethereum within hours, with the attacker converting stolen tokens to USDC, swapping into tens of thousands of ETH, routing some funds through Hyperliquid, and sending a portion directly to Binance. According to DefiLlama, Drift’s total value locked collapsed from approximately $550 million to under $250 million following the attack. The DRIFT token dropped more than 40% within hours. The Drift team posted on X that this was “not an April Fools joke” as they urged users to immediately stop interacting with the protocol.
North Korea’s Fingerprints Are All Over It
Attribution points to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet, based on both on-chain fund flows tracing back to the Radiant Capital attackers and operational overlap with known DPRK-linked personas. Elliptic noted the on-chain behaviour, laundering methodology, and network-level indicators are all consistent with techniques observed in previous DPRK operations. If confirmed, this incident would represent the 18th DPRK-linked crypto theft Elliptic has tracked in 2026, pushing the year’s total losses beyond $300 million. DPRK-linked actors are believed to have stolen over $6.5 billion in crypto assets in recent years, with the U.S. government linking those proceeds directly to the funding of North Korea’s weapons programmes.
Contagion Across the Solana Ecosystem
The damage extended well beyond Drift itself. PiggyBank reported around $106,000 in exposure through its delta-neutral strategies and moved quickly to cover users using team funds. Reflect Money paused minting and redemptions for USDC+ and USDT+. Ranger Finance temporarily halted deposits and withdrawals, with potential exposure estimated at over $900,000. In total, more than 20 Solana protocols reported contagion effects in the days following the exploit.
What Happens Next for Drift and DeFi?
Drift has suspended all deposits and withdrawals and engaged cybersecurity firm Mandiant to support its investigation. The team has removed compromised wallets from its multisig structure and flagged attacker-controlled addresses across exchanges and bridges. The protocol floated the possibility of an airdrop for affected users, though that proposal drew immediate backlash from the community who argued compensation, not tokens, was what victims needed.
For the broader DeFi industry, analysts suggest the Drift attack marks a turning point. The weakest link in decentralised finance is no longer the smart contract code — it is the human beings trusted to govern it. As long as protocols rely on small groups of identifiable contributors holding multisig keys, state-sponsored actors with the patience to spend six months building a fake identity will keep finding a way in.
Disclaimer: This article is for informational purposes only and does not constitute financial, investment, or legal advice. Cryptocurrency markets are highly volatile. Always conduct your own research before making any investment decisions.