The message Drift Protocol posted to X on April 1 opened with an unusual disclaimer: “This is not an April Fools joke.” Within hours, the reason became clear. A $285 million exploit had wiped out more than half of the Solana-based decentralized perpetual futures exchange’s total value locked — and the attack had been in preparation for six months.
A malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers. The incident, which took place on April 1, was confirmed as a highly sophisticated operation involving multi-week preparation and staged execution.
Drift is the largest decentralized perpetual futures exchange on Solana, a blockchain network. It allows users to trade leveraged financial positions without a centralized intermediary. The protocol held approximately $550 million in user assets before the attack. According to TRM Labs, the drain took roughly 12 minutes, making this the largest DeFi hack of 2026 and the second-largest exploit in Solana’s history, behind only the $326 million Wormhole bridge hack in 2022.
A Six-Month Long-Con Operation
A North Korean state-linked group spent roughly six months infiltrating Drift Protocol under the guise of a quantitative trading firm before executing the exploit. The attackers built trust by meeting Drift contributors at conferences, depositing more than $1 million, and integrating an Ecosystem Vault. They then compromised devices via a malicious TestFlight app and a VSCode/Cursor vulnerability to obtain multisig approvals.
On-chain staging began on March 11, nearly three weeks before the April 1 execution, with a 10 ETH withdrawal from Tornado Cash. The funds began moving at around 12:00 AM GMT on March 12 — approximately 9:00 AM Pyongyang time — and shortly after funded the deployment of CarbonVote Token (CVT), the fictitious asset used to manipulate Drift’s price oracles.
The Fake Token That Fooled an Oracle
A key element of the attack was entirely manufactured. The attacker created CarbonVote Token (CVT), minting around 750 million units, seeded a small liquidity pool of approximately $500 on the Raydium decentralized exchange, and used wash trading — artificial back-and-forth trades between attacker-controlled wallets — to build a price history near $1. Over time, this artificial price was picked up by oracles, making the token appear legitimate.
An oracle, in the context of blockchain protocols, is a system that feeds real-world price data into smart contracts so that a protocol knows the value of the assets it holds. By manufacturing a fake price history for a worthless token, the attackers tricked Drift’s oracles into treating CVT as legitimate collateral worth hundreds of millions of dollars.
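The paragraphs above describe the failure in mechanism terms: an oracle reported a price, and the price alone was allowed to justify collateral value, even though the only market for the token was a $500 pool traded between a handful of wallets. The check below is an added example, not Drift's code or any real listing logic. It assumes a simple listing record (oracle price, the USD quote reserve of the token's deepest constant-product pool, circulating supply, and 24-hour trade and unique-trader counts); the two candidate records and the policy thresholds are constructed for illustration.

```python
"""Liquidity-aware admission check for a proposed collateral asset.

Added example (not Drift's code). Assumes a listing record with the fields
below; the thresholds and both sample candidates are constructed values.
"""
from dataclasses import dataclass, field


@dataclass
class CollateralCandidate:
    symbol: str
    oracle_price_usd: float
    quote_reserve_usd: float     # USD side of the deepest constant-product pool
    circulating_supply: float
    trades_24h: int
    unique_traders_24h: int


# Constructed policy thresholds (a real protocol would tune these).
MIN_QUOTE_DEPTH_USD = 100_000.0   # pools thinner than this cannot absorb a liquidation
MIN_UNIQUE_TRADERS = 25           # price history needs independent participants
MAX_TRADES_PER_TRADER = 20.0      # dense trading among few wallets is a wash pattern


def liquidation_capacity_usd(quote_reserve_usd: float, max_slippage: float = 0.05) -> float:
    """USD a constant-product (x*y=k) pool yields before its price falls by max_slippage.

    Selling into the pool until price = (1 - s) * p0 withdraws y * (1 - sqrt(1 - s))
    of the quote reserve y; that is the most collateral a liquidator could realistically
    unwind without crashing the price, independent of what the oracle reports.
    """
    return quote_reserve_usd * (1.0 - (1.0 - max_slippage) ** 0.5)


def evaluate(c: CollateralCandidate) -> dict:
    """Return an admission decision with reasons and a depth-based collateral cap."""
    reasons = []
    if c.quote_reserve_usd < MIN_QUOTE_DEPTH_USD:
        reasons.append(f"pool depth ${c.quote_reserve_usd:,.0f} below minimum")
    if c.unique_traders_24h < MIN_UNIQUE_TRADERS:
        reasons.append(f"only {c.unique_traders_24h} unique traders in 24h")
    trades_per_trader = c.trades_24h / max(c.unique_traders_24h, 1)
    if trades_per_trader > MAX_TRADES_PER_TRADER:
        reasons.append(f"{trades_per_trader:.0f} trades per trader (wash-trading pattern)")

    # The oracle-implied valuation is reported for context; it never drives the cap.
    implied_market_cap = c.oracle_price_usd * c.circulating_supply
    cap = liquidation_capacity_usd(c.quote_reserve_usd)
    return {
        "symbol": c.symbol,
        "accepted": not reasons,
        "reasons": reasons,
        "implied_market_cap_usd": implied_market_cap,
        "max_collateral_usd": 0.0 if reasons else cap,
    }


# Constructed candidates: a manufactured token with a $500 pool, and a deep, widely traded asset.
THIN_TOKEN = CollateralCandidate("FAKE", 1.00, 250.0, 750_000_000, 400, 3)
DEEP_ASSET = CollateralCandidate("DEEP", 150.00, 20_000_000.0, 500_000_000, 50_000, 4_000)


if __name__ == "__main__":
    for cand in (THIN_TOKEN, DEEP_ASSET):
        print(evaluate(cand))
```

The point of the cap is that a token's oracle price can be manufactured, but the quote-side reserve that would actually have to pay out in a liquidation cannot; bounding collateral by that depth (here about 2.5% of the quote reserve at 5% slippage) removes the incentive to fabricate a price history in the first place.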
Durable Nonces: The Governance Weapon
The attack’s most novel element exploited a legitimate Solana feature called durable nonces. By obtaining two approvals under false pretenses from Drift’s five-member Security Council multisig, the attacker pre-signed transactions that remained valid for more than a week, then used them to seize protocol-level control in minutes.
A multisig — short for multi-signature — is a governance structure in which several people must approve any administrative action, so compromising one person is insufficient. Ordinary Solana transactions reference a recent blockhash and expire within a minute or two if they are not submitted; a durable nonce replaces that blockhash with a value held in a nonce account, so a transaction can be pre-signed and executed later, a feature designed for operational convenience. In this attack, the attackers obtained two of the five council members’ signatures, enough to meet the multisig’s two-of-five threshold, through social engineering — presenting the signers with what appeared to be routine transactions — and held those approvals dormant until execution day.
When Drift executed a legitimate Security Council migration on March 27, the attacker adapted. By March 30, new nonce activity appeared tied to a member of the updated multisig, indicating the attacker had re-obtained the required two-of-five approval threshold under the new configuration.
On April 1, two transactions, four slots apart on the Solana blockchain, created and approved a malicious admin transfer, then executed it. Within minutes, the attacker had full control of Drift’s protocol-level permissions and used it to introduce a fraudulent withdrawal mechanism and drain the vaults.
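Because a durable-nonce transaction is structurally distinct (Solana requires its first instruction to be a System Program nonce advance), a monitoring pipeline can surface pre-signed governance approvals long before they execute. The scanner below is an added example, not Drift's tooling or any vendor's detection rule. It assumes the shape of Solana RPC `getTransaction` output with `jsonParsed` encoding, in which that instruction appears as `parsed.type == "advanceNonce"` under the System Program; the council signer addresses, multisig program address, and the three sample transactions are constructed.

```python
"""Flag durable-nonce transactions that involve governance multisig signers.

Added example (not Drift's code). Assumes jsonParsed getTransaction output;
the watch list, multisig program address and sample transactions are constructed.
"""
from typing import Optional

SYSTEM_PROGRAM = "11111111111111111111111111111111"   # Solana System Program id

# Constructed watch list: the addresses that sign for the governance multisig.
COUNCIL_SIGNERS = {"CouncilSignerA111", "CouncilSignerB222", "CouncilSignerC333"}
# Constructed address of the multisig program whose approvals are governance-relevant.
MULTISIG_PROGRAM = "MultisigProgram999"


def is_durable_nonce_tx(message: dict) -> bool:
    """Durable-nonce transactions must begin with a System Program advanceNonce."""
    instructions = message.get("instructions", [])
    if not instructions:
        return False
    first = instructions[0]
    return (first.get("programId") == SYSTEM_PROGRAM
            and first.get("parsed", {}).get("type") == "advanceNonce")


def analyze(tx: dict) -> Optional[dict]:
    """Return a finding for a durable-nonce transaction, or None for an ordinary one."""
    message = tx["transaction"]["message"]
    if not is_durable_nonce_tx(message):
        return None
    nonce_info = message["instructions"][0]["parsed"]["info"]
    signers = {a["pubkey"] for a in message["accountKeys"] if a.get("signer")}
    council_hits = sorted(signers & COUNCIL_SIGNERS)
    touches_multisig = any(ix.get("programId") == MULTISIG_PROGRAM
                           for ix in message["instructions"][1:])
    # Durable nonces are legitimate ops tooling, so the finding is a review trigger:
    # a council signer pre-signing is notable, and pre-signing a multisig action more so.
    if council_hits and touches_multisig:
        severity = "high"
    elif council_hits:
        severity = "medium"
    else:
        severity = "info"
    return {
        "signature": tx["transaction"]["signatures"][0],
        "nonce_account": nonce_info.get("nonceAccount"),
        "nonce_authority": nonce_info.get("nonceAuthority"),
        "council_signers": council_hits,
        "touches_multisig": touches_multisig,
        "severity": severity,
    }


def scan(txs: list) -> list:
    """Run analyze() over a batch and keep only durable-nonce findings."""
    return [f for f in (analyze(tx) for tx in txs) if f is not None]


def _tx(sig, keys, instructions):
    """Build a constructed jsonParsed-shaped transaction record."""
    return {"transaction": {"signatures": [sig], "message": {
        "accountKeys": [{"pubkey": k, "signer": s} for k, s in keys],
        "instructions": instructions}}}


def _sys(ix_type, info):
    return {"programId": SYSTEM_PROGRAM, "program": "system",
            "parsed": {"type": ix_type, "info": info}}


# Constructed sample batch: a plain transfer, an unrelated bot's durable-nonce
# transfer, and a council member pre-signing a multisig instruction.
SAMPLE_TXS = [
    _tx("sigPlainTransfer",
        [("UserWallet0001", True), ("UserWallet0002", False), (SYSTEM_PROGRAM, False)],
        [_sys("transfer", {"source": "UserWallet0001", "destination": "UserWallet0002",
                           "lamports": 1000})]),
    _tx("sigNonceUnrelated",
        [("OpsBot0001", True), ("NonceAcct0001", False), (SYSTEM_PROGRAM, False)],
        [_sys("advanceNonce", {"nonceAccount": "NonceAcct0001", "nonceAuthority": "OpsBot0001"}),
         _sys("transfer", {"source": "OpsBot0001", "destination": "Payee0001", "lamports": 5000})]),
    _tx("sigCouncilApproval",
        [("CouncilSignerB222", True), ("NonceAcct0002", False), (MULTISIG_PROGRAM, False)],
        [_sys("advanceNonce", {"nonceAccount": "NonceAcct0002",
                               "nonceAuthority": "CouncilSignerB222"}),
         {"programId": MULTISIG_PROGRAM, "accounts": ["CouncilSignerB222"], "data": "approve"}]),
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_TXS):
        print(finding)
```

The same structural property makes a signer-side control straightforward: a wallet or signing policy for council members can refuse, or require an explicit second confirmation for, any transaction whose first instruction is a nonce advance, since a routine approval has no reason to be valid beyond the normal blockhash window.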
DPRK Attribution and Laundering
Investigators attributed the attack to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet, based on both on-chain fund flows tracing back to the Radiant Capital attackers and operational overlap with known DPRK-linked personas.
Stolen assets were consolidated and swapped into USDC and SOL, then partially bridged to Ethereum using Circle’s Cross-Chain Transfer Protocol. On Ethereum, portions were converted into ETH while some funds moved through centralized exchanges. On-chain investigator ZachXBT publicly criticized Circle for failing to freeze the stolen USDC despite it crossing during U.S. business hours, contrasting that inaction with Circle’s recent decision to freeze unrelated corporate wallets in a civil case.
If confirmed, the Drift incident would represent the eighteenth DPRK-linked crypto theft Elliptic has tracked in 2026, with over $300 million stolen to date. DPRK-linked actors have stolen over $6.5 billion in cryptoassets in recent years, with proceeds linked to funding North Korea’s weapons programs.
The Drift exploit did not occur in isolation. It landed on the same day multiple security vendors attributed the Axios npm supply chain attack to North Korean group UNC1069 — a simultaneous two-front operation against the software development ecosystem and the crypto finance layer that funds Pyongyang’s strategic programs.
Drift has frozen all protocol functions, removed the compromised wallet from the multisig, and is coordinating with security firms, exchanges, bridges, and law enforcement to trace and recover stolen assets. A detailed postmortem is expected. The DRIFT token fell more than 20% following news of the exploit.
