North Korean Hackers Behind $285 Million Drift Protocol Attack

On April 2, 2026, Drift Protocol confirmed that attackers drained approximately USD 285 million in user assets on April 1, 2026. This is the largest DeFi hack of 2026 — and the second-largest exploit in Solana's history, behind only the USD 326 million Wormhole bridge hack in 2022. The attack did not begin on April 1. On-chain staging began weeks earlier, on March 11th, with a single withdrawal of 10 ETH from Tornado Cash. These ETH began moving hours later at around 12:00 AM GMT on March 12th — or around 09:00 Pyongyang time — and shortly after funded the deployment of CarbonVote (CVT), the token used to manipulate Drift.

The critical vulnerability was not a smart contract bug but a combination of social engineering multisig signers into pre-signing hidden authorizations and a zero-timelock Security Council migration that eliminated the protocol's last line of defense. The attacker manufactured an entirely fictitious asset — CarbonVote Token — with a few thousand dollars in seeded liquidity and wash trading, and Drift's oracles treated it as legitimate collateral worth hundreds of millions of dollars. Three lessons are immediately apparent. First, timelocks on governance and admin actions are a critical safeguard — their removal, as happened here on March 27, eliminated the detection window that makes intervention possible. Second, oracle design requires defense-in-depth: protocols should require minimum liquidity thresholds, time-weighted price validation, and circuit breakers before accepting any asset as collateral.