Drift Protocol has revealed that the devastating $285 million hack on April 1, 2026, was the result of a six-month social engineering operation orchestrated by North Korean state-sponsored hackers. The attack, attributed to the DPRK-linked group UNC4736 (also known as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces), represents the largest DeFi hack of 2026 and the second-largest in Solana's history.

The operation began in fall 2025 at crypto conferences, where the attackers posed as quantitative trading firms to build relationships with Drift developers. They used fake identities, delivered malware through shared tools and links, and eventually gained administrative access by compromising multisig signers. On-chain, the attack used Solana durable nonces to pre-sign transactions: a durable-nonce transaction carries a stored nonce in place of a recent blockhash, so it does not expire after the usual roughly one-minute window and can be signed well before it is broadcast. The attackers also manipulated oracle price feeds using a fictitious CarbonVote token.
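The durable-nonce mechanism is what makes a pre-signed transaction dangerous: once a signer approves it, it stays valid until the nonce is advanced, however long that takes. The Solana runtime requires every durable-nonce transaction to start with a System Program `AdvanceNonceAccount` instruction, which gives signers and monitoring tooling a cheap check. The following is an added example written for this article, not code from Drift Protocol, TRM Labs or any Solana project. It models the transaction shape returned by the `getTransaction` RPC method with `encoding: "json"` and flags any transaction whose first instruction is `AdvanceNonceAccount`. The two sample transactions, their account addresses and amounts are constructed placeholders.

```python
"""Flag Solana durable-nonce transactions before signing or during monitoring.

Runtime facts relied on: a durable-nonce transaction must have a System Program
AdvanceNonceAccount instruction (discriminant 4, bincode u32 little-endian) as
its FIRST instruction, its accounts are [nonce account, RecentBlockhashes sysvar,
nonce authority], and the message's recentBlockhash field holds the stored nonce
rather than a real blockhash. Everything else here is a constructed sample.
"""
import json

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
SYSVAR_RECENT_BLOCKHASHES = "SysvarRecentB1ockHashes11111111111111111111"
TRANSFER = 2                # SystemInstruction::Transfer discriminant
ADVANCE_NONCE_ACCOUNT = 4   # SystemInstruction::AdvanceNonceAccount discriminant


def b58decode(s: str) -> bytes:
    """Minimal base58 decoder (leading '1' characters map to leading zero bytes)."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(b: bytes) -> str:
    """Minimal base58 encoder, used only to build the constructed samples."""
    n = int.from_bytes(b, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    pad = len(b) - len(b.lstrip(b"\x00"))
    return "1" * pad + out


def describe_durable_nonce(tx: dict):
    """Return nonce details if `tx` is a durable-nonce transaction, else None.

    `tx` follows the getTransaction "json" encoding: instructions reference
    accountKeys by index and carry base58-encoded instruction data.
    """
    msg = tx["transaction"]["message"]
    keys = msg["accountKeys"]
    ixs = msg.get("instructions", [])
    if not ixs:
        return None
    first = ixs[0]
    # Only the first instruction counts; an AdvanceNonceAccount elsewhere does
    # not make the transaction a durable-nonce transaction.
    if keys[first["programIdIndex"]] != SYSTEM_PROGRAM_ID:
        return None
    data = b58decode(first["data"])
    if len(data) < 4 or int.from_bytes(data[:4], "little") != ADVANCE_NONCE_ACCOUNT:
        return None
    accs = first["accounts"]
    return {
        "nonce_account": keys[accs[0]],
        "nonce_authority": keys[accs[2]],
        "nonce_value": msg["recentBlockhash"],  # stored nonce, never expires on its own
    }


def _transfer_ix(program_idx: int, lamports: int) -> dict:
    data = TRANSFER.to_bytes(4, "little") + lamports.to_bytes(8, "little")
    return {"programIdIndex": program_idx, "accounts": [0, 1], "data": b58encode(data)}


# Constructed samples: addresses below are placeholders, not real accounts.
SAMPLE_NORMAL_TX = {"transaction": {"message": {
    "accountKeys": ["Payer111111111111111111111111111111111111111",
                    "Dest1111111111111111111111111111111111111111",
                    SYSTEM_PROGRAM_ID],
    "recentBlockhash": "RecentB1ockhashP1aceho1der1111111111111111111",
    "instructions": [_transfer_ix(2, 1_000_000)],
}}}

SAMPLE_NONCE_TX = {"transaction": {"message": {
    "accountKeys": ["Payer111111111111111111111111111111111111111",
                    "Dest1111111111111111111111111111111111111111",
                    "NonceAcct11111111111111111111111111111111111",
                    SYSVAR_RECENT_BLOCKHASHES,
                    SYSTEM_PROGRAM_ID],
    "recentBlockhash": "StoredNonceVa1ueP1aceho1der111111111111111111",
    "instructions": [
        {"programIdIndex": 4, "accounts": [2, 3, 0],
         "data": b58encode(ADVANCE_NONCE_ACCOUNT.to_bytes(4, "little"))},
        _transfer_ix(4, 1_000_000),
    ],
}}}


if __name__ == "__main__":
    for name, tx in (("normal", SAMPLE_NORMAL_TX), ("durable-nonce", SAMPLE_NONCE_TX)):
        print(name, json.dumps(describe_durable_nonce(tx)))
```

A multisig signer UI or a pre-signing policy check can run `describe_durable_nonce` on every proposal and refuse, or escalate, anything that returns a result: a non-expiring transaction signed today is an open liability until the nonce account is advanced or the authority is rotated.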

A TRM Labs investigation confirms links to previous North Korean crypto attacks, including the $53 million Radiant Capital hack in October 2024. The stolen funds were rapidly bridged to Ethereum through Circle's Cross-Chain Transfer Protocol (CCTP), with the attackers moving hundreds of millions of dollars in USDC with unprecedented confidence and speed.