In arguably one of the most audacious cryptocurrency thefts of the year, attackers believed to be linked to North Korea siphoned approximately $285 million in user funds from Drift Protocol on April 1, 2026. TRM Labs pointed out that the operation, completed in roughly 12 minutes, stands as the largest decentralized finance (DeFi) exploit of 2026 and the second-biggest breach in Solana blockchain history, trailing only the 2022 Wormhole incident.
Drift Protocol operates as Solana’s decentralized perpetual futures exchange, enabling traders to open leveraged positions without relying on traditional intermediaries.
The platform had accumulated billions in total value locked, making it an attractive high-stakes target for sophisticated adversaries.
Blockchain intelligence specialists at TRM Labs revealed that the assault was far from impulsive.
Preparations unfolded over nearly three weeks, beginning March 11 with the withdrawal of 10 ETH from Tornado Cash, a mixer frequently tied to illicit finance.
Hours later—around 9:00 a.m. Pyongyang time on March 12—these funds seeded the creation of a completely fabricated cryptocurrency called CarbonVote Token (CVT).
Between March 23 and March 30, the perpetrators leveraged Solana’s durable nonce feature to set up pre-signed transaction accounts.
Through targeted social engineering, they persuaded members of Drift’s Security Council multisignature group to approve seemingly harmless transactions that secretly embedded elevated administrative privileges.
In a fateful parallel move on March 27, Drift updated its Security Council to a 2-out-of-5 approval model with zero timelock delay, stripping away the final safeguard that could have allowed time for intervention.
While building their covert infrastructure, the attackers simultaneously engineered artificial legitimacy for CVT.
They minted 750 million tokens, injected a few thousand dollars of liquidity on the Raydium decentralized exchange, and conducted wash trades to fabricate a price history hovering near $1.
Drift’s price oracles, relying on this manipulated market data, accepted the fictitious asset as legitimate collateral potentially worth hundreds of millions.
On April 1, the pre-signed authorizations were activated in rapid succession.
The attackers first listed CVT as approved collateral, dramatically inflated withdrawal limits, and flooded the protocol with hundreds of millions in the fake token.
Thirty-one swift withdrawal transactions then emptied genuine assets—primarily USDC stablecoin and JLP liquidity provider tokens—from multiple vaults.
Within hours, the bulk of the stolen funds was bridged to the Ethereum network in large, confident transfers that moved millions at a time.
Drift Protocol responded swiftly by confirming the breach on April 2, suspending all deposits and withdrawals, and watching its native DRIFT token plunge more than 40 percent.
TRM Labs’ on-chain analysis—citing Tornado Cash usage, precise timing aligned with North Korean business hours, aggressive cross-chain bridging patterns, and laundering tactics mirroring the 2025 Bybit exploit—points strongly to state-sponsored North Korean involvement.
The incident exposes critical weaknesses beyond smart-contract flaws: inadequate multisignature hygiene, over-reliance on oracles lacking liquidity thresholds or circuit breakers, and the dangers of removing timelocks on governance actions.
TRM Labs further noted that security experts now urge DeFi projects to reinstate mandatory delays for administrative changes, demand full transaction transparency before multisig approvals, and strengthen oracle validation protocols to prevent similar manufactured-asset scams.
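Two of the safeguards named above, an oracle admission gate that refuses or caps collateral credit for thinly traded assets and a timelocked queue for administrative changes, as an added Python example that is not Drift's or TRM Labs' code. The `AssetSnapshot` fields, the policy thresholds and the sample values are constructed assumptions, not the protocol's real parameters.

```python
from dataclasses import dataclass, field

@dataclass
class AssetSnapshot:
    symbol: str
    oracle_price_usd: float      # price the oracle feed currently reports
    pool_liquidity_usd: float    # quoted depth of the deepest DEX pool
    distinct_traders_30d: int    # distinct counterparties over 30 days
    listed_days: int             # age of the asset on-chain

# Hypothetical policy thresholds (assumptions); a real protocol would tune these.
MIN_POOL_LIQUIDITY_USD = 5_000_000
MIN_DISTINCT_TRADERS = 500
MIN_LISTED_DAYS = 90
DEPTH_HAIRCUT = 0.10             # credit at most 10% of pool depth as collateral

def collateral_credit(asset: AssetSnapshot, deposit_units: float):
    """Return (credited_usd, reasons): 0 if the asset fails admission,
    otherwise the oracle value capped by on-chain liquidity depth."""
    reasons = []
    if asset.pool_liquidity_usd < MIN_POOL_LIQUIDITY_USD:
        reasons.append("pool liquidity below threshold")
    if asset.distinct_traders_30d < MIN_DISTINCT_TRADERS:
        reasons.append("too few distinct traders (wash-trade risk)")
    if asset.listed_days < MIN_LISTED_DAYS:
        reasons.append("asset too new for collateral")
    if reasons:
        return 0.0, reasons
    nominal = deposit_units * asset.oracle_price_usd
    cap = asset.pool_liquidity_usd * DEPTH_HAIRCUT
    if nominal > cap:
        return cap, ["credit capped by liquidity depth"]
    return nominal, []

@dataclass
class TimelockedQueue:
    """Admin actions (e.g. listing collateral, raising withdrawal limits)
    execute only after min_delay seconds have elapsed since proposal."""
    min_delay: float
    queued: dict = field(default_factory=dict)

    def propose(self, action_id: str, proposed_at: float) -> None:
        self.queued[action_id] = proposed_at

    def execute(self, action_id: str, now: float) -> bool:
        proposed_at = self.queued.get(action_id)
        if proposed_at is None or now - proposed_at < self.min_delay:
            return False                      # unknown or still inside the delay window
        del self.queued[action_id]            # one-shot: cannot be replayed
        return True
```

With a zero `min_delay`, as in the 2-of-5 configuration the article describes, `execute` succeeds immediately and the queue provides no intervention window.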
As investigators track the laundered proceeds across chains, the $285 million heist serves as yet another wake-up call that even ostensibly advanced decentralized platforms remain vulnerable when human and procedural safeguards fail. The TRM Labs report concluded that the crypto community awaits updates on potential recoveries and the broader regulatory fallout.