Crypto Project Details Alleged 6-Month North Korean Intel Op Behind $285 Million Hack

The Solana-based crypto protocol Drift suffered a $285 million exploit on April 1, 2026, following a sophisticated six-month intelligence operation linked to North Korean state-affiliated hacking groups.

Key Points

  • Attackers drained $285 million in assets, including USDC, JLP, and SOL, by manipulating price-checking tools with 750 million fake CarbonVote Tokens.
  • The breach was facilitated by a March 27 security update that reduced multi-signature requirements and removed critical transaction waiting periods.
  • Forensic analysis by TRM Labs and Elliptic identified North Korean state-affiliated actors, citing behavioral patterns and on-chain staging consistent with previous hacks.
  • The attackers gained access to private keys through social engineering, including the distribution of malicious TestFlight apps and exploitation of code repository vulnerabilities.
  • The operation involved third-party intermediaries who spent months building trust with Drift contributors at international conferences before executing the 12-minute theft.

Why it Matters

This incident highlights the lengths to which state-sponsored actors will go to infiltrate decentralized finance protocols, combining long-term social engineering with the exploitation of operational security lapses. The breach raises significant questions regarding the professional negligence of project teams managing hundreds of millions in user funds without adequate compartmentalization of signing keys.
Gizmodo.com Published by Kyle Torpey