North Korean hackers exploited governance vulnerabilities at Drift Protocol on April 1, 2026, stealing $285 million in assets after tricking security council members into signing malicious administrative transactions.

Key Points

• Attackers drained $285 million from the Solana-based perpetual futures exchange in approximately 12 minutes.
• The exploit utilized social engineering to manipulate multisig signers into authorizing transactions via durable nonces.
• Perpetrators manufactured a fake asset, CarbonVote Token, to manipulate oracle pricing and gain unauthorized collateral status.
• Drift Protocol’s total value locked dropped from $550 million to $252 million, with the DRIFT token price falling 40%.
• Forensic analysis by TRM Labs and Elliptic links the attack patterns to state-sponsored North Korean cyber operations.
• Nearly 20 interconnected DeFi protocols reported varying levels of exposure following the breach.

Why it Matters

This incident highlights a critical shift in cyber threats where attackers bypass secure smart contracts by targeting human administrative processes and governance structures. It demonstrates that traditional code audits are insufficient, forcing the DeFi industry to re-evaluate how multisig security and timelock protocols are managed to prevent catastrophic losses.