Imagine waking up to find your digital piggy bank ransacked, not by a masked bandit but by a state-sponsored hacker collective with a penchant for Pyongyang time zones. That’s exactly what happened to Drift Protocol, a Solana-based perpetual futures exchange, which lost $286 million in 12 minutes on April 1, 2026. Yes, April Fool’s Day, because nothing says “prank” like a quarter-billion-dollar heist.
DPRK Lazarus Group: The Crypto Grinches Who Stole Solana’s Christmas
Drift Protocol, the self-proclaimed “largest decentralized perpetual futures exchange” on the Solana network, watched its total value locked (TVL) plummet from $550 million to under $250 million faster than you can say “blockchain.” As of now, it’s sitting at a humble $232 million. Bitcoin.com News was first to break the story, because nothing says “journalism” like reporting on a digital bank robbery. The DRIFT token, meanwhile, took a nosedive, dropping 37%-42% and bottoming out near $0.04 to $0.05. Ouch.
The attack, as it turns out, wasn’t your run-of-the-mill code exploit. Oh no. It started with a Tornado Cash withdrawal on March 11, because nothing screams “legitimate transaction” like using a privacy protocol. The attacker then deployed the carbonvote token (CVT) on March 12, conveniently around 9:00 AM Pyongyang time. Coincidence? Probably not. Blockchain analysts noted this timestamp with the subtlety of a neon sign flashing “SUSPECT.”

Over the next three weeks, the attacker seeded minimal liquidity for CVT on the Raydium decentralized exchange and engaged in wash trading to keep the price at a tidy $1.00. Drift’s oracles bought it hook, line, and sinker. The fake collateral looked so real, it could’ve fooled a blockchain auditor, and it did.
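A collateral-admission check for the thin-liquidity, wash-traded price described above, as an added example that is not from the article or from Drift's code. It assumes a constant-product pool; the pool sizes, trades, wallet names and thresholds are constructed, and `wash_share` is a simple heuristic.

```python
from collections import Counter

# Constructed sample: (buyer, seller, quantity) fills on a thin pool.
SAMPLE_TRADES = [("w1", "w2", 100), ("w2", "w1", 100), ("w1", "w2", 100),
                 ("w3", "w1", 10), ("w4", "w5", 5)]

def exit_value(deposit, reserve_token, reserve_quote):
    """Quote tokens received for selling `deposit` into an x*y=k pool, fees ignored."""
    return reserve_quote * deposit / (reserve_token + deposit)

def credited_value(deposit, oracle_price, reserve_token, reserve_quote, haircut=0.5):
    """Credit the lesser of the oracle value and a haircut on what could be sold."""
    realizable = haircut * exit_value(deposit, reserve_token, reserve_quote)
    return min(deposit * oracle_price, realizable)

def wash_share(trades, top_n=3):
    """Fraction of volume whose buyer and seller are both among the top_n wallets."""
    activity = Counter()
    for buyer, seller, qty in trades:
        activity[buyer] += qty
        activity[seller] += qty
    cluster = {wallet for wallet, _ in activity.most_common(top_n)}
    total = sum(qty for _, _, qty in trades)
    inside = sum(qty for b, s, qty in trades if b in cluster and s in cluster)
    return inside / total if total else 0.0

def admit_collateral(trades, reserve_quote, min_depth=1_000_000, max_wash=0.5):
    """Return the reasons to refuse a listing; an empty list means no objection."""
    reasons = []
    if reserve_quote < min_depth:
        reasons.append("pool depth below minimum")
    if wash_share(trades) > max_wash:
        reasons.append("volume concentrated in few wallets")
    return reasons

if __name__ == "__main__":
    deposit, pool = 500_000_000, (5_000, 5_000)   # constructed figures
    print("oracle value :", deposit * 1.00)
    print("credited     :", round(credited_value(deposit, 1.00, *pool), 2))
    print("objections   :", admit_collateral(SAMPLE_TRADES, pool[1]))
```

With these constructed numbers, a deposit priced at $500 million by the oracle could be sold into the pool for just under $5,000, which is the gap the risk engine has to account for.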
“Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers,” the Drift team wrote, probably while frantically Googling “how to recover $286 million.”
The project’s X account added, with the kind of understatement usually reserved for obituaries:
“This was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution.”
Between March 23 and March 30, the attacker moved from the digital realm to the human one. Using Solana’s durable nonces, they convinced members of Drift’s Security Council to pre-sign transactions that looked routine. These signatures became the keys to the kingdom, held in reserve until the attacker was ready to strike. On March 27, Drift migrated its Security Council to a 2-of-5 signature threshold and removed its timelock. Because, you know, who needs a safety net when you’re juggling millions?
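A signer-side check for the pre-signing step described above, as an added example that is not from the article or from Drift. It parses a serialized Solana transaction message and reports whether its first instruction is the System Program's AdvanceNonceAccount, which marks a durable-nonce transaction whose signatures stay valid until the nonce account is advanced. The sample message and its placeholder keys are constructed.

```python
import struct

SYSTEM_PROGRAM = bytes(32)  # base58 "111...1" decodes to 32 zero bytes
ADVANCE_NONCE = 4           # SystemInstruction::AdvanceNonceAccount (u32 LE tag)

def _shortvec(buf, i):
    """Decode a compact-u16 length prefix; return (value, next_offset)."""
    val = shift = 0
    while True:
        b, i = buf[i], i + 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, i
        shift += 7

def durable_nonce_info(msg: bytes):
    """None for an ordinary message; details if it is nonce-backed."""
    i = (1 if msg[0] & 0x80 else 0) + 3      # optional version byte + header
    n_keys, i = _shortvec(msg, i)
    keys = [msg[i + 32 * k: i + 32 * (k + 1)] for k in range(n_keys)]
    i += 32 * n_keys + 32                    # skip keys and blockhash/nonce field
    n_ix, i = _shortvec(msg, i)
    if n_ix == 0:
        return None
    prog, i = msg[i], i + 1                  # only the first instruction matters
    n_acc, i = _shortvec(msg, i)
    accts, i = list(msg[i:i + n_acc]), i + n_acc
    dlen, i = _shortvec(msg, i)
    data = msg[i:i + dlen]
    if prog >= n_keys or keys[prog] != SYSTEM_PROGRAM or len(data) < 4:
        return None
    if struct.unpack_from("<I", data)[0] != ADVANCE_NONCE or len(accts) < 3:
        return None
    return {"nonce_account": keys[accts[0]].hex(),
            "nonce_authority": keys[accts[2]].hex(),
            "other_instructions": n_ix - 1}

def _ix(prog, accts, data):
    """Constructed helper: encode one instruction (all lengths under 128)."""
    return bytes([prog, len(accts), *accts, len(data)]) + data

def sample_message(durable: bool) -> bytes:
    """Constructed test message: 5 placeholder keys, 2 instructions."""
    keys = [bytes([1]) * 32, bytes([2]) * 32, bytes([3]) * 32,
            SYSTEM_PROGRAM, bytes([5]) * 32]
    first = (_ix(3, [1, 2, 0], struct.pack("<I", ADVANCE_NONCE)) if durable
             else _ix(3, [0, 1], struct.pack("<IQ", 2, 1000)))  # 2 = Transfer
    return (bytes([1, 0, 3, len(keys)]) + b"".join(keys) + bytes([9]) * 32
            + bytes([2]) + first + _ix(4, [0], b"\x00"))
```

A signing policy can refuse or escalate any request for which `durable_nonce_info` returns a result, since the signer cannot rely on the transaction expiring on its own.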
On April 1, the attacker activated the pre-signed transactions, listed CVT as valid collateral, raised withdrawal limits, and deposited hundreds of millions in CVT tokens. Drift’s risk engine, bless its heart, issued real assets in exchange. The protocol handed over millions in JLP tokens, USDC, SOL, and smaller amounts of wrapped bitcoin and ethereum. Thirty-one withdrawal transactions cleared in roughly 12 minutes. Faster than a pizza delivery, but with far more devastating consequences.
The attacker then converted the stolen tokens to USDC using Jupiter, bridged to Ethereum, and swapped into tens of thousands of ETH. Some funds were routed through Hyperliquid, and a portion moved directly to Binance. On April 3, Drift sent an onchain message to four hacker-controlled wallets that read: “We are ready to speak.” Because nothing says “we’re desperate” like a blockchain DM.
Security firms Elliptic and TRM Labs attributed the attack to DPRK-linked threat actors, citing the Tornado Cash origin, Pyongyang-time deployment, and the post-hack laundering speed. The Lazarus Group has a history of this, having pulled a similar stunt in the 2022 Ronin bridge hack. The U.S. government has tied these thefts to North Korea’s weapons program, because nothing says “global superpower” like funding missiles with stolen crypto.
The fallout spread to over 20 protocols. Prime Numbers Fi lost millions, Carrot Protocol paused functions after 50% of its TVL was affected, and Pyra Protocol disabled withdrawals entirely. Piggybank lost $106,000 and reimbursed users from its own treasury, because apparently they’re the only ones with a conscience.
DeFi Development Corp., a Nasdaq-listed company with a Solana treasury strategy, confirmed it had no Drift exposure. This announcement drew more attention than they probably wanted, because nothing says “look at me” like bragging about not losing money in a heist.
The lesson here? A timelock is not optional. Removing that safeguard turned a complex, multi-week attack into a 12-minute cash grab. Protocol governance without a delay mechanism is like leaving your front door wide open with a sign that says, “Free crypto inside.”
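The effect of the delay, as an added toy model that is not from the article or from Drift's governance code. It replays two of the admin steps named above through a 2-of-5 council with and without a timelock; the single-member veto rule, the member names and the 10-minute monitor reaction are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class AdminQueue:
    members: frozenset
    threshold: int
    delay_s: int                                   # 0 models a council with no timelock
    pending: dict = field(default_factory=dict)    # action -> earliest execution time
    executed: list = field(default_factory=list)

    def submit(self, action, signers, now):
        """Accept an action once enough distinct council members have signed."""
        if len(set(signers) & self.members) < self.threshold:
            raise PermissionError("threshold not met")
        self.pending[action] = now + self.delay_s
        self.run_due(now)

    def veto(self, action, member, now):
        """Assumed rule: any single member may cancel an action not yet executed."""
        self.run_due(now)
        if member in self.members and action in self.pending:
            del self.pending[action]
            return True
        return False

    def run_due(self, now):
        """Execute every pending action whose delay has elapsed."""
        for action, eta in sorted(self.pending.items(), key=lambda kv: kv[1]):
            if eta <= now:
                self.executed.append(action)
                del self.pending[action]

def replay(delay_s):
    """Submit both actions at t=0; a monitor vetoes at t=600 s; stop at t=720 s."""
    q = AdminQueue(frozenset("ABCDE"), threshold=2, delay_s=delay_s)
    actions = ["list CVT as collateral", "raise withdrawal limits"]
    for a in actions:
        q.submit(a, signers=["A", "B"], now=0)     # pre-signed approvals land together
    vetoed = [a for a in actions if q.veto(a, "C", now=600)]
    q.run_due(now=720)                             # 12 minutes after submission
    return q.executed, vetoed

if __name__ == "__main__":
    print("no timelock :", replay(0))
    print("48h timelock:", replay(48 * 3600))
```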
The next 48 hours were critical for Drift’s ability to retain user trust and map a recovery path. As of April 3, no reimbursement plan had been announced. But hey, at least they’re ready to speak. Progress?
FAQ 🔎
- What happened to Drift Protocol? Attackers drained $286 million using fake collateral and pre-signed transactions to empty the vaults in 12 minutes. Faster than a Black Friday sale.
- Who’s behind this? Security firms point to DPRK-linked actors, aka North Korea’s crypto heist squad. Pyongyang time zone was a dead giveaway.
- Is my money safe? Drift suspended deposits and withdrawals. If you’re in affected protocols like Pyra or Carrot, your funds are as inaccessible as a locked safe with a lost key.
- What’s a durable nonce attack? It’s a fancy way of saying the attacker used a legitimate feature to pre-sign transactions, holding them until it was time to strike. Sneaky.
2026-04-03 17:27