On April 1, 2026, attackers drained approximately $285 million in user assets from Drift Protocol, the largest decentralized perpetual futures exchange on the Solana blockchain. The actual vault drain took roughly 10 seconds. Drift confirmed the attack the following day, noting it was not an April Fools' joke. The SEAL 911 security team attributed the operation with medium-high confidence to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus and Citrine Sleet.
Six Months of Groundwork
The operation began in the fall of 2025, when individuals presenting as a quantitative trading firm approached Drift contributors at a major crypto industry conference and expressed interest in integrating with the protocol. A Telegram group was established at that first meeting. Over the following months, the same individuals met Drift contributors face to face at multiple industry events across several countries, building what appeared to be a legitimate long-term business relationship.
Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift, filled out the standard strategy form, participated in multiple working sessions with contributors, and deposited more than $1 million of their own capital to establish credibility. Interactions continued through February and March 2026. The individuals who appeared in person were not North Korean nationals. DPRK operations at this level routinely use third-party intermediaries carrying fully constructed professional identities, employment histories, and social networks built to withstand scrutiny.
The Infection Vectors
The technical compromise appears to have proceeded through two vectors. One contributor was persuaded to download a TestFlight application, presented as a wallet product the group was developing; TestFlight is Apple's platform for distributing pre-release software, which bypasses App Store review. A second contributor cloned a malicious code repository presented as a website-building tool for the group's vault. That repository exploited a known vulnerability in VS Code and Cursor, widely flagged by security researchers between December 2025 and February 2026, in which simply opening a file or folder silently executes arbitrary code with no user prompt. Through these compromises, the attackers obtained the device access needed to gather multisig approvals.
The Attack: Fake Token, Hijacked Governance
On-chain staging began March 11 with a 10 ETH withdrawal from Tornado Cash. The attackers then manufactured an entirely fictitious asset, CarbonVote Token (CVT), minting 750 million units and seeding a few thousand dollars in liquidity while wash trading the price to near $1. Drift’s oracles subsequently treated CVT as legitimate collateral worth hundreds of millions of dollars. The CVT deployment was timed to approximately 9:30 AM Pyongyang time.
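The failure described above is a valuation that trusts a price feed without asking whether the market behind that price could ever absorb the position. The following is an added illustration, not Drift's code or its oracle logic: it contrasts a feed-only collateral valuation with one that caps credit at a fraction of real on-chain liquidity and refuses assets without a track record. The CVT-like numbers (750 million units near $1 backed by a few thousand dollars of liquidity) are constructed to match the scale the article describes; the 30-day listing age and 10% liquidity fraction are illustrative parameters, not protocol values.

```python
from dataclasses import dataclass


@dataclass
class ListingSnapshot:
    symbol: str
    oracle_price_usd: float     # what the price feed reports
    units_posted: float         # quantity a depositor wants counted as collateral
    pool_liquidity_usd: float   # USD actually sitting in on-chain liquidity pools
    daily_volume_usd: float     # reported 24h volume (wash trading inflates this, so it is capped too)
    listing_age_days: int       # days since the asset first appeared on-chain


def naive_collateral_value(s: ListingSnapshot) -> float:
    """Price feed times quantity: how a feed-only valuation sees the asset."""
    return s.oracle_price_usd * s.units_posted


def liquidity_capped_value(s: ListingSnapshot,
                           min_listing_age_days: int = 30,
                           liquidity_fraction: float = 0.10) -> float:
    """Collateral credit can never exceed what the market could absorb.

    Assets younger than min_listing_age_days get zero credit. Otherwise credit is
    capped at liquidity_fraction of the smaller of pool depth and daily volume,
    a rough proxy for what a liquidator could sell without collapsing the price.
    (Illustrative policy; parameters are assumptions, not any protocol's settings.)
    """
    if s.listing_age_days < min_listing_age_days:
        return 0.0
    nominal = naive_collateral_value(s)
    absorbable = min(s.pool_liquidity_usd, s.daily_volume_usd) * liquidity_fraction
    return min(nominal, absorbable)


# Constructed sample data: a freshly minted, wash-traded token and a long-listed major asset.
FAKE_TOKEN = ListingSnapshot("CVT", 0.98, 750_000_000, 4_000, 50_000, 21)
SEASONED_ASSET = ListingSnapshot("MAJOR", 150.0, 10_000, 20_000_000, 300_000_000, 900)


def compare(s: ListingSnapshot) -> dict:
    """Return both valuations side by side for one listing."""
    return {
        "symbol": s.symbol,
        "naive_usd": naive_collateral_value(s),
        "capped_usd": liquidity_capped_value(s),
    }


if __name__ == "__main__":
    for snap in (FAKE_TOKEN, SEASONED_ASSET):
        print(compare(snap))
```

Run as a script, the fake token is valued at roughly $735 million by the feed-only path and $0 by the capped path (it fails the age check; even with a long history it would earn only $400 of credit against $4,000 of liquidity), while the seasoned asset keeps its full $1.5 million because its liquidity cap is higher than its nominal value. The point is that a liquidity-aware cap bounds the damage of a manipulated price to the attacker's own liquidity outlay.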
On March 27, Drift migrated its Security Council to a new 2-of-5 multisig configuration with zero timelock, eliminating the detection window that would have allowed intervention. Using the device access they had already obtained, attackers socially engineered 2 of the 5 required signers into pre-approving transactions that appeared routine but carried hidden authorizations for critical admin actions. Those approvals were held dormant using durable nonces, a legitimate Solana feature that allows transactions to be pre-signed and executed at a later date without expiring.
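Durable-nonce transactions and a zero-timelock council are both things a monitoring pipeline can see before they fire. As an added example (not Drift's tooling and not Solana RPC output), the following models transactions in a simplified record format and flags two patterns from the paragraph above: a durable-nonce transaction carrying a Security Council signature that invokes the protocol's admin program, and a council configuration with no timelock or a threshold at or below half its membership. The one real identifier is the Solana System Program id; a durable-nonce transaction always begins with that program's nonce-advance instruction. The admin program id, signer names, and transaction signatures are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Tuple

SYSTEM_PROGRAM = "11111111111111111111111111111111"  # real Solana System Program id
ADVANCE_NONCE = "advanceNonce"  # the nonce-advance instruction; first in every durable-nonce tx
ADMIN_PROGRAM = "AdminProgPLACEHOLDER111111111111111111111111"  # constructed placeholder id


@dataclass
class Instruction:
    program_id: str
    kind: str           # instruction name in this simplified model


@dataclass
class Tx:
    signature: str
    signers: List[str]
    instructions: List[Instruction]
    slot: int


@dataclass
class CouncilConfig:
    threshold: int
    members: List[str]
    timelock_seconds: int


def is_durable_nonce_tx(tx: Tx) -> bool:
    """Durable-nonce transactions start with System Program advanceNonce."""
    if not tx.instructions:
        return False
    first = tx.instructions[0]
    return first.program_id == SYSTEM_PROGRAM and first.kind == ADVANCE_NONCE


def touches_program(tx: Tx, program_id: str) -> bool:
    return any(ix.program_id == program_id for ix in tx.instructions)


def flag_presigned_admin(txs: List[Tx], admin_program: str,
                         council: CouncilConfig) -> List[Tuple[str, str]]:
    """Alert on pre-signed (durable-nonce) txs where a council member's signature
    reaches the admin program: the combination that lets an approval sit dormant
    and execute later with no expiry."""
    alerts = []
    members = set(council.members)
    for tx in txs:
        council_sigs = members.intersection(tx.signers)
        if council_sigs and is_durable_nonce_tx(tx) and touches_program(tx, admin_program):
            alerts.append((tx.signature,
                           f"durable-nonce tx signed by council member(s) "
                           f"{sorted(council_sigs)} invokes admin program"))
    return alerts


def audit_council(council: CouncilConfig) -> List[str]:
    """Static checks on the council itself: no review window, or too few signers needed."""
    findings = []
    if council.timelock_seconds == 0:
        findings.append("zero timelock: approved actions execute with no review window")
    if council.threshold * 2 <= len(council.members):
        findings.append(f"{council.threshold}-of-{len(council.members)}: "
                        "at most half of the members can act alone")
    return findings


# Constructed sample data.
COUNCIL = CouncilConfig(2, ["councilA", "councilB", "councilC", "councilD", "councilE"], 0)
SAMPLE_TXS = [
    # routine pre-signed transfer by one member: uses a nonce but never touches admin
    Tx("sig_routine", ["councilA"],
       [Instruction(SYSTEM_PROGRAM, ADVANCE_NONCE), Instruction(SYSTEM_PROGRAM, "transfer")], 100),
    # dormant approval: nonce-backed, council-signed, admin program invoked
    Tx("sig_presigned_admin", ["councilB", "councilD"],
       [Instruction(SYSTEM_PROGRAM, ADVANCE_NONCE), Instruction(ADMIN_PROGRAM, "setAdmin")], 104),
    # ordinary admin action signed live, no durable nonce
    Tx("sig_direct_admin", ["councilA", "councilC"],
       [Instruction(ADMIN_PROGRAM, "updateParam")], 50),
]

if __name__ == "__main__":
    for finding in audit_council(COUNCIL):
        print("config:", finding)
    for sig, reason in flag_presigned_admin(SAMPLE_TXS, ADMIN_PROGRAM, COUNCIL):
        print("alert:", sig, reason)
```

The transaction check only fires on the pre-signed admin case; the live admin action is still worth logging but is not the dormant pattern. The configuration audit reports both weaknesses of a 2-of-5, zero-timelock council, which is exactly the window a timelock of even a few hours would have restored.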
On April 1, two transactions fired four slots apart, seizing Security Council administrative powers. The attackers then introduced CVT as collateral and removed all preset withdrawal limits, draining the vaults through 31 rapid withdrawals in approximately 10 seconds. Stolen assets were consolidated into USDC and SOL and bridged to Ethereum via Circle's Cross-Chain Transfer Protocol. On-chain investigator ZachXBT publicly criticized Circle for failing to freeze the stolen USDC despite the funds crossing during U.S. business hours.
Scale and Attribution
At $285 million, the Drift exploit is the largest DeFi hack of 2026 and the second-largest in Solana’s history, behind only the $326 million Wormhole bridge hack in 2022. Drift’s total value locked collapsed from roughly $550 million to under $250 million. The DRIFT token dropped more than 40% following the attack.
TRM Labs and Elliptic independently assessed the attack as consistent with DPRK tradecraft, citing on-chain staging patterns, laundering methodology, and cross-chain fund flow indicators. Full analyses are available from TRM Labs and Elliptic. SEAL 911, with support from Mandiant, attributed the operation to UNC4736 with medium-high confidence, based on fund flows linking the attack to wallets associated with the October 2024 Radiant Capital hack and operational overlap with known DPRK-linked personas. UNC4736 is the same group behind the $53 million Radiant Capital hack and the X_TRADER/3CX supply chain compromise in 2023. If confirmed, this would represent the eighteenth DPRK-linked crypto theft tracked by Elliptic in 2026, with over $300 million stolen by North Korean actors so far this year.
The Drift attack did not unfold in isolation. It landed on the same day that multiple security vendors attributed a separate supply chain compromise of the Axios npm library to a North Korean hacking group, suggesting a coordinated two-front operation targeting both the DeFi finance layer and the broader software development ecosystem simultaneously.
Drift has frozen all protocol functions, removed the compromised wallet from the multisig, and is coordinating with security firms, exchanges, bridges, and law enforcement to trace and recover stolen assets.