North Korea Launches $285M Solana Heist
A sophisticated six-month operation by North Korean state-linked actors led to a $285 million exploit on Solana's Drift Protocol. Rather than exploiting a smart contract vulnerability, the attack targeted human trust and operational procedures. This marks a significant shift in the threat landscape for decentralized finance.
On April 1, 2026, a massive $285 million exploit hit the Solana-based Drift Protocol. This attack, however, wasn’t about finding flaws in the code. Instead, it was a six-month operation by North Korean state-linked actors targeting the people behind the decentralized finance (DeFi) platform.
Drift Protocol: A DeFi Star
Before the exploit, Drift Protocol was a leading platform on Solana. It allowed users to trade complex financial products and earn rewards. The protocol held about $550 million in total value locked and had passed security checks from top firms. But on that April morning, Drift confirmed the ongoing theft was no joke.
Token Plummets, Network Shaken
The native Drift token crashed over 36% within hours, losing 97% of its value from its yearly high. The attack also affected 11 to 20 other Solana protocols that relied on Drift. This event became the biggest DeFi exploit in Solana’s history.
A Six-Month Deception
The attack began in late 2025, not with code, but with a meeting at a crypto conference. Individuals posing as representatives of a successful trading firm approached Drift contributors. These people showed deep technical knowledge but were actually intermediaries for the North Korean actors.
Over the next few months, this fake firm built trust with Drift’s team. They created a dedicated Telegram group to discuss trading strategies. To prove their legitimacy, they even deposited over $1 million of their own money into a Drift vault. By March 2026, they had gained trusted insider status without hacking any passwords.
Exploiting Trust and Technology
The attackers shared a GitHub repository for a front-end integration. This repository contained a malicious configuration file that exploited a vulnerability in the Cursor AI code editor, a VS Code-based tool. When a developer opened the workspace, the hidden code ran silently, compromising their device.
Additionally, they tricked a Drift contributor into downloading a fake wallet app for beta testing. With access to these compromised devices, the attackers could monitor the signing infrastructure used by the protocol’s security team.
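The repository-borne compromise described above is the kind of thing a team can screen for before granting a cloned workspace trust. The following scanner is an added example written for this article, not code from Drift or from any tool named here: it reads the workspace files that VS Code-derived editors load on open (`.vscode/tasks.json` and `.vscode/settings.json`) and flags tasks configured with `"runOn": "folderOpen"` and settings whose key names an executable. The file list and the setting-key patterns are a deliberately small, constructed policy; the two in-memory repositories are constructed for the demonstration and are not taken from the incident.

```python
import json
import re
from typing import Dict, List

# Files that VS Code and VS Code-derived editors read from a folder when it is opened.
# A task with "runOptions": {"runOn": "folderOpen"} asks the editor to run that task as
# soon as the folder opens (workspace trust gates this in VS Code).
WORKSPACE_FILES = (".vscode/tasks.json", ".vscode/settings.json")

# Setting keys whose value names an executable or shell profile the editor will launch.
# Constructed, deliberately small pattern list for this example; a real policy is broader.
EXEC_SETTING_PATTERNS = (
    re.compile(r"path$", re.IGNORECASE),  # e.g. python.defaultInterpreterPath
    re.compile(r"^terminal\.integrated\.(shell|profiles|automationProfile)"),
)


def _load_jsonc(text: str) -> dict:
    """Parse JSON that may carry // line comments, as tasks.json files often do."""
    without_comments = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    return json.loads(without_comments)


def findings_for_tasks(tasks: dict) -> List[str]:
    """Flag every task configured to run when the folder is opened."""
    findings = []
    for task in tasks.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            label = task.get("label", "<unnamed>")
            findings.append(
                f"tasks.json: task {label!r} runs on folder open: {task.get('command')!r}"
            )
    return findings


def findings_for_settings(settings: dict) -> List[str]:
    """Flag settings whose key selects an executable path or shell profile."""
    findings = []
    for key, value in settings.items():
        if any(p.search(key) for p in EXEC_SETTING_PATTERNS):
            findings.append(f"settings.json: {key!r} selects an executable: {value!r}")
    return findings


def scan_workspace(files: Dict[str, str]) -> List[str]:
    """files maps a repo-relative path to its content; returns readable findings.

    [] means nothing in the workspace config asks the editor to run code on open.
    Anything else should be read and understood before the folder is opened with
    workspace trust granted.
    """
    findings: List[str] = []
    for path in WORKSPACE_FILES:
        if path not in files:
            continue
        try:
            doc = _load_jsonc(files[path])
        except json.JSONDecodeError as exc:
            findings.append(f"{path}: unparseable ({exc.msg}); review by hand")
            continue
        if path.endswith("tasks.json"):
            findings.extend(findings_for_tasks(doc))
        else:
            findings.extend(findings_for_settings(doc))
    return findings


# Constructed in-memory repositories for the demonstration (not from any real incident).
SUSPICIOUS_REPO = {
    "README.md": "# front-end integration\n",
    ".vscode/tasks.json": """{
      // "version" is required by VS Code
      "version": "2.0.0",
      "tasks": [
        {
          "label": "bootstrap",
          "type": "shell",
          "command": "node ./scripts/setup.js",
          "runOptions": { "runOn": "folderOpen" }
        }
      ]
    }""",
    ".vscode/settings.json": """{
      "editor.formatOnSave": true,
      "python.defaultInterpreterPath": "./tools/python"
    }""",
}

CLEAN_REPO = {
    "README.md": "# front-end integration\n",
    ".vscode/settings.json": '{ "editor.formatOnSave": true }',
}

if __name__ == "__main__":
    for name, repo in (("suspicious", SUSPICIOUS_REPO), ("clean", CLEAN_REPO)):
        print(name, scan_workspace(repo) or ["no auto-run configuration found"])
```

The scanner only answers "does opening this folder cause the editor to run something?"; it does not judge whether the flagged command is benign, which is the reviewer's job. A finding on a repository received from an outside party is a reason to open it in a disposable environment rather than on a machine that holds signing material.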
Solana’s Durable Nonce and a Pre-Signed Trap
To take control without triggering immediate alarms, they abused Solana’s durable nonce feature. Normally a Solana transaction references a recent blockhash and becomes invalid once that blockhash ages out, which limits how long a signed transaction can be held or replayed. A durable nonce replaces the blockhash with a stored nonce value, so a transaction can be signed offline and held indefinitely until someone broadcasts it.
Between March 23rd and 30th, 2026, the attackers convinced security members to pre-sign administrative transactions. These hidden authorizations would give the attackers full control once broadcast. A routine security migration on March 27th accidentally removed the administrative time lock, which had been the last safety net.
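A signer-side policy check makes the durable-nonce trap concrete. The block below is an added example written for this article, not Drift's code or any Solana SDK: it models a transaction as a list of instructions, detects durable-nonce use the way the Solana runtime defines it (the first instruction is the System Program's AdvanceNonceAccount, variant 4 of its instruction enum), and refuses to sign when such a non-expiring transaction also carries a privileged administrative instruction. The admin and token program ids, the instruction names, and the `name:args` data encoding are placeholders invented for the example; the three transactions are constructed.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

# Real Solana values: the System Program id, and AdvanceNonceAccount, which is variant 4
# of the System Program's instruction enum, encoded as a little-endian u32 at the start
# of the instruction data. A durable-nonce transaction carries it as its first instruction.
SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
ADVANCE_NONCE_TAG = struct.pack("<I", 4)

# Hypothetical placeholders for this example: the protocol's admin program, a token
# program, and the instruction names this signer treats as privileged. Not Drift's
# real program ids or instruction layout.
ADMIN_PROGRAM_ID = "AdminProgramPLACEHOLDER"
TOKEN_PROGRAM_ID = "TokenProgramPLACEHOLDER"
PRIVILEGED_INSTRUCTIONS = {b"update_admin", b"set_risk_params", b"disable_withdraw_limits"}


@dataclass
class Instruction:
    program_id: str
    data: bytes                      # example encoding: b"name:args"
    accounts: List[str] = field(default_factory=list)


@dataclass
class Transaction:
    instructions: List[Instruction]
    recent_blockhash: str            # a real blockhash, or the stored nonce value


def instruction_name(ix: Instruction) -> bytes:
    return ix.data.split(b":", 1)[0]


def uses_durable_nonce(tx: Transaction) -> bool:
    """True if the first instruction is System::AdvanceNonceAccount, meaning the
    'recent_blockhash' is really a stored nonce and the signature never expires."""
    if not tx.instructions:
        return False
    first = tx.instructions[0]
    return first.program_id == SYSTEM_PROGRAM_ID and first.data[:4] == ADVANCE_NONCE_TAG


def privileged_instructions(tx: Transaction) -> List[Instruction]:
    return [ix for ix in tx.instructions
            if ix.program_id == ADMIN_PROGRAM_ID
            and instruction_name(ix) in PRIVILEGED_INSTRUCTIONS]


def evaluate(tx: Transaction) -> Tuple[str, List[str]]:
    """Return (verdict, reasons); verdict is SIGN, REVIEW or REFUSE.

    Policy: an administrative change that never expires is exactly the pre-signed
    trap, so it is refused outright. Other nonce transactions, and admin changes
    that do expire, go to a second reviewer instead of being signed on the spot.
    """
    reasons: List[str] = []
    nonce = uses_durable_nonce(tx)
    admin = privileged_instructions(tx)
    if nonce:
        reasons.append("uses a durable nonce: the signature stays valid until broadcast")
    if admin:
        names = ", ".join(instruction_name(ix).decode() for ix in admin)
        reasons.append(f"carries privileged instruction(s): {names}")
    if nonce and admin:
        return "REFUSE", reasons
    if nonce or admin:
        return "REVIEW", reasons
    return "SIGN", reasons


# Constructed transactions for the demonstration. The account list on the nonce
# instruction follows the real AdvanceNonceAccount layout: nonce account, the
# RecentBlockhashes sysvar, nonce authority.
ADVANCE_NONCE = Instruction(
    SYSTEM_PROGRAM_ID, ADVANCE_NONCE_TAG,
    ["NonceAccountPLACEHOLDER", "SysvarRecentB1ockHashes11111111111111111111", "SignerPLACEHOLDER"],
)
PRESIGNED_ADMIN_TAKEOVER = Transaction(
    [ADVANCE_NONCE, Instruction(ADMIN_PROGRAM_ID, b"update_admin:NewAdminPLACEHOLDER")],
    recent_blockhash="StoredNonceValuePLACEHOLDER",
)
ROUTINE_NONCE_TRANSFER = Transaction(
    [ADVANCE_NONCE, Instruction(TOKEN_PROGRAM_ID, b"transfer:1000")],
    recent_blockhash="StoredNonceValuePLACEHOLDER",
)
ORDINARY_TRANSFER = Transaction(
    [Instruction(TOKEN_PROGRAM_ID, b"transfer:1000")],
    recent_blockhash="RecentBlockhashPLACEHOLDER",
)

if __name__ == "__main__":
    for name, tx in (("presigned admin takeover", PRESIGNED_ADMIN_TAKEOVER),
                     ("routine nonce transfer", ROUTINE_NONCE_TRANSFER),
                     ("ordinary transfer", ORDINARY_TRANSFER)):
        verdict, why = evaluate(tx)
        print(f"{name}: {verdict} {why}")
```

The check belongs on the device that holds the key, or in the multisig client, because the whole point of the attack was that the people approving transactions did not see what the durable nonce implied: a signature they gave on March 23rd was still spendable on April 1st.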
The Theft Unfolds
On March 12th, 2026, the attackers minted about 750 million units of a fake token called Carbon Vote. They created a liquidity pool on the Radix decentralized exchange and used automated trading to inflate its price to $1.
On April 1st, they broadcast the pre-signed transactions, instantly taking over the protocol’s administration. They then listed their worthless Carbon Vote token as collateral within the protocol’s risk engine. The system, reading the fake price as real data, believed the attackers held $750 million in collateral.
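The collateral step shows why a risk engine must not take a single venue's price at face value. The block below is an added example for this article, not Drift's risk engine: a hypothetical listing gate that requires at least two independent price sources that agree, caps credited value by the liquidity actually observed, applies a haircut, and schedules the listing behind a time lock instead of making it effective instantly. All thresholds are illustrative, and the three candidate assets are constructed; the first mirrors the shape of the attack (a huge supply priced only by a pool the lister created) with invented numbers.

```python
from dataclasses import dataclass
from statistics import median
from typing import List


@dataclass
class PriceObservation:
    source: str            # constructed venue or feed name
    price_usd: float
    liquidity_usd: float   # depth available around this price at the venue
    independent: bool      # False if the source is the candidate's own (or related) pool


@dataclass
class CollateralCandidate:
    symbol: str
    units: float
    observations: List[PriceObservation]


@dataclass
class ListingDecision:
    accepted: bool
    credited_usd: float
    effective_after_seconds: int
    reasons: List[str]


# Hypothetical listing policy for this example; the thresholds are illustrative only.
MIN_INDEPENDENT_SOURCES = 2
MAX_PRICE_DISPERSION = 0.05      # reject if (max - min) / median exceeds 5%
DEPTH_MULTIPLE = 5.0             # credit no more than 5x the observed liquidity
HAIRCUT = 0.2                    # 20% haircut on whatever is credited
LISTING_TIMELOCK_SECONDS = 48 * 3600


def assess_collateral(c: CollateralCandidate) -> ListingDecision:
    reasons: List[str] = []
    rejected = ListingDecision(False, 0.0, 0, reasons)

    # 1. A price the lister controls is not evidence of value.
    independent = [o for o in c.observations if o.independent]
    if len(independent) < MIN_INDEPENDENT_SOURCES:
        reasons.append(f"only {len(independent)} independent price source(s); "
                       f"need {MIN_INDEPENDENT_SOURCES}")
        return rejected

    # 2. Independent sources must agree with each other.
    prices = [o.price_usd for o in independent]
    mid = median(prices)
    dispersion = (max(prices) - min(prices)) / mid
    if dispersion > MAX_PRICE_DISPERSION:
        reasons.append(f"price sources disagree by {dispersion:.1%}")
        return rejected

    # 3. Value that could never be sold into the market is not credited.
    nominal = c.units * mid
    depth = sum(o.liquidity_usd for o in independent)
    capped = min(nominal, DEPTH_MULTIPLE * depth)
    if capped < nominal:
        reasons.append(f"nominal ${nominal:,.0f} capped to ${capped:,.0f} "
                       f"by observed liquidity ${depth:,.0f}")
    credited = capped * (1 - HAIRCUT)

    # 4. Even an accepted listing takes effect only after the time lock elapses.
    reasons.append(f"{HAIRCUT:.0%} haircut applied; effective after "
                   f"{LISTING_TIMELOCK_SECONDS // 3600}h time lock")
    return ListingDecision(True, credited, LISTING_TIMELOCK_SECONDS, reasons)


# Constructed candidates (invented numbers).
SELF_PRICED = CollateralCandidate("FAKE", 750_000_000, [
    PriceObservation("own-dex-pool", 1.00, 2_000_000, independent=False),
])
SHALLOW_BUT_REAL = CollateralCandidate("NEWTOK", 750_000_000, [
    PriceObservation("oracle-a", 1.00, 1_500_000, independent=True),
    PriceObservation("oracle-b", 1.01, 500_000, independent=True),
])
BLUE_CHIP = CollateralCandidate("BTCLIKE", 100, [
    PriceObservation("oracle-a", 60_000, 50_000_000, independent=True),
    PriceObservation("oracle-b", 60_100, 40_000_000, independent=True),
    PriceObservation("dex-pool", 59_900, 30_000_000, independent=True),
])

if __name__ == "__main__":
    for cand in (SELF_PRICED, SHALLOW_BUT_REAL, BLUE_CHIP):
        d = assess_collateral(cand)
        print(cand.symbol, "accepted" if d.accepted else "rejected",
              f"credited ${d.credited_usd:,.0f}", d.reasons)
```

The self-priced candidate never reaches a valuation at all, and even a token with genuine but thin markets is credited a few million dollars rather than the hundreds of millions its nominal price implies. None of these checks run on-chain code that an audit would have examined; they are operational policy, which is where this attack succeeded.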
Massive Drain and Laundering
The attackers disabled withdrawal limits and circuit breakers. In about 12 minutes, they drained $155 million in Jupiter liquidity tokens, along with native SOL and wrapped Bitcoin. These assets were moved from nearly 20 pools.
The stolen funds were quickly swapped into stablecoins using decentralized exchange aggregators. They were then moved to the Ethereum network using Circle’s cross-chain transfer protocol. Blockchain investigators criticized Circle for not freezing the transfers during the six-hour bridging process.
Once on Ethereum, the funds were converted into roughly 129,000 ETH and spread across thousands of wallets. A significant portion was already being laundered through established on-chain patterns.
Attribution and Future Threats
Security experts attribute the attack with high confidence to North Korea’s state-affiliated group, UNC4736. This is the same group responsible for the $50 million Radiant Capital hack in October 2024, using a similar strategy.
The Drift exploit shows a massive increase in the sophistication and scale of these state-sponsored attacks. DeFi is now facing well-funded entities aiming to finance national ambitions, not just opportunistic hackers.
The Human Element: The New Attack Surface
Traditional smart contract audits are now less effective when attackers bypass code entirely by targeting people. Security experts agree that the main threat has shifted from on-chain code to off-chain human interactions.
Every multi-signature signer, development device, and trusted partnership is now a potential entry point for state-level operations. By not having an administrative time lock, Drift allowed its human operators to potentially destroy the system instantly.
While DeFi has improved code security, relying on human trust remains a fundamental weakness. The security of decentralized protocols now depends heavily on the people who build and manage them.
Source: $285M Solana Hack: The Attack That Changed Crypto Forever (YouTube)