
The largest DeFi hack of the year took place last week, on April 1, when Drift Protocol, one of the largest perpetuals DEXs on Solana, lost roughly $286 million in an exploit attributed to North Korean-linked hackers. The theft itself took about 10 seconds. What is striking about this hack is how meticulous it was: no code was broken and no smart contract had a bug. Investigations by crypto forensics firms including Elliptic and TRM Labs point instead to a far more calculated operation. Over three weeks, the attackers manufactured a fake token called CarbonVote and seeded it with a few thousand dollars of liquidity to make it look real, while social-engineering two of the five signers on Drift's multisig Security Council into pre-signing hidden authorizations they did not fully understand. They then used a Solana feature called durable nonces to keep those signatures valid in reserve for more than a week, waiting for the right moment. A normal Solana transaction references a recent blockhash and expires within minutes; a durable-nonce transaction references a nonce stored on-chain instead and stays valid until that nonce is advanced, which is what let a week-old pre-signed authorization still land. All it took was a single transaction on April 1.

> Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift's Security Council administrative powers. This was a highly sophisticated operation that appears to have involved…
>
> — Drift (@DriftProtocol) April 2, 2026

As noted by Elliptic, this was the 18th crypto hack linked to North Korea this year, pulling around $300 million out of the space. Four days after the hack, Ledger CTO Charles Guillemet went on record about the alarming nature of the attack, saying that AI is driving the cost of attacks like this "down to zero." Guillemet did not name Drift, but he described its exact mechanics.
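The durable-nonce mechanism that made the pre-signed authorizations usable a week later is worth seeing in code before turning to Guillemet's argument. What follows is an added example, not code from the article, from Drift or from Solana Labs: a toy model of the two validity rules that matter here. A normal transaction names a recent blockhash and is dropped once that blockhash is older than roughly 150 slots; a durable-nonce transaction names the value stored in a nonce account, must begin with a System Program AdvanceNonceAccount instruction, and stays valid until that nonce is advanced, however long that takes. The slot counts, hashes, account names and the "DriftAdmin" instruction are constructed for the demonstration and are not the real on-chain objects.

```python
"""Toy model of Solana transaction lifetime: recent blockhash vs durable nonce.

Added example, not code from the article, Drift or Solana Labs. Slot counts,
hashes, account names and the "DriftAdmin" instruction are constructed here.
"""
from dataclasses import dataclass
import hashlib

BLOCKHASH_VALIDITY_SLOTS = 150      # Solana drops a tx whose blockhash is older than ~150 slots
SYSTEM_PROGRAM = "11111111111111111111111111111111"   # the real System Program id
ADVANCE_NONCE = "AdvanceNonceAccount"                 # must be instruction 0 of a durable-nonce tx


@dataclass(frozen=True)
class Instruction:
    program_id: str
    data: str
    accounts: tuple = ()


@dataclass(frozen=True)
class Transaction:
    blockhash: str        # recent_blockhash field; holds the stored nonce for durable txs
    instructions: tuple
    signers: frozenset    # who pre-signed it


def _hash(label: str) -> str:
    return hashlib.sha256(label.encode()).hexdigest()[:16]


def nonce_account_of(tx: Transaction):
    """Return the nonce account if tx is a durable-nonce tx, else None.

    This is the check a signer's wallet tooling should surface before signing:
    if instruction 0 is System AdvanceNonceAccount, the signature does not
    expire with the blockhash and can be submitted at any later time.
    """
    if not tx.instructions:
        return None
    first = tx.instructions[0]
    if first.program_id == SYSTEM_PROGRAM and first.data == ADVANCE_NONCE:
        return first.accounts[0]
    return None


class ToyCluster:
    """Minimal ledger: a slot counter, recent blockhashes and nonce accounts."""

    def __init__(self):
        self.slot = 0
        self.blockhash_slot = {}    # blockhash -> slot it was produced in
        self.nonce_accounts = {}    # nonce account -> currently stored nonce value
        self._nonce_seq = 0
        self.advance_slots(1)

    def advance_slots(self, n: int) -> None:
        for _ in range(n):
            self.slot += 1
            self.blockhash_slot[_hash(f"slot-{self.slot}")] = self.slot

    def latest_blockhash(self) -> str:
        return _hash(f"slot-{self.slot}")

    def _fresh_nonce(self, name: str) -> str:
        self._nonce_seq += 1
        return _hash(f"nonce-{name}-{self._nonce_seq}")

    def create_nonce_account(self, name: str) -> str:
        self.nonce_accounts[name] = self._fresh_nonce(name)
        return self.nonce_accounts[name]

    def try_execute(self, tx: Transaction) -> str:
        nonce_acct = nonce_account_of(tx)
        if nonce_acct is not None:
            # Durable path: valid iff the stored nonce still equals the tx's blockhash field.
            if self.nonce_accounts.get(nonce_acct) != tx.blockhash:
                return "rejected: nonce already advanced"
            # Execution advances the nonce, so the same signed bytes cannot replay.
            self.nonce_accounts[nonce_acct] = self._fresh_nonce(nonce_acct)
            return "executed (durable nonce)"
        # Normal path: the blockhash must still be recent.
        produced = self.blockhash_slot.get(tx.blockhash)
        if produced is None or self.slot - produced > BLOCKHASH_VALIDITY_SLOTS:
            return "rejected: blockhash expired"
        return "executed"


def demo(wait_slots: int = 10_000) -> dict:
    """Two identical admin payloads pre-signed at slot 1, submitted wait_slots later."""
    chain = ToyCluster()
    council = frozenset({"signer_1", "signer_2"})          # 2-of-5 threshold, per the article
    payload = Instruction("DriftAdmin(hypothetical)", "take_over_security_council")

    normal = Transaction(chain.latest_blockhash(), (payload,), council)
    nonce_value = chain.create_nonce_account("attacker_nonce")
    durable = Transaction(nonce_value,
                          (Instruction(SYSTEM_PROGRAM, ADVANCE_NONCE, ("attacker_nonce",)), payload),
                          council)

    chain.advance_slots(wait_slots)     # ~1 hour of slots; the real operators waited over a week
    return {
        "signer_flag_normal": nonce_account_of(normal) is not None,
        "signer_flag_durable": nonce_account_of(durable) is not None,
        "normal_after_wait": chain.try_execute(normal),
        "durable_after_wait": chain.try_execute(durable),
        "durable_replay": chain.try_execute(durable),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run stand-alone it shows the normal transaction dying of an expired blockhash while the durable one still executes after the wait and only then becomes unreplayable. Two practical points follow. First, a hardware wallet protects the key, not the decision: a signer who approves a durable-nonce message on an air-gapped device has still handed out an authorization with no expiry, so signing tooling for a multisig council should decode the message, flag instruction 0 when it is AdvanceNonceAccount, and treat such requests as needing an explicit reason. Second, because a held signature can be submitted at any moment, the remaining defense is on the execution side: a timelock or delay on Security Council actions would have turned a 10-second takeover into a visible pending change.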
AI does not just help attackers find code bugs faster; it makes social engineering more convincing, phishing more personalized, and the kind of three-week preparation North Korean operators put into Drift cheaper and more scalable by an order of magnitude. He also pointed to a compounding problem on the defensive side: as more developers rely on AI-generated code, vulnerabilities could spread faster than human reviewers can catch them. "There is no 'make it secure' button," he said. "We are going to produce a lot of code that will be insecure by design."

Hacks and exploits caused $1.4 billion in crypto losses over the past year, and Guillemet projects that the curve gets steeper, not flatter. The Drift hack is the clearest proof of concept for that warning. The attackers never touched the code; they targeted the two humans holding the keys. AI does not need to break a smart contract if it can generate a convincing enough pretext to trick a multisig signer into approving a transaction they do not fully understand.

Guillemet expects the industry to split: critical systems like wallets and core protocols will invest heavily in security and adapt, while much of the broader software ecosystem may struggle to keep pace. His recommended fixes (formal verification backed by mathematical proofs, and hardware isolation for private keys) are structurally sound, but they require a level of institutional discipline that most DeFi protocols, Drift included, have not yet built. "When you have a dedicated device not exposed to the internet, it is more secure by design," he said. The Drift Security Council had no such buffer. Two signatures, zero timelock, and a fake token were all it took.

What Happens Next: Drift's Recovery and Industry Response

What happens next for Drift Protocol is far from clear, and the early signals are already dividing the industry.
In the immediate aftermath, Solana co-founder Anatoly Yakovenko suggested a potential recovery path: issuing an IOU-style token airdrop to affected users, mirroring Bitfinex's playbook after its $72 million hack in 2016. The idea is simple: socialize the losses now and repay users over time if the protocol recovers. But the context is very different. Drift's TVL has been cut nearly in half, deposits and withdrawals remain suspended, and unlike Bitfinex it lacks a centralized revenue engine to backstop those liabilities. That has drawn immediate pushback: IOU tokens in this case risk becoming purely speculative instruments with no clear path to redemption.

At the same time, on-chain activity is raising new concerns. Onchain Lens flagged that a wallet linked to the Drift team moved 56.25 million DRIFT tokens (about $2.44 million) to centralized exchanges including Bybit and Gate shortly after the exploit, a move that typically precedes selling pressure and has fueled speculation about insider positioning during a liquidity crisis. Meanwhile, the attacker's funds have already been bridged across chains, most notably to Ethereum, and the probability of meaningful recovery falls with each passing day.

The broader implication is that this incident will not end with Drift. It is likely to accelerate industry-wide scrutiny of DeFi governance itself, from multisig security standards and timelock requirements to oracle design and execution controls. What comes next hinges on three variables: whether Drift can present a credible recovery plan, whether any portion of the funds can be traced or frozen, and whether this finally forces structural reform or becomes just another expensive lesson the industry moves past.