DPRK Lazarus Group Suspected in Drift Protocol $286 Million Solana Theft
Drift Protocol, the largest decentralized perpetual futures exchange on the Solana network, confirmed the exploit after watching its total value locked (TVL) collapse from roughly $550 million to under $250 million in a single morning, now standing at $232 million. Bitcoin.com News was the first to report on the issue. The DRIFT token dropped as much as 37%–42% in the hours that followed, bottoming near $0.04 to $0.05.
Reports note that the attack began not with a code bug but with a Tornado Cash withdrawal. On March 11, the attacker pulled ETH from the Ethereum-based privacy protocol and used those funds to deploy the carbonvote token, or CVT, on March 12. Blockchain analysts noted the deployment timestamp corresponded to roughly 09:00 Pyongyang time, a detail that raised immediate flags.
Several reports detail that over the following three weeks, the attacker seeded minimal liquidity for CVT on the Raydium decentralized exchange and used wash trading to maintain a price near $1.00. Drift’s oracles read that price as legitimate. The attacker had built fake collateral that looked real to every automated system watching it.
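The gap between a quoted price and what a thin pool can actually pay out can be checked before collateral is credited. The following is an added example, not Drift's risk engine or code from the article; it assumes a constant-product pool, and the fee, slippage limit and pool figures are constructed for illustration.

```python
def amm_sale_proceeds(amount_in, reserve_token, reserve_quote, fee=0.0025):
    """Quote-asset proceeds from selling amount_in into a constant-product pool.

    x * y = k gives out = reserve_quote * net_in / (reserve_token + net_in).
    The fee value is an assumption, not a figure from the article.
    """
    net_in = amount_in * (1 - fee)
    return reserve_quote * net_in / (reserve_token + net_in)


def credit_collateral(amount, oracle_price, reserve_token, reserve_quote,
                      max_slippage=0.05):
    """Credit the lower of mark value and realizable value; flag thin markets."""
    marked = amount * oracle_price
    realizable = amm_sale_proceeds(amount, reserve_token, reserve_quote)
    flags = []
    if realizable < marked * (1 - max_slippage):
        flags.append("position cannot be liquidated near the oracle price")
    if marked > reserve_quote:
        flags.append("mark value exceeds all quote liquidity in the pool")
    return {"marked": marked, "realizable": realizable,
            "credited": min(marked, realizable), "flags": flags}


# Constructed figures: a thin pool held near $1.00 versus a deep pool.
THIN = credit_collateral(500_000_000, 1.00, reserve_token=10_000, reserve_quote=10_000)
DEEP = credit_collateral(100_000, 1.00, reserve_token=50_000_000, reserve_quote=50_000_000)

if __name__ == "__main__":
    for name, result in (("thin pool", THIN), ("deep pool", DEEP)):
        print(f"{name}: marked ${result['marked']:,.0f}, "
              f"credited ${result['credited']:,.0f}, flags={result['flags']}")
```

However large the deposit, the credited value of the thin-pool position stays below the pool's quote reserves, so a $1.00 spot price alone does not justify lending against it.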
“Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers,” the Drift team wrote.
The project’s X account added:
“This was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution.”
Ostensibly, between March 23 and March 30, the Drift attacker moved to the human layer. Using a legitimate Solana feature called durable nonces, the attacker reportedly induced members of Drift’s Security Council multisig to pre-sign transactions that appeared routine. These signatures became pre-approved access keys, held in reserve until the attacker was ready.
The opening closed on March 27, when Drift migrated its Security Council to a 2-of-5 signature threshold and removed its timelock entirely. A timelock typically forces a 24-to-72-hour delay on administrative actions, giving the community time to catch and reverse anything suspicious. Without it, the attacker had zero-delay execution authority. The pre-signed transactions were live the moment the timelock was gone.
On April 1, the attacker activated those transactions, listed CVT as valid collateral, raised withdrawal limits, and deposited hundreds of millions in CVT tokens against which Drift’s risk engine issued real assets. The protocol handed over millions in JLP tokens, millions in USDC, millions in SOL, and smaller amounts of wrapped bitcoin and ethereum. Thirty-one withdrawal transactions cleared in roughly 12 minutes.
The attacker converted the stolen tokens to USDC using Jupiter, bridged to Ethereum, and swapped into tens of thousands of ETH. Some funds were routed through Hyperliquid, and a portion moved directly to Binance. On April 3, Drift sent an onchain message from an Ethereum address to four hacker-controlled wallets. The publication cryptonomist.ch reports that the message read:
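A multisig member's signing tool can recognise a durable-nonce transaction before any signature is produced, because such a transaction must begin with the System Program's AdvanceNonceAccount instruction. The following is an added example, not code from Drift or the article; the decoded-message layout, the policy function and every key except the System Program and sysvar IDs are hypothetical placeholders.

```python
SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4  # SystemInstruction variant, serialized as u32 little-endian


def durable_nonce_info(msg):
    """Return (nonce_account, nonce_authority) for a durable-nonce transaction, else None.

    A transaction is durable-nonce only when its FIRST instruction is the
    System Program's AdvanceNonceAccount.
    """
    if not msg["instructions"]:
        return None
    ix, keys = msg["instructions"][0], msg["account_keys"]
    if keys[ix["program_id_index"]] != SYSTEM_PROGRAM:
        return None
    data = ix["data"]
    if len(data) < 4 or int.from_bytes(data[:4], "little") != ADVANCE_NONCE_ACCOUNT:
        return None
    if len(ix["accounts"]) < 3:
        return None
    # Accounts: [0] nonce account, [1] RecentBlockhashes sysvar, [2] nonce authority.
    return keys[ix["accounts"][0]], keys[ix["accounts"][2]]


def presign_review(msg, signer, admin_programs):
    """Hypothetical signing-tool policy: returns (decision, findings)."""
    nonce = durable_nonce_info(msg)
    if nonce is None:
        return "allow", []  # signature expires when the recent blockhash ages out
    account, authority = nonce
    findings = [f"durable nonce {account}: signature stays valid until the nonce advances"]
    if authority != signer:
        findings.append(f"nonce authority {authority} is not the signer; signer cannot revoke")
    invoked = {msg["account_keys"][ix["program_id_index"]] for ix in msg["instructions"]}
    admin = sorted(invoked & set(admin_programs))
    if admin:
        findings.append(f"admin program invoked: {', '.join(admin)}")
        return "reject", findings
    return "escalate", findings


# Constructed sample messages in a simplified decoded form.
KEYS = ["COUNCIL_MEMBER_A", "NONCE_ACCOUNT_X", "SysvarRecentB1ockHashes11111111111111111111",
        "UNKNOWN_AUTHORITY", SYSTEM_PROGRAM, "GOVERNANCE_PROGRAM"]
ADVANCE = {"program_id_index": 4, "accounts": [1, 2, 3], "data": (4).to_bytes(4, "little")}
ADMIN_IX = {"program_id_index": 5, "accounts": [0], "data": b"\x01"}
PRESIGNED = {"account_keys": KEYS, "instructions": [ADVANCE, ADMIN_IX]}
ROUTINE = {"account_keys": KEYS, "instructions": [ADMIN_IX]}

if __name__ == "__main__":
    for name, msg in (("presigned", PRESIGNED), ("routine", ROUTINE)):
        print(name, presign_review(msg, "COUNCIL_MEMBER_A", ["GOVERNANCE_PROGRAM"]))
```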
“We’re prepared to talk.”
Security firms Elliptic and TRM Labs have attributed the attack to DPRK-linked threat actors, citing the Tornado Cash origin, the Pyongyang-time deployment signature, the social engineering focus, and the post-hack laundering speed. The Lazarus Group used the same persistence and human-targeting approach in the 2022 Ronin bridge hack. The U.S. government has tied these thefts to North Korea’s weapons program funding, and Elliptic has tracked over $300 million stolen in the first quarter of 2026 alone.
The contagion spread to more than 20 protocols. Prime Numbers Fi reported losses in the millions. Carrot Protocol paused mint and redeem functions after 50% of its TVL was affected. Pyra Protocol disabled withdrawals entirely, leaving all user funds inaccessible. Piggybank lost $106,000 and reimbursed users from its own team treasury.
DeFi Development Corp., a Nasdaq-listed company with a Solana treasury strategy, confirmed on April 1 that it had no Drift exposure. Its risk framework excluded the protocol entirely. That fact drew more attention than the company likely intended.
The Drift incident produced one clear lesson that much of the industry already knew but had not fully applied: a timelock is not optional. The removal of that single safeguard on March 27 converted a complex, multi-week attack into a 12-minute cash-out. Protocol governance without a delay mechanism is governance with an open door.
The next 48 hours following the DeFi attack were described as critical for Drift’s ability to retain user trust and map a recovery path. As of April 3, no comprehensive reimbursement plan had been announced.
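The effect of the timelock described above, and of its removal, can be modelled as a small admin queue. This is an added example, not Drift's governance code; the class, the action name, the signer labels and the timings are constructed, with only the 2-of-5 threshold and the 24-hour delay taken from the article's description.

```python
from dataclasses import dataclass, field


@dataclass
class AdminQueue:
    signers: frozenset
    threshold: int
    delay_s: int                      # 0 models a council with no timelock
    pending: dict = field(default_factory=dict)

    def submit(self, action, approvals, now):
        """Queue an action that carries enough approvals; return its earliest run time."""
        if len(set(approvals) & self.signers) < self.threshold:
            raise PermissionError("approval threshold not met")
        self.pending[action] = now + self.delay_s
        return self.pending[action]

    def cancel(self, action, guardian):
        """Any council member may veto an action that is still waiting."""
        if guardian not in self.signers:
            raise PermissionError("not a council member")
        return self.pending.pop(action, None) is not None

    def execute(self, action, now):
        eta = self.pending.get(action)
        if eta is None:
            return "not-queued"
        if now < eta:
            return "too-early"
        del self.pending[action]
        return "executed"


def replay(delay_s, detect_after_s, action="list-new-collateral"):
    """Constructed scenario: two pre-signed approvals land at t=0 and the
    remaining members notice detect_after_s seconds later."""
    q = AdminQueue(frozenset("ABCDE"), threshold=2, delay_s=delay_s)
    eta = q.submit(action, {"A", "B"}, now=0)
    if detect_after_s < eta:          # defenders only win if they act before eta
        q.cancel(action, guardian="C")
    return q.execute(action, now=eta)


if __name__ == "__main__":
    HOUR = 3600
    print("no timelock, noticed after 1h  :", replay(0, HOUR))
    print("24h timelock, noticed after 1h :", replay(24 * HOUR, HOUR))
    print("24h timelock, noticed after 30h:", replay(24 * HOUR, 30 * HOUR))
```

The third case shows that a delay only helps when someone is watching the queue: a timelock needs monitoring and a veto path to be effective.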
FAQ 🔎
What happened to Drift Protocol?
Attackers drained $286 million from Drift Protocol on April 1, 2026, using fake collateral and pre-signed administrative transactions to empty the protocol’s core vaults in 12 minutes.
Who is responsible for the Drift Protocol hack?
Security firms, including Elliptic and TRM Labs, have attributed the attack to DPRK-linked threat actors, citing laundering patterns and onchain timestamps consistent with Lazarus Group tradecraft.
Is my money safe on Drift Protocol?
Drift suspended all deposits and withdrawals following the attack; users in affected protocols like Pyra and Carrot remain unable to access funds as of April 3, 2026.
What is a durable nonce attack in Solana DeFi?
A durable nonce attack uses a legitimate Solana feature to pre-sign transactions that look routine, holding them as live authorization keys until the attacker chooses to execute them.








