Blockchain analytics firm Elliptic identified multiple indicators suggesting that North Korean state-sponsored hackers were behind the $285 million Drift Protocol exploit on April 1, 2026, the largest DeFi hack of the year. Attackers gained unauthorized access to the Solana-based decentralized exchange through a sophisticated attack involving durable nonces, which resulted in a rapid takeover of administrative powers. Preparation for the exploit began as early as March 23, with attackers using social engineering to manipulate multisig signers into pre-signing hidden transaction authorizations.

The attack methodology mirrors previous North Korean operations, including the early use of Tornado Cash, cross-chain bridging patterns, and a speed and scale of post-hack laundering consistent with the 2025 Bybit exploit. Elliptic noted that this would represent the 18th DPRK-linked crypto theft tracked in 2026, with over $300 million stolen so far this year. North Korea reportedly stole a record $2 billion in crypto during 2025, and the US Treasury has linked these funds to weapons of mass destruction programs. The operation also involved creating a fake token called CarbonVote with minimal liquidity, which Drift's oracles mistakenly treated as legitimate collateral worth hundreds of millions.