On April 1, 2026, attackers TRM believes to be North Korean hackers drained USD 285 million from Drift Protocol — the largest DeFi hack of 2026 — through a months-long operation combining social engineering, oracle manipulation, and a governance takeover. The attack began with careful preparation starting March 11th, using funds from Tornado Cash to deploy a fake token called CarbonVote (CVT) with minimal liquidity. The attackers used social engineering to trick multisig signers into pre-signing hidden authorizations while manufacturing CVT as fake collateral that Drift's oracles treated as legitimate. Within 12 minutes on April 1st, 31 withdrawal transactions drained real assets including USDC and JLP from the protocol, with most stolen funds bridged to Ethereum within hours.