Blockchain intelligence companies have been actively tracking the cross-chain movement of the $285 million in stolen funds from the Drift Protocol hack, with TRM Labs and Elliptic providing real-time analysis of the money laundering operation. The sophisticated nature of the fund movement has led security experts to definitively attribute the attack to North Korean state-sponsored hackers, specifically citing the Tornado Cash funding origin, deployment signatures matching Pyongyang time zones, and laundering patterns consistent with previous Lazarus Group operations.

The attackers demonstrated remarkable operational security and planning, beginning their infrastructure setup on March 11 with a 10 ETH withdrawal from Tornado Cash. They then systematically built their attack infrastructure over three weeks, creating the fake CarbonVote token, establishing minimal liquidity on Raydium DEX, and conducting wash trading to maintain artificial price stability. The actual execution phase lasted just 12 minutes but relied on pre-signed transactions that had been prepared weeks in advance using Solana's durable nonce feature to bypass normal multisig protections.

SecurityWeek reports that the hackers used compromised administrative keys to disable Drift's anti-drain systems just 25 seconds before the heist, modifying circuit breakers designed to prevent rapid asset withdrawals by raising their limits to 500 trillion tokens. The attack methodology represents a significant evolution in DeFi exploits, moving beyond simple smart contract vulnerabilities to target human governance processes and oracle manipulation. This approach has prompted security firms to recommend an enhanced focus on governance security and human-factor protections rather than code audits alone.
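The circuit-breaker failure described above is a governance-parameter problem: a single administrative action raised the withdrawal limit to an absurd value and the drain followed seconds later. The following is an added illustration, not code from Drift Protocol or from any of the firms cited, of how a withdrawal circuit breaker can be made resistant to that pattern: lowering the limit takes effect immediately, but any increase is bounded to a fixed multiple of the current limit and only becomes effective after a timelock, so an abrupt raise cannot be used within 25 seconds. All limits, factors, delays and amounts are hypothetical values chosen for the example.

```python
"""Hardened withdrawal circuit breaker with bounded, time-locked limit raises (illustrative)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical policy parameters for the example, not any protocol's real configuration.
MAX_RAISE_FACTOR = 2.0              # one change may at most double the current limit
RAISE_TIMELOCK_SECONDS = 24 * 3600  # increases take effect only after this delay
WINDOW_SECONDS = 3600               # rolling window the withdrawal limit applies to


@dataclass
class PendingRaise:
    new_limit: int
    effective_at: int   # unix timestamp after which the raise applies
    proposer: str


@dataclass
class CircuitBreaker:
    limit: int                                   # max tokens withdrawable per window
    pending: Optional[PendingRaise] = None
    withdrawals: List[Tuple[int, int]] = field(default_factory=list)  # (timestamp, amount)
    audit: List[str] = field(default_factory=list)  # human-readable trail for monitoring

    def propose_limit(self, new_limit: int, now: int, proposer: str) -> str:
        """Lowering applies at once; raising is bounded and queued behind a timelock."""
        if new_limit <= 0:
            return "rejected: limit must be positive"
        if new_limit <= self.limit:
            self.limit = new_limit
            self.pending = None  # a lowering cancels any queued raise
            self.audit.append(f"{now} {proposer} lowered limit to {new_limit}")
            return "applied"
        if new_limit > self.limit * MAX_RAISE_FACTOR:
            self.audit.append(f"{now} {proposer} REJECTED raise to {new_limit}")
            return "rejected: exceeds max raise factor"
        self.pending = PendingRaise(new_limit, now + RAISE_TIMELOCK_SECONDS, proposer)
        self.audit.append(f"{now} {proposer} queued raise to {new_limit}")
        return "queued"

    def _apply_pending(self, now: int) -> None:
        """Promote a queued raise once its timelock has elapsed."""
        if self.pending and now >= self.pending.effective_at:
            self.limit = self.pending.new_limit
            self.audit.append(f"{now} raise to {self.limit} became effective")
            self.pending = None

    def withdrawn_in_window(self, now: int) -> int:
        return sum(amount for ts, amount in self.withdrawals if now - ts < WINDOW_SECONDS)

    def request_withdrawal(self, amount: int, now: int) -> bool:
        """Allow the withdrawal only if it fits under the effective per-window limit."""
        self._apply_pending(now)
        if amount <= 0 or self.withdrawn_in_window(now) + amount > self.limit:
            self.audit.append(f"{now} BLOCKED withdrawal of {amount}")
            return False
        self.withdrawals.append((now, amount))
        return True


def simulate_guard() -> dict:
    """Exercise the breaker with constructed events: an admin key tries to raise the limit
    to 500 trillion tokens and a large withdrawal follows 25 seconds later, then a modest
    governance raise is queued and becomes usable only after the timelock."""
    cb = CircuitBreaker(limit=1_000_000)
    t0 = 1_700_000_000  # constructed timestamp
    raise_result = cb.propose_limit(500_000_000_000_000, t0, "compromised-admin")
    drain_ok = cb.request_withdrawal(200_000_000, t0 + 25)
    legit_result = cb.propose_limit(1_500_000, t0 + 60, "governance")
    early_ok = cb.request_withdrawal(1_200_000, t0 + 120)
    late_ok = cb.request_withdrawal(1_200_000, t0 + 60 + RAISE_TIMELOCK_SECONDS)
    return {"raise_result": raise_result, "drain_ok": drain_ok,
            "legit_result": legit_result, "early_ok": early_ok,
            "late_ok": late_ok, "limit": cb.limit}


if __name__ == "__main__":
    for line in CircuitBreaker(limit=1).audit:
        print(line)
    print(simulate_guard())
```

The audit trail is deliberately part of the object: a rejected or queued raise is exactly the event a monitoring pipeline should alert on, since a legitimate operator rarely needs to raise a drain limit by orders of magnitude, and never with seconds to spare.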