North Korean hackers orchestrated the largest DeFi hack of 2026, draining $285 million from Solana-based Drift Protocol on April 1st in what security experts are calling a highly sophisticated, multi-week operation. The attack began staging on March 11th with infrastructure preparation, including the creation of a fictitious 'CarbonVote Token' that was manipulated to appear worth hundreds of millions.
The exploit combined social engineering, oracle manipulation, and governance vulnerabilities rather than smart contract bugs. Attackers used 'durable nonces' - a legitimate Solana feature - to pre-sign administrative transactions weeks before execution, bypassing multisig security protocols in minutes. The breach was enabled by compromised admin keys and a zero-timelock Security Council migration implemented on March 27th.
Within hours of the attack, stolen funds were converted to USDC and bridged to Ethereum via Circle's Cross-Chain Transfer Protocol, with investigators noting the attackers' brazen confidence in moving hundreds of millions during US business hours. The incident has sparked criticism of Circle for not freezing the stolen USDC transfers and highlighted critical vulnerabilities in DeFi oracle design and governance practices.
