DPRK Lazarus Group Suspected in Drift Protocol $286 Million Solana Theft
Drift Protocol, the leading decentralized perpetual futures exchange on the Solana network, confirmed the exploit after watching its total value locked (TVL) collapse from roughly $550 million to under $250 million in a single morning; it now stands at $232 million. Bitcoin.com News was the first to report on the issue. The DRIFT token dropped as much as 37%–42% in the hours that followed, bottoming near $0.04 to $0.05.
Reports note that the attack began not with a code bug but with a Tornado Cash withdrawal. On March 11, the attacker pulled ETH from the Ethereum-based privacy protocol and used those funds to deploy the carbonvote token, or CVT, on March 12. Blockchain analysts noted that the deployment timestamp corresponded to roughly 09:00 Pyongyang time, a detail that raised immediate flags.
Several reports detail that over the following three weeks, the attacker seeded minimal liquidity for CVT on the Raydium decentralized exchange and used wash trading to keep its price near $1.00. Drift's oracles read that price as legitimate. The attacker had built fake collateral that looked real to every automated system watching it.
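The reason a wash-traded spot price is cheap to maintain and worthless as collateral can be shown with a small pool model. The example below is added here and is not Drift's or Raydium's code; it assumes the CVT pool behaved as a constant-product AMM (x·y = k with a 25 bps swap fee), and the reserve sizes and the 100,000,000 CVT deposit are constructed for illustration, not figures from the incident. It shows three things a listing review should compute from the pool itself rather than from the quoted price: what a round trip of wash trading costs the attacker, how much capital it takes to move the price, and how much USDC a position could actually realize if sold.

```python
"""Thin-liquidity collateral check against a constant-product pool (added example).

Assumption: the CVT/USDC pool is a constant-product AMM (x * y = k) charging a
fee on the input side. Reserves and deposit sizes below are constructed.
"""
from dataclasses import dataclass
import math


@dataclass
class ConstantProductPool:
    token_reserve: float   # CVT in the pool
    quote_reserve: float   # USDC in the pool
    fee_bps: int = 25      # swap fee, taken from the input amount

    def spot_price(self) -> float:
        """Price an oracle would read if it simply divides the reserves."""
        return self.quote_reserve / self.token_reserve

    def _fee_adjusted(self, amount: float) -> float:
        return amount * (1 - self.fee_bps / 10_000)

    def preview_sell(self, token_in: float) -> float:
        """USDC received for selling token_in, without mutating the pool."""
        eff = self._fee_adjusted(token_in)
        return self.quote_reserve * eff / (self.token_reserve + eff)

    def sell_token(self, token_in: float) -> float:
        out = self.preview_sell(token_in)
        self.token_reserve += token_in
        self.quote_reserve -= out
        return out

    def buy_token(self, quote_in: float) -> float:
        eff = self._fee_adjusted(quote_in)
        out = self.token_reserve * eff / (self.quote_reserve + eff)
        self.quote_reserve += quote_in
        self.token_reserve -= out
        return out

    def quote_to_reach_price(self, target_price: float) -> float:
        """USDC a buyer must add to push the spot price up to target_price.

        From x*y = k and p = y/x the post-trade quote reserve is sqrt(k*p);
        fees are ignored, which slightly understates the true cost.
        """
        k = self.token_reserve * self.quote_reserve
        return max(0.0, math.sqrt(k * target_price) - self.quote_reserve)


def wash_round_trip(pool: ConstantProductPool, quote_in: float):
    """Buy then immediately sell back: returns (price after, net USDC lost).

    This is the attacker's maintenance cost per wash trade: only the fees.
    """
    tokens = pool.buy_token(quote_in)
    quote_back = pool.sell_token(tokens)
    return pool.spot_price(), quote_in - quote_back


def collateral_listing_check(pool: ConstantProductPool, proposed_tokens: float,
                             min_realizable_ratio: float = 0.5) -> dict:
    """Compare the mark value (tokens * spot) with what the pool could pay out.

    A risk engine that accepts the mark value is lending against the
    realizable value; the ratio between them is the honest haircut.
    """
    mark_value = proposed_tokens * pool.spot_price()
    realizable = pool.preview_sell(proposed_tokens)
    ratio = realizable / mark_value
    return {
        "mark_value": mark_value,
        "realizable_value": realizable,
        "ratio": ratio,
        "accept": ratio >= min_realizable_ratio,
    }


if __name__ == "__main__":
    # Constructed scenario: 5,000 CVT against 5,000 USDC, so spot reads $1.00.
    pool = ConstantProductPool(token_reserve=5_000, quote_reserve=5_000)
    print("spot price:", pool.spot_price())
    print("USDC to push spot to $4:", pool.quote_to_reach_price(4.0))
    price, cost = wash_round_trip(pool, 100)
    print("price after a $100 wash round trip:", price, "cost to attacker:", cost)
    print(collateral_listing_check(pool, proposed_tokens=100_000_000))
```

With these constructed reserves the pool quotes $1.00, a $100 round trip keeps the price within a basis point of $1.00 and costs the wash trader under $1 in fees, and a deposit marked at $100 million could realize less than $5,000 if sold into the only market that prices it. Any listing rule that reads the pool's spot price without also reading its depth accepts the first number and never sees the second.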
"Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift's Security Council administrative powers," the Drift team wrote.
The project's X account added:
"This was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution."
Reportedly, between March 23 and March 30, the Drift attacker moved to the human layer. Using a legitimate Solana feature called durable nonces, the attacker induced members of Drift's Security Council multisig to pre-sign transactions that appeared routine. A normal Solana transaction references a recent blockhash and expires within about a minute; a durable nonce replaces that blockhash with a value stored in an on-chain nonce account, so a signed transaction stays valid until the nonce is advanced. Those signatures became pre-approved access keys, held in reserve until the attacker was ready.
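What makes a pre-signed transaction durable is visible in its bytes: the recent-blockhash field holds the nonce value instead of a real blockhash, and the first instruction is the System Program's AdvanceNonceAccount. A signer, or the tooling in front of a multisig, can detect that before signing. The example below is added here and is not Drift's code or any wallet's code; it encodes and parses legacy (non-versioned) Solana message bytes and flags the durable-nonce pattern. The System Program id (base58 `11111111111111111111111111111111`) is 32 zero bytes and the AdvanceNonceAccount discriminant is 4 in the SystemInstruction enum, both of which are real constants; the account keys, nonce value and transfer amount are constructed for the example.

```python
"""Flag durable-nonce transactions in raw legacy Solana messages (added example).

Legacy message layout: 3-byte header, compact-u16 array of 32-byte account keys,
32-byte recent blockhash (or nonce value), compact-u16 array of instructions
(program index u8, compact-u16 array of account indexes, compact-u16 array of
data bytes). Versioned (v0) messages begin with a byte whose high bit is set and
are rejected here.
"""
import struct
from typing import List, Tuple

SYSTEM_PROGRAM_ID = bytes(32)   # base58 "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4       # SystemInstruction enum discriminant (u32 LE)
TRANSFER = 2                    # SystemInstruction::Transfer { lamports: u64 }

Instruction = Tuple[int, List[int], bytes]


def encode_shortvec(n: int) -> bytes:
    """Solana compact-u16: 7 bits per byte, high bit = continuation."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n == 0:
            out.append(byte)
            return bytes(out)
        out.append(byte | 0x80)


def decode_shortvec(buf: bytes, pos: int) -> Tuple[int, int]:
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def build_message(header: Tuple[int, int, int], account_keys: List[bytes],
                  blockhash: bytes, instructions: List[Instruction]) -> bytes:
    msg = bytearray(header)
    msg += encode_shortvec(len(account_keys))
    for key in account_keys:
        msg += key
    msg += blockhash
    msg += encode_shortvec(len(instructions))
    for program_index, account_indexes, data in instructions:
        msg.append(program_index)
        msg += encode_shortvec(len(account_indexes)) + bytes(account_indexes)
        msg += encode_shortvec(len(data)) + data
    return bytes(msg)


def parse_message(raw: bytes) -> dict:
    if raw[0] & 0x80:
        raise ValueError("versioned message; this parser handles legacy messages only")
    pos = 3
    n_keys, pos = decode_shortvec(raw, pos)
    keys = [raw[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = raw[pos:pos + 32], pos + 32
    n_ix, pos = decode_shortvec(raw, pos)
    instructions: List[Instruction] = []
    for _ in range(n_ix):
        program_index, pos = raw[pos], pos + 1
        n_acc, pos = decode_shortvec(raw, pos)
        account_indexes, pos = list(raw[pos:pos + n_acc]), pos + n_acc
        n_data, pos = decode_shortvec(raw, pos)
        data, pos = raw[pos:pos + n_data], pos + n_data
        instructions.append((program_index, account_indexes, data))
    if pos != len(raw):
        raise ValueError("trailing bytes after message")
    return {"header": tuple(raw[0:3]), "account_keys": keys,
            "blockhash": blockhash, "instructions": instructions}


def durable_nonce_info(raw: bytes):
    """Return (nonce_account, nonce_authority) when the first instruction is
    SystemProgram::AdvanceNonceAccount, i.e. the signature will not expire;
    otherwise None. AdvanceNonceAccount accounts: [nonce, RecentBlockhashes sysvar, authority]."""
    msg = parse_message(raw)
    if not msg["instructions"]:
        return None
    program_index, account_indexes, data = msg["instructions"][0]
    if msg["account_keys"][program_index] != SYSTEM_PROGRAM_ID:
        return None
    if len(data) != 4 or struct.unpack("<I", data)[0] != ADVANCE_NONCE_ACCOUNT:
        return None
    if len(account_indexes) != 3:
        return None
    keys = msg["account_keys"]
    return keys[account_indexes[0]], keys[account_indexes[2]]


# Constructed keys and values; none of these are real accounts.
SIGNER = bytes([0x11]) * 32                 # council member: fee payer and nonce authority
RECIPIENT = bytes([0x22]) * 32
NONCE_ACCOUNT = bytes([0x33]) * 32
RECENT_BLOCKHASHES_SYSVAR = bytes([0x44]) * 32
RECENT_BLOCKHASH = bytes([0xAA]) * 32       # what a normal tx carries; expires in ~1 min
STORED_NONCE = bytes([0xBB]) * 32           # what a durable-nonce tx carries instead
TRANSFER_DATA = struct.pack("<IQ", TRANSFER, 1_000_000)

# A routine transfer: keys [signer, recipient, system program], 1 signer, 1 readonly.
PLAIN_MSG = build_message((1, 0, 1), [SIGNER, RECIPIENT, SYSTEM_PROGRAM_ID],
                          RECENT_BLOCKHASH, [(2, [0, 1], TRANSFER_DATA)])

# The same transfer made durable: AdvanceNonceAccount first, nonce value as "blockhash".
DURABLE_MSG = build_message(
    (1, 0, 2),
    [SIGNER, RECIPIENT, NONCE_ACCOUNT, RECENT_BLOCKHASHES_SYSVAR, SYSTEM_PROGRAM_ID],
    STORED_NONCE,
    [(4, [2, 3, 0], struct.pack("<I", ADVANCE_NONCE_ACCOUNT)), (4, [0, 1], TRANSFER_DATA)],
)

if __name__ == "__main__":
    for name, raw in (("plain", PLAIN_MSG), ("durable", DURABLE_MSG)):
        print(name, "->", durable_nonce_info(raw))
```

The two messages differ only in the prepended instruction and the value in the blockhash slot, which is why the durable one looks routine in a wallet that only displays the transfer. Signer-side policy for a multisig member is simple once this check exists: refuse to sign, or require an explicit second review, whenever `durable_nonce_info` returns a result, and treat the nonce authority it names as the key whose pre-signature is now held by someone else.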
The last safeguard fell on March 27, when Drift migrated its Security Council to a 2-of-5 signature threshold and removed its timelock entirely. A timelock typically forces a 24-to-72-hour delay on administrative actions, giving the community time to catch and reverse anything suspicious. Without it, the attacker had zero-delay execution authority. The pre-signed transactions were live the moment the timelock was gone.
On April 1, the attacker activated those transactions, listed CVT as valid collateral, raised withdrawal limits, and deposited hundreds of millions in CVT tokens against which Drift's risk engine released real assets. The protocol handed over millions in JLP tokens, millions in USDC, millions in SOL, and smaller amounts of wrapped bitcoin and ethereum. Thirty-one withdrawal transactions cleared in roughly 12 minutes.
The attacker converted the stolen tokens to USDC using Jupiter, bridged to Ethereum, and swapped into tens of thousands of ETH. Some funds were routed through Hyperliquid, and a portion moved on to Binance. On April 3, Drift sent an onchain message from an Ethereum address to four hacker-controlled wallets. The publication cryptonomist.ch reports that the message read:
"We're ready to talk."
Security firms Elliptic and TRM Labs have attributed the attack to DPRK-linked threat actors, citing the Tornado Cash origin, the Pyongyang-time deployment signature, the social engineering focus, and the post-hack laundering velocity. The Lazarus Group used the same patience and human-targeting approach in the 2022 Ronin bridge hack. The U.S. government has tied these thefts to North Korea's weapons program funding, and Elliptic has tracked over $300 million stolen in the first quarter of 2026 alone.
The contagion spread to more than 20 protocols. Prime Numbers Fi reported losses in the millions. Carrot Protocol paused mint and redeem functions after 50% of its TVL was affected. Pyra Protocol disabled withdrawals entirely, leaving all user funds inaccessible. Piggybank lost $106,000 and reimbursed users from its own team treasury.
DeFi Development Corp., a Nasdaq-listed company with a Solana treasury strategy, confirmed on April 1 that it had no Drift exposure. Its risk framework excluded the protocol entirely. That fact drew more attention than the company likely intended.
The Drift incident produced one clear lesson that much of the industry already knew but had not fully applied: a timelock is not optional. The removal of that single safeguard on March 27 converted a complex, multi-week attack into a 12-minute cash-out. Protocol governance with no delay mechanism is governance with an open door.
The 48 hours following the attack were described as critical for Drift's ability to retain user trust and map a recovery path. As of April 3, no comprehensive reimbursement plan had been announced.
FAQ 🔎
What happened to Drift Protocol?
Attackers drained $286 million from Drift Protocol on April 1, 2026, using fake collateral and pre-signed administrative transactions to empty the protocol's core vaults in 12 minutes.

Who is responsible for the Drift Protocol hack?
Security firms, including Elliptic and TRM Labs, have attributed the attack to DPRK-linked threat actors, citing laundering patterns and onchain timestamps consistent with Lazarus Group tradecraft.

Is my money safe on Drift Protocol?
Drift suspended all deposits and withdrawals following the attack; users of affected protocols like Pyra and Carrot remain unable to access funds as of April 3, 2026.

What is a durable nonce attack in Solana DeFi?
A durable nonce attack uses a legitimate Solana feature to pre-sign transactions that look routine, holding them as live authorization keys until the attacker chooses to execute them.

