North Korean hackers pulled off the biggest Solana DeFi heist to date. They spent six months posing as legitimate traders before stealing $270 million from Drift Protocol on April 1, 2026. The attack shows that state-backed hackers now play the long game in crypto theft.
Drift, a leading perpetual-futures exchange on Solana, saw its vaults drained in under a minute. The team said it was no April Fools' joke and, after a detailed investigation, attributed the attack to a North Korea-linked group.
Attackers Build Trust Over Six Months
The attackers first surfaced in fall 2025 at a major crypto conference, posing as Vortex Quant, a quantitative trading firm with credible résumés and technical expertise.
They joined Drift's Ecosystem Vault, deposited more than $1 million of real capital, and discussed trading strategies on Telegram. Drift's team met them in person at conferences in several countries through early 2026.
One detail stands out: the group waited nearly half a year before striking, turning patience into profit.
This slow build let them pass the usual due-diligence checks. They held working sessions across time zones and demonstrated a functioning trading operation.
Durable Nonce Trick Drains Vaults Fast
The attack used Solana's durable nonce feature. An ordinary Solana transaction references a recent blockhash and expires within roughly a minute; a durable-nonce transaction instead references a value stored in a dedicated nonce account and stays valid until that nonce is advanced, so it can be signed offline and submitted long afterwards.
The attackers obtained signatures from two of the five signers on Drift's Security Council multisig by compromising their devices, using a malicious TestFlight app and a flaw in the VS Code or Cursor editor.
The pre-signed transactions, each bound to a durable nonce, were held for more than a week. On April 1 the attackers submitted them.
The attack unfolded in these steps:
- Create a fake CarbonVote token and inflate its price with wash trades.
- Reassign Security Council powers with no timelock delay.
- List the fake token as collateral, assigning it an inflated value in the millions.
- Raise the withdrawal limits.
- Withdraw funds, including 41 million JLP and 2,200 wETH, in about 10 seconds.
No bug in Drift's code was exploited; the attack succeeded by deceiving the people who held the keys.
| Asset stolen | Value |
|---|---|
| JLP tokens | $155.6M |
| USDC | $60.4M |
| wETH, WBTC, others | Remainder of the $270M total |
The funds were swapped through Jupiter and Backpack's DEX, bridged to Ethereum via Wormhole, and then sent through mixers.
North Korean Group Leaves Clear Tracks
Drift attributed the attack to UNC4736 with medium-to-high confidence. This North Korea-linked group is also tracked as Citrine Sleet and AppleJeus.
According to Mandiant, the on-chain trail matches the group's 2024 Radiant Capital hack, and the fund flows reached wallets previously tied to DPRK operations.
Elliptic and TRM Labs corroborated the attribution. They count 18 North Korean crypto thefts so far in 2026, totalling more than $300 million.
Over the past year the group stole about $2 billion. Experts say the stolen crypto funds North Korea's weapons programs.
The group uses fake identities and intermediaries for in-person meetings. Not all of its representatives were Korean; they were professionals with established cover histories.
DeFi Faces New Security Headaches
Drift immediately halted deposits and withdrawals. TVL fell from $550 million to $252 million, and the DRIFT token dropped 30 percent.
Dependent projects such as Reflect paused payouts, and users pulled liquidity.
The team is working with law enforcement and specialists including Mandiant, and warns every DeFi protocol to audit each device used by its multisig signers.
A multisig feels safe, but a patient adversary willing to invest months and real money can defeat it by compromising enough signers.
Durable nonces are useful for institutional signers, but they also let a transaction signed long ago be submitted at a moment of the attacker's choosing. A signature, once given, cannot be recalled; a pending durable-nonce transaction is only invalidated if the nonce account's authority advances the nonce before it is submitted.
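As an added example, not code from Drift or from the Solana project, the toy model below simulates the durable-nonce behaviour described in the "Durable Nonce Trick" section and in the paragraph above: an ordinary transaction dies after its blockhash window, a durable-nonce transaction still lands after a long delay, the same signed bytes cannot be replayed because execution advances the nonce, and only the nonce authority can invalidate a pending transaction by advancing the nonce out of band. The cluster, account names and signer keys (`Cluster`, `council_nonce`, `signer_a`) are invented for illustration, and the 150-slot blockhash lifetime is Solana's documented expiry window.

```python
# Added example: a toy model of Solana durable-nonce semantics (not Drift code).
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Ordinary Solana transactions expire about 150 blocks (~1 minute) after the
# blockhash they reference; durable-nonce transactions have no such expiry.
BLOCKHASH_TTL_SLOTS = 150


def _fresh_hash() -> str:
    return hashlib.sha256(secrets.token_bytes(32)).hexdigest()[:16]


@dataclass
class NonceAccount:
    authority: str   # only this key may advance (and so invalidate) the nonce
    nonce: str       # the stored value a durable tx uses in place of a blockhash


@dataclass(frozen=True)
class Transaction:
    blockhash: str                 # recent blockhash, or a nonce account's value
    nonce_account: Optional[str]   # name of the nonce account, None if ordinary
    signers: frozenset             # keys that signed the message
    payload: str                   # the instructions, opaque in this model


class Cluster:
    """Minimal ledger: tracks slots, blockhashes, nonce accounts and landed txs."""

    def __init__(self) -> None:
        self.slot = 0
        self.block_slots: dict[str, int] = {}
        self.nonces: dict[str, NonceAccount] = {}
        self.executed: list[str] = []
        self.tick()

    def tick(self, slots: int = 1) -> None:
        for _ in range(slots):
            self.slot += 1
            self.block_slots[_fresh_hash()] = self.slot

    def latest_blockhash(self) -> str:
        return max(self.block_slots, key=self.block_slots.__getitem__)

    def create_nonce(self, name: str, authority: str) -> str:
        self.nonces[name] = NonceAccount(authority, _fresh_hash())
        return self.nonces[name].nonce

    def advance_nonce(self, name: str, signer: str) -> bool:
        """Out-of-band AdvanceNonceAccount: the only way to recall pre-signed txs."""
        acct = self.nonces[name]
        if signer != acct.authority:
            return False
        acct.nonce = _fresh_hash()
        return True

    def submit(self, tx: Transaction) -> tuple[bool, str]:
        if tx.nonce_account is None:
            slot = self.block_slots.get(tx.blockhash)
            if slot is None or self.slot - slot > BLOCKHASH_TTL_SLOTS:
                return False, "blockhash expired"
        else:
            acct = self.nonces[tx.nonce_account]
            # a durable tx must begin with AdvanceNonce signed by the authority
            if acct.authority not in tx.signers:
                return False, "nonce authority did not sign"
            if tx.blockhash != acct.nonce:
                return False, "stale nonce"
            acct.nonce = _fresh_hash()   # advancing on execution blocks replay
        self.executed.append(tx.payload)
        return True, "ok"


def durable_nonce_demo() -> dict[str, tuple[bool, str]]:
    c = Cluster()
    council = frozenset({"signer_a", "signer_b"})   # hypothetical compromised signers
    results: dict[str, tuple[bool, str]] = {}

    # 1. An ordinary tx signed now is dead once the blockhash window has passed.
    ordinary = Transaction(c.latest_blockhash(), None, frozenset({"signer_a"}), "ordinary")
    c.tick(500)
    results["ordinary_after_delay"] = c.submit(ordinary)

    # 2. A durable tx signed now still lands after a long delay (the "week").
    nonce = c.create_nonce("council_nonce", authority="signer_a")
    durable = Transaction(nonce, "council_nonce", council, "lift withdrawal caps")
    c.tick(5000)
    results["durable_after_delay"] = c.submit(durable)

    # 3. Submitting the same signed bytes again fails: the nonce has advanced.
    results["durable_replay"] = c.submit(durable)

    # 4. Revocation: the authority advances the nonce before the attacker submits.
    nonce2 = c.create_nonce("other_nonce", authority="signer_a")
    pending = Transaction(nonce2, "other_nonce", council, "add fake collateral")
    c.advance_nonce("other_nonce", signer="signer_a")
    results["durable_after_revoke"] = c.submit(pending)

    # 5. A signer who is not the nonce authority cannot revoke, so the tx lands.
    nonce3 = c.create_nonce("third_nonce", authority="signer_a")
    pending3 = Transaction(nonce3, "third_nonce", council, "withdraw")
    c.advance_nonce("third_nonce", signer="signer_b")
    results["revoke_by_non_authority"] = c.submit(pending3)
    return results
```

The defensive takeaway is case 4: if a signer's device is suspected of compromise, enumerate every nonce account whose authority is that signer or the council and advance each one, which kills any transaction signed against the old nonce values. Case 5 shows why this has to be done by the nonce authority itself; a co-signer noticing something wrong cannot unilaterally recall what has already been signed.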
This is the largest loss ever suffered by a native Solana DeFi protocol, exceeding earlier bridge incidents.
Drift is pursuing recovery; Circle may be able to freeze some of the stolen USDC.
The attack undermines confidence in DeFi's safeguards. State-backed adversaries now impersonate legitimate users convincingly and over long periods. Protocols must vet partners more rigorously, monitor nonce accounts tied to privileged signers, and train staff to recognise social engineering.
Users are affected too. High yields are tempting, but admin keys remain the weak point. Diversify across protocols, prefer DAO-governed ones, and read the audits.
The crypto industry moves fast, yet old risks persist. North Korea's success underlines a hard truth: technology alone will not stop skilled, patient operators.