What Happened
Solana-based decentralized exchange Drift confirmed that attackers drained approximately $285 million from the platform on April 1, 2026. The attack was notable for what it wasn’t: Drift stated the breach did not exploit a vulnerability in its programs or smart contracts, and there is no evidence of compromised seed phrases.
Instead, it was a sophisticated social engineering operation. The attackers obtained sufficient multisig approvals and executed a malicious admin transfer within minutes to gain control of protocol-level permissions, ultimately using that access to introduce a malicious asset and remove all pre-set withdrawal limits.
How the Attack Worked
Drift described the incident as involving “unauthorized or misrepresented transaction approvals obtained prior to execution, likely facilitated through durable nonce mechanisms.” Preparations for the hack were underway as early as March 23, 2026 — more than a week before execution.
The CarbonVote Token was central to the scheme. According to TRM Labs, the attacker manufactured an entirely fictitious asset with a few thousand dollars in seeded liquidity and wash trading, and Drift’s oracles treated it as legitimate collateral worth hundreds of millions of dollars. The blockchain intelligence firm also noted that the CarbonVote Token was deployed at 09:30 Pyongyang time.
TRM Labs characterized the critical vulnerability not as a smart contract bug, but as a combination of social engineering multisig signers into pre-signing hidden authorizations and a zero-timelock Security Council migration that eliminated the protocol’s last line of defense.
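As an added illustration (Python, not Drift's code and not from either report), here is the kind of signer-side check a multisig participant could run on a Solana legacy message before approving it: it parses the message and flags whether its first instruction is the System Program's AdvanceNonceAccount, which is what makes a transaction durable (it never expires, so a signature collected today can be held and broadcast whenever the holder chooses). The account keys and message bytes are constructed for the example; the layout is Solana's legacy message wire format, and versioned (v0) messages are rejected rather than parsed.

```python
import struct
SYSTEM_PROGRAM_ID = bytes(32)  # base58 "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4      # SystemInstruction enum index, encoded as bincode u32 LE

def read_compact_u16(buf: bytes, pos: int):
    """Decode Solana's compact-u16 length prefix (7 data bits per byte, max 3 bytes)."""
    value, shift = 0, 0
    while True:
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def parse_legacy_message(msg: bytes):
    """Split a legacy Solana message into (account keys, blockhash field, instructions)."""
    if msg[0] & 0x80:
        raise ValueError("versioned (v0) message: not handled by this parser")
    pos = 3                                   # header: three u8 signer/readonly counts
    n_keys, pos = read_compact_u16(msg, pos)
    keys, pos = [msg[pos + 32 * i: pos + 32 * i + 32] for i in range(n_keys)], pos + 32 * n_keys
    blockhash, pos = msg[pos:pos + 32], pos + 32   # carries the nonce value when durable
    n_ix, pos = read_compact_u16(msg, pos)
    instructions = []
    for _ in range(n_ix):
        program, pos = keys[msg[pos]], pos + 1
        n_acc, pos = read_compact_u16(msg, pos)
        accounts, pos = [keys[i] for i in msg[pos:pos + n_acc]], pos + n_acc
        n_data, pos = read_compact_u16(msg, pos)
        data, pos = msg[pos:pos + n_data], pos + n_data
        instructions.append((program, accounts, data))
    return keys, blockhash, instructions

def uses_durable_nonce(msg: bytes) -> bool:
    """True if ix[0] is SystemProgram::AdvanceNonceAccount on [nonce, sysvar, authority]."""
    ixs = parse_legacy_message(msg)[2]
    if not ixs:
        return False
    program, accounts, data = ixs[0]
    return (program == SYSTEM_PROGRAM_ID and len(accounts) == 3 and len(data) == 4
            and struct.unpack("<I", data)[0] == ADVANCE_NONCE_ACCOUNT)

def build_sample(durable: bool) -> bytes:
    """Constructed message: keys = signer, nonce acct, recipient, RecentBlockhashes sysvar, System Program."""
    keys = [bytes([1]) * 32, bytes([2]) * 32, bytes([3]) * 32, bytes([4]) * 32, SYSTEM_PROGRAM_ID]
    transfer = bytes([4, 2, 0, 2, 12]) + struct.pack("<IQ", 2, 1_000_000)  # SystemInstruction::Transfer
    advance = bytes([4, 3, 1, 3, 0, 4]) + struct.pack("<I", ADVANCE_NONCE_ACCOUNT)
    ixs = ([advance] if durable else []) + [transfer]
    return (bytes([1, 0, 2]) + bytes([len(keys)]) + b"".join(keys)   # header, keys,
            + bytes(32) + bytes([len(ixs)]) + b"".join(ixs))         # blockhash/nonce, ixs
```

A signing tool that surfaces this flag next to the human-readable instruction list lets a signer notice that what they are approving has no expiry, which is the property a pre-signed hidden authorization depends on.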
DPRK Attribution
Both Elliptic and TRM Labs have pointed to North Korea. On-chain indicators include the use of Tornado Cash for initial staging, as well as cross-chain bridging patterns and the speed and scale of post-hack laundering consistent with attacks previously attributed to North Korean threat actors, including the Bybit exploit of 2025.
Elliptic noted that, if confirmed, this would represent the eighteenth DPRK-linked incident it has tracked since the start of 2026, with more than $300 million stolen to date. The firm has linked DPRK crypto theft to the funding of the regime’s weapons programs, and estimates that DPRK-linked actors have stolen over $6.5 billion in cryptoassets in recent years. Last year alone was a record: the North Korean cryptoasset theft operation is estimated to have netted $2 billion in 2025, approximately $1.46 billion of which came from the Bybit hack in February of that year.
The Broader Campaign
The Drift incident didn’t occur in isolation. The same day, multiple security vendors including Google, Microsoft, CrowdStrike, and Sophos attributed a supply chain compromise of the popular Axios npm package to a North Korean hacking group called UNC1069, which overlaps with BlueNoroff, CryptoCore, and Stardust Chollima.
The primary initial access pathway for these attacks remains social engineering — leveraging persuasive personas and decoys to target the cryptocurrency and Web3 sectors through campaigns tracked as DangerousPassword and Contagious Interview. Combined gains from those twin campaigns total $37.5 million so far in 2026.
Elliptic’s broader warning is stark: the evolution of DPRK social engineering techniques, combined with the increasing availability of AI to refine and perfect these methods, means the threat extends well beyond exchanges — individual developers, project contributors, and anyone with access to cryptoasset infrastructure is a potential target.
Status
Drift said it is coordinating with multiple security firms to determine the full cause of the incident and is working with bridges, exchanges, and law enforcement to trace and freeze the stolen assets.
