Drift Protocol, the largest decentralised perpetual futures exchange on the Solana blockchain, suffered a $285 million exploit on April 1, 2026 — draining more than half its total value locked in approximately 12 minutes. Blockchain forensics firms TRM Labs and Elliptic have both attributed the attack, with medium confidence, to actors linked to North Korea’s Lazarus Group.

The attack was not a smart contract bug. According to Drift’s post-mortem and subsequent investigation, it was the culmination of a six-month social engineering operation in which DPRK-linked actors posed as a quantitative trading firm, built relationships with Drift contributors, deposited over $1 million of their own funds to establish credibility, and gradually embedded themselves in the protocol’s ecosystem.

The attackers then exploited Solana’s “durable nonces” feature — which allows transactions to be signed in advance and executed later — to trick Drift Security Council members into unknowingly pre-signing transactions that transferred administrative control to attacker-controlled addresses. Once in possession of the admin keys, the attackers whitelisted a fabricated token called “CarbonVote Token” (CVT) as valid collateral. CVT had been created weeks earlier, seeded with a $500 liquidity pool on Raydium, and wash-traded to establish an artificial $1 price. The attackers deposited hundreds of millions of CVT, used its manipulated oracle price to inflate their collateral position, and executed 31 rapid withdrawals — draining USDC, SOL, JLP, WBTC, and other real assets within 12 minutes.
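To make the collateral-side failure concrete, the following is an added illustration (not code from Drift's post-mortem or the protocol): it values a deposit not at the oracle's spot price but at what liquidating it into its own pool would actually realise. The pool is modelled as a fee-free constant-product AMM, the 300M CVT deposit, the pool reserves and the comparison asset are constructed figures, and the 0.8 acceptance threshold is an assumption.

```python
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Simplified x*y=k AMM pool (assumption: fee-free constant product)."""
    token_reserve: float   # units of the collateral token held by the pool
    quote_reserve: float   # units of the USD quote asset (e.g. USDC) held by the pool

    def spot_price(self) -> float:
        # Marginal price a pool-reading oracle would report.
        return self.quote_reserve / self.token_reserve

    def quote_out(self, token_in: float) -> float:
        # Quote received for selling token_in into the pool; can never exceed quote_reserve.
        k = self.token_reserve * self.quote_reserve
        return self.quote_reserve - k / (self.token_reserve + token_in)


def assess_collateral(pool: ConstantProductPool, deposit: float,
                      oracle_price: float, min_ratio: float = 0.8) -> dict:
    """Compare face value at the oracle price with what liquidating the whole
    deposit into the pool would realise; accept only if the realisable share
    clears min_ratio (threshold is an assumption)."""
    face_value = deposit * oracle_price
    realisable = pool.quote_out(deposit)
    ratio = realisable / face_value if face_value else 0.0
    return {
        "face_value": face_value,
        "realisable": realisable,
        "ratio": ratio,
        "accept": ratio >= min_ratio,
    }


# Constructed figures: a pool seeded with $500 of liquidity and wash-traded
# to a $1 spot price, then a 300M-token deposit valued at that price.
CVT_POOL = ConstantProductPool(token_reserve=250.0, quote_reserve=250.0)
CVT_DEPOSIT = 300_000_000.0

# Constructed comparison: a deeply liquid stable asset and a 1M deposit.
DEEP_POOL = ConstantProductPool(token_reserve=50_000_000.0, quote_reserve=50_000_000.0)
DEEP_DEPOSIT = 1_000_000.0

if __name__ == "__main__":
    for name, pool, amt in (("CVT", CVT_POOL, CVT_DEPOSIT), ("deep", DEEP_POOL, DEEP_DEPOSIT)):
        r = assess_collateral(pool, amt, pool.spot_price())
        print(f"{name}: face ${r['face_value']:,.0f} realisable ${r['realisable']:,.2f} "
              f"ratio {r['ratio']:.2e} accept={r['accept']}")
```

Whatever the oracle reports, the realisable value of the whole CVT position is bounded by the roughly $250 of quote asset in the pool, so the deposit is rejected while the deep-liquidity asset passes.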

Drift’s TVL collapsed from approximately $550 million to under $250 million. The DRIFT governance token fell more than 40%. A dozen Solana protocols with exposure to Drift liquidity paused operations or assessed losses.

On-chain analyst ZachXBT criticised Circle for failing to freeze stolen USDC as it was bridged from Solana to Ethereum via Circle’s own Cross-Chain Transfer Protocol.

What an investigator sees

The Drift attack demonstrates a further evolution in the Lazarus Group’s operational methodology. At Ronin in 2022, Lazarus compromised an employee through a fake LinkedIn job offer. At Bybit in February 2025, they compromised a third-party wallet provider’s developer. At Drift, they spent six months infiltrating the protocol’s governance structure, posing as legitimate ecosystem participants, depositing real money, and building trust — then used that trust to get legitimate signers to unknowingly authorise their own compromise.

The sophistication curve is accelerating. The attack combined social engineering, governance manipulation, oracle fraud, synthetic asset creation, and exploitation of a legitimate blockchain feature (durable nonces) into a single coordinated operation. No single security measure — audits, multi-sig, access controls — would have prevented it. The defence required was holistic operational security of the kind that most DeFi protocols do not maintain.

Combined with the Kelp DAO hack 17 days later, Lazarus-linked actors drained over $575 million from DeFi in April 2026 alone — through two completely different attack vectors against two completely different architectural targets. The adversary is not repeating itself. It is diversifying.
