North Korea-linked Drift Protocol exploit drains $285M in 12 minutes

North Korea-linked hackers exploited the Drift Protocol on April 1, stealing about $285M in one of the largest DeFi hacks of 2026. Drift says the attack was a six-month intelligence operation aimed at a governance compromise. The Drift Protocol exploit used a fake token (CarbonVote/CVT) to manipulate Drift price oracles, making malicious collateral appear legitimate. Attackers then abused Solana durable nonces with pre-signed transactions to automate withdrawals—31 rapid transfers in roughly 12 minutes. Drift also highlights a social-engineering phase starting around October 2025, when attackers posed as a quantitative trading firm and built relationships with contributors before targeting multisig/admin access. Elliptic and TRM Labs attributed the activity to DPRK. Market read-through for traders: DRIFT fell more than 40%, and Drift TVL reportedly dropped from ~$550M to under $250M. Some Solana-dependent protocols paused operations. The incident renewed scrutiny of cross-chain controls tied to USDC/Circle’s CCTP, with commentary suggesting faster freezes could have reduced damage. If you trade DRIFT, expect higher volatility, tighter risk limits on Solana perp/DeFi liquidity, and potential knock-on hedging flows tied to USDC and derivatives.