
When Hackers Become Coworkers: Inside the Six-Month North Korean Operation That Drained $285M From Drift Protocol

Dora Noda, Software Engineer · 16 min read

The $285 million heist took 12 minutes. The setup took six months.

When attackers drained Drift Protocol — the largest perpetual futures DEX on Solana — at 16:05 UTC on April 1, 2026, they did not exploit a smart contract bug, manipulate an oracle, or break any cryptography. They simply submitted two transactions that the protocol's own Security Council had already signed. Four months earlier, in December 2025, those same attackers had walked through Drift's front door as a "quantitative trading firm," deposited over $1 million of their own capital, attended working sessions with contributors, and shaken hands with the team at industry conferences across multiple continents. They were not strangers, malicious URLs, or anonymous wallet addresses. They were colleagues.

This is the new face of crypto's most dangerous adversary, and it should reset every assumption DeFi has made about how to defend itself. The North Korean operatives behind the Drift exploit — most likely TraderTraitor / UNC4736, the same Lazarus Group offshoot tied to the $1.5 billion Bybit theft — did not need to defeat Drift's audits, governance, or multisig. They needed only to be patient enough to be trusted.

The 12-Minute Heist That Took Six Months to Build

The on-chain evidence reads like a thriller. According to Drift's incident post-mortem and BlockSec's forensic reconstruction, the attackers established their cover in late 2025 by onboarding an "Ecosystem Vault" on Drift, submitting trading strategy documentation, and joining multiple working sessions with the protocol's contributors. By February and March 2026, Drift team members were meeting their counterparts face-to-face at major industry conferences. By the time of the attack, the relationship was almost six months old — well past the threshold where most security teams stop scrutinizing a counterparty as an outsider.

The technical execution exploited a specific Solana primitive: durable nonces. A normal Solana transaction must reference a recent blockhash and becomes invalid once that blockhash is roughly 150 slots old, about a minute to a minute and a half. A durable-nonce transaction instead puts the value stored in an on-chain nonce account where the blockhash would go and carries a System Program AdvanceNonceAccount instruction as its first instruction; it stays valid until that nonce is advanced, so a transaction signed today can be broadcast days or weeks later. The feature exists for offline signing, scheduled disbursements, and treasury workflows. In the hands of a patient adversary, the same convenience becomes a time bomb.

On March 23, 2026, four durable nonce accounts appeared on-chain — two linked to Drift Security Council members, two controlled by the attacker. By that point, two of five council signers had already endorsed innocuous-looking transactions tied to those nonces. With a 2-of-5 threshold, the attacker had pre-collected the approvals needed to seize admin control. A planned council migration on March 27 briefly invalidated those signatures, but by March 30 a fresh durable nonce account tied to a member of the new multisig appeared — the attacker had simply re-collected the threshold under the new configuration.

Then came April 1. At 16:05:18 UTC, the first pre-signed transaction proposed transferring the admin key. One second later, the second pre-signed transaction approved it. The Security Council had effectively signed away its own keys weeks earlier, without realizing what those individual signatures would later be combined into.

Durable Nonces Plus Social Trust Equals a New Class of Governance Risk

The Drift incident is being filed under "multisig compromise," but that label undersells what actually broke. Multisig governance assumes that obtaining a threshold of signatures requires either compromising distinct keys (hard) or coordinating distinct humans into approving the same malicious action (very hard). Durable nonces collapse the second assumption: signers can be tricked into approving fragments of an attack one transaction at a time, weeks apart, with no awareness that their individual signatures will eventually be assembled into a single fatal sequence.

This is what BlockSec calls a transaction-intent gap: wallets and signing UIs show signers what bytes they are signing, but rarely the full semantic implications of what those bytes will do once combined with other signatures the attacker controls. The traditional defense — "more signers, hardware wallets, careful review" — does not address the underlying problem, because every individual signer behaved correctly. The system as a whole still failed.

Worse, the attacker did not have to compromise any signer's key. Phishing or social-engineering a busy contributor into approving a benign-looking durable nonce transaction is dramatically easier than stealing a hardware wallet seed. As one Drift insider told DL News after the breach, the lesson is uncomfortable for DeFi: "We have to mature, or we don't deserve to be the future of finance."

Lazarus's Pivot: From Smash-and-Grab to Long-Term Implantation

To understand why the Drift attack matters beyond Drift, look at the trajectory of North Korea's crypto operations.

In 2025, DPRK actors stole $2.02 billion across 30+ incidents — accounting for 76% of all service compromises and pushing the regime's cumulative crypto theft past $6.75 billion since tracking began. The defining incident of that year was the $1.5 billion Bybit theft in February 2025, still the largest single heist on record. The Bybit attack used a malicious JavaScript injection delivered through a compromised Safe{Wallet} developer machine — a sophisticated supply-chain technique, but still external: the attackers were never on Bybit's payroll, never sat in their meetings, never built relationships with their team.

Compare that to 2026. KelpDAO was drained for ~$290 million on April 18, with preliminary attribution again pointing at Lazarus. Drift cost $285M and required a $150M Tether-led bailout just to keep depositors whole. Both attacks involved insider positioning that would have been unthinkable for the smash-and-grab Lazarus of 2022.

The shift is structural. Lazarus's traditional crypto playbook — exemplified by the Ronin Bridge ($625M, 2022) and Bybit — relied on penetrating perimeter defenses: malicious LinkedIn job offers to engineers, weaponized PDF resumes, supply-chain compromises of dev tools. These attacks still work, but they are getting more expensive. As more protocols deploy hardware wallets, multisig, and key-ceremony hygiene, the cost of breaking in from the outside rises. The cost of being invited inside, by contrast, falls — because the crypto industry hires fast, hires globally, and hires anonymously.

The DPRK IT Worker Army Hiding in Plain Sight

The Drift compromise sits at the intersection of two North Korean programs that have, until recently, been treated as separate threats: Lazarus's elite hacking units and the regime's massive remote IT worker scheme.

In March 2026, the U.S. Treasury's Office of Foreign Assets Control sanctioned six DPRK-linked individuals and two entities for orchestrating fraudulent IT employment that generated nearly $800 million in 2024 alone to fund the regime's WMD and ballistic missile programs. Among the sanctioned: Nguyen Quang Viet, CEO of Vietnam-based Quangvietdnbg International Services, who allegedly converted ~$2.5 million into crypto for North Korean actors between 2023 and 2025.

The scale is staggering. A recent Ethereum Foundation-backed probe identified 100 DPRK operatives currently embedded in crypto firms, and the UN Panel of Experts has long estimated that thousands of DPRK nationals work remotely for companies worldwide. CNN's August 2025 investigation found DPRK operatives have penetrated the supply chains of nearly every Fortune 500 company, often through "facilitators" — typically Americans willing to host laptops in their homes for a fee, providing US IP addresses for the operatives to log into.

The tactics have also evolved beyond passive employment. According to Chainalysis's analysis, DPRK operatives have shifted toward impersonating recruiters at prominent Web3 and AI firms, building convincing multi-company "career portals," and weaponizing the resulting access to introduce malware, exfiltrate proprietary data, or — as in Drift's case — establish trusted business relationships that pay off months later.

Detection is hard but not impossible. SpyCloud and Nisos have documented recurring patterns: AI-generated profile photos, reluctance to appear on video, demands for crypto-only payment, residency claims that don't match IP geolocation, refusals to use company-provided devices, and email-handle conventions that lean heavily on birth years, animals, colors, and mythology. None of these signals is decisive on its own. Together, they form a profile that any DeFi hiring manager should be able to recite.

Why Audits, Multisig, and KYC All Fail Against Nation-State Insiders

The most uncomfortable implication of Drift is that the entire DeFi security stack was designed for a different threat model.

Smart contract audits examine code, not contributors. A clean audit from Trail of Bits, OpenZeppelin, or Quantstamp tells you the protocol's bytecode does what it claims. It tells you nothing about who has admin keys, who can call upgrade functions, or who is sitting in the Discord channel where Security Council members coordinate signatures. Drift's contracts were not exploited. Its people were.

Multisig governance assumes honest signers. A 2-of-5 or 4-of-7 multisig defends against a single key compromise or a single rogue insider. It does not defend against a coordinated social-engineering campaign that tricks several legitimate signers into approving fragments of an attack across weeks of pre-signed durable nonce transactions. Even raising the threshold to 5-of-9 only makes the attacker's job marginally harder if they have unlimited time and a credible business cover.

KYC and background checks fail against fabricated identities. Nation-state operatives use stolen US identities, AI-generated photos, and laundered employment histories that pass standard verification. The Treasury's March 2026 sanctions specifically called out the use of "compliant exchanges, hosted wallets, DeFi services, and cross-chain bridges" by these networks — the same KYC-rated infrastructure that the rest of the industry assumes is safe.

Pseudonymous contributors are a feature, not a bug — until they aren't. DeFi's culture celebrates pseudonymity. Many of the most respected developers in the space operate under aliases, contribute via GitHub commits and Discord handles, and never meet their colleagues in person. That culture is incompatible with the Drift threat model, where six months of trust-building is precisely what the attacker invested.

What Defense-in-Depth Looks Like for the New Threat Model

Drift is not the end of this story; it is the template. Every protocol with admin keys, governance multisig, or significant treasury exposure is now vulnerable to the same playbook. Several practical hardening measures have emerged from the post-mortem analyses.

Transaction-level intent verification, not signer-level trust. Tools like BlockSec's transaction simulation, Tenderly, OpenZeppelin Defender, and Wallet Guard surface the economic effect of a transaction before signers approve. Simulation has a blind spot here, though: run in isolation, a single pre-signed fragment can look harmless, because the damage only materializes when it is combined with the other fragments the attacker already holds. The signing policy therefore also has to judge the shape of the transaction itself: a durable-nonce transaction whose signature will outlive any review is a red flag for a governance signer regardless of what it appears to do. The default UX of "sign this hash" must die.

Aggressive timelocks for governance actions. A 24- to 72-hour timelock on admin key transfers, contract upgrades, and treasury moves gives the community time to detect anomalous proposals. Drift's admin handover happened in two transactions one second apart. A 48-hour delay would have been a 48-hour window for the Security Council to notice that they were about to lose control.
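As an added illustration of the delay described above (this is not Drift's governance code; the 48-hour delay, the action name and the timestamps are illustrative, and a real deployment enforces the rule inside the on-chain multisig or governance program), here is a minimal timelock queue that replays the April 1 sequence: propose at 16:05:18 UTC, attempt execution one second later, then after the window, then after a cancellation.

```python
# Added example, not Drift's code: a minimal governance timelock modelled in Python so the
# delay policy can be exercised offline. MIN_DELAY, the action name and timestamps are
# illustrative assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone

MIN_DELAY = 48 * 3600  # seconds: 48-hour window for admin transfers, upgrades, treasury moves


@dataclass
class Proposal:
    action: str
    eta: int                 # earliest Unix time at which execution is allowed
    cancelled: bool = False
    executed: bool = False


@dataclass
class Timelock:
    min_delay: int = MIN_DELAY
    proposals: dict = field(default_factory=dict)
    next_id: int = 0

    def propose(self, action: str, now: int) -> int:
        """Queue an action; it cannot run before now + min_delay."""
        pid = self.next_id
        self.next_id += 1
        self.proposals[pid] = Proposal(action, now + self.min_delay)
        return pid

    def cancel(self, pid: int) -> None:
        # Anyone watching the queue (council, guardian, community) can kill it inside the window.
        self.proposals[pid].cancelled = True

    def execute(self, pid: int, now: int) -> str:
        p = self.proposals[pid]
        if p.cancelled:
            raise PermissionError("proposal was cancelled")
        if p.executed:
            raise PermissionError("proposal already executed")
        if now < p.eta:
            raise PermissionError(f"{p.eta - now}s of timelock remain for '{p.action}'")
        p.executed = True
        return p.action


def replay_drift_sequence() -> tuple:
    """Propose at T (16:05:18 UTC), execute at T+1s, after the delay, and after a cancel.

    Returns (executed_at_t_plus_1s, executed_after_delay, cancelled_proposal_executed).
    """
    t0 = int(datetime(2026, 4, 1, 16, 5, 18, tzinfo=timezone.utc).timestamp())
    tl = Timelock()
    pid = tl.propose("transfer_admin_key", t0)
    try:
        tl.execute(pid, t0 + 1)             # the one-second follow-up transaction
        immediate = True
    except PermissionError:
        immediate = False
    after_delay = tl.execute(pid, t0 + MIN_DELAY) == "transfer_admin_key"
    pid2 = tl.propose("transfer_admin_key", t0)
    tl.cancel(pid2)                          # a signer noticed the queued handover
    try:
        tl.execute(pid2, t0 + MIN_DELAY)
        cancelled_executed = True
    except PermissionError:
        cancelled_executed = False
    return immediate, after_delay, cancelled_executed


if __name__ == "__main__":
    print(replay_drift_sequence())
```

The point of the replay is the first value: with a delay in front of admin-key transfers, the one-second approval that drained Drift fails, and the queued proposal sits in public view for two days where any council member can cancel it. The delay is only useful if the cancel path is held by people who are actually watching the queue.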

Hardware Security Modules with operational segregation. HSMs prevent a compromised developer machine from extracting signing keys, but they do not prevent durable nonce abuse: the HSM signs whatever message it is handed. Combine HSMs with a signing policy, enforced in the multi-party computation (MPC) or multisig workflow that sits in front of the key, that refuses governance transactions built on durable nonces and requires a recent blockhash, so that every council signature expires within minutes of being produced.
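The following is an added example, not code from Drift, BlockSec or Solana Labs, serving three passages at once: the durable-nonce explanation earlier in the article, the intent-verification point above, and the signing-policy point just made. It parses a Solana legacy transaction message by hand (so it runs offline, without @solana/web3.js) and implements the policy a governance signer's workflow should apply before the HSM or MPC node ever sees the message: refuse anything whose first instruction is the System Program's AdvanceNonceAccount, and refuse anything not bound to a blockhash the signer knows is recent. The wire-format facts it relies on are the legacy message layout, the all-zero System Program id and the bincode tag 4 for AdvanceNonceAccount; all keys, the blockhash and the nonce value are constructed sample data, and the RecentBlockhashes sysvar key is a stand-in.

```python
# Added example (not Drift's, BlockSec's or Solana Labs' code): a signer-side policy check over a
# Solana *legacy* transaction message, parsed by hand so it runs offline.
# Legacy message layout: header (3 bytes: required sigs, readonly signed, readonly unsigned) |
# compact-u16 key count | 32-byte keys | 32-byte recent blockhash (holds the nonce value for a
# durable-nonce tx) | compact-u16 instruction count | instructions, each = program index (u8) |
# compact-u16 account count | account indices (u8 each) | compact-u16 data length | data.
# A durable-nonce transaction must begin with System Program AdvanceNonceAccount (bincode u32 LE 4).
import struct

SYSTEM_PROGRAM = bytes(32)                     # base58 "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = struct.pack("<I", 4)   # SystemInstruction::AdvanceNonceAccount
SYSTEM_TRANSFER = struct.pack("<I", 2)         # SystemInstruction::Transfer


def write_compact_u16(n: int) -> bytes:
    """Solana's compact-u16 (shortvec): 7 bits per byte, high bit = continuation."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def read_compact_u16(buf: bytes, pos: int) -> tuple:
    value = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 14:
            raise ValueError("malformed compact-u16")


def build_legacy_message(signers: int, keys: list, blockhash: bytes, ixs: list) -> bytes:
    """ixs: (program_index, [account indices], data). Readonly counts are left at 0 for brevity."""
    msg = bytearray([signers, 0, 0]) + write_compact_u16(len(keys)) + b"".join(keys) + blockhash
    msg += write_compact_u16(len(ixs))
    for prog, accts, data in ixs:
        msg += bytes([prog]) + write_compact_u16(len(accts)) + bytes(accts)
        msg += write_compact_u16(len(data)) + data
    return bytes(msg)


def parse_legacy_message(msg: bytes) -> dict:
    if msg[0] & 0x80:
        raise ValueError("versioned (v0) message; this checker only handles legacy messages")
    n_sigs, pos = msg[0], 3
    n_keys, pos = read_compact_u16(msg, pos)
    keys = [msg[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = msg[pos:pos + 32], pos + 32
    n_ixs, pos = read_compact_u16(msg, pos)
    ixs = []
    for _ in range(n_ixs):
        prog_idx, pos = msg[pos], pos + 1
        n_accts, pos = read_compact_u16(msg, pos)
        accts, pos = list(msg[pos:pos + n_accts]), pos + n_accts
        dlen, pos = read_compact_u16(msg, pos)
        data, pos = msg[pos:pos + dlen], pos + dlen
        ixs.append({"program": keys[prog_idx], "accounts": [keys[i] for i in accts], "data": data})
    if pos != len(msg):
        raise ValueError("trailing bytes after last instruction")
    return {"signers": keys[:n_sigs], "blockhash": blockhash, "instructions": ixs}


def uses_durable_nonce(parsed: dict) -> bool:
    ixs = parsed["instructions"]
    return bool(ixs) and ixs[0]["program"] == SYSTEM_PROGRAM and ixs[0]["data"] == ADVANCE_NONCE_ACCOUNT


def governance_signing_policy(msg: bytes, recent_blockhashes: set) -> list:
    """Reasons a governance signer must refuse; an empty list means 'may sign'."""
    parsed = parse_legacy_message(msg)
    reasons = []
    if uses_durable_nonce(parsed):
        reasons.append("durable nonce: signature would stay valid until the nonce is advanced")
    elif parsed["blockhash"] not in recent_blockhashes:
        reasons.append("blockhash not recent: transaction either expired or was not built just now")
    if not parsed["instructions"]:
        reasons.append("empty instruction list")
    return reasons


# --- constructed sample data (not real on-chain keys) ---
council_member = bytes([1]) * 32
nonce_account = bytes([2]) * 32
recent_blockhashes_sysvar = bytes([3]) * 32   # stand-in for the RecentBlockhashes sysvar key
treasury = bytes([4]) * 32
fresh_blockhash = bytes([0xAA]) * 32
nonce_value = bytes([0xBB]) * 32
transfer_data = SYSTEM_TRANSFER + struct.pack("<Q", 1_000_000)   # lamports
KEYS = [council_member, nonce_account, recent_blockhashes_sysvar, treasury, SYSTEM_PROGRAM]

# Ordinary transaction: one transfer bound to a fresh blockhash, dead after ~150 slots.
PLAIN_MSG = build_legacy_message(1, KEYS, fresh_blockhash, [(4, [0, 3], transfer_data)])

# Durable-nonce transaction: AdvanceNonceAccount first (accounts: nonce, sysvar, authority), the
# nonce value in the blockhash slot, then the same transfer. This is the reusable shape.
DURABLE_MSG = build_legacy_message(1, KEYS, nonce_value, [
    (4, [1, 2, 0], ADVANCE_NONCE_ACCOUNT),
    (4, [0, 3], transfer_data),
])

if __name__ == "__main__":
    print("plain  :", governance_signing_policy(PLAIN_MSG, {fresh_blockhash}) or "OK to sign")
    print("durable:", governance_signing_policy(DURABLE_MSG, {fresh_blockhash}))
```

The check is deliberately structural: it does not try to interpret what the later instructions do, because the attacker's fragments look innocuous on their own; it rejects the shape that makes a signature reusable, and it forces every governance signature to carry a blockhash the signer obtained moments ago. Versioned (v0) messages carry the same instruction list after an address-lookup-table section and are rejected here rather than silently accepted, which is the safe default for a policy gate.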

In-person verification for high-trust roles. The DPRK playbook depends on remote-only employment. Requiring physical presence — at conferences, offices, or notarized in-person meetings — for anyone with admin access, audit privileges, or treasury responsibilities raises the operational cost dramatically. (Drift's attackers did meet contributors in person, but only after a long online buildup designed to make those meetings feel like routine business calls. In-person verification works only if it gates initial trust, not if it confirms a relationship that has already been established.)

Contributor reputation systems and on-chain identity attestations. Worldcoin proof-of-personhood, Gitcoin Passport, and similar systems are imperfect, but they raise the cost of fabricating an identity that has multi-year on-chain history, attestations from known contributors, and verifiable activity across protocols.

Public hire transparency for security-critical roles. A norm where protocols publicly disclose who holds admin keys, who sits on Security Councils, and who has audit access — even if those individuals operate under pseudonyms — creates community-wide visibility. A team-of-five Security Council with one new member added quietly two weeks before an exploit is exactly the pattern future investigations should be looking for.

The Operational Reckoning DeFi Cannot Postpone

The Drift incident is a $285 million tuition payment for a lesson DeFi has been delaying since 2022: protocol security is not the same as code security. Code can be audited, fuzzed, formally verified, and bug-bountied into reasonable robustness. People — the developers, signers, contributors, and partners who hold keys, approve upgrades, and shape governance — cannot be audited the same way.

North Korea has noticed. The same regime that sent a malicious Safe{Wallet} JavaScript payload at Bybit in 2025 sent a polished business development team to Drift in 2026. The next attack will not look like either. It will look like whatever pattern of trust the next target has not yet learned to question.

For protocols building today, the practical question is not "are we vulnerable to a Lazarus zero-day." It is "if a sophisticated adversary spent six months becoming our friend, how much could they steal." If the honest answer is "most of our TVL," that is the security gap that needs closing — before the next durable nonce window opens.

BlockEden.xyz operates production-grade RPC and indexer infrastructure for Sui, Aptos, Solana, Ethereum, and 25+ other chains, with hardware-secured key custody, multi-party operational controls, and contributor verification policies designed for the post-Drift threat environment. Explore our infrastructure services to build on a foundation hardened against the adversaries DeFi actually faces in 2026.
