TL;DR Suspected North Korean hackers stole $285 million from Solana's largest perpetual futures exchange on April 1, 2026. No smart contract was exploited. The attackers spent three weeks tricking governance signers into pre-approving malicious transactions via Solana's durable nonce feature, then drained everything in 12 minutes. This post starts with what happened, then goes progressively deeper: mechanism, on-chain forensics, code, the six-month pattern across DeFi. Expandable sections contain verification links, code, laundering details. Stop wherever you've had enough.
Drift Protocol was Solana's flagship decentralized exchange: perpetual futures, spot markets, lending, $550 million in total value locked. On April 1, 2026, an attacker drained $285 million across 31 withdrawal transactions. Twelve minutes from first admin takeover to last withdrawal. Three weeks of preparation. $155.6 million in JLP tokens, $60.4 million in USDC, $11.3 million in cbBTC, $4.7 million in wETH, $4.1 million in FARTCOIN.
TRM Labs and Elliptic independently attributed the hack to North Korean state-sponsored actors (likely the Lazarus Group or TraderTraitor subunit). Wallet clustering, Tornado Cash origin funding, Pyongyang-timezone operational patterns, laundering methodology matching prior DPRK operations. The FBI has not issued formal attribution as of April 5, 2026.
Drift confirmed: "The attack did not exploit a vulnerability in its programs or smart contracts". Every function call the attacker made was a legitimate admin operation. The contracts executed exactly as designed. The attackers targeted people.
No bug. Four interlocking manipulations.
The attack combined four techniques. None worked in isolation. Together they gave the attacker full admin control without touching a line of Drift's code.
Drift's Security Council operated a 2-of-5 multisig wallet controlling admin privileges over the protocol's Anchor programs. The attacker induced two signers to pre-approve transactions that appeared routine but contained hidden authorizations for critical admin actions. This mirrors the $1.5 billion Bybit hack of February 2025: Safe{Wallet} developer compromise led to Bybit's CEO unknowingly signing a malicious transaction. Different chain, different protocol, identical root cause.
Those pre-approved signatures would normally expire in 60-90 seconds on Solana. But the attacker used durable nonces, a Solana-specific feature that lets transactions be pre-signed then held indefinitely for later execution. Once signed, the signer cannot revoke. The attacker created durable nonce accounts on March 23, collected the signatures, then sat on them for eight days.
While the signatures waited, the attacker manufactured collateral. On March 12, CarbonVote Token (CVT) was deployed: 750 million units minted, a Raydium liquidity pool seeded with ~$500. Three weeks of wash trading between controlled wallets built a credible price history near $1.00. Drift's Switchboard oracle feeds accepted the manufactured price as legitimate.
The final piece: on March 27, four days before the attack, Drift migrated its Security Council to a new 2/5 multisig configuration with zero timelock. No delay between governance approval and execution. No window for the community to detect a malicious proposal. The attacker secured new signatures for the updated configuration on March 30. Everything was in place.
Three weeks of staging. Ten seconds of execution.
TRM Labs flagged the operational pattern: staging activity began at 09:00 Pyongyang time on March 12. The timezone correlation was one of several DPRK attribution indicators.
initializeSpotMarket called with fake oracle. Withdrawal limits set to 500 trillion.Verify on-chain: attacker addresses
Solana primary wallet (created eight days before the exploit):
Ethereum wallets (~129,000 ETH total across four addresses):
Drift sent on-chain messages to all four on April 3 from 0x0934faC45f2883dd5906d09aCfFdb5D18aAdC105: "We are ready to speak".
Deep dive: why durable nonce signatures can't be revoked
A durable nonce account on Solana stores a 32-byte hash. When building an offline transaction, the first instruction must be AdvanceNonceAccount, which checks the stored hash against the transaction's blockhash field. Match: the nonce advances to a new value (preventing replay) and the remaining instructions execute. No match: the transaction fails.
To invalidate a pre-signed durable nonce transaction before the attacker executes it, someone must advance the nonce account's stored value. This requires the nonce authority's private key. In the Drift attack, the attacker controlled the nonce authority for all four nonce accounts. The moment the Security Council members signed, their revocation path disappeared. The transactions could sit indefinitely, executing whenever the attacker chose.
This is fundamentally different from Ethereum's sequential nonce model. An Ethereum user can "cancel" a pending transaction by submitting a new one with the same nonce and higher gas. Solana's durable nonces offer no equivalent cancellation when the nonce authority is adversarial.
The defensive lesson: any Solana multisig using durable nonces must ensure the nonce authority is the multisig itself, not any individual signer or external entity. If the multisig controls the authority, any quorum of signers can advance the nonce to invalidate pre-signed transactions. Drift's configuration did not enforce this constraint.
Following $285 million across two chains
The laundering was industrial. Stolen assets swapped into USDC and SOL via Jupiter DEX on Solana. Over $230 million in USDC bridged to Ethereum through Circle's Cross-Chain Transfer Protocol across 100+ transactions over approximately six hours. Automated bots executed 590 transactions per minute for 34+ hours, generating over 860,000 total transactions. Funds scattered across 27 intermediate wallets then to 57,331 downstream addresses. Some SOL routed through Hyperliquid directly into Binance.
ZachXBT was blunt: "6 hours is how long Circle had to freeze stolen funds from the $280M+ Drift hack". Circle did not freeze them in time.
The speed exceeded typical criminal laundering by an order of magnitude. It matched what TRM Labs identifies as the DPRK pattern: industrialized, multi-chain, maximizing throughput before any freeze order lands. CertiK reported $21,912 recovered from $59.5 million lost across all DeFi hacks in March 2026. A 0.04% recovery rate. For state-sponsored attackers with professional laundering infrastructure, the number rounds to nothing.
The DPRK laundering cycle: 45 days from theft to cash
Chainalysis documented a characteristic cycle across DPRK operations. Days 0-5: DeFi protocols, mixers (Tornado Cash primary). Days 6-10: cross-chain bridges, limited-KYC exchanges. Days 11-45: what TRM Labs calls the "Chinese Laundromat", a network of OTC brokers, underground banks, Professional Money Laundering Organizations across Southeast Asia that purchase stolen crypto at a discount, then settle via CNY, goods, direct payments to DPRK front companies.
The Drift attacker used Tornado Cash to seed initial operations. The sanctions on Tornado Cash had been lifted just months earlier following the Fifth Circuit ruling on March 21, 2025. The 590 transactions per minute sustained over 34 hours, generating 860,000+ total transactions, represents automated laundering infrastructure purpose-built for this scale. No human clicks a button 860,000 times.
Why Drift broke where Morpho bent
Morpho Blue provides the sharpest contrast. Its core is a 650-line Solidity smart contract. It has survived 25+ security audits from Spearbit, OpenZeppelin, Certora, ChainSecurity, Zellic. It carries a $2.5 million bug bounty on Immunefi. The core immutable contract has never been exploited.
Morpho experienced three incidents at layers above the core protocol, totaling $2.88 million. All recovered or covered.
The most notable: an April 2025 Bundler3 SDK misconfiguration misdirected Permit2 token approvals to a contract without access controls. A white-hat operator (c0ffeebabe.eth) intercepted $2.6 million before a malicious actor could move it. Morpho rolled back the SDK update within four minutes of receiving the alert. Zero permanent loss. An October 2024 oracle misconfiguration ($230K) was caused by a third-party market deployer setting incorrect decimal parameters for PAXG/USDC, inflating gold's price by 10^12. A May 2025 Aerodrome LP oracle manipulation ($49K, fully covered by the vault curator) exploited a custom oracle using raw pool reserves.
Code: the Aerodrome LP oracle vulnerability
The oracle calculated LP token price from raw pool reserves:
function latestRoundData() external view returns (...) {
uint256 totalSupply = LP_TOKEN.totalSupply();
(uint256 r0, uint256 r1, ) = LP_TOKEN.getReserves();
uint256 usdcValue = (usdcReserves * 1e12 *
USDC_PRICE_FEED.getPrice()) / 1e8;
uint256 cusdoValue = CUSDO.getAssets(cusdoReserves);
uint256 lpPrice = ((cusdoValue + usdcValue) * 1e18)
/ totalSupply;
return (0, int256(lpPrice), 0, 0, 0);
}
Using getReserves() directly makes this manipulable with a single flash loan. The attacker borrowed 6.66M USDC, swapped 3.5M into cUSDO to inflate pool reserves, borrowed against the overvalued LP collateral, reversed the swap, self-liquidated at the deflated price. $49K profit, bridged via Symbiosis to Tornado Cash. This is the canonical case for why oracles must never read raw reserves. Time-weighted average prices or external feeds with multiple independent sources resist this manipulation class entirely.
The pattern across all three Morpho incidents: the core on-chain logic worked exactly as designed. Failures lived in SDK configuration, third-party oracle setup, market deployer errors. Morpho's defense was architectural minimalism (650 lines is hard to break), rapid incident response (four-minute rollback), decentralized risk allocation (curators absorb market-specific losses).
Drift's failure was the mirror image: governance centralization (2-of-5 multisig), zero timelock (no review window), no revocation mechanism for durable nonce signatures. Both protocols had their trust layers attacked. Morpho's held. Drift's collapsed.
The attack surface has moved. The data is unambiguous.
Between October 2025 and April 5, 2026: roughly $660-670 million stolen across 46+ major DeFi incidents. The ten largest:
Private key compromise, access control failure, social engineering: these account for roughly 60% of all dollar losses in this period. Over $410 million. Pure smart contract logic bugs represent the smaller share now. The shift is structural. One detail worth flagging: the Balancer V2 attack contract contained console.log instructions typical of AI-generated code, suggesting LLM-assisted exploit development.
Resolv Labs ($25M) is the starkest illustration. Eighteen prior security audits, all scoped exclusively to on-chain code. The attacker compromised their AWS KMS environment, controlled a privileged signing key, minted 80 million unbacked USR stablecoins. USR crashed from $1.00 to $0.025. Eighteen audits. Zero off-chain coverage.
North Korea now dominates this landscape at state scale. DPRK-linked actors have stolen an estimated $6.75 billion in cryptocurrency through 2025. $2.02 billion in 2025 alone: 59% of all crypto stolen globally that year. Bybit ($1.5 billion) remains the largest cryptocurrency theft in history. The Drift hack is the 18th tracked DPRK operation of 2026, across just four months.
Their evolution traces a clear arc. Asian exchanges directly (2017-2020). Bridge validators: Ronin at $625M, Harmony at $100M (2021-2022). Social engineering through fake recruiters, trojanized trading applications (2023-2024). Supply chain compromise of a Safe{Wallet} developer's laptop to inject malicious JavaScript: Bybit at $1.5B (February 2025). Governance infrastructure on non-EVM chains using platform-specific features: Drift at $285M (April 2026). Each generation targets a different trust layer. Each works until the industry hardens it. DPRK moves to the next.
Where this analysis falls short
Attribution is the weakest link. TRM Labs says "likely". Elliptic says on-chain behavior matches prior DPRK operations. Neither is certain. The FBI hasn't issued formal attribution as of April 5. Timezone correlation (09:00 Pyongyang) is suggestive but not conclusive: anyone can schedule operations for a timezone. Wallet clustering against prior DPRK addresses is stronger circumstantial evidence. SVRN's David Schwed suggested the attack's precision implies possible insider knowledge. That is an alternative hypothesis worth tracking, not dismissing.
The social engineering specifics are opaque. Drift confirmed the multisig was compromised but hasn't disclosed how the signers were induced to sign. Were they phished? Was a development tool compromised? Was someone recruited? Each scenario implies different defenses. Without that detail, the defensive lesson stays generic: don't sign what you don't understand. Not actionable at scale.
The Morpho comparison flatters Morpho's architecture while obscuring context. Morpho's total incident exposure was $2.88 million, all recovered. Drift lost $285 million, none recovered. But Morpho holds less TVL, runs simpler operations, has fewer governance attack surfaces. A 650-line lending primitive is easier to secure partly because it does less. The comparison is instructive, not equivalent.
The "attacks target people not code" framing risks becoming a slogan. Truebit lost $26.4M to a legacy smart contract bug this same period. SwapNet lost $13.4M to a contract vulnerability. The correct framing: the highest-value attacks have shifted to human targets. Code-level security remains necessary. It is now insufficient alone.
Eighteen audits didn't save Resolv. A 2-of-5 multisig didn't save Drift. Morpho's 650 lines of Solidity survived everything thrown at it because the trust boundary barely extends beyond the code itself. Drift's trust boundary extended to five humans. Two of them were enough.