DPRK operatives posed as a quant trading firm for six months at crypto conferences before draining $285M from Drift Protocol on April 1, 2026.

Don't scroll Twitter for crypto news
One email. Five minutes. Everything that matters today
North Korea Stole $285M From Drift in Six Months, April 2026
On April 1, 2026, hackers linked to North Korea's UNC4736 drained $285 million from Drift Protocol on Solana in under 12 minutes, executing a plan six months in the making that began with in-person meetings at crypto conferences across multiple countries. The attack is the largest DeFi hack of 2026 and the second-largest exploit in Solana's history.
Around 40 DeFi protocols have had contact with suspected DPRK operatives, per security researcher Taylor Monahan. Web Snack tracks how state-sponsored threats target crypto.
How UNC4736 Spent Six Months at Conferences Before Striking Drift
Starting in fall 2025, a group presenting itself as a quantitative trading firm began approaching Drift contributors at a major crypto conference. The individuals who showed up were not North Korean nationals. Drift's post-mortem explained that DPRK uses third-party intermediaries for face-to-face relationship building – people with fully constructed identities, verifiable employment histories, and professional networks built to withstand scrutiny from any serious counterparty.
Over the next six months, members of this group appeared at multiple major industry conferences in several countries, each time seeking out specific Drift contributors. A Telegram group was created after the first meeting, and months of detailed conversations followed on trading strategies and vault integrations. Between December 2025 and January 2026, the group deposited over $1 million into a Drift Ecosystem Vault – a step that looks unremarkable when onboarding a legitimate trading firm.
UNC4736, also tracked as AppleJeus, Citrine Sleet, and Gleaming Pisces, has targeted the crypto sector for financial theft since at least 2018. Prior operations include the 2023 X_TRADER/3CX supply chain breach and the $53 million Radiant Capital hack in October 2024. TRM Labs and Elliptic both connected the Drift attack to the same group within days of the incident; on-chain staging on March 11 began at approximately 09:00 Pyongyang local time.
CarbonVote Token, Durable Nonces, and 12 Minutes to $285M
Technical preparation started on March 11, 2026 – three weeks before execution. Attackers withdrew 10 ETH from Tornado Cash and used those funds to deploy CarbonVote Token (CVT), a worthless asset minted and then wash-traded to simulate real demand. Drift's oracles registered CVT as valid collateral. In parallel, the group persuaded multisig signers to pre-sign hidden authorizations through durable nonce accounts – a method that holds transactions and executes them at a chosen future time.
The attackers also removed Drift's last administrative safeguard through a zero-timelock Security Council migration, eliminating any delay between a governance action and its execution. Circuit breakers – designed to block withdrawals if assets drain too fast – had their thresholds raised to 500 trillion. When the pre-signed transactions triggered on April 1, five vaults holding USDC, JLP, SOL, and other assets emptied in roughly 12 minutes.
Three potential access vectors have been identified. One contributor may have cloned a repository that exploited a VS Code or Cursor vulnerability for silent arbitrary code execution. A second was persuaded to install a TestFlight app the group presented as their wallet product. A third vector is still under active law enforcement review. Mandiant and the SEAL 911 team attributed the operation to UNC4736 with medium-to-high confidence, tracing fund flows back to the October 2024 Radiant Capital hack.
Why the Drift Attack Rewrites the Risk Model for DeFi Protocols
Before April 1, DPRK attacks on crypto protocols were primarily remote: fake job applicants on video calls, malicious npm packages, fraudulent recruitment campaigns. The Drift case is different. In-person contact at real industry events – not a virtual interview – became the entry point for a state-sponsored theft at this scale. The profiles the group used appeared to have taken months to build, both personal and professional.
Michael Barnhart, former Mandiant investigator and now head of nation-state threat intelligence at DTEX, told Recorded Future News that two of the three intermediaries involved likely had no idea they were part of a North Korean operation. "We've seen cutouts but we've never seen the cutouts at this extreme," Barnhart said, comparing the tactic to the 2017 assassination of Kim Jong-nam, where two women were misled into carrying out the attack without knowing it. Verified LinkedIn profiles and real capital deposited into protocol vaults are no longer reliable signals of a legitimate counterparty.
Post-drain laundering moved fast. Around $225 million in assets were swapped to Ethereum and dispersed across 57,331 wallets using automated bots running at 590 transactions per minute for over 34 hours – more than 860,000 transactions in total. TRM Labs noted the speed exceeded even the Bybit laundering of 2025, when DPRK stole $1.4 billion from the exchange.
Drift's Investigation and the Industry's Next Problem
Drift froze all protocol functions and removed compromised wallets immediately after the attack. The team is coordinating with TRM Labs, Elliptic, SEAL 911, Mandiant, bridges, exchanges, and law enforcement to trace and freeze the stolen assets. No recovery timeline has been confirmed publicly.
In December 2025, Chainalysis placed total DPRK crypto theft for 2025 at $2.02 billion – a 51% increase from the prior year and a new annual record. The $285 million Drift drain arrives early in 2026, adding to that trajectory. The U.S. Treasury has confirmed North Korea routes stolen crypto to fund its weapons program.
For any DeFi protocol managing significant user assets, the Drift post-mortem signals something specific: the attack surface now includes the humans running the protocol. Any contributor who installs software from a business contact, clones a repository shared by a counterparty, or downloads a test app from a new relationship is a potential entry point. A security audit won't catch that.
If you manage crypto assets or work on a DeFi protocol, knowing how this attack actually unfolded matters. Web Snack breaks down the mechanics behind crypto's biggest security events every week.
P.S. This article is for informational purposes only and does not constitute investment advice. Always conduct your own research and make independent decisions.
Like this story? There's more tomorrow
Join Web Snack – no fluff, just value
