Drift Hack Likely DPRK-Linked, Cost Protocol $285M Through Pre-Signed Transactions
A new Chainalysis post-mortem of April's $285M Drift Protocol exploit traces the attack to months of social engineering, the use of Solana's "durable nonces" feature, and on-chain markers consistent with North Korean actors.
Updated 2 hours ago by SolanaWire Admin

Blockchain forensics firm Chainalysis has published a detailed post-mortem of the April 1, 2026 attack on Solana's Drift Protocol, attributing the $285 million theft to a months-long social engineering campaign with on-chain signatures "consistent with previously attributed DPRK operations" — though formal attribution to North Korea remains pending. The drained sum represented more than half of Drift's total value locked and triggered cascading disruption across at least 20 other Solana DeFi protocols.
Chainalysis frames the incident not as a smart-contract failure but as a coordinated human-targeting operation. "What's now becoming clear is that this was a long-term, highly coordinated operation," the firm's research team wrote, with on-chain evidence showing staging activity from Tornado Cash as early as March 10, and Drift's own investigation suggesting the social engineering began as far back as Fall 2025. "As DeFi infrastructure grows more layered and operationally complex, incidents like this highlight that the greatest risks are no longer just in smart contracts, but in the systems, and people, that surround them," the post reads.
Posing as a quant fund
The post-mortem reconstructs the attack in four phases. The first lasted roughly six months. Individuals posing as a quantitative trading firm approached Drift contributors at crypto conferences, opened ongoing conversations across Telegram and in-person meetings, and onboarded a vault on Drift with more than $1 million in capital to build credibility. "This was relationship-building designed to gain proximity and credibility inside the ecosystem while clandestinely infiltrating Drift's systems through social engineering methods," Chainalysis wrote.
The second phase was the creation of a fake collateral asset. On March 12, the attackers issued a token called CarbonVote Token (CVT), controlling roughly 80% of supply. They wash-traded it through a small Raydium pool to anchor a $1 price, then fed that artificial price into Drift through an oracle they also controlled.
Pre-signing the takeover
Phase three is the most novel: the attackers used Solana's durable nonces feature, which allows transactions to be signed in advance and executed later, to get Drift's Security Council members to unknowingly pre-approve the protocol takeover. Chainalysis compares it to "signing a check today and leaving it somewhere to be cashed later."
According to Drift's investigation, at least two Security Council members signed transactions they did not fully understand — what the post calls "a classic case of blind signing." A March 26 migration to a new 2/5 threshold multisig with zero timelock removed the only remaining detection window. "Instead of stealing keys directly," Chainalysis wrote, "the attacker got legitimate signers to unknowingly pre-approve the attack in advance."
On April 1 at 16:05:18 UTC, the first pre-signed transaction proposed transferring admin control. One second later, at 16:05:19 UTC, the second approved and executed it. "Within two transactions, executed just one second apart, the attacker had full administrative control," the firm wrote.
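A signer-side check for the durable-nonce pattern described above, as an added example (not code from Chainalysis, Drift, or any wallet). On Solana a transaction is a durable-nonce transaction when its first instruction is the System Program's AdvanceNonceAccount, which means the signed message stays valid until that nonce is advanced rather than expiring with a recent blockhash. The function names and the sample message bytes are constructed for illustration.

```python
# Added example: detect a Solana durable-nonce transaction before signing.
SYSTEM_PROGRAM = bytes(32)  # System Program id ("1" * 32 in base58) is 32 zero bytes
ADVANCE_NONCE = 4           # SystemInstruction::AdvanceNonceAccount discriminant (u32 LE)


def _compact_u16(buf, pos):
    """Decode Solana's compact-u16 length prefix; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def durable_nonce_info(message):
    """Return (nonce_account_hex, authority_hex) if the serialized message is a
    durable-nonce transaction, else None. Handles legacy and v0 messages."""
    pos = 1 if message[0] & 0x80 else 0   # versioned messages start with a prefix byte
    pos += 3                              # header: three signer/read-only counts
    n_keys, pos = _compact_u16(message, pos)
    keys = [message[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys + 32               # skip keys and the blockhash (nonce) field
    n_ix, pos = _compact_u16(message, pos)
    if n_ix == 0:
        return None
    program_idx = message[pos]            # only the first instruction marks a nonce tx
    n_acc, pos = _compact_u16(message, pos + 1)
    accounts = message[pos: pos + n_acc]
    data_len, pos = _compact_u16(message, pos + n_acc)
    data = message[pos: pos + data_len]
    is_advance = (program_idx < n_keys and keys[program_idx] == SYSTEM_PROGRAM
                  and len(data) >= 4
                  and int.from_bytes(data[:4], "little") == ADVANCE_NONCE)
    # AdvanceNonceAccount accounts: nonce account, RecentBlockhashes sysvar, authority
    if is_advance and n_acc >= 3:
        resolve = lambda i: keys[i].hex() if i < n_keys else "via-lookup-table"
        return resolve(accounts[0]), resolve(accounts[2])
    return None


def build_sample(ix_data):
    """Constructed legacy message with one System Program instruction (test data)."""
    keys = [b"\x01" * 32, b"\x02" * 32, b"\x03" * 32, SYSTEM_PROGRAM]
    ix = bytes([3, 3, 1, 2, 0, len(ix_data)]) + ix_data
    return bytes([1, 0, 2, len(keys)]) + b"".join(keys) + b"\xAA" * 32 + b"\x01" + ix
```

A signing tool can call `durable_nonce_info` on the message bytes and, on a non-None result, show the nonce account and authority and require explicit confirmation that a non-expiring signature is intended.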
The drain
With admin permissions, the attackers whitelisted CVT as collateral, raised borrowing limits to extreme values, deposited 500 million CVT, and withdrew real assets across 18 token types. The largest losses included $159.3 million in JLP, $71.4 million in USDC, $11.3 million in cbBTC, $5.6 million in USDT, $4.7 million in WETH, $4.5 million in dSOL, $4.4 million in WBTC, $4.1 million in FARTCOIN, and $3.6 million in JitoSOL. Drainage continued for approximately 2.5 hours, with the final transaction at 18:31 UTC.
Bridging to Ethereum began within 23 minutes of the admin takeover. Funds were swapped to USDC, moved cross-chain, then consolidated through DEXs and converted to ETH. "This overlapping sequence of drainage and laundering demonstrated a high degree of operation coordination," Chainalysis wrote.
The Drift hack remains the second-largest security failure in Solana's history and the largest crypto exploit of 2026 to date. Drift announced in May it would relaunch the protocol following the post-mortem, with Keystone Finance among the projects citing Drift's recovery timeline in their own roadmaps.

