How North Korean Hackers Stole $285 Million From a Crypto Platform — and Why It Matters to Everyone
In just 12 minutes, hackers linked to North Korea drained $285 million from Drift Protocol, one of the biggest crypto trading platforms on the Solana blockchain. This wasn’t a glitch or a software bug—it was a carefully planned operation that began six months earlier with fake identities, in-person meetings, and digital trickery. If you’ve ever used an app that holds your money or data, this story shows how even “secure” systems can be undone by human trust.
A Heist Built on Fake Friendships
The attackers didn’t break into Drift’s code. Instead, they posed as employees of a legitimate quantitative trading firm—a type of investment company that uses math and algorithms to trade. Starting in October 2025, they attended major crypto conferences, shook hands with real developers, and built relationships over coffee and dinners. By the time April 2026 rolled around, they’d earned enough trust to get access to sensitive parts of the system.
Think of it like someone pretending to be a building inspector for months, showing up with a clipboard and official-looking badge, until the security guard finally lets them into the server room without double-checking their ID.
Once inside, they used a feature in Solana called “durable nonces”—a technical tool that lets users pre-approve transactions that can sit idle for weeks before executing. The hackers got insiders to sign off on these dormant authorizations, which later triggered 31 rapid withdrawals totaling $285 million.
The Fake Token That Fooled the System
To pull off the theft, the hackers also created a fake cryptocurrency called CarbonVote (CVT). They pumped a few thousand dollars into it, traded it back and forth between accounts they controlled (a practice called “wash trading”), and made it look like a real asset with market value. Then, they tricked Drift’s price oracles—software that tells the platform what assets are worth—into believing CVT was valuable collateral.
It’s like printing your own Monopoly money, then convincing a bank it’s real U.S. currency so you can use it to take out a loan. Once the system accepted CVT as valid, the hackers borrowed against it and instantly pulled out real money.
Blockchain analysis firms Elliptic and TRM Labs traced the attack back to North Korea’s Lazarus Group, a state-sponsored hacking unit known for funding the regime through cybercrime. This marks their 18th confirmed crypto heist in 2026 alone.
Ripple Effects Across the Crypto World
The fallout was immediate:
- Drift’s token price dropped over 40%
- Total value locked (TVL)—a measure of how much money users have deposited—plummeted from $550 million to under $250 million
- At least a dozen other apps built on Solana paused operations because they relied on Drift’s infrastructure
- Circle, the company behind USDC stablecoin, faced criticism for not freezing $232 million of stolen funds faster after they were bridged to Ethereum
What Does This Mean for Regular People?
You don’t need to own crypto to be affected by attacks like this. Every time a major platform is compromised, it shakes confidence in digital finance as a whole. Banks, payment apps, and even government services are increasingly using blockchain-like systems. If hackers can exploit trust and design flaws in one place, similar vulnerabilities might exist elsewhere.
More importantly, this shows that technology alone can’t guarantee security. Human judgment—like verifying who you’re really talking to—matters just as much as firewalls and encryption.
Key Takeaways
- North Korean hackers stole $285 million from Drift Protocol using social engineering and fake assets
- The attack took 12 minutes but was planned over six months through in-person deception
- They exploited “durable nonces” and manipulated price oracles with a fake token
- This is part of a growing trend of nation-state cybercrime targeting decentralized finance
- Trust, not just code, is a critical weak point in digital systems
— Editorial Team