Last updated: 24 May 2026
North Korean hackers drained $285 million from Drift Protocol in approximately 12 minutes in April 2026, marking one of the most brazen crypto heists in recent history, with the attackers using a combination of social engineering and high-speed transactions to execute the massive theft.
Key Highlights
- North Korean hackers drained $285 million from Drift Protocol in approximately 12 minutes in April 2026
- The attack was preceded by three weeks of in-person social engineering with protocol signers
- Operatives spent months building cover identities before physical contact was made
- Stolen funds moved across chains to Ethereum within minutes and have since been largely dormant
- AI tools are believed to have accelerated the reconnaissance and identity construction phases of the attack
The $285 million Drift Protocol exploit in April 2026 was not a vulnerability hack. There was no unaudited code path, no flash loan manipulation, no reentrancy bug. The attackers did not find a flaw in the protocol. They found a flaw in the people responsible for it. By the time Drift’s multisig signers realized what was happening, the funds were already moving across chains. The entire drain took approximately 12 minutes. The preparation took months.
CoinDesk published the most detailed account of the attack on April 30, drawing on sources familiar with the internal investigation. The picture that emerged is a case study in state-sponsored social engineering at a level of sophistication that the DeFi security community has not previously documented in public.
Months of Cover, Weeks of Contact
The attack began not with a keyboard but with an identity. North Korean operatives, working under constructed personas, spent several months building credible professional profiles in the DeFi ecosystem. These were not crude fake accounts. They carried verifiable work histories, contributed to open source repositories, participated in governance discussions, and built social graphs with real participants in the DeFi community. The investment of time in the construction phase suggests a deliberate strategy: establish legitimacy before making contact with the target.
Contact with Drift Protocol personnel came approximately three weeks before the April drain. The method was in-person interaction, not remote communication. Operatives met protocol contributors or signers at events or through connections that the fake personas had cultivated. Building a relationship physically rather than through digital channels sidesteps many of the surveillance and monitoring tools that security teams use to flag suspicious contact. In-person interactions are not logged by Slack, Discord, or email systems, and they generate none of the metadata trails that on-chain security tools or communication monitoring can flag.
The 12-Minute Window
By the time the operatives executed the drain, they had established enough trust with signers to obtain authorization for what appeared to be a routine governance action. The specific mechanism, whether direct compromise of signing keys, social persuasion of authorized signers, or a combination of both, has not been fully disclosed. What is known is that once the attack commenced, $285 million left the protocol in approximately 12 minutes.
The funds moved from Drift’s Solana deployment across chains to Ethereum almost immediately after the drain. The speed of the cross-chain movement suggests the laundering route was planned in advance rather than improvised, and it fits the broader operational pattern: extended preparation, rapid execution, then a transition to dormancy to let surveillance attention diminish before any attempt to launder through mixers or exchanges.
Dormant Funds and Diverging Playbooks
As of the TRM Labs report published May 2, the Drift funds remained largely inactive on Ethereum. This contrasts sharply with the laundering behavior observed after the $292 million KelpDAO exploit, where funds moved from Arbitrum to Bitcoin via THORChain within days of the attack.
The divergence in laundering approaches suggests either separate operational teams with different playbooks or a deliberate strategy of staggering laundering timelines to blunt the pattern recognition that blockchain intelligence firms apply to DPRK-attributed funds. If both attacks were executed by the same operational unit, the behavioral difference may reflect lessons learned from the KelpDAO experience: THORChain-routed funds are traceable, and the move to Bitcoin did not successfully obscure the funds’ origin. Sitting on Ethereum and waiting may reflect a calculation that time and complexity are more effective than speed.
AI in the Attack Chain
In its May 2 report, TRM Labs stated its belief that North Korea’s increasing use of AI is contributing to the improved quality and scale of its social engineering operations. For an attack like the Drift exploit, the AI applications are specific and credible.
AI can accelerate the construction of cover identities by generating consistent background detail at a scale that human operators cannot sustain manually. Maintaining multiple fake professional personas across months of public activity, including code contributions, governance forum participation, and social interactions, requires generating a large volume of plausible technical content. AI tools that can produce readable code commentary, coherent DeFi governance analysis, and contextually appropriate forum responses reduce the per-persona labor cost substantially.
AI can also assist the reconnaissance phase by processing public information about protocol governance structures, signer identities, and organizational relationships faster than human research can. Which signers have the authority to approve which governance actions, which contributors have physical event schedules that create in-person contact opportunities, and which governance processes carry time pressure that shortens deliberate review: all of this is derivable from public information but requires significant synthesis effort. AI’s role in national security contexts, both offensive and defensive, is precisely why the Pentagon’s AI procurement strategy became a point of public debate in May 2026.
What Drift Changes About DeFi Security
The Drift exploit is the first major documented case of a DeFi protocol being drained primarily through social engineering of its human governance layer rather than exploitation of its code. That distinction requires a different defensive response than protocol level security audits can provide.
The first implication is that multisig governance with anonymous or pseudonymous signers is no longer a defensible security architecture for protocols with eight-figure or larger treasuries. The KelpDAO hack prompted calls for cross-chain bridge security reform. The Drift attack prompts something more fundamental: a rethinking of whether decentralized governance, as currently implemented, is adequate to protect institutional-scale capital from state-sponsored adversaries.
The second implication is that the DeFi security community needs threat models that explicitly include state-sponsored social engineering. Most current security frameworks focus on code-level vulnerabilities, oracle manipulation, and flash loan attacks. The DPRK operation has now demonstrated twice in one month that the most effective attack vector against large protocols is not the code at all. It is the people.
With North Korea now accounting for 76% of all crypto theft value in 2026, the industry’s threat model needs to be rebuilt around a state-level adversary with the patience, resources, and sophistication to spend months building cover identities before executing a 12-minute drain. That is a fundamentally different problem from fixing a reentrancy bug.
The TCB View
Twelve minutes to drain $285 million after months of preparation is the most efficient return on investment in the history of crypto crime. The Drift exploit should end the DeFi community’s self-image as a system that solves trust with code. Code is only as trustworthy as the humans who govern it. A protocol with a multisig treasury and anonymous signers is not trustless. It is a protocol where trust has been delegated to people whose identities, motivations, and susceptibility to social engineering are unknown. North Korea spent months identifying those people and then met them in person. The defense against that attack vector is not a smarter smart contract. It is identity verification, operational security training, and governance structures in which no single human contact becomes the attack surface for eight-figure assets. As Consensus Miami 2026 brings institutional capital face to face with DeFi infrastructure, the Drift exploit is the most expensive evidence yet that the industry has been building faster than it has been securing.
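As an added illustration, not part of the original article and not Drift Protocol’s own multisig code, the following hypothetical Python model shows why a signer threshold by itself fails once the signers themselves have been cultivated, and how the layered controls argued for above each refuse a full-treasury transfer executed 12 minutes after it is proposed: signer independence across affiliation groups (no single human relationship is the whole attack surface), a timelock on large transfers (time for out-of-band review), and a rolling outflow cap (no 12-minute drain of the whole treasury). Signer names, affiliation labels, amounts, timestamps and policy thresholds are all constructed for the example.

```python
from dataclasses import dataclass, field
from math import inf


@dataclass(frozen=True)
class Signer:
    key: str   # signer identifier (constructed)
    org: str   # affiliation group (constructed label)


@dataclass(frozen=True)
class Policy:
    threshold: int       # minimum number of distinct approving signers
    min_orgs: int        # approvals must span at least this many affiliation groups
    window_secs: int     # rolling window for the outflow rate limit
    window_cap: float    # max USD that may leave the treasury inside one window
    large_tx: float      # transfers at or above this amount are timelocked
    timelock_secs: int   # minimum seconds between proposal and execution of a large transfer


@dataclass(frozen=True)
class Transfer:
    amount: float
    proposed_at: int      # unix seconds
    approvals: tuple      # signer keys that approved


@dataclass
class Treasury:
    policy: Policy
    signers: dict                                   # key -> Signer
    executed: list = field(default_factory=list)    # (executed_at, amount)

    def outflow_in_window(self, now: int) -> float:
        start = now - self.policy.window_secs
        return sum(amt for ts, amt in self.executed if ts > start)

    def evaluate(self, tx: Transfer, now: int) -> list:
        """Return the reasons the transfer is refused; an empty list means it may execute."""
        p = self.policy
        reasons = []
        unknown = [k for k in tx.approvals if k not in self.signers]
        if unknown:
            reasons.append(f"unknown signer(s): {unknown}")
        approvers = {self.signers[k] for k in tx.approvals if k in self.signers}
        if len(approvers) < p.threshold:
            reasons.append(f"threshold: {len(approvers)}/{p.threshold} approvals")
        orgs = {s.org for s in approvers}
        if len(orgs) < p.min_orgs:
            reasons.append(f"independence: approvals span {len(orgs)} org(s), need {p.min_orgs}")
        if tx.amount >= p.large_tx and now - tx.proposed_at < p.timelock_secs:
            reasons.append(f"timelock: {now - tx.proposed_at}s elapsed, need {p.timelock_secs}s")
        if self.outflow_in_window(now) + tx.amount > p.window_cap:
            reasons.append(f"rate limit: would exceed {p.window_cap:.0f} USD in {p.window_secs}s window")
        return reasons

    def execute(self, tx: Transfer, now: int) -> list:
        reasons = self.evaluate(tx, now)
        if not reasons:
            self.executed.append((now, tx.amount))
        return reasons


# Constructed signer set: three core-team signers plus two outside parties.
SIGNERS = {s.key: s for s in (
    Signer("core-1", "core"), Signer("core-2", "core"), Signer("core-3", "core"),
    Signer("audit-1", "auditor"), Signer("fdn-1", "foundation"),
)}

# Policy A: a bare 3-of-5 threshold, the shape the article calls no longer defensible.
THRESHOLD_ONLY = Policy(threshold=3, min_orgs=1, window_secs=0, window_cap=inf,
                        large_tx=inf, timelock_secs=0)

# Policy B: the same threshold plus independence, a 48h timelock on transfers
# of $1M or more, and a $5M rolling 24h outflow cap (illustrative values).
LAYERED = Policy(threshold=3, min_orgs=2, window_secs=24 * 3600, window_cap=5_000_000,
                 large_tx=1_000_000, timelock_secs=48 * 3600)

T0 = 1_777_000_000  # constructed proposal timestamp


def attempt_drain(policy: Policy, amount: float = 285_000_000) -> list:
    """Three cultivated core signers approve a full-treasury transfer and execution
    is attempted 12 minutes after proposal. Returns the refusal reasons."""
    treasury = Treasury(policy, SIGNERS)
    tx = Transfer(amount=amount, proposed_at=T0, approvals=("core-1", "core-2", "core-3"))
    return treasury.execute(tx, now=T0 + 12 * 60)


def routine_payment(policy: Policy = LAYERED) -> list:
    """A $200k operational payment approved by two core signers plus the auditor
    clears the layered policy without delay. Returns the refusal reasons."""
    treasury = Treasury(policy, SIGNERS)
    tx = Transfer(amount=200_000, proposed_at=T0, approvals=("core-1", "core-2", "audit-1"))
    return treasury.execute(tx, now=T0 + 60)


if __name__ == "__main__":
    print("threshold-only drain refused for:", attempt_drain(THRESHOLD_ONLY))  # []
    print("layered drain refused for:", attempt_drain(LAYERED))
    print("routine payment refused for:", routine_payment())                   # []
```

Under the threshold-only policy the three cultivated approvals are sufficient and the transfer executes at once; under the layered policy the same approvals are refused three separate times over, so an attacker would need to recruit signers from a second organisation, wait out the timelock, and still be capped at a fraction of the treasury per day. Each control is cheap to add to an off-chain approval pipeline and buys exactly what the 12-minute drain denied the signers: time and a second, independent set of eyes.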