A sophisticated North Korean intelligence operation behind the $285 million Drift hack has sent shockwaves through the Solana ecosystem, revealing a meticulously planned campaign that blended social engineering with technical exploitation. The attack, which culminated on April 1, 2026, resulted in the theft of approximately $285 million in assets, including USDC, SOL and JLP, from the protocol’s storage pools.
According to an analysis released by the Drift team, the breach was not a sudden failure but the result of a six-month operation that began in the fall of 2025. The attack has been attributed with medium confidence to a state-sponsored hacking group known as UNC4736, a collective also tracked under the monikers AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces.
The precision of the heist highlights a growing trend in state-sponsored cybercrime: the move away from simple phishing toward long-term “intel ops.” By infiltrating the project’s operational environment and manipulating internal security protocols over several months, the attackers were able to execute a drain of funds in a window of just 12 minutes.
The “CarbonVote” Gambit: How the Theft Was Executed
The technical execution of the hack relied on a sophisticated manipulation of Drift’s collateral systems. The attackers created 750 million fake tokens, dubbed “CarbonVote Tokens” (CVT), which had no intrinsic value. Through a series of coordinated actions, the hackers manipulated trading activity to deceive Drift’s price-checking tools, tricking the system into recognizing these worthless tokens as legitimate, high-value collateral.

This deception allowed the attackers to artificially inflate their borrowing limits. Once the system accepted the CVT as valuable, the hackers dumped hundreds of millions of the phony tokens into the protocol to back massive withdrawals of real assets. In a rapid-fire sequence, they executed 31 separate withdrawals, draining the storage pools of USDC, SOL, and JLP.
To obscure their trail, the attackers utilized a mixing service called Tornado Cash starting in mid-March 2026 to set up accounts and prepare transactions in advance. Following the theft, the stolen funds were quickly swapped into USDC via a Solana exchange and moved to the Ethereum network to further complicate tracking efforts.
Internal Failures and the Six-Month Timeline
Although the technical exploit was complex, the success of the operation was facilitated by critical changes to Drift’s internal security posture. On March 27, 2026, the project’s security team transitioned to a new approval system. This new system reduced the requirement for signing off on major changes to only two out of five key holders and, crucially, removed the built-in waiting period that typically triggers alerts for significant modifications.
This window of vulnerability provided the attackers with the perfect opportunity to fire off their pre-prepared transactions on April 1. The lack of a waiting period meant the changes to borrowing limits and the addition of the fake token occurred almost instantaneously, leaving the security team with no time to intervene before the assets were gone.
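As an added illustration (not code from Drift or from the article), the following Python model shows why the approval threshold and the waiting period matter together: a change can only execute after enough key holders approve and the delay has elapsed, and pending approved changes surface as alerts in the meantime. The 2-of-5, zero-delay policy mirrors what the article describes; the hardened 3-of-5, 48-hour values and all key-holder names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Policy:
    threshold: int  # approvals required from the five key holders
    delay: int      # waiting period (seconds) between final approval and execution

# Constructed: WEAK mirrors the article's 2-of-5, no-delay setup; HARDENED values are assumptions.
WEAK = Policy(threshold=2, delay=0)
HARDENED = Policy(threshold=3, delay=48 * 3600)

@dataclass
class Proposal:
    action: str                         # e.g. "add_collateral CVT" or "set_borrow_limit"
    approvals: set = field(default_factory=set)
    approved_at: Optional[int] = None   # time at which the threshold was reached
    executed: bool = False

class Governance:
    def __init__(self, policy: Policy, keyholders):
        self.policy, self.keyholders, self.queue = policy, set(keyholders), []
    def approve(self, p: Proposal, signer: str, now: int) -> None:
        if signer not in self.keyholders:
            raise PermissionError(f"{signer} is not a key holder")
        p.approvals.add(signer)
        if p.approved_at is None and len(p.approvals) >= self.policy.threshold:
            p.approved_at = now  # the waiting period starts here
    def executable_at(self, p: Proposal) -> Optional[int]:
        return None if p.approved_at is None else p.approved_at + self.policy.delay
    def execute(self, p: Proposal, now: int) -> bool:
        t = self.executable_at(p)
        if p.executed or t is None or now < t:
            return False  # already done, under-approved, or still in the waiting period
        p.executed = True
        return True
    def alerts(self, now: int):
        # Approved but not yet executable: the window in which defenders can still intervene.
        return [(p.action, self.executable_at(p) - now) for p in self.queue
                if p.approved_at is not None and not p.executed and now < self.executable_at(p)]

def run(policy: Policy):
    # Three of five key holders approve listing a new collateral token at t=0.
    g = Governance(policy, ["k1", "k2", "k3", "k4", "k5"])
    p = Proposal("add_collateral CVT"); g.queue.append(p)
    for signer in ["k1", "k2", "k3"]:
        g.approve(p, signer, now=0)
    immediate = g.execute(p, now=0)         # succeeds only when there is no waiting period
    pending = g.alerts(now=1)               # what monitoring sees one second later
    later = g.execute(p, now=policy.delay)  # permitted once the delay has elapsed
    return immediate, pending, later
```

Under the weak policy the listing executes in the same instant it is approved and never appears as an alert; under the hardened policy it sits in the queue for the full delay, visible to monitoring, before it can take effect.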
The broader operation began much earlier, in the fall of 2025, focusing heavily on social engineering. This phase likely involved the deployment of fake personas to gain trust or information within the project’s ecosystem, a hallmark of DPRK-linked activity. Blockchain tracking firms TRM Labs and Elliptic helped piece together this timeline, noting that the fund flows used to stage the operation traced back to previous North Korean attacks.
Profiling UNC4736 and the “Golden Chollima” Offshoot
The group responsible, UNC4736, has a documented history of targeting the cryptocurrency sector for financial gain dating back to at least 2018. They are most notorious for the 2023 X_TRADER/3CX supply chain breach and the October 2024 $53 million hack of Radiant Capital.
In a January 2026 assessment, cybersecurity firm CrowdStrike identified “Golden Chollima” as an offshoot of Labyrinth Chollima. According to the report, this specific wing of the DPRK’s cyber apparatus targets small fintech firms across the U.S., Canada, South Korea, India, and Western Europe. CrowdStrike noted that the group typically maintains a consistent operational tempo of smaller-value thefts to ensure a baseline of revenue generation for the North Korean regime.
The Drift hack represents a significant escalation in both scale and sophistication. By moving from “baseline revenue” thefts to a high-value, multi-month intelligence operation, UNC4736 has demonstrated an ability to conduct deep-cover infiltration of decentralized finance (DeFi) protocols.
Key Takeaways from the Drift Breach
- Collateral Manipulation: The use of 750 million fake “CarbonVote Tokens” proved that price oracles and collateral-checking tools can be deceived through manipulated trading activity.
- Security Regression: Reducing key-holder requirements from five to two and removing waiting periods created a critical vulnerability that the attackers exploited.
- Long-Term Infiltration: The attack was the culmination of a six-month social engineering campaign, proving that “intel ops” are now a primary threat to DeFi.
- State-Sponsored Funding: The theft underscores the Democratic People’s Republic of Korea’s ongoing reliance on cryptocurrency theft to fund its regime.
As the industry grapples with the fallout, the Drift incident serves as a stark warning about the intersection of social engineering and protocol governance. The ability of state-sponsored actors to embed themselves within a project’s operational fabric for half a year before striking suggests that traditional security audits may not be sufficient to stop determined intelligence agencies.
The Drift team continues to monitor the movement of the stolen funds across the Ethereum network. Further updates regarding the recovery of assets or additional attribution details are expected as blockchain forensics continue.
Do you think DeFi protocols need stricter, mandatory waiting periods for all governance changes? Share your thoughts in the comments below.