The attacker manufactured a token called CarbonVote with a few thousand dollars in seeded liquidity and wash trading. Drift’s oracles treated it as legitimate collateral worth hundreds of millions of dollars. Thirty-one rapid withdrawals later, $285 million in real user assets was gone. The entire operation took under twenty minutes.
North Korea probably did it. Elliptic, TRM Labs, and Mandiant all point to on-chain patterns consistent with DPRK-linked operations. The social engineering methodology matches UNC4736, the same group behind the October 2024 Radiant Capital hack. The laundering patterns match. The scale matches. The attribution, while not formally confirmed, is credible.
But attribution is not the same as explanation. And the explanation for how this was possible has less to do with North Korea than it does with a series of decisions Drift made in the weeks before April 1.
The Timeline Nobody Is Talking About
March 23. Durable nonce accounts were set up. At least two of five multisig signers unknowingly approved transactions enabling delayed execution. The attackers had already pre-signed the drain before anyone at Drift knew anything was wrong.
March 27. Drift migrated its Security Council. Four days before the attack, the protocol removed the timelock on governance and admin actions. A timelock is the delay between when an admin action is approved and when it executes, the window during which anomalies can be detected and interventions made. Removing it eliminated the one mechanism that could have caught the pre-signed transactions before they fired.
March 30. New nonce activity confirmed the attackers had already regained access to two of five signers in the updated multisig following the Security Council migration. They had maintained control through a major governance change.
April 1. The attack executed. It took twenty minutes. $285 million was gone before the team could respond.
The North Korean operatives are sophisticated. They are also opportunistic. The timelock was removed four days before the attack. That is not a coincidence the attribution narrative explains. That is a security decision Drift made that the attackers exploited.
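To make the timelock point concrete, here is an added illustration (not Drift's code; the two-day delay, the action names and the scenario are assumptions): a minimal governance queue that holds approved admin actions until their ETA. With the delay set to zero, an action approved by compromised signers fires the moment it is submitted; with the delay in place, the same action sits in a pending list that a reviewer can walk through and cancel, which is also the list a Security Council migration should inspect before it changes signers.

```python
from dataclasses import dataclass

REVIEW_DELAY_S = 48 * 3600  # assumed policy: two days between approval and execution

@dataclass
class Action:
    action_id: str
    description: str
    approved_at: int
    eta: int                 # earliest time execution is allowed
    cancelled: bool = False
    executed: bool = False

class Timelock:
    """Holds approved admin actions until their ETA so reviewers can cancel anything unexpected."""
    def __init__(self, delay_s: int = REVIEW_DELAY_S):
        self.delay_s = delay_s
        self.actions: dict[str, Action] = {}
    def approve(self, action_id: str, description: str, now: int) -> Action:
        act = Action(action_id, description, now, now + self.delay_s)
        self.actions[action_id] = act
        return act
    def pending(self) -> list[Action]:
        # Approved but not yet run: what a governance migration must review before changing signers.
        return [a for a in self.actions.values() if not (a.cancelled or a.executed)]
    def cancel(self, action_id: str) -> None:
        self.actions[action_id].cancelled = True
    def execute(self, action_id: str, now: int) -> str:
        act = self.actions[action_id]
        if act.cancelled:
            return "refused: cancelled during review"
        if act.executed:
            return "refused: already executed"
        if now < act.eta:
            return f"refused: {act.eta - now}s of review window remain"
        act.executed = True
        return "executed"

def run_scenario(delay_s: int) -> list[str]:
    """Constructed scenario: a pre-approved drain is fired one minute after approval, a reviewer
    walks the pending list six hours later, and a second attempt follows after the window."""
    tl = Timelock(delay_s)
    tl.approve("a1", "withdraw treasury to external wallet", now=0)
    log = [tl.execute("a1", now=60)]              # first attempt, one minute after approval
    for act in tl.pending():                      # reviewer inspects the queue
        if "external wallet" in act.description:
            tl.cancel(act.action_id)
    log.append(tl.execute("a1", now=49 * 3600))   # second attempt, after the window has elapsed
    return log
```

Running `run_scenario(0)` executes the drain on the first attempt; `run_scenario(REVIEW_DELAY_S)` refuses it twice, first for the unexpired window and then because the reviewer cancelled it.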
The Oracle Problem
A fake token with a few thousand dollars in liquidity should not be accepted as collateral by a protocol holding $550 million in user funds. That is not a sophisticated attack vector. That is a missing safeguard.
TRM Labs noted that effective oracle security requires minimum liquidity thresholds, time-weighted price validation, and circuit breakers before any asset is accepted as collateral. Drift had none of these in place for the CarbonVote token market that the attackers themselves introduced to the protocol through the Ecosystem Vault they had established six months earlier.
The CarbonVote (CVT) market introduction apparently slipped through security audits by Trail of Bits in 2022 and ClawSecure in February 2026, two months before the attack. ClawSecure gave Drift a passing grade seven weeks before $285 million was stolen. The audit did not catch a governance structure that allowed the removal of timelocks without additional review, oracle acceptance of low-liquidity tokens as collateral, or multisig signing processes that permitted pre-signed transactions to execute without verification of what they actually contained.
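The three safeguards TRM Labs names (a liquidity floor, time-weighted price validation, and a circuit breaker) fit in a single collateral-crediting function. The following is an added example, not Drift's oracle code; the thresholds and the price ticks are constructed to show how a thin, wash-traded token is refused at each gate while a deep, stable market is credited, with a depth-relative cap as a fourth check.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tick:
    ts: int               # unix seconds
    price: float          # USD per token at the reference venue
    liquidity_usd: float  # two-sided depth at the reference venue

# Assumed policy values for this illustration, not Drift's actual parameters.
MIN_LIQUIDITY_USD = 5_000_000.0
TWAP_WINDOW_S = 3600
MAX_SPOT_DEVIATION = 0.10      # circuit breaker trips when |spot - twap| / twap exceeds this
MAX_VALUE_TO_LIQUIDITY = 0.25  # never credit more than 25% of the reference pool's depth

def twap(ticks: list[Tick], now: int, window: int = TWAP_WINDOW_S) -> float:
    """Time-weighted average over [now - window, now]; each price holds until the next tick."""
    start = now - window
    pts = sorted((t for t in ticks if t.ts <= now), key=lambda t: t.ts)
    if not pts or pts[0].ts > start:
        raise ValueError("insufficient price history for TWAP window")
    weighted = 0.0
    for i, t in enumerate(pts):
        seg_end = pts[i + 1].ts if i + 1 < len(pts) else now
        weighted += t.price * max(0, seg_end - max(t.ts, start))
    return weighted / window

def credit_collateral(ticks: list[Tick], now: int, deposit_tokens: float) -> tuple[float, str]:
    """Return (credited_usd, reason). Any failed gate credits zero."""
    latest = max(ticks, key=lambda t: t.ts)
    if latest.liquidity_usd < MIN_LIQUIDITY_USD:          # gate 1: liquidity floor
        return 0.0, f"liquidity {latest.liquidity_usd:,.0f} USD below floor"
    try:
        avg = twap(ticks, now)                             # gate 2: time-weighted price
    except ValueError as err:
        return 0.0, str(err)
    deviation = abs(latest.price - avg) / avg
    if deviation > MAX_SPOT_DEVIATION:                     # gate 3: circuit breaker
        return 0.0, f"circuit breaker: spot deviates {deviation:.0%} from TWAP"
    value = deposit_tokens * min(latest.price, avg)        # value at the lower of spot and TWAP
    cap = MAX_VALUE_TO_LIQUIDITY * latest.liquidity_usd    # gate 4: depth-relative cap
    return (cap, "capped by liquidity") if value > cap else (value, "ok")

NOW = 1_700_000_000
# Constructed samples: a thin token pumped by wash trading, the same pump in a deep pool, and a stable market.
WASH_TOKEN = [Tick(NOW - 3600, 0.50, 4_000), Tick(NOW - 600, 0.55, 4_000), Tick(NOW - 60, 40.0, 4_000)]
PUMPED_BUT_DEEP = [Tick(t.ts, t.price, 6_000_000) for t in WASH_TOKEN]
DEEP_TOKEN = [Tick(NOW - 3600, 100.0, 5e7), Tick(NOW - 1800, 101.0, 5e7), Tick(NOW - 60, 100.5, 5e7)]
```

`credit_collateral(WASH_TOKEN, NOW, 1_000_000)` credits nothing at the liquidity floor, `PUMPED_BUT_DEEP` passes the floor but trips the circuit breaker because a one-minute spike barely moves the hourly TWAP, and `DEEP_TOKEN` is credited at the lower of spot and TWAP up to a quarter of pool depth.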
The Six Months of Trust
The social engineering operation Drift described in its April 5 disclosure is genuinely sophisticated. A fake quantitative trading firm approached contributors at a major conference in fall 2025. Over six months, these individuals appeared at multiple events across several countries, deposited over $1 million in real capital into an Ecosystem Vault, held working sessions, and maintained ongoing Telegram conversations about vault integrations. By March, Drift contributors had met these people face to face on multiple occasions.
This is a level of operational patience that is consistent with DPRK-linked actors. It is also a level of access that should have triggered due diligence that apparently did not happen.
The Ecosystem Vault they established gave them legitimate protocol-level access. The $1 million deposit established credibility. The ongoing relationship gave them visibility into Drift’s governance structure, including the Security Council migration that happened on March 27 and which they exploited four days later.
A $1 million deposit to build trust before a $285 million theft is a 285x return on investment. The social engineering budget was rational. The question is what Drift’s counterparty verification process looked like for entities gaining Ecosystem Vault access and whether $1 million in deposits was sufficient to bypass it.
Circle Sat on Its Hands
After draining the vaults, the attacker swapped $270.9 million into USDC and bridged it from Solana to Ethereum via Circle’s Cross-Chain Transfer Protocol, then converted it to ETH across multiple wallets.
ZachXBT noted the irony: millions in stolen USDC moved through Circle’s own bridge infrastructure while Circle failed to respond in time to freeze it. He contrasted this with Circle’s recent decision to freeze sixteen unrelated corporate hot wallets in a sealed US civil case, an action he had criticized as overreach. Circle had both the capability and the precedent to intervene. The stolen USDC moved anyway.
This connects directly to the broader stablecoin kill switch argument. Circle can freeze wallets. The question of when it chooses to is not purely technical. It is operational and legal. In this case the operational response was too slow to matter.
What Drift Is Not Saying
The April 5 disclosure is detailed, professional, and carefully written. It describes the sophistication of the attackers at length. It attributes the attack to DPRK-linked actors with medium-high confidence. It calls for an industry-wide security reset.
What it does not address is why the timelock was removed four days before the attack. Why oracle safeguards did not catch a fake token with minimal liquidity. Why six months of relationship-building with an unverified counterparty resulted in Ecosystem Vault access without triggering additional scrutiny. Why the Security Council migration on March 27 did not include a review of existing pre-signed transactions.
North Korea is a sufficient explanation for who did this. It is not a sufficient explanation for how the security architecture allowed it.
The most dangerous hackers do not look like hackers. That is true. It is also true that $285 million in user funds should not be drainable by a fake token and a governance change made four days before the attack. Those two things can both be true simultaneously.
User funds are gone. The attribution provides a villain. The security failures provide the lesson. One of these is more useful for the next protocol holding half a billion dollars in user assets.