TDPel Media News Agency

North Korean hackers execute $285 million crypto exploit on Drift exchange across global DeFi market

By Oke Tope

This April, the decentralized exchange Drift suffered a staggering $285 million exploit, marking the largest DeFi hack of the year so far.

The attack dwarfs almost everything seen recently, trailing only Bybit’s $1.4 billion hack in 2025, for which North Korean state-backed hackers were also blamed.

Unlike previous incidents, this operation was notable for its in-person element.

Attackers posed as a quantitative trading firm and directly engaged Drift contributors at major crypto conferences across multiple countries over six months.

The DEX team later described the contact as “deliberate and targeted,” highlighting a new chapter in North Korea’s crypto playbook.


How the Hack Unfolded

The exploit cut Drift’s total value locked (TVL) by more than half in just 12 minutes.

The attackers used a token called CarbonVote (CVT) to manipulate oracles and trick the system into recognizing it as legitimate collateral.

They deployed sophisticated social engineering tactics, convincing multi-signature signers to approve transactions granting elevated permissions.

Blockchain forensics firm TRM Labs reported that the attackers used Tornado Cash to pre-move funds and simulate CVT activity, inflating its apparent demand.

Once approved, withdrawal limits were increased, and millions were siphoned off in real assets such as USDC. TRM noted that the speed of laundering exceeded previous hacks, including Bybit’s.
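A defender-side sketch of the signal described above, added here as an illustration and not taken from Drift or TRM Labs: it trips when TVL falls by more than half inside a 12-minute window and attaches any recent collateral listing or withdrawal-limit increase. The event names, the 24-hour lookback and all sample values are constructed assumptions.

```python
from dataclasses import dataclass

WINDOW_S = 12 * 60        # the article's 12-minute drain window
DRAWDOWN = 0.50           # "more than half" of TVL
LOOKBACK_S = 24 * 3600    # assumption: how long an admin change counts as recent
RISKY = {"collateral_listed", "withdraw_limit_raised"}  # hypothetical event names

@dataclass
class Alert:
    ts: int
    drawdown: float
    preceding_changes: list

def detect(tvl_samples, admin_events):
    """tvl_samples: [(ts, tvl_usd)] sorted by ts; admin_events: [(ts, kind, detail)].
    Returns at most one Alert: the first time TVL has dropped by more than
    DRAWDOWN from its peak inside the trailing WINDOW_S seconds."""
    start = 0
    for i, (ts, tvl) in enumerate(tvl_samples):
        # advance the window start so it spans at most WINDOW_S seconds
        while tvl_samples[start][0] < ts - WINDOW_S:
            start += 1
        peak = max(v for _, v in tvl_samples[start:i + 1])
        drop = (peak - tvl) / peak if peak else 0.0
        if drop > DRAWDOWN:
            # correlate with privilege-raising changes approved shortly before
            recent = [(t, k, d) for t, k, d in admin_events
                      if k in RISKY and ts - LOOKBACK_S <= t <= ts]
            return [Alert(ts, round(drop, 3), recent)]
    return []

# Constructed sample data (seconds, USD); not real on-chain values.
SAMPLE_ADMIN = [
    (-3600, "collateral_listed", "CVT"),
    (-600, "withdraw_limit_raised", "USDC"),
    (-300, "fee_changed", "unrelated"),
]
SAMPLE_TVL = [(0, 550e6), (120, 540e6), (240, 500e6), (360, 430e6),
              (480, 360e6), (600, 300e6), (720, 265e6)]

if __name__ == "__main__":
    for a in detect(SAMPLE_TVL, SAMPLE_ADMIN):
        print(a)
```

A slow decline spread over a longer period does not trip it, because the peak is only taken over the trailing 12 minutes.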


North Korea Expands Its Crypto Strategy

Experts believe North Korea is systematically using DeFi hacks, along with infiltrating crypto firms via remote or even in-person roles, to generate consistent revenue streams.

According to security researcher Taylor Monahan, roughly 40 protocols have had suspected DPRK contacts since “DeFi summer.”

A separate investigation revealed that operatives posing as IT workers have earned approximately $1 million per month since November 2025, funneling funds through Payoneer to Chinese accounts.

These tactics rely on falsified identities, remote device access, and internal tracking systems to maximize returns while avoiding detection.


Defense Tactics Are Evolving

Tech companies have begun countering infiltration strategies with creative security measures.

For instance, conducting interviews that force suspects to insult North Korea’s supreme leader has emerged as a surprisingly effective screening method.

However, as the Drift hack demonstrates, North Korean actors adapt rapidly, moving beyond virtual infiltration to physical, in-person engagement, meaning defenses must continue evolving.


Impact and Consequences

This exploit is a stark reminder that DeFi platforms remain vulnerable to state-backed actors.

Beyond financial losses, the incident undermines confidence in decentralized systems and could trigger tighter regulations worldwide.

North Korea continues to fund its weapons programs through crypto, raising broader geopolitical concerns.


What’s Next?

Drift and other exchanges are reviewing internal security protocols and considering new safeguards against social engineering.

Meanwhile, regulators may accelerate oversight of DeFi platforms, particularly regarding multi-signature approvals, oracle integrity, and vetting external collaborators.

The crypto community will likely see increased caution at conferences, with participants scrutinizing every approach and connection.


Summary

  • Drift lost $285 million in the largest DeFi hack of 2026.
  • Attackers employed in-person tactics, social engineering, and token manipulation.
  • North Korea is believed to be behind both Drift and prior Bybit hacks.
  • The operation signals a shift from online-only to hybrid, physical infiltration methods.
  • Exchanges are now reassessing security protocols to prevent future attacks.

Bulleted Takeaways

  • The Drift hack is the largest DeFi exploit of 2026 and the second-largest in Solana history.
  • North Korean hackers adapted to in-person social engineering tactics.
  • Hackers used Tornado Cash and token manipulation to bypass safeguards.
  • Prolonged infiltration networks generate millions monthly through falsified identities.
  • Security measures are evolving, but threats remain dynamic and sophisticated.

About Oke Tope

Temitope Oke is an experienced copywriter and editor. With a deep understanding of the Nigerian market and global trends, he crafts compelling, persuasive, and engaging content tailored to various audiences. His expertise spans digital marketing, content creation, SEO, and brand messaging. He works with diverse clients, helping them communicate effectively through clear, concise, and impactful language. Passionate about storytelling, he combines creativity with strategic thinking to deliver results that resonate.