North Korea behind $286m Drift Protocol hack, investigators say

Blockchain analysts have pointed the finger at North Korean hackers after $286 million was drained from Solana-based trading platform, Drift Protocol, on Wednesday.

Speaking to DL News, security research firm Cyvers said that the exploit was similar to the Bybit exchange hack of 2025, when North Korean cybercriminals made off with between $1.4 and $1.5 billion in crypto.

“This closely mirrors the Bybit hack, different technique, same root issue: signers unknowingly approving malicious transactions,” Cyvers said.

The security firm added that hackers had socially engineered multisignature signers for the platform.

Drift Protocol is a non-custodial trading platform allowing users to use leverage without an expiry date. On Wednesday, it announced it was under attack after blockchain sleuths flagged $286 million had been drained from the protocol.

Its attack comes just months after decentralised exchange and automated market maker Balancer was hacked for $128 million.

How it happened

Blockchain analytics firm Elliptic on Thursday said they had linked the attack to the Democratic People’s Republic of Korea, claiming the on-chain behavior, laundering methodologies and network-level indicators match those of previous attacks from North Korean actors.

“It is a continuation of the DPRK’s sustained campaign of large-scale cryptoasset theft, which the US government has linked to the funding of its weapons programs,” the firm said in a blog post.

Security firm Peckshield said the attackers drained Drift Protocol’s liquidity by getting hold of the platform administrator’s private keys.

Cyvers told DL News that Drift’s administrators were essentially conned into thinking they were signing legitimate transactions.

“The attackers manipulated legitimate signers into approving malicious transactions without realizing it, typically by presenting them as routine or urgent actions through convincing messages or interfaces,” CEO & Co-Founder of Cyvers, Deddy Lavid, said.

Circle criticised

A huge amount of the crypto left the protocol in the form of USDC, leading some to criticise stablecoin issuer Circle for not working fast enough to freeze the funds.

Circle mints USDC and has the power to freeze funds by activating a function on the token’s smart contract to prevent specific wallet addresses from transferring or receiving tokens.

Blockchain sleuth and crypto detective ZachXBT wrote on X Friday that Circle was slow to act following the Drift hack.

According to the blockchain forensics expert, various bridges were used over six hours — including its own product, cross-chain transfer protocol — but the crypto giant did not step in and stop funds moving.

“Despite the attacker laundering funds over six consecutive hours across Circle’s own native bridge, no USDC was frozen,” ZachXBT wrote.

Circle did not respond to questions from DL News. 

Mathew Di Salvo is a news correspondent with DL News. Got a tip? Email at mdisalvo@dlnews.com.