North Korean $270M exploit exposed

CoinDesk reports the $270 million Drift Protocol exploit was a six‑month social‑engineering operation in which attackers posed as a quant trading firm and used in‑person meetings to gain trust before stealing funds. The case is a stark reminder that operational and human‑layer risks can defeat sophisticated on‑chain controls. (x.com/CoinDesk/status/2040786120712036377)

The theft at Drift Protocol did not begin with a clever line of code. It began with a fake company. According to Drift’s incident update, attackers linked to North Korea spent about six months posing as a quantitative trading firm, building relationships with contributors, showing up at industry events, and slowly earning the kind of trust that security systems do not measure. Then, on April 1, they drained roughly $270 million from the Solana-based exchange in minutes.

The exploit looked technical at the end because it was. But the operation was human from the start. That is what makes this case more revealing than a standard crypto hack. Drift was not undone by a simple smart-contract bug. Earlier reporting on the breach showed the attackers abused Solana’s “durable nonce” feature, which is meant to let users prepare transactions that can still execute later without expiring. In the wrong hands, that convenience became cover. The attackers appear to have used it to slip malicious transactions through a workflow that looked routine until it was too late.

The final theft was fast. The setup was patient. That patience is one of the clearest fingerprints of North Korea’s cyber apparatus. Blockchain analytics firm Elliptic said the original exploit showed several hallmarks of DPRK-linked operations. Drift’s later write-up went further, attributing the campaign with medium-high confidence to a North Korean state-affiliated group after reviewing the social-engineering trail and the mechanics of the breach. Other outlets reporting on the post-mortem said the suspects operated under fake identities tied to a sham trading outfit and even put real money to work to appear legitimate. That detail matters. A con is stronger when it is expensive.

The in-person meetings are the part that should make every crypto founder wince. This was not just phishing over Telegram or a poisoned PDF in an email. Drift says the attackers met team members around the world and used those encounters to deepen credibility. In crypto, where teams are distributed, pseudonymous, and used to moving quickly across chats, conferences, and shared wallets, social trust often fills the gaps left by formal process. That can feel efficient. It is also exactly where an intelligence operation wants to live.

Once the attackers had enough access, the protocol’s on-chain safeguards did not save it. CoinDesk’s earlier reporting said the exploit hinged on administrative control rather than a direct theft of user keys or a flaw in Drift’s core code. The attacker gained the ability to push through actions that the system was designed to honor. That is the ugly lesson here. A protocol can be decentralized in theory and still depend on a handful of people making ordinary decisions under ordinary pressure.

The money moved the way North Korean money usually moves. Elliptic said funds were quickly bridged out and laundered through the channels DPRK operators have used in earlier heists, the kind that US officials and blockchain investigators say help finance the regime’s weapons programs. Drift’s own documentation has long warned users about smart-contract risk, blockchain risk, and operational risk. What it could not capture was the simplest risk of all: someone shakes your hand, looks credible, waits half a year, and hands you the transaction that empties the vault.
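The durable-nonce mechanism described above is a property a signing workflow can check for before anyone approves a transaction. The following is an added example, not code from CoinDesk, Drift, or the article: a small pre-signing screen that flags Solana transactions built on a durable nonce so a policy layer can hold them for out-of-band review. It relies on two Solana facts (the System Program address and its bincode instruction tag 4 for AdvanceNonceAccount, which must be the first instruction for the runtime to treat the transaction as durable) and otherwise assumes a simplified, already-decoded transaction shape (`{ instructions: [{ programId, data }] }`) and constructed sample requests, none of which come from the incident itself.

```javascript
// Added example (not from the article, CoinDesk, or Drift): a pre-signing
// screen that flags Solana transactions built on a durable nonce.
//
// Background (Solana facts): an ordinary transaction carries a recent
// blockhash and stops being valid after about 150 blocks (roughly a minute).
// A durable-nonce transaction instead puts a System Program
// AdvanceNonceAccount instruction first and uses the stored nonce value as
// its "blockhash", so it does not expire and can be broadcast long after it
// was signed. That is exactly the property a policy layer should notice.

const SYSTEM_PROGRAM_ID = '11111111111111111111111111111111';
// System Program instruction data is bincode-encoded; the first four bytes
// are a little-endian u32 enum tag. AdvanceNonceAccount is tag 4.
const ADVANCE_NONCE_ACCOUNT_TAG = 4;

function readU32LE(bytes) {
  if (!bytes || bytes.length < 4) return null;
  return (bytes[0] | (bytes[1] << 8) | (bytes[2] << 16) | (bytes[3] << 24)) >>> 0;
}

function isAdvanceNonce(ix) {
  return ix.programId === SYSTEM_PROGRAM_ID &&
    readU32LE(ix.data) === ADVANCE_NONCE_ACCOUNT_TAG;
}

// `tx` is a decoded transaction in the simplified shape assumed for this
// example: { instructions: [{ programId: string, data: Uint8Array }] }.
// Returns a verdict the signing workflow can act on.
function screenSigningRequest(tx, policy = { allowDurableNonce: false }) {
  const ixs = tx.instructions || [];
  const nonceIdx = ixs.findIndex(isAdvanceNonce);
  if (nonceIdx === -1) {
    return { durable: false, action: 'proceed',
             reason: 'uses a recent blockhash and expires on its own' };
  }
  // Only a leading AdvanceNonceAccount makes the runtime treat it as durable.
  if (nonceIdx !== 0) {
    return { durable: false, action: 'reject',
             reason: 'AdvanceNonceAccount present but not first; malformed, do not sign' };
  }
  if (!policy.allowDurableNonce) {
    return { durable: true, action: 'hold',
             reason: 'durable-nonce tx will not expire once signed; needs out-of-band review' };
  }
  return { durable: true, action: 'proceed', reason: 'durable nonce allowed by policy' };
}

// Constructed sample requests (not real on-chain data).
const u32le = (n) => new Uint8Array([n & 0xff, (n >> 8) & 0xff, (n >> 16) & 0xff, (n >>> 24) & 0xff]);
const ROUTINE_TRANSFER = {
  instructions: [{ programId: SYSTEM_PROGRAM_ID, data: u32le(2) }], // Transfer is tag 2
};
const DURABLE_TRANSFER = {
  instructions: [
    { programId: SYSTEM_PROGRAM_ID, data: u32le(4) }, // AdvanceNonceAccount
    { programId: SYSTEM_PROGRAM_ID, data: u32le(2) }, // Transfer
  ],
};
const MISPLACED_NONCE = {
  instructions: [
    { programId: SYSTEM_PROGRAM_ID, data: u32le(2) },
    { programId: SYSTEM_PROGRAM_ID, data: u32le(4) }, // nonce advance not first
  ],
};

console.log(screenSigningRequest(ROUTINE_TRANSFER));
console.log(screenSigningRequest(DURABLE_TRANSFER));
console.log(screenSigningRequest(MISPLACED_NONCE));
```

The point of the check is not that durable nonces are bad; legitimate multisig and offline-signing flows use them. It is that a request which will never expire deserves a different approval path than one that dies on its own within a minute, because a signature collected today can be replayed at a time of the requester's choosing.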


Shared from Scout - Be the smartest in the room.