DPRK Drift Protocol Hack

Researchers flagged a sophisticated DPRK-linked hack of the Drift Protocol in which the attackers moved and held USDC proceeds while Circle did not freeze them, spotlighting stablecoin counterparty risk in DeFi. The episode is a reminder that programmable dollars strain liquidity and compliance tooling when issuer responsiveness and on-chain controls do not align. (x.com)

On April 1, 2026, attackers drained about $285 million from Drift Protocol on Solana, then converted a large share into USD Coin and moved roughly $232 million of that stablecoin from Solana to Ethereum through Circle’s own Cross-Chain Transfer Protocol. On-chain investigators said Circle had hours in which those tokens were visible and still transferable. (chainalysis.com, bitcoinethereumnews.com)

Drift is a decentralized finance exchange for perpetual futures, which are bets on price moves that do not expire on a set date. It runs on Solana, and Chainalysis said the April 1 theft wiped out more than 50% of Drift’s total value locked in a few hours. (drift.trade, chainalysis.com)

The break-in did not start with a coding bug in a trading screen. Drift and Chainalysis said the attackers spent months building relationships with contributors, then used Solana’s durable nonce system, which lets a transaction be signed now and submitted later without expiring, to trick Security Council members into approving the wrong actions. (chainalysis.com, cointelegraph.com) Once they had admin control, the attackers whitelisted a fake token called CVT as collateral and assigned it an artificial price. Chainalysis said they deposited 500 million CVT and borrowed out real assets including USD Coin, Solana, and Ether against collateral that was effectively worthless. (chainalysis.com)

Several security firms said the operation matched Democratic People’s Republic of Korea tradecraft. Elliptic said it saw multiple indicators pointing to North Korea, and The Hacker News reported Drift attributed the campaign with medium confidence to a state-sponsored group tracked as UNC4736, also known as AppleJeus and Citrine Sleet. (elliptic.co, thehackernews.com)

The fight after the hack centered on USD Coin, not on Drift’s smart contracts.
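Before turning to the USD Coin question, the two on-chain steps described above are worth seeing in code. The following is an added toy model written for this page; it is not code from Drift, Solana, Chainalysis or any other party named here. It models (1) why a durable-nonce transaction, unlike one tied to a recent blockhash, stays valid indefinitely, together with an assumed signer policy that refuses to co-sign such governance transactions, and (2) how a margin engine that accepts an admin-supplied collateral price lets a deposit of 500 million worthless tokens pull out real value, beside a hardened variant that requires an independent oracle price and caps new listings. The slot window, weights, prices, the borrow cap and all names other than CVT are assumptions.

```python
"""Added example, not the protocol's own code. Everything except the 500M CVT figure
from the article is an assumption chosen for illustration."""
from dataclasses import dataclass, field
from typing import Optional

# ---- Step 1: durable nonce vs recent blockhash -------------------------------------
BLOCKHASH_TTL_SLOTS = 150                       # assumption: normal txs expire after ~150 slots
ADVANCE_NONCE = ("system", "AdvanceNonceAccount")  # must be the first instruction of a durable tx


@dataclass
class Tx:
    instructions: list                 # [(program, instruction_name, args), ...]
    blockhash: str                     # recent blockhash, or the stored nonce for a durable tx
    nonce_account: Optional[str] = None

    @property
    def durable(self) -> bool:
        return bool(self.instructions) and tuple(self.instructions[0][:2]) == ADVANCE_NONCE


@dataclass
class Chain:
    slot: int = 0
    hashes: dict = field(default_factory=dict)   # slot -> blockhash
    nonces: dict = field(default_factory=dict)   # nonce_account -> current nonce value

    def advance(self, n: int) -> None:
        for _ in range(n):
            self.slot += 1
            self.hashes[self.slot] = f"hash{self.slot}"

    def accepts(self, tx: Tx) -> bool:
        if tx.durable:
            # No time limit: valid until someone advances the nonce account.
            return self.nonces.get(tx.nonce_account) == tx.blockhash
        made_at = next((s for s, h in self.hashes.items() if h == tx.blockhash), None)
        return made_at is not None and self.slot - made_at <= BLOCKHASH_TTL_SLOTS


def council_signer_policy(tx: Tx) -> tuple:
    """Assumed policy for an admin signer: never co-sign a durable-nonce governance tx."""
    if tx.durable:
        return False, "durable nonce: signed payload would stay valid indefinitely"
    return True, "ok"


# ---- Step 2: borrowing real assets against admin-priced, worthless collateral --------
@dataclass
class Market:
    price: float     # USD per unit
    weight: float    # fraction of value usable as collateral


class Exchange:
    def __init__(self, oracle_prices: dict, hardened: bool):
        self.oracle = oracle_prices          # assumed independent feed, e.g. {"SOL": 150.0}
        self.hardened = hardened
        self.markets = {}                    # token -> Market
        self.caps = {}                       # hardened only: max borrow value per collateral
        self.ledger = {}                     # user -> {"collateral": {...}, "borrowed_usd": x}

    def admin_list_collateral(self, token, price, weight, borrow_cap=0.0):
        if self.hardened:
            if token not in self.oracle:
                raise PermissionError(f"{token}: no independent oracle price; refusing admin price")
            price = self.oracle[token]       # ignore the admin-supplied number
            self.caps[token] = borrow_cap    # new listings start with a small cap
        self.markets[token] = Market(price, weight)

    def deposit(self, user, token, amount):
        acct = self.ledger.setdefault(user, {"collateral": {}, "borrowed_usd": 0.0})
        acct["collateral"][token] = acct["collateral"].get(token, 0.0) + amount

    def borrow(self, user, usd_amount):
        acct = self.ledger[user]
        usable = 0.0
        for token, qty in acct["collateral"].items():
            m = self.markets[token]
            value = qty * m.price * m.weight
            if self.hardened:
                value = min(value, self.caps.get(token, value))
            usable += value
        if acct["borrowed_usd"] + usd_amount > usable:
            raise ValueError("insufficient collateral")
        acct["borrowed_usd"] += usd_amount
        return acct["borrowed_usd"]


def run_attack(hardened: bool) -> float:
    """Admin lists CVT at $1, attacker deposits 500M CVT and tries to borrow $250M."""
    ex = Exchange(oracle_prices={"SOL": 150.0, "USDC": 1.0}, hardened=hardened)
    ex.admin_list_collateral("CVT", price=1.0, weight=0.8, borrow_cap=100_000.0)
    ex.deposit("attacker", "CVT", 500_000_000)
    return ex.borrow("attacker", 250_000_000)
```

In the unhardened engine the borrow succeeds because the only price check is the one the compromised admin set; in the hardened one the listing itself is refused, and even a token that does have an oracle price cannot be used to borrow more than its initial cap until that cap is raised.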
Circle’s legal terms say it can block addresses and freeze the associated USD Coin at its sole discretion, but the same risk document also says USD Coin transactions are not reversible and that Circle is not obligated to track or determine the provenance of balances for users. (circle.com) That is the odd position of a regulated stablecoin inside decentralized finance. Traders treat USD Coin like digital cash, but the issuer can still act like a bank compliance team when it chooses, which makes the token a bearer asset and a permissioned liability at the same time. (circle.com, circle.com)

In the Drift case, critics argued that Circle’s own infrastructure made the tension impossible to ignore. Reports last week said the attacker used Circle’s Cross-Chain Transfer Protocol to bridge the stolen USD Coin while no freeze happened during the key window, even though the funds were already tied to a live exploit. (msn.com, cryptobriefing.com) Circle’s position, reported on April 10, was that the freezes tied to the incident were executed under legal obligation rather than ad hoc internal discretion. That answer may satisfy lawyers, but it leaves decentralized finance users with a simpler fact: the most important dollar in crypto still depends on how fast one company decides it can move. (cryptotimes.io, circle.com)

Shared from Scout - Be the smartest in the room.