Drift Protocol Update: North Korea Confirmed, Circle's Six-Hour Silence Exposed
Lazarus Group stole $285M in 12 minutes. Bridged $230M through Circle's CCTP during business hours. Circle did nothing for six hours.

North Korea's Lazarus Group pulled off the largest DeFi hack of 2026. They stole $285 million from Solana's top perpetual futures exchange in 12 minutes. Then they walked the money straight across Circle's USDC bridge during US business hours. Circle did nothing for six hours.
Blockchain analytics firm Elliptic confirmed the hallmarks of a North Korean operation. The on-chain behavior matched Lazarus Group tactics used in the $1.5 billion Bybit hack a year earlier. Patient. Sophisticated. Targeting the human layer, not the code. Ledger CTO Charles Guillemet posted on X that the modus operandi was "similar to the Bybit hack last year, widely attributed to DPRK-linked actors."
The attack didn't exploit a smart contract bug. It exploited Solana's own architecture: durable nonces, a legitimate Solana feature that lets you sign a transaction today but execute it weeks later. Think of it like writing a signed check and leaving it in someone's drawer until they decide to cash it.
On March 23, the attacker set up durable nonce accounts and tricked two of Drift's five security council members into blind-signing transactions they didn't fully understand. Social engineering. Transaction misrepresentation. Two signatures on a five-person multisig was enough.
Four days later, Drift rotated its security council. New members. Fresh setup. Didn't matter. The attacker compromised two of the five new signers using the same tactic. Now they had pre-signed transactions from both the old and new councils sitting in their back pocket.
On April 1 at approximately 11:06 AM ET, Drift ran a routine test transaction. Sixty seconds later, the attacker cashed those pre-signed checks. Two transactions. Four Solana slots apart. Full admin control seized. Every withdrawal limit removed. Every vault drained. The attacker listed a fake token called CarbonVote Token as a new market, inflated its price via a tiny liquidity pool with just $700 in real liquidity, and used it as collateral valued at roughly $785 million to borrow and drain real assets across the protocol.
The stolen haul included 41 million JLP tokens worth $155 million, $60.4 million in USDC, $11.3 million in cbBTC, $5.65 million in USDT, $4.7 million in wrapped ETH, $4.5 million in DSOL, $4.4 million in WBTC, $4.1 million in FARTCOIN, and smaller amounts across JUP, JITOSOL, and dozens of other tokens. On-chain researcher Vladimir S. compiled the breakdown in real time.
Then came the exit. The attacker converted stolen assets to USDC and bridged them from Solana to Ethereum via Circle's Cross-Chain Transfer Protocol. Over 100 transactions. Approximately $230 million. All flowing through Circle's own centralized infrastructure between 12 PM ET and 6 PM ET on April 1. Squarely during US business hours. Circle did nothing.
On-chain investigator ZachXBT exposed the timeline. Circle had six hours to freeze the stolen funds while they transited its own bridge. The attacker accumulated 129,066 ETH on the Ethereum side and deposited SOL into both HyperLiquid and Binance, spreading the trail across multiple platforms.
Here is what makes this worse. Nine days before the hack, on March 23, Circle froze USDC balances across 16 unrelated business hot wallets as part of a sealed New York civil case. No public explanation. No transparency. The freeze disrupted operations for exchanges, casinos, and payment processors who had nothing to do with the case. Circle proved it could act fast when it wanted to.
Yet when confirmed stolen funds from a state-sponsored hacking group transited Circle's own infrastructure for six hours during regular business hours - silence. The attacker deliberately avoided converting to Tether, suggesting confidence that Circle wouldn't intervene. They were right.
Drift Protocol's total value locked collapsed from approximately $550 million to under $300 million. The DRIFT token crashed over 37%, trading at $0.043 - down 98% from its November 2024 all-time high of $2.65. A dozen Solana protocols with exposure to Drift liquidity paused operations or assessed losses. PiggyBank_fi reported $106,000 in exposure. Reflect Money paused minting and redemptions.
Security audits by Trail of Bits in 2022 and ClawSecure in February 2026 had cleared Drift. Neither caught the CVT market introduction or the governance changes that made the attack possible. The auditors checked the code. The attacker bypassed the code entirely.
This is the second time in 14 months that Lazarus Group has executed a nine-figure crypto heist by compromising the human layer rather than the smart contracts. Bybit lost $1.5 billion through a compromised Safe wallet UI. Drift lost $285 million through pre-signed durable nonces. Ronin Bridge lost $625 million through compromised validator keys. The pattern is identical every time. Find the people. Trick the people. The code is irrelevant.
As of April 3, 2026, the $285 million remains unrecovered. Elliptic has confirmed the North Korean attribution. Circle has made no public statement about the six-hour gap. Drift is attempting to rebuild but has lost more than half its TVL and nearly all its market credibility. Lazarus Group is $285 million richer and still operating. According to Chainalysis, North Korea was responsible for $2 billion in stolen crypto in 2025 - roughly 60% of all digital assets stolen globally. The Drift hack suggests 2026 will be worse.
The Aftermath
$285 million remains unrecovered as of April 3, 2026. Elliptic confirmed North Korean Lazarus Group attribution. Circle has made no public statement about the six-hour window during which $230M in stolen USDC transited its own bridge. Drift's TVL collapsed from $550M to under $300M. DRIFT token down 98% from ATH. A dozen Solana protocols reported exposure.