Drift Attributes $280mn Exploit to North Korean Hackers, Outlines Security Overhaul
Drift Protocol has confirmed that the April attack, which drained approximately $280mn from the decentralized finance (DeFi) platform, was carried out by a North Korean state-sponsored threat group.
The confirmation places Drift among several high-profile DeFi platforms targeted in what appears to be a sustained campaign by North Korean actors in 2026. The incident has intensified industry focus on state-level threats and prompted major security reviews across the sector.
The DRIFT token was trading at approximately $0.016 on 4 Jun, down around 80% from its level before the 1 Apr exploit.
North Korea confirmed as attacker
In a blog post published on 3 Jun, Drift said cybersecurity firm Mandiant’s independent forensic investigation attributed the attack to UNC6862, a North Korean threat group with ties to state-sponsored operations.
The tactics aligned with previous North Korean campaigns, including the October 2024 Radiant Capital hack. The exploit combined Solana durable nonce accounts – which allow transactions to be signed in advance – with social engineering to gain approval from at least two members of Drift’s security council multisig. No smart contract vulnerability or compromised seed phrases were involved.
Relaunch as recovery engine
Drift is overhauling its platform with a strong security focus. Noah Prince, formerly head of protocol engineering at Helium – a decentralized wireless network now operating on Solana – will join as head of protocol to strengthen the codebase and protections.
Former members of risk management firm Gauntlet have also been brought in to review the liquidation engine, refine funding rates and market parameters, and provide ongoing risk monitoring.
The platform will relaunch as a USDT-based perpetual futures exchange on Solana. This follows a $147.5mn strategic support package led by Tether in April, which includes a shift from USDC to USDT as the primary settlement currency.
Broader implications
The attack adds to a growing list of major DeFi exploits attributed to North Korean groups this year, including the $292mn breach of Kelp DAO in April. These incidents have raised concerns about systemic risks and forced protocols to reassess security assumptions and asset listing standards.