North Korean Hackers Steal $285M from Drift Protocol

North Korean hackers didn't just steal $285 million from Drift—they did it in 10 seconds flat. DeFi's house of cards just collapsed again.

Visualization of North Korean hackers draining funds from Drift Protocol vaults on Solana blockchain

Key Takeaways

  • North Korean hackers drained $285M from Drift in 10 seconds using pre-signed nonce transactions and a compromised multisig admin key.
  • Attack exploited fake token markets and disabled safety circuit breakers, highlighting DeFi multisig vulnerabilities.
  • Funds laundered across 57,000+ wallets in 34 hours, complicating recovery efforts.

Drift got gutted.

North Korean hackers, Pyongyang's crypto-loving pros, pulled $285 million out of DeFi platform Drift in a blistering 10-second burst. Weeks of quiet preparation, one compromised admin key, and the vaults were empty. It's not just theft; it's a masterclass in DeFi's fragility, served with a side of North Korean audacity.

Look, we've seen this movie before. Pyongyang's crews have vacuumed up over $6.5 billion in crypto over the years. But this? Precision surgery on Solana. They minted a junk token called CVT 20 days early, seeded a fresh wallet with micro-transactions in seven token types so the receiving token accounts already existed, then waited.

Five hours before the heist, they got hold of Drift's admin key. Multisig? Sure, but only 2 of 5 signatures were required, with a zero-second timelock. One carryover signer proposes a transfer; a co-signer approves one second later. Instant control. Drift calls it a “highly sophisticated operation” involving durable nonce accounts, a standard Solana feature that lets a signed transaction stay valid until it is used instead of expiring with its blockhash, so the whole sequence could be pre-signed and fired at will. Sophisticated? Or just exploiting lazy safeguards?

How Did North Korean Hackers Crack Drift So Fast?

Twenty-five seconds before the drain, they wielded that key like a scalpel. Created a fake CVT collateral market. Pumped its fake oracle to value worthless tokens at hundreds of millions of dollars. Set the market's collateral tier to maximum borrowing power. Zeroed the deposit penalties. Then, the finishing touch: they raised the circuit breakers from blocking fast drains to allowing 500 trillion in value. All bundled into one transaction at 16:05:39 UTC.

“The fake market creation and the circuit breaker modifications were bundled into a single on-chain transaction at 16:05:39 UTC. Twenty-five seconds later, the withdrawals began. The entire weaponisation took less time than it takes to order coffee,” PIF Research Labs notes.

Two seconds after depositing 500 million CVT as collateral (oracle-valued at $100M+), the siphon kicked in. JLP vault? Totally emptied. USDC, cbBTC, USDS, dSOL, wETH: gone in 10 seconds across five vaults. Elliptic pins it on North Korea. PIF Research Labs maps the prep: durable-nonce pre-signing for rapid-fire execution, infrastructure staged days ahead.
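To pin down what "tier", "deposit penalty" and "circuit breaker" actually do in that sequence, here is an added Python model of a collateralised lending protocol. It is an illustration written for this article, not Drift's program or a reconstruction of it: the vault sizes, the $5M default withdrawal limit, the CVT price and the collateral weights are constructed values, and the method names are hypothetical. Only the shape of the attack follows the reporting: an admin-created market, an attacker-priced oracle, maximum collateral weight, zero penalty, and the breaker raised to 500 trillion.

```python
from dataclasses import dataclass, field


@dataclass
class Market:
    symbol: str
    oracle_price_usd: float    # price the protocol's oracle reports for one token
    collateral_weight: float   # 0..1, fraction of value that counts as collateral ("tier")
    deposit_penalty: float     # 0..1, haircut applied to deposited collateral


@dataclass
class CircuitBreaker:
    # Largest USD value allowed to leave the vaults inside one window (assumed unit).
    max_withdraw_usd: float
    withdrawn_usd: float = 0.0


@dataclass
class Protocol:
    vault_balances_usd: dict
    markets: dict = field(default_factory=dict)
    breaker: CircuitBreaker = field(default_factory=lambda: CircuitBreaker(5_000_000))
    debt_usd: float = 0.0      # outstanding borrows of the single attacker account

    # Both of these are admin-only actions; the compromised 2-of-5 key unlocks them.
    def admin_add_market(self, m: Market) -> None:
        self.markets[m.symbol] = m

    def admin_set_breaker(self, limit_usd: float) -> None:
        self.breaker.max_withdraw_usd = limit_usd

    def borrowing_power_usd(self, symbol: str, amount: float) -> float:
        m = self.markets[symbol]
        return amount * m.oracle_price_usd * m.collateral_weight * (1.0 - m.deposit_penalty)

    def withdraw(self, vault: str, amount_usd: float,
                 collateral_symbol: str, collateral_amount: float):
        """Borrow amount_usd from `vault` against posted collateral. Returns (ok, reason)."""
        power = self.borrowing_power_usd(collateral_symbol, collateral_amount)
        if self.debt_usd + amount_usd > power:
            return False, "insufficient collateral"
        if amount_usd > self.vault_balances_usd.get(vault, 0.0):
            return False, "vault empty"
        if self.breaker.withdrawn_usd + amount_usd > self.breaker.max_withdraw_usd:
            return False, "circuit breaker"
        self.debt_usd += amount_usd
        self.breaker.withdrawn_usd += amount_usd
        self.vault_balances_usd[vault] -= amount_usd
        return True, "ok"


def run_scenario(fake_market: bool, raise_breaker: bool) -> dict:
    """Try to empty three vaults (constructed sizes summing to $285M) in one pass."""
    p = Protocol(vault_balances_usd={"USDC": 120e6, "JLP": 80e6, "wETH": 85e6})
    p.admin_add_market(Market("USDC", 1.0, 0.90, 0.0))          # an honest market
    if fake_market:
        # Worthless token priced by an attacker-controlled oracle, max tier, no haircut.
        p.admin_add_market(Market("CVT", 0.75, 1.0, 0.0))        # 500M CVT -> $375M "collateral"
        collateral = ("CVT", 500e6)
    else:
        collateral = ("USDC", 1_000.0)                          # what a normal user might post
    if raise_breaker:
        p.admin_set_breaker(500e12)                             # "allow 500 trillion"
    drained, reasons = 0.0, {}
    for vault in ("USDC", "JLP", "wETH"):
        amount = p.vault_balances_usd[vault]
        ok, reason = p.withdraw(vault, amount, *collateral)
        reasons[vault] = reason
        if ok:
            drained += amount
    return {"drained_usd": drained, "reasons": reasons}


if __name__ == "__main__":
    for fake, raised in ((False, False), (True, False), (True, True)):
        print(f"fake_market={fake} raise_breaker={raised}:", run_scenario(fake, raised))
```

The three scenarios make one point: the two controls are independent. A bogus market alone is stopped by the breaker, and a raised breaker alone is useless without collateral to borrow against. The design failure is that a single admin authority could rewrite both in the same transaction, so the twenty-five seconds between configuration and drain were never going to be enough for anyone to react.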

Drift's scrambling: coordinating with security firms, bridges, exchanges, law enforcement. Postmortem incoming. But here's the comparison I'd draw: this reeks of 1990s bank vault cracks, digital edition. Remember those insider jobs where guards looked the other way? Drift's 2-of-5 multisig is that sleepy guard: trusting, vulnerable, begging for a bribe. North Korea didn't break in; Drift handed over the blueprint.

Why Drift’s Defenses Were a Joke

DeFi touts decentralization as armor. Ha. Drift's circuit breakers were meant to halt mass drains; the attackers dialed the limits up to absurdity, and the safety systems switched off like a light. A multisig sounds secure until you realize that 40% approval (2 of 5) with no timelock greenlights Armageddon, because the same key that can change the risk parameters can also raise the limit that would have caught the change.
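The 2-of-5, zero-timelock configuration described here and earlier is easy to see in a toy model. The following Python is an added example, not Drift's governance code or any real Solana multisig program: the signer names, the five-signer set, the 24-hour delay and the `simulate` harness are assumptions. It plays out an attacker holding two (or three) of five keys against the weak policy and a hardened one.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Proposal:
    action: str
    proposed_at: int                        # unix seconds
    approvals: set = field(default_factory=set)
    threshold_reached_at: Optional[int] = None
    cancelled: bool = False
    executed: bool = False


@dataclass
class Multisig:
    signers: frozenset
    threshold: int                          # signatures required
    timelock_s: int                         # delay between reaching threshold and execution
    proposals: list = field(default_factory=list)

    def _record(self, p: Proposal, signer: str, now: int) -> None:
        assert signer in self.signers, "not a signer"
        p.approvals.add(signer)
        if p.threshold_reached_at is None and len(p.approvals) >= self.threshold:
            p.threshold_reached_at = now    # the delay clock starts here

    def propose(self, signer: str, action: str, now: int) -> Proposal:
        p = Proposal(action, now)
        self._record(p, signer, now)        # proposing counts as the first approval
        self.proposals.append(p)
        return p

    def approve(self, p: Proposal, signer: str, now: int) -> None:
        self._record(p, signer, now)

    def cancel(self, p: Proposal, signer: str) -> None:
        assert signer in self.signers, "not a signer"
        p.cancelled = True                  # any single signer can veto during the delay

    def execute(self, p: Proposal, now: int):
        """Returns (ok, reason)."""
        if p.cancelled:
            return False, "cancelled"
        if p.threshold_reached_at is None:
            return False, "below threshold"
        if now - p.threshold_reached_at < self.timelock_s:
            return False, "timelock"
        p.executed = True
        return True, "executed"


def simulate(threshold: int, timelock_s: int, compromised_keys: int,
             honest_signer_watching: bool = True) -> str:
    """Attacker holds `compromised_keys` of 5 signers and pushes one admin action through."""
    signers = frozenset(f"signer{i}" for i in range(5))
    ms = Multisig(signers, threshold, timelock_s)
    attacker = sorted(signers)[:compromised_keys]
    honest = sorted(signers)[-1]
    t0 = 1_700_000_000
    p = ms.propose(attacker[0], "raise_withdraw_limit(500e12)", t0)
    for i, key in enumerate(attacker[1:], start=1):
        ms.approve(p, key, t0 + i)          # co-signatures land one second apart
    ok, reason = ms.execute(p, t0 + len(attacker))
    if ok or reason != "timelock":
        return reason
    # Execution is delayed; an honest signer who notices has the whole window to veto.
    if honest_signer_watching:
        ms.cancel(p, honest)
    _, reason = ms.execute(p, t0 + len(attacker) + timelock_s)
    return reason


if __name__ == "__main__":
    print("2-of-5, no timelock, 2 keys stolen:     ", simulate(2, 0, 2))
    print("3-of-5, 24h timelock, 2 keys stolen:    ", simulate(3, 86400, 2))
    print("3-of-5, 24h timelock, 3 keys, watched:  ", simulate(3, 86400, 3))
    print("3-of-5, 24h timelock, 3 keys, unwatched:", simulate(3, 86400, 3, False))
```

Note the fourth case: a timelock only buys time. If nobody is watching the queue, the same proposal executes the moment the delay runs out. The control is the combination of a threshold above what a realistic key compromise yields, a delay, and a paged human with a veto.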

And the laundering? Picasso-level. Funds hit 27 getaway wallets, then bots splintered them across 57,331 addresses. $225M was swapped to Ethereum and parked in three spots. 34 hours of chaos: 590 transactions per minute across chains and centralized exchanges, over 860,000 transactions in total. Good luck tracing that.

But wait, Drift's not alone. North Korea has hit the Axios npm package too, supply-chain style. The pattern? Target DeFi for speed, launder vast sums to fund missiles. Bold prediction: more Solana protocols are next, with pre-signed durable-nonce transactions as the standard playbook. The nonce isn't the exploit; the key and the governance around it are. DeFi protocols, tighten your multisigs or watch funds evaporate.

Critique time. Drift’s PR spin—“coordinating with multiple security firms”—feels like damage control bingo. Where’s the outrage over 2-of-5? That’s not sophisticated; it’s sloppy design inviting nation-states to tea. Pyongyang laughs all the way to the vault.

DeFi's bleeding.

We've got $6.5B+ stolen by these hackers. Drift's $285M? A drop in the bucket. Yet platforms keep building on sand. Historical parallel: Enron's off-books tricks met Sarbanes-Oxley. DeFi needs its reckoning, or North Korea's wallet grows fatter.

Fix multisigs, yesterday.

And the bots? Industrial-scale scattering. Multi-chain madness. Investigators chase ghosts while hackers sip soju. Elliptic’s right—North Korean signature all over it.

Deeper dive: that CVT token was minted 20 days early, and the attacker's fresh wallet received micro-transactions in each of the seven token types so that every receiving account existed before the drain. Durable nonces meant the pre-signed transactions could not expire while they waited. It's not hacking; it's choreography.
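Why durable nonces matter for a pre-signed heist is a mechanism question, so here is an added toy model in Python of the one rule that changes: an ordinary Solana transaction must quote a blockhash from roughly the last 150 blocks and expires in about a minute, while a durable-nonce transaction quotes the value stored in a nonce account and stays valid until that nonce is advanced. This is not the Solana runtime or any Drift code; the hash derivation, the account layout, the dedup key and the ten-thousand-slot gap are simplifications and constructed values. It serves the nonce discussion here and in the earlier paragraph on how the admin transactions were staged.

```python
import hashlib
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class NonceAccount:
    authority: str          # only this key may advance the nonce
    value: str              # the stored nonce; a transaction quotes it as its "blockhash"


@dataclass
class Tx:
    signer: str
    payload: str
    recent_blockhash: str                  # a real recent blockhash, or a nonce value
    nonce_account: Optional[str] = None    # set when the tx leads with AdvanceNonceAccount
    nonce_authority: Optional[str] = None


class Ledger:
    WINDOW = 150   # Solana accepts roughly the last 150 blockhashes (about a minute)

    def __init__(self) -> None:
        self.slot = 0
        self.recent = deque(maxlen=self.WINDOW)
        self.nonces = {}
        self.processed = set()
        self._new_block()

    def _new_block(self) -> None:
        # Constructed blockhash: real ones are SHA-256 of block contents, not of the slot.
        self.recent.append(hashlib.sha256(f"block-{self.slot}".encode()).hexdigest()[:16])

    def advance(self, slots: int) -> None:
        for _ in range(slots):
            self.slot += 1
            self._new_block()

    def latest_blockhash(self) -> str:
        return self.recent[-1]

    def create_nonce_account(self, name: str, authority: str) -> str:
        self.nonces[name] = NonceAccount(authority, self.latest_blockhash())
        return self.nonces[name].value

    def submit(self, tx: Tx) -> str:
        if tx.nonce_account is not None:
            acct = self.nonces.get(tx.nonce_account)
            if acct is None:
                return "rejected: no such nonce account"
            if tx.nonce_authority != acct.authority:
                return "rejected: wrong nonce authority"
            if tx.recent_blockhash != acct.value:
                return "rejected: stale nonce"      # already used: a replay fails here
            acct.value = self.latest_blockhash()    # AdvanceNonceAccount burns the value
            return "processed"
        if tx.recent_blockhash not in self.recent:
            return "rejected: blockhash expired"
        key = (tx.signer, tx.payload, tx.recent_blockhash)
        if key in self.processed:
            return "rejected: already processed"    # status-cache dedup inside the window
        self.processed.add(key)
        return "processed"


def demo() -> dict:
    """Pre-sign two withdrawals, hold them, then submit long after the window has passed."""
    ledger = Ledger()
    ordinary = Tx("attacker", "withdraw", ledger.latest_blockhash())
    nonce_value = ledger.create_nonce_account("nonceA", authority="attacker")
    durable = Tx("attacker", "withdraw", nonce_value, "nonceA", "attacker")
    fresh = Tx("attacker", "probe", ledger.latest_blockhash())
    results = {"ordinary_fresh": ledger.submit(fresh),
               "ordinary_fresh_replay": ledger.submit(fresh)}
    ledger.advance(10_000)                          # far beyond the 150-blockhash window
    results["ordinary_held"] = ledger.submit(ordinary)
    results["durable_held"] = ledger.submit(durable)
    results["durable_replay"] = ledger.submit(durable)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} {outcome}")
```

Two things the model makes visible: the held ordinary transaction is dead on arrival, and the durable one executes once and only once, because advancing the nonce burns the stored value. That is exactly the property an attacker wants when every step of a drain has to be signed in advance and fired within the same second. It is also a legitimate feature, so the defence sits at the key and governance layer, not at the nonce.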

Drift promises details. We’ll watch. But if your multisig’s this porous, you’re not decentralized—you’re a piñata.

Is DeFi Built for North Korean Heists?

Yes. Fast chains like Solana invite flash attacks; slower EVM chains give defenders a few more blocks, maybe. But DeFi's hype ignores human error, or insider flips. A key grabbed five hours before the heist? Smells fishy. A co-signature one second after the proposal? That isn't a human reviewing anything; it's a second compromised key or a pre-signed approval, and either way the multisig gave no one time to notice.

Corporate spin called out: “highly sophisticated.” Nah. A compromised key against a weak multisig. Platforms blame actors, not mirrors.

Frequently Asked Questions

What caused the $285M Drift Protocol hack? Compromised admin key via lax 2-of-5 multisig, fake market creation, and disabled circuit breakers—executed in seconds on Solana.

Who hacked Drift and stole $285 million? Likely North Korean threat actors, per Elliptic—part of $6.5B+ crypto theft spree.

How much did North Korea steal from Drift? $285-286 million, drained in 10 seconds, then laundered via 860,000+ transactions.

Written by Priya Sundaram

Hardware and infrastructure reporter. Tracks GPU wars, chip design, and the compute economy.



Originally reported by SecurityWeek
