OPN Intel
LIVE
BTC$76,620MAYER0.95×200W1.25×PI-CYCLE38%DRAWDOWN-39%PUELL0.81×W-RSI45BMSB0.97×
AS OF 2026-05-24
Threats· Trust Inversion series· Apr 29, 2026· 6 min read

Drift Hack Began With Months of In-Person DPRK Social Engineering

On Wednesday, April 29, TRM Labs and Chainalysis published detailed analyses of the April 1 Drift Protocol breach: North Korean state-backed operators began the campaign in fall 2025 with in-person meetings between proxies and Drift employees, building professional credibility for months before exploiting it. Access came through Solana durable nonces, a feature that lets transactions be signed in advance and broadcast later, converting routine pre-signed approvals from Security Council members into delayed exploits. Once admin control was transferred, attackers whitelisted a fake CVT token as collateral, deposited the fake collateral, and drained real assets from vaults in approximately 12 minutes. The same intelligence research now puts North Korea-linked actors at 76% of all 2026 crypto theft and approximately $6 billion cumulative since 2017. The attribution share has risen from under 10% in 2020-2021 to 64% in 2025 to 76% in early 2026.

Key takeaways

  1. On April 29, 2026, TRM Labs published detailed operational analysis of the April 1 Drift Protocol breach. The campaign began in fall 2025 with in-person meetings between North Korean proxies and Drift Protocol employees at industry events, six months before the actual exploit. Operators posed as a legitimate trading firm, attended events, established business relationships, and built the kind of professional credibility that bypasses normal counterparty due diligence. This is unusually sophisticated for crypto theft and resembles foreign intelligence service tradecraft more than criminal hacking
  2. The technical mechanism that converted social engineering into capital extraction was Solana durable nonces. Durable nonces let a transaction be signed in advance and broadcast later. Drift Security Council members signed what looked like routine pre-signed approvals for their vetted institutional partner. Those signatures sat dormant. The attackers later broadcast them at the moment of execution, transferring admin control without the signers ever realizing they had authorized the transfer in real time
  3. Once admin control was achieved, the attackers whitelisted a fake token called CVT as accepted collateral, deposited the fake collateral into vaults, and used it to withdraw real assets. The full drain executed in approximately 12 minutes. The asymmetry is structural: months of social engineering and approximately 12 minutes of technical execution. The technical layer was almost incidental
  4. TRM Labs and Chainalysis converge on the attribution: North Korea-linked actors are responsible for approximately 76% of all crypto scam and hack losses in 2026 year-to-date, or roughly $577 million. Cumulative theft attributed to DPRK operations now exceeds $6 billion since 2017. The share trajectory tells its own story: under 10% in 2020-2021, 22% in 2022, 37% in 2023, 39% in 2024, 64% in 2025, 76% in 2026. This is a maturing state capability, not a one-month spike
  5. The pattern is consistent across multiple 2026 incidents and represents a layered trust inversion. Mandiant's UNC1069 report (February 9) and the Zerion theft on April 15 (covered April 24) used Telegram and Zoom to weaponize remote professional trust. The Drift breach used in-person attendance and business development to weaponize physical-world professional trust. The Kelp DAO exploit on April 18 used bridge messaging and verifier trust at the protocol layer. The throughline: every category of trust the industry relies on is now an attack surface for a sufficiently patient state actor

What Happened

On Wednesday, April 29, 2026, TRM Labs published a detailed operational post-mortem on the April 1 Drift Protocol exploit. The headline finding: the campaign began in fall 2025, approximately six months before the actual breach, with in-person meetings between North Korean proxies and Drift Protocol employees at industry events. Operators posed as a legitimate trading firm, attended events, met team members in person, established business relationships through normal-looking professional channels, and built the kind of credibility that bypasses counterparty due diligence because it looks indistinguishable from a real institutional partner. The same research, corroborated by Chainalysis, puts North Korea-linked actors at approximately 76% of all crypto scam and hack losses in 2026 year-to-date, or roughly $577 million.

The Drift breach is the case study for what the 76% looks like in operational practice. After months of relationship-building, the attackers obtained pre-signed transactions from Drift's Security Council members. The technical mechanism is specific: Solana durable nonces, a feature that allows transactions to be signed in advance and broadcast later. The signers were not duped in real time. They signed legitimate-looking pre-approvals that sat dormant in attacker control until the moment of execution. Those signatures were then broadcast to transfer admin control. Once admin control was established, the attackers whitelisted a fake token (CVT) as accepted collateral, deposited the fake collateral into Drift's vaults, and used it to withdraw real assets. The full drain executed in approximately 12 minutes. Funds moved through cross-chain bridges and mixers within 48 hours.

The North Korea Share Trajectory

The 76% figure for 2026 is the headline, but the trajectory is the story. TRM Labs and Chainalysis converge on the year-over-year progression of North Korea's share of total crypto theft: under 10% in 2020-2021, 22% in 2022, 37% in 2023, 39% in 2024, 64% in 2025, and 76% in early 2026. That is not a sudden spike. It is the curve of a maturing state capability. Operational sophistication, infrastructure, payroll, training, and target selection have all improved in measurable lockstep over six years. Cumulative theft attributed to DPRK operations now exceeds $6 billion since 2017, with stolen cryptocurrency identified by US Treasury and UN Panel of Experts reports as a direct funding source for ballistic missile and nuclear programs.

The defensive implication of the trajectory is that the threat is concentrated, not diffuse. The 2026 figures reflect approximately two large operations driving 95% of total losses for the year so far. This is the pattern of a state intelligence service running a small number of high-payoff operations against carefully selected high-value targets, not a criminal hacking operation running broad opportunistic campaigns. The defensive posture has to match: high-trust, high-privilege surfaces are the targets, the adversary will spend six months building access to one of them, and conventional counterparty due diligence is structurally insufficient against an adversary willing to invest at that scale.

The In-Person Layer Is Now an Attack Surface

The Drift breach is significant because it operationalizes a layer of trust the industry has not yet absorbed as an attack surface. Telegram trust got weaponized: UNC1069 ran multi-week campaigns through compromised accounts of real crypto executives, demonstrated in Mandiant's February 9 report and confirmed in the Zerion theft on April 15. Zoom trust got weaponized: deepfake video of recognizable CEOs delivered the ClickFix payload that compromised employee sessions. Now in-person professional trust is in the same category. Attending an industry event, meeting in a hotel lobby, exchanging business cards, doing a few legitimate trades over six months, building a relationship through normal business development: all of these have been operational steps in a state-funded crypto theft.

The implication for any organization running shared signing authority is direct. 'We vetted this counterparty in person' is no longer a sufficient verification standard. The Drift Security Council members were not careless or incompetent. They followed normal counterparty due-diligence procedures and authorized pre-signed transactions for what they had every reasonable business reason to believe was a legitimate institutional trading firm. The attack succeeded because the adversary's resourcing exceeded the defender's verification budget by an order of magnitude. A protocol team can spend a few hours vetting a new counterparty. A nation-state can spend six months building the counterparty relationship from scratch with full operational security. The asymmetry is structural and the defender does not win this trade through more diligence.

Trust-Chain Compromise as the Frame

The right framing for the Drift breach is trust-chain compromise, not 'hack' or 'exploit.' A hack implies a code defect that gets patched. An exploit implies a vulnerability that gets disclosed and fixed. Drift had neither. Drift had a properly functioning governance system staffed by competent humans following legitimate procedures, and the entire system was compromised because the trust chain that authorized the system's actions was infiltrated for six months before any technical action took place. The fix is not a software update. The fix is changing how trust gets established and verified across the chain.

The Kelp DAO breach on April 18 is the parallel case at the protocol layer: cross-chain verification failure rather than trust-chain compromise. Attackers compromised internal RPC nodes, used DDoS pressure to force failover to the compromised nodes, and got false cross-chain messages accepted as legitimate. The bridge had a documented multi-verifier design that operationally collapsed to single-verifier operation under adversarial pressure. The fix there is also not a code patch. It is verifier topology, redundancy, and active resistance to failover-driven trust collapse. Together the two April breaches define the two categories of failure that now dominate DeFi losses: trust at the human and governance layer, trust at the protocol topology layer. North Korea is exploiting both.

What This Means for You

If you self-custody Bitcoin individually and do not run a multi-sig with other parties, the in-person social engineering vector does not directly affect you. It affects you indirectly through the institutional venues you may rely on. If you hold Bitcoin through Coinbase, Strategy, BlackRock IBIT, or any custodian whose operations involve human signers approving transactions, those signers are now targets of the same patient social engineering operations that took down Drift's Security Council. Your custody depends on the operational security of those humans, and their operational security depends on whether they have updated their threat model to include in-person multi-month adversary credibility-building campaigns and durable-nonce abuse patterns.

If you operate a multi-sig with family or business partners, the threat model is now active for you. Three concrete adjustments. First, pre-arrange out-of-band verification codes with each co-signer that get used on any signing event involving a new counterparty or an unusual transaction. The verification codes must be agreed upon before any signing relationship begins, in person or through a channel established prior to any potential adversary's access. Second, mandate cooling-off periods on first transactions with any new counterparty, including counterparties that have been vetted in person. Three to five business days between counterparty introduction and first signing event is short enough not to break legitimate business and long enough to expose social engineering campaigns that are time-pressured. Third, geographic separation of signers is more important now than it was 12 months ago, specifically because in-person credibility building is harder against signers who do not attend the same events and meetings.

There is a fourth specific recommendation for any team operating on Solana or any chain that supports pre-signed transaction primitives. Treat any signature on a transaction that does not execute immediately as live attack surface for as long as it remains valid. Solana's durable nonces, Bitcoin's PSBTs (Partially Signed Bitcoin Transactions), Ethereum's EIP-712 typed signatures, and any equivalent on other chains can all be weaponized through the Drift pattern: the signer authorizes something legitimate-looking, the signature sits dormant in adversary control, the adversary broadcasts it at the moment of execution. The procedural defense is to log every pre-signed transaction with an expected execution window, monitor for execution outside that window, and maintain the ability to invalidate dormant signatures by spending the relevant inputs first.

The deeper point: any system that depends on humans approving high-value transactions is now defending against adversaries who will spend six months in your physical and professional environment to compromise those humans, then use technical primitives like durable nonces to convert that compromise into a fast extraction. Hardware wallets help. Air-gapped signing helps. But the procedural defenses against trust-chain compromise are now more important than the cryptographic defenses against code exploits, because the cryptographic defenses are not what is failing.

What to Watch

Watch the next major DeFi exploit closely for whether it follows the same pattern: months of social engineering, durable-nonce or pre-signed-transaction abuse, fast technical execution at the end. Watch the US Treasury and OFAC for sanctions enforcement actions tied to the 76% Lazarus attribution figure, because the policy response to a sustained nation-state crypto theft operation has been slower than the operational tempo of the operation itself. Watch the Drift Protocol post-mortem when it publishes its full timeline, because the months-long lead-up will likely include identifiable behavioral signatures that protocol teams can use to detect similar campaigns in progress. Watch the next Mandiant or Google Threat Intelligence Group report for whether they document the same in-person credibility-building pattern in additional incidents. And watch industry security organizations (SEAL, Immunefi, Trail of Bits) for whether they begin publishing operational guidance specifically targeted at the trust-chain compromise threat, because the first organization to publish a usable framework will set the template for how the industry adapts.

Six months of in-person credibility. Twelve minutes of execution. The signers were not careless. The asymmetry was structural.

Sources

  1. [1]TRM Labs — Detailed operational analysis of Drift Protocol exploit including fall 2025 in-person campaign timeline, durable-nonce mechanism, and CVT fake collateral whitelisting, April 29, 2026
  2. [2]Chainalysis — 2026 cryptocurrency theft attribution report, North Korea state actor share rising from 64% in 2025 to 76% in 2026 year-to-date
  3. [3]CoinDesk — 'The long con: How North Korean spies spent months in-person to drain $285 million from Drift', April 29, 2026
  4. [4]Live Bitcoin News — 'April 2026 Crypto Hacks Hit $620M as Bridge Failures and Admin Exploits Dominate Attacks', April 26, 2026
  5. [5]24/7 Wall St. — 'The Crypto Industry Just Had Its Worst Month of Hacks in Over a Year', April 24, 2026 (cited for Mitchell Amador quote and Lazarus operational profile)
  6. [6]US Department of Treasury and UN Panel of Experts — DPRK cryptocurrency theft funding ballistic missile and nuclear programs, multiple reports 2024-2026
  7. [7]Mandiant / Google Threat Intelligence Group — 'UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering', February 9, 2026 (cited for adjacent trust-inversion playbook through Telegram and Zoom)
Trust Inversion series · Part 4 of 11
← Previous part
UNC1069 Is Deepfaking CEOs on Zoom to Drain Crypto Wallets
Next part →
Sui Validators Reversed a $223M DEX Exploit by Vote

More in Trust Inversion

Hinkal Lost $820,000 After Its Privacy Proof Verification Failed to Verify Anything$1.7 Million Drained Through a Single Forged Proof on TaikoFTX Repays Bitcoin Creditors at $16,871 Petition-Date Price