A group of hackers linked to North Korea has carried out one of the largest crypto thefts of the year, seizing roughly $285 million from a decentralized trading platform after quietly embedding themselves in its operations over several months.
The target was Drift Protocol, an exchange operating on the Solana network. The breach unfolded on April 1, according to Elliptic and TRM Labs. Both organizations concluded that the perpetrators were connected to the Democratic People’s Republic of Korea, with estimates of the stolen funds at around $285 million.
Investigators say the attackers took 12 minutes to drain assets from user accounts. A significant portion of the cryptocurrency was transferred from Solana to Ethereum. Drift Protocol confirmed the incident on April 2, cautioning users that the situation was real and ongoing, not a prank tied to April Fools’ Day.
The incident now ranks as the largest decentralized finance breach recorded in 2026. It is also among the most significant losses tied to the Solana ecosystem, second only to the 2022 Wormhole bridge exploit of $326 million.
Drift Protocol linked the operation to a group identified as UNC4736, also referred to as Citrine Sleet or AppleJeus. The same actors have been associated with previous attacks, including a breach involving Radiant Capital in late 2024.
According to the company, the attackers spent at least half a year preparing. Part of that effort included meeting contributors in person at a crypto conference, presenting themselves as representatives of a quantitative trading firm interested in integrating with the platform. While those individuals were not North Koreans, the exchange noted that such groups often rely on intermediaries to build trust through direct contact.
They had technical knowledge, established work histories, and familiarity with the platform. Over time, they deposited more than $1 million and developed a legitimate operational footprint within Drift Protocol’s platform. Meetings continued in the months leading up to the breach.
When the attack began, traces of communication vanished. Messaging accounts were deleted and malicious tools were wiped, suggesting a carefully timed exit.
Early findings indicate that internal systems may have been compromised through social engineering. One employee is believed to have downloaded harmful code disguised as a legitimate project repository, while another may have installed a fraudulent wallet application.
Blockchain analysis traced preparatory activity back to March 11 when a small amount of crypto was withdrawn from Tornado Cash, a mixing service frequently linked to North Korean operations. That funding was later used to deploy a fake token called CarbonVote Token.
Over several weeks, the attackers created the appearance of genuine trading activity around the asset, minting hundreds of millions of units and simulating market demand. Drift’s pricing systems interpreted the fabricated signals as legitimate.
At the same time, contributors were persuaded to approve routine transactions that concealed elevated permissions. The attackers also used a Solana feature known as durable nonce accounts, allowing transactions to be signed in advance and executed later.
When triggered on April 1, the pre-approved actions enabled the listing of the fake token as acceptable collateral, inflated withdrawal limits, and the rapid extraction of real funds. In total, 31 transactions were processed in minutes, each moving substantial sums.
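The durable-nonce step above suggests one check a signer can run before approving anything: a durable-nonce transaction is recognizable because its first instruction is the System Program's AdvanceNonceAccount, and such a transaction stays valid until the nonce is advanced rather than expiring with a recent blockhash. The sketch below is an added example, not code from Drift Protocol or the investigators; it assumes the message is a dict in the Solana JSON-RPC `json` encoding, and the function names and sample keys are hypothetical.

```python
import struct

SYSTEM_PROGRAM = "1" * 32      # Solana System Program ID (base58)
ADVANCE_NONCE_ACCOUNT = 4      # SystemInstruction enum index, encoded as u32 LE
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s):
    """Decode base58 instruction data as returned by the RPC 'json' encoding."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    pad = len(s) - len(s.lstrip("1"))   # each leading '1' is one zero byte
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def durable_nonce_info(message):
    """Return the nonce account and authority if `message` is a durable-nonce
    transaction, i.e. its first instruction is AdvanceNonceAccount; else None."""
    keys, ixs = message["accountKeys"], message["instructions"]
    if not ixs:
        return None
    first = ixs[0]
    pid = first["programIdIndex"]
    if pid >= len(keys) or keys[pid] != SYSTEM_PROGRAM:
        return None
    data = b58decode(first["data"])
    if len(data) < 4 or struct.unpack_from("<I", data)[0] != ADVANCE_NONCE_ACCOUNT:
        return None
    accts = first["accounts"]
    if len(accts) < 3:          # expects nonce account, sysvar, authority
        return None
    key = lambda i: keys[i] if i < len(keys) else f"<lookup-table index {i}>"
    return {"nonce_account": key(accts[0]), "nonce_authority": key(accts[2])}

def review(queue):
    """Return (label, info) for each queued message that will not expire."""
    return [(label, info) for label, msg in queue
            if (info := durable_nonce_info(msg)) is not None]

# Constructed sample messages; every key except SYSTEM_PROGRAM is a placeholder.
KEYS = ["SIGNER_PLACEHOLDER", "NONCE_ACCOUNT_PLACEHOLDER",
        "RECENT_BLOCKHASHES_SYSVAR_PLACEHOLDER", SYSTEM_PROGRAM, "PROGRAM_PLACEHOLDER"]
NONCE_TX = {"accountKeys": KEYS, "instructions": [
    {"programIdIndex": 3, "accounts": [1, 2, 0], "data": "6vx8P"},   # bytes 04 00 00 00
    {"programIdIndex": 4, "accounts": [0], "data": "3xyZh"}]}
ORDINARY_TX = {"accountKeys": KEYS, "instructions": [
    {"programIdIndex": 3, "accounts": [0, 1], "data": "3xyZh"}]}     # bytes 02 00 00 00

if __name__ == "__main__":
    for label, info in review([("routine-update", NONCE_TX), ("payout", ORDINARY_TX)]):
        print(f"{label}: durable nonce, valid until {info['nonce_account']} is advanced")
```

A flagged message is not malicious by itself, but it tells the approver that the signature can be used at any later time, so it deserves a full decode of the remaining instructions before signing.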
Elliptic reported that three digital wallets were targeted, with one transfer alone valued at $155 million. Meanwhile, the price of the manipulated token dropped more than 40% as the scheme unraveled.
As licensed crypto companies like Circle Internet Group Inc. (NYSE: CRCL) read about how complex cybercrimes are becoming, they are likely to put additional emphasis on doing everything they can to reduce the chances of falling victim to these brazen attackers.
About CryptoCurrencyWire
CryptoCurrencyWire (“CCW”) is a specialized communications platform with a focus on blockchain and the cryptocurrency sector. It is one of 75+ brands within the Dynamic Brand Portfolio @ IBN that delivers: (1) access to a vast network of wire solutions via InvestorWire to efficiently and effectively reach a myriad of target markets, demographics and diverse industries; (2) article and editorial syndication to 5,000+ outlets; (3) enhanced press release enhancement to ensure maximum impact; (4) social media distribution via IBN to millions of social media followers; and (5) a full array of tailored corporate communications solutions. With broad reach and a seasoned team of contributing journalists and writers, CCW is uniquely positioned to best serve private and public companies that want to reach a wide audience of investors, influencers, consumers, journalists and the general public. By cutting through the overload of information in today’s market, CCW brings its clients unparalleled recognition and brand awareness. CCW is where breaking news, insightful content and actionable information converge.