How do nation-state hackers breach DeFi? An in-depth investigation into the Drift hacking incident

The focus of crypto security incidents is shifting rapidly from the code layer to the human trust layer.

On April 1, 2026, Drift Protocol, a leading decentralized derivatives protocol in the Solana ecosystem, was attacked, with losses of about $285 million. The platform’s total value locked (TVL) fell from about $550 million before the incident to about $230 million afterward. Drift’s initial investigation attributed the operation to UNC4736, a threat group associated with the North Korean government, and described it as a “6-month-long structured intelligence operation.”

The implications go far beyond a single security incident. When state-level attackers shift their focus from discovering code vulnerabilities to months-long infiltration of human trust, the security paradigm of the entire DeFi industry is being rewritten. The attackers no longer need a complex smart contract vulnerability or a stolen private key; they need only the patience to build a relationship, a meticulously disguised identity, and enough time.

What is the operating mechanism behind the attack?

UNC4736’s plan shows organizational discipline and resource investment far beyond those of ordinary hacker groups. Starting in the fall of 2025, people posing as staff of quantitative trading firms approached Drift contributors at multiple international crypto conferences. These individuals were technically fluent, had professionally credible backgrounds that could be verified, and were familiar with how Drift operated. Notably, the people who made in-person contact were not North Korean; they were identified as third-party intermediaries deployed by North Korea-linked threat actors.

Once trust was established, the group set up an ecosystem vault on Drift between December 2025 and January 2026 and deposited more than $1 million of its own funds to build credibility. Throughout this period they held detailed, professional discussions about product issues with multiple contributors.

The technical intrusion followed two paths. One contributor was compromised by cloning a malicious code repository. The repository exploited weaknesses in VS Code and the Cursor editor that the security community had repeatedly flagged: simply opening a file, folder, or repository in the editor can silently execute arbitrary code, with no prompt or click required. A second contributor was lured into installing a fake wallet application distributed through Apple’s TestFlight platform. With internal access in hand, the attackers used Solana’s native Durable Nonce feature to pre-sign transactions that do not expire, and once the multi-signature approvals had passed, executed the drain in a single step.
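The article does not say which editor mechanism the malicious repository used. The following is an added example (not code from the article, from Drift, or from any editor vendor) of the check a contributor can run on a fresh clone before opening it: it scans the repository’s .vscode directory for the documented ways a workspace can run code on open, namely tasks marked to run on folderOpen and settings keys that point the editor at an executable the repository itself ships. The list of settings keys and the sample repository are constructed for illustration and are assumptions, not findings from the Drift case.

```python
"""Pre-open scan of a cloned repository for editor auto-execution hooks.

Added example (not code from the article, Drift, or any editor vendor). The
article does not say which VS Code / Cursor mechanism the malicious repository
used, so this scanner checks the documented ways a workspace can run code when
it is opened:
  * .vscode/tasks.json tasks with "runOptions": {"runOn": "folderOpen"}
  * .vscode/settings.json keys that tell the editor which executable to launch,
    which a repository can point at a binary it ships (the key list below is an
    assumption, not from the article)
Run it on a fresh clone before opening the folder in an editor.
"""
import json
import os
import re

# Settings keys that name an executable the editor will run. Illustrative list
# (assumption); extend it for the extensions actually installed on your machine.
EXECUTABLE_PATH_KEYS = {
    "git.path",
    "php.validate.executablePath",
    "python.defaultInterpreterPath",
    "terminal.integrated.shell.linux",
    "terminal.integrated.shell.osx",
    "terminal.integrated.shell.windows",
}


def _load_jsonc(path):
    """Parse a VS Code JSON-with-comments file; missing or unparsable -> {}."""
    if not os.path.isfile(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # /* block */ comments
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)    # whole-line // comments
    text = re.sub(r",\s*([}\]])", r"\1", text)           # trailing commas
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return {}


def scan_repo(repo_dir):
    """Return a list of (severity, description) findings for repo_dir."""
    findings = []
    vscode = os.path.join(repo_dir, ".vscode")

    tasks = _load_jsonc(os.path.join(vscode, "tasks.json"))
    for task in tasks.get("tasks", []):
        run_opts = task.get("runOptions") or {}
        if run_opts.get("runOn") == "folderOpen":
            cmd = " ".join([str(task.get("command", ""))] + list(task.get("args", [])))
            findings.append(("HIGH", f"auto-run task '{task.get('label')}' on folderOpen executes: {cmd}"))

    settings = _load_jsonc(os.path.join(vscode, "settings.json"))
    for key, value in settings.items():
        if key in EXECUTABLE_PATH_KEYS and isinstance(value, str):
            # A workspace-relative path means the repository itself supplies the binary.
            inside_repo = value.startswith("${workspaceFolder}") or not os.path.isabs(value)
            severity = "HIGH" if inside_repo else "MEDIUM"
            findings.append((severity, f"setting {key} redirects the editor to executable: {value}"))
    return findings


def make_sample_repo():
    """Write a constructed sample repository (not a real artifact) and return its path."""
    import tempfile
    root = tempfile.mkdtemp(prefix="suspect-repo-")
    os.makedirs(os.path.join(root, ".vscode"))
    with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
        fh.write("""{
  // constructed: runs scripts/setup.sh as soon as the folder is opened
  "version": "2.0.0",
  "tasks": [
    {
      "label": "setup",
      "type": "shell",
      "command": "sh",
      "args": ["scripts/setup.sh"],
      "runOptions": { "runOn": "folderOpen" },
    }
  ]
}""")
    with open(os.path.join(root, ".vscode", "settings.json"), "w", encoding="utf-8") as fh:
        fh.write('{ "git.path": "${workspaceFolder}/tools/git" }\n')
    return root


if __name__ == "__main__":
    for severity, description in scan_repo(make_sample_repo()):
        print(f"[{severity}] {description}")
```

Editors gate automatic tasks behind Workspace Trust and a per-folder setting, so a finding here is not proof of compromise; the point is to look before the editor asks, because a contributor who has spent months in conversation with a “partner” is exactly the person likely to click through the prompt.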

What costs does this attack paradigm impose?

The cost exposed by the Drift incident is multidimensional and goes well beyond the $285 million accounting loss.

The most direct cost shows up in financial losses and market impact. The attack was the largest DeFi security incident of 2026 so far and the second-largest in Solana ecosystem history. After the incident, the DRIFT token price briefly fell more than 90% from its all-time high.

Even more alarming is the ripple effect. The number of protocols affected by the Drift incident grew from the original 11 to more than 20, with PiggyBank, Perena, Vectis, Prime Numbers Fi and others added to the list; some have paused minting, redemption, or deposit/withdrawal functions. After the decentralized lending protocol Project 0 suspended operations, it launched a deleveraging process in which lenders’ assets were written down by an average of 2.61%.

The deepest and hardest-to-quantify cost is the shaking of the DeFi industry’s foundation of security trust. In the aftermath, Drift emphasized that all multi-sig members used cold wallets, yet this did not stop the attack. When attackers target the human layer, even strict hardware controls can be bypassed: a hardware wallet protects the key, not the signer’s judgment about what to sign. If attackers operate for six months under the guise of a real organization, invest their own funds, and participate in the ecosystem, existing security systems are almost incapable of detecting them.

What does this mean for the DeFi industry landscape?

The Drift incident is forcing the entire industry to re-examine a fundamental question: do the security assumptions of decentralized finance still hold?

One important line of industry reflection concerns structural weaknesses in how third-party intermediaries are trusted. UNC4736’s attack paths reveal that the current DeFi ecosystem lacks mechanisms for systematic security review and ongoing monitoring of new partners. Behaviors regarded as normal business activity in the industry (meeting at conferences, communicating over instant messaging, setting up an ecosystem vault) are precisely the best cover for state-level infiltration.

Another controversy that cannot be ignored concerns gaps in regulatory compliance during the funds-recovery stage. On-chain investigators pointed out that the attackers bridged approximately $232 million USDC from Solana to Ethereum through cross-chain transfer protocols. Although stablecoin issuers had a window of about six hours to freeze those funds, they did not act. The dispute touches a deeper institutional question: once a DeFi protocol’s own defenses fail, is it sustainable to rely on a centralized stablecoin issuer’s compliance response to fill the gap? And where do the boundaries of action lie for compliant entities facing large-scale fund flows?

How might things evolve in the future?

Based on the investigation’s progress so far and the industry’s responses, several trends are already apparent.

Security budgets will be systematically reassessed. In 2025, global crypto security losses exceeded $3.4 billion; in the Web3 space, 89 confirmed security incidents were recorded that year with total losses of $2.54 billion. With state-level attacks becoming routine, defensive strategies that rely solely on code audits and security testing are no longer sufficient. More protocols are expected to invest in operational security training, social engineering defense drills, and background review processes.

Cross-protocol risk propagation will become a new dimension of security concern. The chain reaction from the Drift incident, which affected more than 20 protocols, shows that DeFi’s composability is a double-edged sword from a security standpoint. Two kinds of response may emerge: dependency isolation and security tiering at the protocol level, and unified incident response and information-sharing mechanisms at the industry level.

The boundaries between regulation and compliance will be contested further. Standards of action for stablecoin issuers in similar events will become a focus of regulatory discussion, potentially giving rise to emergency response frameworks for cross-border flows of crypto assets.

What potential risks are still within the warning range?

Although Drift has frozen all protocol functions and removed the affected wallets from its multi-signature arrangements, several risk dimensions still merit continued attention.

The irreversibility of funds recovery. After the theft, the attackers quickly wiped instant-messaging records and removed their malware, and the on-chain funds had already been moved to Ethereum via a cross-chain bridge. North Korean hacking groups have long had mature money-laundering networks and cross-chain mixing capabilities; most of the stolen funds may already be in channels that are difficult to recover.

Asymmetric competition in security capability. State-level hacking groups have organizational resources, sustained funding, and specialized division of labor, while the vast majority of DeFi protocols operate with small teams and limited security resources. Attackers are exploiting this asymmetry systematically. The identities they used were built with complete professional track records, publicly available credentials, and professional social networks, enabling them to withstand the normal scrutiny of business collaboration.

Trust fatigue that suppresses innovation. If every new partner requires rigorous security review and ongoing monitoring, DeFi’s core advantages of openness and composability risk being eroded. Finding the balance between security defenses and operational efficiency is a hard question the industry must answer.

Summary

The Drift hack reveals a reality that has long been ignored: security threats in the DeFi industry have made a generational leap. From smart contract vulnerabilities, to private-key theft, and now to a six-month state-level social engineering infiltration, the pace of the attackers’ tactical evolution far exceeds the pace at which defenses iterate. When attackers no longer need to break code but only one person’s trust, the effectiveness of traditional security tools (multi-signatures, cold wallets, hardware isolation) must be re-evaluated.

What the industry needs is not only better code audits and stricter access control but an entirely new security mindset: treating “human trust” as an attack surface of equal importance to “smart contract code.” From background checks to an operational security culture, from continuous monitoring of ecosystem partners to cross-protocol coordination of incident response, every link needs to be redefined. In a new normal where state-level forces have entered the crypto security arena, no protocol can stand apart; the industry’s security chain is only as strong as its weakest link.

FAQ

Q: Is UNC4736 the same organization as Lazarus?

UNC4736 is a designation used by security companies to track a threat cluster associated with the North Korean government; it overlaps with, but is not identical to, the better-known Lazarus Group. UNC4736 is believed to carry out the more routine revenue-generation work in the cryptocurrency space, focusing on persistent infiltration of small- to mid-sized targets.

Q: Why did Drift’s multi-sig still fail to stop the attack?

The attackers did not steal the multi-sig private keys directly. Instead, having obtained multi-sig approval rights through social engineering, they used Solana’s Durable Nonce feature to pre-sign transactions, which remain valid until the nonce is advanced, and executed them the moment sufficient approvals were in place. This shows that multi-sig security rests on the premise that its signers are not manipulated by social engineering.
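To make the Durable Nonce point concrete (for both the intrusion description above and this answer), the following is an added toy model, not Drift’s code and not Solana’s implementation. It keeps only the two validity rules that matter: an ordinary transaction is rejected once its referenced blockhash is older than 150 slots, while a durable-nonce transaction references the value stored in a nonce account and stays valid until that nonce is advanced, which processing does, so it cannot be replayed. Hashing, signing, the 2-of-N threshold and the account names are simplified stand-ins and are assumptions.

```python
"""Toy model of Solana transaction validity: recent blockhash vs durable nonce.

Added example; not Drift's code and not Solana's implementation. It models just
enough of the rules to show why a pre-signed durable-nonce transaction can sit
for weeks and then execute the moment the last multi-sig approval lands:
  * a normal transaction references a recent blockhash and is rejected once
    that blockhash is older than MAX_AGE_SLOTS (150 slots on Solana);
  * a durable-nonce transaction references the value stored in a nonce account
    instead; it stays valid until that nonce is advanced, and processing it
    advances the nonce, so the same signed bytes cannot be replayed.
Hashing, signing and the multi-sig threshold are simplified stand-ins
(assumptions), not the real on-chain programs.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

MAX_AGE_SLOTS = 150   # blockhash validity window on Solana, in slots


def _h(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()[:16]


@dataclass
class Ledger:
    slot: int = 0
    blockhashes: dict = field(default_factory=dict)  # blockhash -> slot it was produced in
    nonces: dict = field(default_factory=dict)       # nonce account -> stored nonce value

    def advance_slot(self, n: int = 1) -> str:
        """Produce n new blocks; return the newest blockhash."""
        for _ in range(n):
            self.slot += 1
            self.blockhashes[_h(f"block{self.slot}")] = self.slot
        return _h(f"block{self.slot}")

    def create_nonce(self, account: str) -> str:
        self.nonces[account] = _h(f"nonce:{account}:{self.slot}")
        return self.nonces[account]

    def advance_nonce(self, account: str) -> str:
        """Nonce-authority action; invalidates everything pre-signed against the old value."""
        self.nonces[account] = _h(f"nonce:{account}:{self.slot}:{self.nonces[account]}")
        return self.nonces[account]


@dataclass
class Tx:
    payload: str
    recent_blockhash: str                   # for a durable tx this holds the nonce value
    nonce_account: Optional[str] = None     # set when the tx starts with AdvanceNonceAccount
    signatures: set = field(default_factory=set)
    threshold: int = 2                      # simplified multi-sig: 2 of N signers

    def sign(self, signer: str) -> None:
        self.signatures.add(signer)

    def ready(self) -> bool:
        return len(self.signatures) >= self.threshold


def process(ledger: Ledger, tx: Tx) -> str:
    """Apply the validity rules; return 'executed' or a rejection reason."""
    if not tx.ready():
        return "rejected: insufficient signatures"
    if tx.nonce_account is not None:
        if ledger.nonces.get(tx.nonce_account) != tx.recent_blockhash:
            return "rejected: nonce already advanced"
        ledger.advance_nonce(tx.nonce_account)   # consume the nonce: no replay
        return "executed"
    produced = ledger.blockhashes.get(tx.recent_blockhash)
    if produced is None or ledger.slot - produced > MAX_AGE_SLOTS:
        return "rejected: blockhash expired"
    return "executed"


def scenario() -> dict:
    """Attacker collects one approval, waits weeks, collects the second, then submits."""
    ledger = Ledger()
    bh = ledger.advance_slot()
    nonce_val = ledger.create_nonce("nonceAcct")
    normal = Tx("withdraw all", bh)
    durable = Tx("withdraw all", nonce_val, nonce_account="nonceAcct")
    for tx in (normal, durable):
        tx.sign("signer_1")        # first approval, obtained through social engineering
    ledger.advance_slot(10_000)    # weeks pass; the blockhash is long stale
    for tx in (normal, durable):
        tx.sign("signer_2")        # final approval lands
    results = {
        "normal": process(ledger, normal),           # dies with the old blockhash
        "durable": process(ledger, durable),         # still valid: executes immediately
        "durable_replay": process(ledger, durable),  # nonce consumed: cannot run twice
    }
    # Defensive control: rotating the nonce before the attacker submits kills the pending tx.
    fresh = Ledger()
    fresh.advance_slot()
    pending = Tx("withdraw all", fresh.create_nonce("nonceAcct"),
                 nonce_account="nonceAcct", signatures={"signer_1", "signer_2"})
    fresh.advance_nonce("nonceAcct")
    results["durable_after_rotation"] = process(fresh, pending)
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The last case is the operational takeaway: a signer who suspects a pending durable-nonce transaction was obtained under false pretenses cannot wait it out the way a stale blockhash would expire on its own, but the nonce authority can advance (or close) the nonce account and kill every transaction pre-signed against it.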

Q: Does this attack involve smart contract vulnerabilities?

No. Drift’s official confirmation states that the core of the attack was social engineering infiltration and abuse of the Durable Nonce feature, not a traditional smart contract code vulnerability.

Q: What measures did Drift take after the incident?

Drift froze all protocol functions, removed the affected wallets from its multi-signature arrangements, and brought in security firms for in-depth forensic investigation. The team stated that it is working with law enforcement to trace the stolen funds.
