{"id":95893,"date":"2026-04-03T16:56:04","date_gmt":"2026-04-03T13:56:04","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=95893"},"modified":"2026-04-03T17:00:17","modified_gmt":"2026-04-03T14:00:17","slug":"north-korean-hackers-linked-to-280-million-drift-defi-protocol-breach","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/north-korean-hackers-linked-to-280-million-drift-defi-protocol-breach\/","title":{"rendered":"North Korean Hackers Linked to $280 Million Drift DeFi Protocol Breach"},"content":{"rendered":"<p>The North Korean group <a href=\"https:\/\/flogstat.site\/cryptorium\/chto-izvestno-o-lazarus-group-podozrevaemoj-vo-vzlome-bybit\/\">Lazarus<\/a> (TraderTraitor) has been identified as the perpetrators behind the $280 million breach of the DeFi protocol Drift, according to experts from Diverg, TRM Labs, and Elliptic. This same group previously targeted <a href=\"https:\/\/forklog.com\/en\/news\/bybit-exchange-suffers-1-46-billion-loss-in-hack\">Bybit<\/a> ($1.5 billion) and <a href=\"https:\/\/forklog.com\/en\/news\/ronin-hackers-convert-assets-into-bitcoin-and-use-mixers\">Ronin<\/a> ($625 million).<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">1\/10<\/p>\n<p>We&#8217;ve been investigating the <a href=\"https:\/\/twitter.com\/DriftProtocol?ref_src=twsrc%5Etfw\">@DriftProtocol<\/a> exploit ($285M) since April 1.<\/p>\n<p>We can confirm along with TRM Labs and Elliptic that North Korea&#8217;s Lazarus Group (TraderTraitor) was involved. Same unit behind Bybit ($1.5B), Ronin ($625M).<\/p>\n<p>Here&#8217;s what our independent on-chain\u2026<\/p>\n<p>\u2014 Diverg (@DivergSec) <a href=\"https:\/\/twitter.com\/DivergSec\/status\/2039978714545766814?ref_src=twsrc%5Etfw\">April 3, 2026<\/a><\/p><\/blockquote>\n<p>The attacker did not merely compromise the multisig once, as initially <a href=\"https:\/\/forklog.com\/en\/news\/drift-protocol-on-solana-loses-280m\">suggested<\/a> by the affected project&#8217;s developers.<\/p>\n<p>On March 27, Drift updated its Security Council rules: two out of five signatures were required to confirm a transaction, and execution was instantaneous. However, just three days later, the perpetrator breached the new <a href=\"https:\/\/forklog.com\/en\/news\/what-is-a-multisignature-what-is-a-ring-signature\">multisig<\/a> again and used a <span data-descr=\"durable nonce \u2014 a mechanism that allows a transaction to be signed in advance to be executed later at the right moment\" class=\"old_tooltip\">deferred signature mechanism<\/span>.<\/p>\n<h2 class=\"wp-block-heading\">Preparation for the Attack<\/h2>\n<p>The hacker began preparing for the attack on March 11. At that time, they withdrew 10 ETH using <a href=\"https:\/\/forklog.com\/en\/news\/what-is-the-tornado-cash-mixer-and-why-was-it-sanctioned\">Tornado Cash<\/a> at 15:24 Pyongyang time. The funds passed through a chain of disposable wallets and <a href=\"https:\/\/forklog.com\/en\/news\/what-are-cross-chain-bridges\">cross-chain bridges<\/a>.<\/p>\n<p>On March 12, 50 SOL was sent to the token issuance address, and by 09:58 Korean time, the perpetrator had created 750 million fake CVT coins. The same address was used in the BSC network. 
It received 31.125 BNB through a signed transaction from MetaWallet, after which the funds followed the same route as on Ethereum.<\/p>\n<p>Earlier reports mistakenly claimed that 30 ETH from three withdrawals via Tornado Cash funded the attack. Experts clarified that only one of those transactions, the 10 ETH withdrawal, belonged to the attacker; the other two went to a service for address poisoning.<\/p>\n<h2 class=\"wp-block-heading\">Funds Withdrawal<\/h2>\n<p>After the breach, Diverg reconstructed the full strategy for withdrawing funds through the public <span data-descr=\"application programming interface\" class=\"old_tooltip\">API<\/span> of CoW Protocol. Within 30 minutes, the perpetrator placed 10 orders via the CoW Swap web interface, converting $14.6 million USDC and 99.8 WBTC into approximately 13,150 ETH. All 10 transactions are confirmed on the blockchain.<\/p>\n<p>The secondary holding wallet received funds from two sources: 390.86 ETH from Chainflip Vault and 846,000 USDC through Circle CCTP (later converted into 397 ETH via CoW Protocol). 
In total, 788 ETH were sent to the holding address.<\/p>\n<h2 class=\"wp-block-heading\">Behavioral Profile<\/h2>\n<p>All confirmed actions of the hacker fall within Pyongyang&#8217;s working hours and took place only on weekdays.<\/p>\n<p>The group&#8217;s methods fully align with the known profile of Lazarus: preparation through Tornado Cash, social engineering (fake job offers, as in the Bybit SafeWallet case), rapid transfer of funds across multiple blockchains into Ethereum, and retention of stolen assets.<\/p>\n<p>However, this time the perpetrators employed a new tactic: they issued fake CVT tokens and manipulated <a href=\"https:\/\/forklog.com\/en\/news\/what-is-a-blockchain-oracle\">oracle<\/a> data to artificially inflate the collateral value.<\/p>\n<p>According to Elliptic, the Drift breach marks the 18th attack by Lazarus since the beginning of 2026.<\/p>\n<p>Earlier in March, the North Korean group was <a href=\"https:\/\/forklog.com\/en\/news\/lazarus-group-suspected-in-bitrefill-cyberattack\">suspected<\/a> of attacking the cryptocurrency online store Bitrefill.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>North Korean group Lazarus (TraderTraitor) has been identified as responsible for the $280 million breach of the DeFi protocol Drift, according to experts from Diverg, TRM Labs, and Elliptic.<\/p>\n","protected":false},"author":1,"featured_media":95894,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"North Korean group Lazarus linked to $280M Drift DeFi breach, experts 
confirm.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,1093,1125,1202],"class_list":["post-95893","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-defi","tag-lazarus","tag-north-korea-dprk"],"aioseo_notices":[],"amp_enabled":true,"views":"21","promo_type":"1","layout_type":"1","short_excerpt":"North Korean group Lazarus linked to $280M Drift DeFi breach, experts confirm.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/95893","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=95893"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/95893\/revisions"}],"predecessor-version":[{"id":95895,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/95893\/revisions\/95895"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/95894"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=95893"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=95893"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=95893"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}