Drift Protocol's $280M Hack Attributed to North Korea's Lazarus Group

Blockchain security firms Diverg, TRM Labs, and Elliptic have jointly confirmed that North Korea's Lazarus Group — also tracked as TraderTraitor — orchestrated the $280 million exploit of DeFi protocol Drift Protocol. The same unit previously carried out attacks on Bybit ($1.5 billion) and Ronin ($625 million).

"1/10 We've been investigating the @DriftProtocol exploit ($285M) since April 1. We can confirm along with TRM Labs and Elliptic that North Korea's Lazarus Group (TraderTraitor). Same unit behind Bybit ($1.5B), Ronin ($625M). Was involved. Here's what our independent on-chain…" — Diverg (@DivergSec), original post

Why This Matters

According to Elliptic, the Drift exploit represents Lazarus's 18th attack since the beginning of 2026. The group's operational scope continues to expand — from centralized exchanges to DeFi protocols. In this case, the attacker compromised Drift's multisig not once but twice, including a freshly updated version that had been deployed just three days before the second breach.

Attack Preparation Timeline

The investigation revealed that preparations began well before the actual exploit. On March 11, the attacker withdrew 10 ETH via Tornado Cash at 15:24 Pyongyang time. The funds were routed through a chain of disposable wallets and cross-chain bridges.

By March 12, 50 SOL had been deposited to a token minting address, and by 09:58 Korean time the attacker had generated 750 million fake CVT tokens. The same address was used on the BSC network — 31.125 BNB was deposited through a signed transaction from MetaWallet, with funds following the same routing pattern as on Ethereum.

Researchers corrected earlier erroneous reports about attack funding. Initial claims suggested the hacker used 30 ETH from three Tornado Cash withdrawals. In reality, only one 10 ETH transaction belonged to the attacker — the other two were linked to an address poisoning service.

On March 27, the Drift team updated its Security Council rules: transaction confirmation required two of five signatures, with immediate execution. Just three days later, the attacker re-compromised the new multisig using a deferred signing mechanism.

Fund Extraction Strategy

Diverg reconstructed the complete fund extraction strategy using CoW Protocol's public API. Within 30 minutes, the attacker placed 10 orders through the CoW Swap web interface, converting $14.6 million USDC and 99.8 WBTC into approximately 13,150 ETH. All 10 transactions were confirmed on-chain.

A secondary accumulation wallet received funds from two sources:

• 390.86 ETH from Chainflip Vault;
• 846,000 USDC via Circle CCTP, subsequently converted into 397 ETH through CoW Protocol.

A total of 788 ETH was then moved to a holding address.

Lazarus Behavioral Fingerprint

All confirmed attacker actions aligned with Pyongyang working hours and occurred exclusively on weekdays. The methodology matches Lazarus's known operational profile:

• Preparatory phase utilizing Tornado Cash;
• Social engineering (fake job offers — mirroring the Bybit SafeWallet incident);
• Rapid cross-chain fund movement converging on Ethereum;
• Long-term holding of stolen assets.

However, Lazarus deployed a novel tactic in this case: minting fake CVT tokens and manipulating oracle data to artificially inflate collateral value.

Earlier in March 2026, Lazarus was also suspected of attacking crypto e-commerce platform Bitrefill.