low

Drift loses $280 million North Korean hackers seize Security Council powers

April 6, 2026·BleepingComputer·Threat Intel
definorth-koreagovernance-attackcryptocurrencyapt

North Korean APT Seizes DeFi Governance to Drain $280M From Drift Protocol

TL;DR: North Korean threat actors executed a sophisticated attack on Drift Protocol's governance system, seizing control of the Security Council's administrative powers to drain at least $280 million. This represents a significant evolution in DPRK crypto attacks, moving beyond simple exploits to governance takeovers.

What Happened

On April 2nd, the Drift Protocol—a decentralized finance (DeFi) platform built on Solana—suffered a catastrophic loss of at least $280 million after attackers gained control of its Security Council governance mechanism. According to BleepingComputer's reporting, this was not an opportunistic hack but a "planned, sophisticated operation" with indicators pointing to North Korean state-sponsored actors.

The attack specifically targeted Drift's Security Council, a multi-signature governance body responsible for protocol upgrades and emergency responses. By compromising this administrative layer, the attackers gained legitimate-appearing control over the protocol's funds and operations.

Technical Analysis

DeFi governance attacks represent a particularly dangerous threat vector because they exploit the legitimate administrative functions rather than code vulnerabilities. The Security Council in most DeFi protocols operates through multi-signature wallets requiring multiple authorized parties to approve transactions.

While full technical details remain under investigation, the attack likely involved either:


The sophistication suggests months of reconnaissance and planning—hallmarks of Advanced Persistent Threat (APT) operations typical of nation-state actors.

Impact & Who's Affected

The $280 million loss ranks among the largest DeFi hacks in history, affecting:


The attack's attribution to North Korean actors is particularly significant, as the DPRK has increasingly targeted cryptocurrency platforms to circumvent international sanctions and fund regime operations.

What You Should Do

For DeFi users:


For DeFi protocols:

For security teams:

The Bigger Picture

This attack marks a troubling evolution in North Korean cyber operations against cryptocurrency infrastructure. Moving beyond exploiting smart contract vulnerabilities, state actors are now targeting the human and procedural elements of DeFi governance.

The success of this operation will likely inspire copycat attacks against other governance systems. With over $100 billion locked in DeFi protocols globally, governance mechanisms represent attractive, often under-secured attack surfaces.

This incident underscores the fundamental tension in DeFi: the desire for decentralized control conflicts with the security benefits of centralized oversight. As the ecosystem matures, finding the right balance between accessibility and security in governance design will be critical for preventing future large-scale losses.

The crypto industry must treat governance security with the same rigor as smart contract security—or face continued exploitation by increasingly sophisticated adversaries.

← All Threat IntelSource: BleepingComputer