$285M Solana Hack: The Attack That Changed Crypto Forever

TL;DR

North Korean state actors stole $285M from Drift Protocol via a six-month social engineering operation, bypassing smart contracts entirely by compromising the humans running them.

Key Points

• 1.The attack was a six-month human intelligence operation, not a code exploit. North Korean state-affiliated group UNC4736 infiltrated Drift Protocol by posing as a quant trading firm at international crypto conferences, using third-party intermediaries to pass due diligence while real operators stayed hidden.
• 2.Attackers established legitimacy by depositing over $1M of real capital into an ecosystem vault. They built trust over months through Telegram collaboration and conference appearances before sharing a malicious GitHub repository that silently compromised developer devices via a VS Code cursor AI vulnerability.
• 3.Durable nonces — a legitimate Solana feature — were weaponized to execute the theft. Between March 23–30, attackers tricked Security Council members into pre-signing routine-looking transactions that actually transferred full administrative control, then Drift accidentally removed the time lock on March 27, eliminating the last safeguard.
• 4.The $285M was extracted in roughly 12 minutes using a fabricated Carbon Vote token as fake collateral. Attackers minted 750M tokens, inflated the price to $1 via wash trading, listed it as valid collateral, then drained $155M in Jupiter LP tokens plus SOL and wrapped Bitcoin from nearly 20 pools.
• 5.Stolen funds were converted to ~129,000 ETH and dispersed across thousands of wallets, with recovery assessed as effectively zero. Elliptic confirmed 38,800 ETH already laundered; Circle faced criticism for missing a window to freeze stablecoin transfers, and this exploit dwarfs UNC4736's prior $50M Radiant Capital hack.