April 4, 2026 · Eric Beans, CEO · H33.ai, Inc. · Investigation by DivergSec

How North Korea Stole $285M from Drift Protocol — And How to Make Sure It Never Happens to You

We have been investigating the Drift Protocol exploit since April 1. Working alongside findings from TRM Labs and Elliptic, we can confirm North Korea's Lazarus Group (TraderTraitor) — the same unit behind Bybit ($1.5B) and Ronin ($625M) — executed this attack. Here is what our independent on-chain forensics uncovered, what the industry missed, and what every protocol should implement today.

The Attack: A Masterclass in Operational Patience

Drift Protocol operated a Security Council multisig with a 2-of-5 threshold. Two signatures out of five to move any amount of funds. No timelock. No delay between signature and execution. This is the same configuration that Lazarus Group has exploited in three previous billion-dollar attacks.

On March 27, Drift migrated to a new Security Council after a member departure. Fresh keys. Fresh signers. The community assumed this was a security improvement. Within three days, the attacker had re-compromised the new multisig. On March 31, they pre-signed a fresh durable nonce — the Solana equivalent of staging a signed blank check.

The exploit executed on April 1 at 20:06 KST (Pyongyang time). By that point, the attacker had been inside the new multisig for at least 72 hours.

The critical failure: Drift rotated their multisig keys but kept the same 2-of-5 threshold with zero timelock. They treated key rotation as a remediation. It was not. The attacker compromised the new keys through the same vector — likely social engineering of individual signers — within days. Key rotation without architectural change is theater.

The Staging Chain: Tornado Cash to Solana in Four Hops

Our forensics team traced the complete funding chain, every hop verified on-chain:

March 11, 15:24 KST
10 ETH withdrawn from Tornado Cash — single withdrawal, afternoon Pyongyang time. Sent to 0x74390ab7, a single-use wallet (nonce 1, zero balance after forwarding).
March 11-12
Four-hop bridge chain: 0x74390ab7 → 0xB702B033 → 0x9beDB87B → LI.FI cross-chain bridge → Near Protocol Intents → Solana. All single-use wallets. All nonce 1. All zero balance after use.
March 11-12 (parallel)
BSC staging: 31.125 BNB received via signature-based smart contract withdrawal (MetaWallet 0x233c5370), bridged through the same LI.FI → Near Intents → Solana path. Multi-chain staging converging on one destination.
March 27
Drift migrates to new Security Council. 2-of-5 threshold. Zero timelock.
March 31
Attacker pre-signs durable nonce on the new multisig. The exploit is now staged and waiting.
April 1, 20:06 KST
Exploit executes. $285M drained.

What Early Reports Got Wrong

Initial reports claimed 30 ETH from three Tornado Cash withdrawals funded the attack. This is incorrect. Only one withdrawal (10 ETH) was the attacker. The other two funded an unrelated address poisoning service — an automated operator whose wallet nonce now exceeds 45,000 and that is still running today. We separated attacker activity from background noise by tracing each withdrawal's full downstream path.

This distinction matters because it affects every attribution model downstream. If you feed three withdrawals into your graph analysis when only one is the attacker, your clustering contaminates the investigation. Precision in the staging chain is not academic — it determines whether you find the attacker or chase a bot operator.
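To make the separation concrete, here is an added example (not DivergSec's tooling) of the downstream-tracing heuristic the paragraphs above describe. It runs on a constructed ledger in which one mixer withdrawal feeds a chain of single-use pass-through wallets (nonce 1, zero balance after forwarding) into a bridge contract, while two other withdrawals feed a wallet whose outgoing transaction count marks it as an automated operator. The address labels, the `bridge` entry point and the 1,000-transaction operator cutoff are assumptions chosen for the sample; on a live ledger the nonce and balance come from the chain.

```python
from collections import defaultdict

# Constructed sample ledger (not real chain data): (sender, receiver, value_in_eth).
# Withdrawal 0 feeds a chain of single-use wallets into a bridge contract;
# withdrawals 1 and 2 feed one high-volume automated operator. Gas is ignored,
# so each pass-through wallet forwards exactly what it received.
SAMPLE_TXS = [
    ("mixer", "0xA1", 10.0),
    ("0xA1", "0xA2", 10.0),
    ("0xA2", "0xA3", 10.0),
    ("0xA3", "bridge", 10.0),
    ("mixer", "0xB1", 10.0),
    ("mixer", "0xB1", 10.0),
] + [("0xB1", f"0xV{i:04d}", 0.0) for i in range(2000)]

BRIDGE_CONTRACTS = {"bridge"}   # assumed label for a known bridge entry point
BOT_NONCE_THRESHOLD = 1000      # assumed cutoff for "automated operator"


class Ledger:
    """Index of transfers keyed by address, enough to derive nonce and balance."""

    def __init__(self, txs):
        self.out = defaultdict(list)
        self.received = defaultdict(float)
        self.sent = defaultdict(float)
        for src, dst, val in txs:
            self.out[src].append((dst, val))
            self.received[dst] += val
            self.sent[src] += val

    def nonce(self, addr):
        # Outgoing transaction count stands in for the account nonce.
        return len(self.out[addr])

    def balance(self, addr):
        return round(self.received[addr] - self.sent[addr], 6)

    def is_single_use(self, addr):
        # Pass-through wallet: exactly one outgoing tx and nothing left behind.
        return self.nonce(addr) == 1 and self.balance(addr) == 0.0


def trace(ledger, start, max_hops=10):
    """Follow single-use hops from `start`; returns (classification, path)."""
    path, addr = [start], start
    for _ in range(max_hops):
        if addr in BRIDGE_CONTRACTS:
            return "staging_chain", path
        if ledger.nonce(addr) >= BOT_NONCE_THRESHOLD:
            return "automated_operator", path
        if not ledger.is_single_use(addr):
            return "unresolved", path
        addr = ledger.out[addr][0][0]
        path.append(addr)
    return "unresolved", path


def classify_withdrawals(txs, mixer="mixer"):
    """Classify every withdrawal from `mixer` by where its funds end up."""
    ledger = Ledger(txs)
    return [(dst,) + trace(ledger, dst) for src, dst, _ in txs if src == mixer]
```

Feeding all three withdrawals into a clustering step would merge the operator's 2,000 outbound transfers into the attacker graph; classifying first keeps only the single chain that terminates at the bridge.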

The Exit Strategy: 30 Minutes, 10 Orders, $285M to ETH

Post-exploit, we extracted the complete exit strategy from CoW Protocol's public API. The attacker placed 10 orders via the CoW Swap web interface in 30 minutes:

$14.6M USDC + 99.8 WBTC → approximately 13,150 ETH

All orders confirmed via on-chain appData metadata as CoW Swap v1.14.0 with EIP-712 signatures. All 10 settlement transaction hashes captured. A secondary accumulator wallet received dual funding: 390.86 ETH from Chainflip Vault and 846K USDC via Circle CCTP, swapped to 397 ETH via CoW Protocol. Combined 788 ETH routed to a holding wallet.

The behavioral pattern is unmistakable. Every confirmed attacker action maps to Pyongyang business hours:

Action                   Time (KST)      Pattern
Tornado Cash staging     15:24           Afternoon shift
Cross-chain bridging     09:00 - 09:58   Morning shift start
Exploit execution        20:06           Evening
Laundering (CoW Swap)    01:00 - 04:00   Overnight batch
SOL distribution         08:03           Next morning

Weekdays only. No weekend activity. This is a state-sponsored operation running on a government work schedule.
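The same profiling, as an added example rather than the investigation's own analysis: constructed UTC timestamps matching the action types in the table above are converted to KST, bucketed by shift, and checked for weekday-only activity. The last function also shows the caveat a reviewer would raise: several UTC offsets satisfy a weekday-only test, so timing evidence narrows a region rather than pinning one timezone on its own. Timestamps and labels are constructed, not the real transaction times.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

KST = timezone(timedelta(hours=9))  # Seoul and Pyongyang both use UTC+9

# Constructed UTC timestamps for the action types in the table; not real data.
SAMPLE_EVENTS = [
    ("mixer withdrawal",     datetime(2026, 3, 11, 6, 24, tzinfo=timezone.utc)),
    ("cross-chain bridging", datetime(2026, 3, 12, 0, 30, tzinfo=timezone.utc)),
    ("swap batch",           datetime(2026, 3, 29, 16, 0, tzinfo=timezone.utc)),
    ("exploit execution",    datetime(2026, 4, 1, 11, 6, tzinfo=timezone.utc)),
    ("swap batch",           datetime(2026, 4, 1, 17, 30, tzinfo=timezone.utc)),
    ("SOL distribution",     datetime(2026, 4, 1, 23, 3, tzinfo=timezone.utc)),
]


def shift_bucket(hour):
    """Coarse shift label for a local hour of day."""
    if hour < 6:
        return "overnight"
    if hour < 12:
        return "morning"
    if hour < 18:
        return "afternoon"
    return "evening"


def localize(events, tz):
    """(label, local_time, weekday_abbrev, shift) for each event in timezone tz."""
    rows = []
    for label, ts in events:
        local = ts.astimezone(tz)
        rows.append((label, local, local.strftime("%a"), shift_bucket(local.hour)))
    return rows


def weekday_only(events, tz):
    """True when every event falls on Monday..Friday in timezone tz."""
    return all(ts.astimezone(tz).weekday() < 5 for _, ts in events)


def shift_profile(events, tz):
    """Histogram of shift buckets in timezone tz."""
    return Counter(row[3] for row in localize(events, tz))


def weekday_consistent_offsets(events):
    """Whole-hour UTC offsets under which every event lands on a weekday.
    Usually a range of offsets qualifies, not a single one."""
    return [h for h in range(-12, 15)
            if weekday_only(events, timezone(timedelta(hours=h)))]
```

In the sample, the 16:00 UTC Sunday swap batch becomes 01:00 Monday in KST, so the weekday-only claim holds at UTC+9 but fails at UTC+0; every offset from +8 to +14 passes, which is why the timing pattern is corroborating evidence rather than attribution by itself.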

The Lazarus Fingerprint

The DPRK behavioral fingerprint matches exactly across Bybit ($1.5B), Ronin ($625M), and now Drift ($285M):

Tornado Cash staging for initial funding.
Social engineering via fake job offers to compromise individual signers (confirmed in Bybit's SafeWallet attack).
Rapid multi-chain bridging to ETH as the final accumulation asset.
Accumulate-and-hold pattern in a small number of wallets.
Pyongyang working hours across all operational activity.

New technique in this attack: fake token manufacturing. The attacker created a counterfeit CVT token to confuse on-chain monitoring during the exit phase. This is the first time we have seen Lazarus Group deploy token spoofing as an active countermeasure against real-time forensics.

This is Lazarus Group's 18th known crypto operation in 2026 according to Elliptic. Lifetime stolen: over $6.5 billion. Funds go directly to the DPRK weapons program.

Why This Keeps Happening: The Multisig Problem

Every major crypto exploit in the past three years has the same root cause: a small number of classical cryptographic keys, controlled by humans, with insufficient operational security around key management.

Drift used Ed25519 signatures in a 2-of-5 multisig. Ed25519 is a fine algorithm — for now. But the operational security around it was catastrophic. Two signatures to move $285M. No timelock. No secondary verification channel. No behavioral anomaly detection. No cryptographic attestation on signer identity. When you compromise two humans, you own the protocol.

Key rotation does not fix this. Drift proved it. They rotated to a new Security Council and the attacker re-compromised it in three days. The keys changed. The architecture did not.

What Would Have Stopped This

This is not a retrospective fantasy. Every component described below is production software running today.

1. Post-quantum threshold signatures. Replace Ed25519 with Dilithium ML-DSA-65 in a threshold configuration where no single device holds the full signing key. Shamir secret sharing with a 5-of-9 threshold across geographically and organizationally independent signers. Even if Lazarus compromises two signers, they need three more. Dilithium signatures are also not exposed to the future quantum attacks that would break elliptic-curve schemes such as Ed25519.
2. Mandatory timelocks with STARK attestation. Every high-value transaction requires a 24-hour delay between signature collection and execution. During the delay, a STARK zero-knowledge proof attests that the transaction was authorized through the proper governance process. Any signer can cancel during the window. The attacker's pre-signed durable nonce would have been caught during the delay period.
3. Biometric signer verification via FHE. Before any signature is accepted, the signer's identity is verified through FHE-encrypted biometric matching — not a password, not a hardware token, not something that can be phished or socially engineered. The biometric template is encrypted with fully homomorphic encryption and matched in the encrypted domain. Even if the attacker has the signing key, they cannot produce the biometric. The server that verifies the biometric never sees the plaintext biometric data.
4. Three-key nested signatures from different mathematical families. Dilithium (lattice-based) + Falcon (NTRU lattice) + SPHINCS+ (hash-based). Three algorithms from three distinct mathematical hardness assumptions. If a breakthrough breaks one family, the other two still protect the funds. No single cryptographic advance can compromise the multisig.
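Items 1 and 2 in working form, as an added example that is not H33's stack and not Drift's code: Shamir sharing over a prime field gives a 5-of-9 approval threshold (four shares, including two compromised ones, do not reproduce the committed secret), and a queued proposal cannot execute until a 24-hour delay has elapsed, during which any signer may cancel. The vault stores only a hash commitment to the approval secret. The share-as-approval scheme, the hash commitment and the `TimelockedVault` class are simplifications assumed for illustration; the example implements neither a post-quantum signature scheme nor a STARK proof.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

P = 2**127 - 1  # Shamir field modulus; 2^127 - 1 is a Mersenne prime


def make_shares(secret, threshold, n):
    """Split `secret` into n shares; any `threshold` of them reconstruct it."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]

    def poly(x):
        acc = 0
        for c in reversed(coeffs):  # Horner's rule
            acc = (acc * x + c) % P
        return acc

    return {i: poly(i) for i in range(1, n + 1)}


def reconstruct(shares):
    """Lagrange interpolation at x = 0; too few shares give an unrelated value."""
    total = 0
    for xi, yi in shares.items():
        num = den = 1
        for xj in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def commitment(value):
    return hashlib.sha256(value.to_bytes(16, "big")).hexdigest()


@dataclass
class Proposal:
    tx_id: str
    approvals: dict = field(default_factory=dict)  # signer index -> share
    queued_at: "datetime | None" = None
    cancelled: bool = False


class TimelockedVault:
    """Threshold approval, then a mandatory delay in which any signer may cancel."""

    def __init__(self, threshold, signers, delay):
        self.threshold, self.delay, self.proposals = threshold, delay, {}
        approval_secret = secrets.randbelow(P)
        self.shares = make_shares(approval_secret, threshold, signers)  # given to signers
        self.commitment = commitment(approval_secret)  # the vault keeps only the hash

    def propose(self, tx_id):
        self.proposals[tx_id] = Proposal(tx_id)

    def approve(self, tx_id, signer, share, now):
        """Record a share; when enough shares reproduce the committed secret,
        the proposal is queued (not executed) and the delay clock starts."""
        p = self.proposals[tx_id]
        p.approvals[signer] = share
        if p.queued_at is None and len(p.approvals) >= self.threshold:
            if commitment(reconstruct(p.approvals)) == self.commitment:
                p.queued_at = now
                return "queued"
        return "pending"

    def cancel(self, tx_id, signer, now):
        p = self.proposals[tx_id]
        if signer in self.shares and p.queued_at and now < p.queued_at + self.delay:
            p.cancelled = True
        return p.cancelled

    def executable(self, tx_id, now):
        p = self.proposals[tx_id]
        return bool(p.queued_at) and not p.cancelled and now >= p.queued_at + self.delay


def demo():
    """Walk the 5-of-9 + 24h policy through an attack case and a normal case."""
    vault = TimelockedVault(threshold=5, signers=9, delay=timedelta(hours=24))
    t0 = datetime(2026, 3, 31, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    out = {}
    # Four shares (two compromised signers plus two more) do not reproduce the secret.
    four = {s: vault.shares[s] for s in (1, 2, 3, 4)}
    out["four_shares_match"] = commitment(reconstruct(four)) == vault.commitment
    vault.propose("drain")
    for s in four:
        out["four_shares"] = vault.approve("drain", s, four[s], t0)
    # A fifth share crosses the threshold: queued, but still not executable.
    out["five_shares"] = vault.approve("drain", 5, vault.shares[5], t0)
    out["executes_at_once"] = vault.executable("drain", t0)
    # An uninvolved signer spots the unexpected proposal in the window and cancels.
    out["cancelled"] = vault.cancel("drain", 9, t0 + timedelta(hours=6))
    out["executes_later"] = vault.executable("drain", t0 + timedelta(hours=25))
    # A legitimate proposal nobody cancels executes once the delay has elapsed.
    vault.propose("payroll")
    for s in (2, 4, 6, 8, 9):
        vault.approve("payroll", s, vault.shares[s], t0)
    out["payroll_executes"] = vault.executable("payroll", t0 + timedelta(hours=24))
    return out
```

The point the model makes is architectural rather than cryptographic: a pre-signed transaction that reaches the threshold still sits in a visible queue for 24 hours, and any one honest signer can stop it, so compromising two or even four signers is not enough on its own.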

None of this is theoretical. H33 processes 2,209,429 authentications per second using this exact stack — BFV fully homomorphic encryption, STARK zero-knowledge proofs, Dilithium ML-DSA-65, three-key nested signatures, and threshold decryption. The entire pipeline completes in 35.25 microseconds per authentication.

The $6.5 Billion Question

Lazarus Group has stolen over $6.5 billion in cryptocurrency. Every single attack exploited the same pattern: a small number of classical keys, controlled by humans, without sufficient operational controls.

The crypto industry has known this for years. Ronin proved it. Bybit proved it again. Drift proved it a third time. The same unit, the same technique, the same result. Nothing changes because the industry keeps deploying the same 2-of-5 Ed25519 multisig with the same zero timelock and the same assumption that key rotation equals security.

It does not. Key rotation without architectural change is replacing the lock on the same broken door. Post-quantum threshold signatures, mandatory timelocks, biometric signer verification, and multi-family cryptographic diversity are not incremental improvements. They are the minimum viable security for any protocol holding more than the cost of attacking it.

We continue monitoring the three holding wallets identified in this investigation. Full technical findings have been shared with the Drift team.

Investigation by DivergSec. On-chain verification via Arkham Intelligence, Etherscan, BSCScan, and CoW Protocol API. Attribution corroborated by TRM Labs and Elliptic.
