The Solana DEX Drift fell victim to a massive hack on April 1. After days of investigation, experts seem certain: the North Korean hacker group Lazarus is behind the attack. The incident resembles the known IT fraud scheme, but for the first time, the North Korean operatives relied on in-person contact. Lazarus managed to steal a total of 285 million US dollars this time.
North Korean hacker group Lazarus steals 285 million USD from Drift
The North Korean hacker group Lazarus has struck again, inflicting enormous damage on the crypto industry once more. Lazarus stole a total of 285 million US dollars from Drift Protocol, a DEX in the Solana ecosystem, on April 1 – as TRM Labs reports.
Drift published a final report on the incident yesterday. With it, the DEX's operators intend to warn the rest of the industry.
“This information is being released to help the ecosystem mitigate risk. Please review the situation within your teams, control who has access to what data, and consider every device that comes into contact with your multisig signature as a potential attack vector,” it states.
According to current findings, Drift was infiltrated by individuals acting on behalf of Lazarus. These individuals were either members of the notorious hacker group or acted as intermediaries on their behalf.
While Drift assumed normal collaboration, the hackers, disguised as contributors, injected malicious code into its systems and prepared the theft of liquidity over several months. The attack took place on April 1. Lazarus once again gained the upper hand.
“TRM’s investigations suggest that the incident was likely perpetrated by North Korean hackers,” TRM Labs writes.
So-called IT fraud has long been one of Lazarus's most popular methods for acquiring funds. Just in March, the US sanctioned several individuals and organizations that, according to the investigation's findings, acted on behalf of Lazarus.
They deceived US companies and then stole sensitive information. Through extortion, they generated a total of 800 million US dollars in the calendar year 2024 alone. According to investigators, the funds are said to flow into the development of weapons of mass destruction.
Crypto experts see Drift hack as a precedent
The procedure for so-called IT fraud is fundamentally always the same: individuals acting on behalf of Lazarus apply for open positions. The applicants always seek employment in the IT sector.
However, they do not disclose their connections to the Democratic People's Republic of Korea. Instead, they claim a different nationality; for example, they often pose as Japanese or South Korean.
The scheme usually only pays off once they are hired. IT professionals need access to sensitive information and systems, and once the new employer grants it, Lazarus strikes. This is how internal information is spied on, or malware is installed on the victims' systems.
However, the attack on Drift occurred in a slightly different way, which is precisely why it is causing such a stir. Crypto expert Taylor Monahan warns the crypto industry about the concept. According to her assessment, Lazarus may have already infiltrated numerous other companies using this scheme without them knowing.
“I urge everyone in the crypto scene to read this post in its entirety. I had expected it to be another case of social engineering (…). I was greatly mistaken. And the sophistication of the operation and the fictitious identities makes me suspect that they have already targeted several other teams,” Monahan wrote on Twitter.
Drift and Monahan are particularly struck by the extent of the preparations. The hacker group put an unusual amount of effort into giving its operatives realistic resumes. They also successfully staged a convincing personal background around each identity to conceal the attackers' true origins.
In stark contrast to typical IT fraud, the attackers contacted their victims in person. At a crypto conference in autumn 2025, they reportedly approached Drift contributors and proposed a collaboration. For months they aroused no suspicion. It was only in March 2026 that the attackers presented Drift with malicious program code.
This allowed them to infect the devices of two Drift employees with malware. Lazarus also tricked Drift into signing malicious transactions. These transactions were only executed a week later – on April 1.
285 million US dollars in USDC and JLP went into the hands of the attackers, who transferred most of the loot via a token bridge to Ethereum. Drift has ceased operations since then. The damages may be irreparable. Many investors are concerned about their investments.