North Korean group Lazarus linked to $280M Drift DeFi breach, experts confirm.
The North Korean group Lazarus (TraderTraitor) has been identified as the perpetrator behind the $280 million breach of the DeFi protocol Drift, according to experts from Diverg, TRM Labs, and Elliptic. This same group previously targeted Bybit ($1.5 billion) and Ronin ($625 million).
1/10
We’ve been investigating the @DriftProtocol exploit ($285M) since April 1.
We can confirm, along with TRM Labs and Elliptic, that North Korea’s Lazarus Group (TraderTraitor), the same unit behind Bybit ($1.5B) and Ronin ($625M), was involved.
Here’s what our independent on-chain…
— Diverg (@DivergSec) April 3, 2026
The attacker did not merely compromise the multisig once, as initially suggested by the affected project’s developers.
On March 27, Drift updated its Security Council rules: two out of five signatures were required to confirm a transaction, and execution was instantaneous. However, just three days later, the perpetrator breached the new multisig again and used a deferred signature mechanism.
Preparation for the Attack
The hacker began preparing for the attack on March 11. At that time, they withdrew 10 ETH using Tornado Cash at 15:24 Pyongyang time. The funds passed through a chain of disposable wallets and cross-chain bridges.
On March 12, 50 SOL was sent to the token issuance address, and by 09:58 Korean time, the perpetrator had created 750 million fake CVT coins. The same address was used on the BSC network. It received 31.125 BNB through a signed transaction from MetaWallet, after which the funds followed the same route as Ethereum.
Earlier reports mistakenly claimed that 30 ETH from three withdrawals via Tornado Cash funded the attack. Experts clarified that only one of those transactions, for 10 ETH, belonged to the attacker. The other two went to an address-poisoning service.
Funds Withdrawal
After the breach, Diverg reconstructed the full strategy for withdrawing funds through the public API of CoW Protocol. Within 30 minutes, the perpetrator placed 10 orders via the CoW Swap web interface, converting $14.6 million USDC and 99.8 WBTC into approximately 13,150 ETH. All 10 transactions are confirmed on the blockchain.
The secondary holding wallet received funds from two sources: 390.86 ETH from Chainflip Vault and 846,000 USDC through Circle CCTP (later converted into 397 ETH via CoW Protocol). In total, 788 ETH were sent to the holding address.
Behavioral Profile
All confirmed actions of the hacker are tied to Pyongyang’s working hours and were conducted only on weekdays.
The group’s methods fully align with the known profile of Lazarus: preparation through Tornado Cash, social engineering (fake job offers, as in the case with Bybit SafeWallet), rapid transfer of funds across multiple blockchains into Ethereum, and retention of stolen assets.
However, this time the perpetrators employed a new tactic: they issued fake CVT tokens and manipulated oracle data to artificially inflate the collateral value.
According to Elliptic, the Drift breach marks the 18th attack by Lazarus since the beginning of 2026.
Earlier in March, the North Korean group was suspected of attacking the cryptocurrency online store Bitrefill.