North Korean Hackers Attack Drift Protocol In USD 285 Million Heist
2026-04-03 • TRM Labs
TRM Labs assessed that the April 2026 Drift Protocol theft was likely carried out by North Korean hackers, after attackers drained about $285 million from the Solana-based perpetual futures exchange. On-chain staging began weeks earlier with Tornado Cash funding, deployment and manipulation of the fake CarbonVote Token, durable nonce account creation, and social engineering of Security Council multisig signers into pre-signing hidden authorizations. A zero-timelock Security Council migration to a 2-of-5 threshold removed the delay that could have exposed the malicious admin actions before execution. Once the pre-signed transactions were used, the attacker listed CVT as collateral, raised withdrawal limits, drained real assets through 31 withdrawals in roughly 12 minutes, and bridged most funds to Ethereum within hours.
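The sequence above maps onto monitoring rules a protocol team could run over its own governance and withdrawal events. The following is an added example, not code from TRM Labs or Drift: the event schema, field names, thresholds and the sample timeline are all assumptions constructed for illustration.

```python
# Added example: event schema, field names and thresholds are assumptions,
# and the sample timeline is constructed data, not records from the incident.
ADMIN = {"council_migration", "collateral_listed", "withdraw_limit_raised"}

def assess(events, burst_count=20, burst_window=15 * 60, chain_window=3600):
    """Return sorted finding labels for a list of protocol events."""
    findings = set()
    weakened_at = None          # time the governance delay/threshold was weakened
    withdrawals = []            # timestamps of withdrawals seen so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["type"]
        if kind in ADMIN and ev.get("durable_nonce"):
            # Durable-nonce transactions do not expire, so a signature
            # collected weeks earlier can still be executed later.
            findings.add("admin_action_via_durable_nonce")
        if kind == "council_migration":
            if ev["timelock_seconds"] == 0:
                findings.add("zero_timelock")
                weakened_at = ev["ts"]
            if 2 * ev["threshold"] <= ev["signers"]:
                findings.add("sub_majority_threshold")
                weakened_at = ev["ts"]
        elif kind in ("collateral_listed", "withdraw_limit_raised"):
            if weakened_at is not None and ev["ts"] - weakened_at <= chain_window:
                findings.add("risk_param_change_after_weakened_governance")
        elif kind == "withdrawal":
            withdrawals.append(ev["ts"])
            recent = [t for t in withdrawals if ev["ts"] - t <= burst_window]
            if len(recent) >= burst_count:
                findings.add("withdrawal_burst")
    return sorted(findings)

def build_sample():
    """Constructed timeline shaped like the sequence in the summary."""
    t0 = 1_000_000
    sample = [
        {"ts": t0, "type": "council_migration", "timelock_seconds": 0,
         "threshold": 2, "signers": 5, "durable_nonce": False},
        {"ts": t0 + 600, "type": "collateral_listed", "token": "CVT",
         "durable_nonce": True},
        {"ts": t0 + 620, "type": "withdraw_limit_raised", "durable_nonce": True},
    ]
    # 31 withdrawals spread over roughly 12 minutes (30 gaps of 24 s)
    sample += [{"ts": t0 + 700 + 24 * i, "type": "withdrawal"} for i in range(31)]
    return sample

if __name__ == "__main__":
    for finding in assess(build_sample()):
        print(finding)
```

Any one of these findings on its own is a reason to page a human; the timelock and threshold checks are the ones that fire before funds move.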