Experts from Diverg, TRM Labs, and Elliptic have identified the North Korean group Lazarus (TraderTraitor) as responsible for the $280 million hack of the DeFi protocol Drift. This same group previously attacked Bybit ($1.5 billion) and Ronin ($625 million).

1/10

We've been investigating the @DriftProtocol exploit ($285M) since April 1.

We can confirm along with TRM Labs and Elliptic that North Korea's Lazarus Group (TraderTraitor) was involved. This is the same unit behind Bybit ($1.5B) and Ronin ($625M).

Here's what our independent on-chain…

— Diverg (@DivergSec) April 3, 2026

The attacker did not compromise the multi-signature wallet only once, as the developers initially believed. On March 27, Drift changed its security council rules to require two of five signatures to confirm a transaction, with execution taking effect immediately. Just three days later, however, the attacker breached the new multi-signature setup again and abused the delayed-signature mechanism.

Preparation for the Attack

The hacker began preparations on March 11, withdrawing 10 ETH using Tornado Cash at 15:24 Pyongyang time. The funds were funneled through a series of disposable wallets and cross-chain bridges.

On March 12, 50 SOL were sent to a token issuance address, and by 09:58 Korean time the hacker had created 750 million fake CVT tokens. The same address was used on the BSC network, where it received 31.125 BNB through a signed transaction from MetaWallet, after which those funds followed the same route as the Ethereum funds.

Initial reports mistakenly claimed that 30 ETH was used to fund the attack through three withdrawals via Tornado Cash. Experts clarified that the attacker made only one 10 ETH withdrawal, while the other two transactions were sent to an address-obfuscation service.

Withdrawal of Funds

After the hack, Diverg reconstructed the complete strategy for withdrawing funds via the public API of CoW Protocol. Within 30 minutes, the hacker placed 10 orders through the CoW Swap web interface, converting $14.6 million USDC and 99.8 WBTC into approximately 13,150 ETH. All 10 transactions were confirmed on the blockchain.

A secondary wallet received funds from two sources: 390.86 ETH from Chainflip Vault and 846,000 USDC via Circle CCTP (later converted into 397 ETH through CoW Protocol). In total, 788 ETH were sent to a holding address.

Behavioral Profile

All confirmed actions of the hacker were aligned with Pyongyang's working hours and occurred only on weekdays.
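The working-hours observation above is an attribution heuristic analysts apply to on-chain timestamps: convert each block time from UTC to the suspected operator's local time and see how much of the activity falls on weekdays inside a normal working day. The script below is an added illustration, not code from Diverg, TRM Labs or Elliptic. It assumes Pyongyang time is a fixed UTC+9 with no daylight saving, a hypothetical 09:00 to 18:00 working window, and a small set of constructed sample timestamps (the first two mirror the times reported in this article; the rest are invented). It also scores the same timestamps against a second, fixed UTC-4 zone to show how the ratio separates candidate regions.

```python
from datetime import datetime, timezone, timedelta

# Assumption: Pyongyang keeps UTC+9 year-round (no daylight saving).
PYONGYANG = timezone(timedelta(hours=9), name="Asia/Pyongyang")
# Comparison zone used only to contrast the ratio; a fixed UTC-4 offset.
UTC_MINUS_4 = timezone(timedelta(hours=-4), name="UTC-4")

# Hypothetical working window: weekday events with local hour in [09, 18).
WORK_START, WORK_END = 9, 18

# Constructed sample block times in UTC (ISO-8601). The first two correspond to
# the 15:24 KST (Mar 11) and 09:58 KST (Mar 12) events cited in the article;
# the remaining four are invented to include a weekend and a night-time event.
SAMPLE_TIMESTAMPS = [
    "2026-03-11T06:24:00Z",  # Wed 15:24 KST  -> in window
    "2026-03-12T00:58:00Z",  # Thu 09:58 KST  -> in window
    "2026-03-13T02:30:00Z",  # Fri 11:30 KST  -> in window
    "2026-03-14T03:00:00Z",  # Sat 12:00 KST  -> weekend
    "2026-03-16T16:45:00Z",  # Tue 01:45 KST  -> off hours
    "2026-03-17T05:10:00Z",  # Tue 14:10 KST  -> in window
]


def to_local(ts_utc: str, tz=PYONGYANG) -> datetime:
    """Parse an ISO-8601 UTC timestamp and convert it to the target zone."""
    dt = datetime.fromisoformat(ts_utc.replace("Z", "+00:00"))
    if dt.tzinfo is None:          # treat naive input as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(tz)


def in_working_window(ts_utc: str, tz=PYONGYANG) -> bool:
    """True if the event falls on a weekday inside the working window."""
    local = to_local(ts_utc, tz)
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def working_hours_ratio(timestamps, tz=PYONGYANG) -> float:
    """Share of events inside the working window for the given zone."""
    if not timestamps:
        return 0.0
    return sum(in_working_window(t, tz) for t in timestamps) / len(timestamps)


def activity_summary(timestamps, tz=PYONGYANG) -> dict:
    """Break activity down into in-window, weekend and off-hours counts."""
    summary = {"total": 0, "in_window": 0, "weekend": 0, "off_hours": 0}
    for ts in timestamps:
        local = to_local(ts, tz)
        summary["total"] += 1
        if local.weekday() >= 5:
            summary["weekend"] += 1
        elif not (WORK_START <= local.hour < WORK_END):
            summary["off_hours"] += 1
        else:
            summary["in_window"] += 1
    summary["ratio"] = (
        summary["in_window"] / summary["total"] if summary["total"] else 0.0
    )
    return summary


if __name__ == "__main__":
    for name, tz in (("Pyongyang UTC+9", PYONGYANG), ("UTC-4", UTC_MINUS_4)):
        s = activity_summary(SAMPLE_TIMESTAMPS, tz)
        print(f"{name}: {s['in_window']}/{s['total']} in window "
              f"(weekend={s['weekend']}, off_hours={s['off_hours']}, "
              f"ratio={s['ratio']:.2f})")
```

On the constructed sample, four of six events land inside the Pyongyang working window versus one of six for the UTC-4 zone. The ratio is a signal to be weighed with the other indicators the article lists (mixer funding, bridge hopping, token and oracle manipulation), not a verdict on its own: an operator can schedule transactions, and a handful of timestamps is a small sample.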

The group's methods closely match the known Lazarus profile: funding the operation through Tornado Cash, social engineering (fake job offers, as in the Bybit SafeWallet case), rapid transfers across multiple blockchains into Ethereum, and long-term retention of the stolen assets.

However, this time the attackers employed a new tactic: they issued fake CVT tokens and manipulated oracle data to artificially inflate the collateral value.

According to Elliptic, the Drift hack marks the 18th attack by Lazarus since the beginning of 2026.

Recall that in March, the North Korean group was suspected of attacking the cryptocurrency online store Bitrefill.