Three blockchain forensics firms have now confirmed what many suspected within hours of the April 1 attack on Drift Protocol. North Korea’s Lazarus Group, operating under the TraderTraitor unit, stole the $285 million. TRM Labs, Elliptic, and DivergSec each reached the same conclusion independently.
The attribution matters beyond the name. This is the same unit behind the $1.5 billion Bybit breach and the $625 million Ronin exploit. But what DivergSec uncovered in Drift goes further: a technique that had not appeared in any prior Lazarus operation.
Fake Token. Real Damage.
According to DivergSec on X, the attacker manufactured 750 million fake CVT tokens on March 12, completing the minting by 09:58 KST, then used oracle manipulation to inflate the token’s collateral value inside Drift.
That is new. Prior Lazarus cases on record share the Tornado Cash staging, social engineering, and cross-chain bridging. The CVT fabrication step added a different layer: minting a token with no real backing, pushing up the price the protocol's oracle reported for it, and then borrowing against that inflated collateral as if it were real.
DivergSec on X described this as a behavioral fingerprint match to prior DPRK operations, with one addition. Fake token manufacturing plus oracle manipulation was not in the Bybit or Ronin playbook.
The staging chain itself started on March 11. Ten ETH moved from Tornado Cash at 15:24 Pyongyang time (UTC+9, the same as KST), passing through four wallets before routing through LI.FI and Near Intents and landing on Solana. Each intermediate wallet was used once: one inbound transfer, a single outbound transaction, and a zero balance afterwards. As DivergSec on X documented, 50 SOL landed on the minter wallet by the next morning.
Multisig Hit a Second Time
The earlier reporting on this hack covered how the attacker used pre-signed durable nonce transactions to hold 2-of-5 multisig access before executing. A Solana transaction normally expires once its recent blockhash ages out, a window of roughly 150 slots; a durable nonce replaces that blockhash with a value stored in a nonce account, so a transaction signed against it stays valid until the nonce is advanced. Signatures collected in advance from two council members therefore never went stale. What the new forensics show is that the attacker did this twice.
Drift migrated to a new Security Council on March 27 after a member departure. The new setup kept a 2-of-5 threshold with no timelock. DivergSec on X confirmed the attacker re-entered the updated structure within three days and pre-signed a fresh durable nonce transaction on March 31. The migration changed nothing. The attacker simply adapted.
As DivergSec posted on X, the breach did not stop at the first compromise. After Drift’s security council was rebuilt, the attacker moved back in, secured fresh pre-signed access, and waited again.
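The mechanics behind the two pre-signing rounds, as an added illustration that is not Drift's, Solana's or DivergSec's code: a toy ledger with blockhash expiry and nonce accounts, a toy 2-of-5 council, and one executability check. The names (nonceA, signers a to f, the slot counts) are assumptions chosen for the example. It shows a blockhash-based transaction dying after a day while a durable-nonce one stays live, a member rotation invalidating the old signature set only for a fresh set on the new council to execute just as well, and the two controls that actually kill a pre-signed transaction: a timelock with cancellation, and advancing the nonce account.

```python
"""Toy model of Solana durable-nonce transactions against a multisig council.
Added example; not the code of any real protocol or library."""
from dataclasses import dataclass, field
from typing import Optional

MAX_PROCESSING_AGE = 150      # slots a normal recent blockhash stays usable (about a minute)
ONE_DAY_SLOTS = 216_000       # assumed: 86,400 s at 400 ms per slot


@dataclass
class Ledger:
    slot: int = 0
    blockhash_slot: dict = field(default_factory=dict)   # blockhash -> slot it was produced in
    nonce_accounts: dict = field(default_factory=dict)   # nonce account -> stored nonce value

    def tick(self, n: int) -> None:
        for _ in range(n):
            self.slot += 1
            self.blockhash_slot[f"hash@{self.slot}"] = self.slot

    def recent_blockhash(self) -> str:
        return f"hash@{self.slot}"

    def advance_nonce(self, account: str) -> None:
        # AdvanceNonceAccount: anything signed against the old stored value is now unusable.
        self.nonce_accounts[account] = f"{account}@{self.slot}"


@dataclass
class Multisig:
    signers: set
    threshold: int = 2
    timelock_slots: int = 0                 # 0 = executes the moment the threshold is met
    cancelled: set = field(default_factory=set)

    def cancel(self, tx_id: str) -> None:
        self.cancelled.add(tx_id)


@dataclass
class SignedTx:
    tx_id: str
    blockhash: str                          # a recent blockhash, or the durable nonce value
    nonce_account: Optional[str]            # set when the transaction uses a durable nonce
    signatures: set
    approved_slot: int


def is_executable(tx: SignedTx, ledger: Ledger, council: Multisig):
    """Return (executable, reason) for a pre-signed transaction at the ledger's current slot."""
    if tx.tx_id in council.cancelled:
        return False, "cancelled during timelock"
    if len(tx.signatures & council.signers) < council.threshold:
        return False, "threshold not met"
    if council.timelock_slots and ledger.slot < tx.approved_slot + council.timelock_slots:
        return False, "timelock not elapsed"
    if tx.nonce_account is None:
        produced = ledger.blockhash_slot.get(tx.blockhash)
        if produced is None or ledger.slot - produced > MAX_PROCESSING_AGE:
            return False, "blockhash expired"
        return True, "recent blockhash"
    if ledger.nonce_accounts.get(tx.nonce_account) != tx.blockhash:
        return False, "nonce advanced"
    return True, "durable nonce still current"


def scenario() -> dict:
    ledger = Ledger()
    ledger.tick(1)
    ledger.nonce_accounts["nonceA"] = "nonceA@init"
    ledger.nonce_accounts["nonceB"] = "nonceB@init"
    old_council = Multisig(signers={"a", "b", "c", "d", "e"})
    # The attacker holds signatures from a and b on two transactions, one per mechanism.
    normal = SignedTx("normal", ledger.recent_blockhash(), None, {"a", "b"}, ledger.slot)
    durable = SignedTx("durable", "nonceA@init", "nonceA", {"a", "b"}, ledger.slot)
    ledger.tick(20_000)                      # days pass before execution
    out = {
        "normal_later": is_executable(normal, ledger, old_council),
        "durable_later": is_executable(durable, ledger, old_council),
    }
    # Council migration: b departs, f joins; threshold and (absent) timelock unchanged.
    new_council = Multisig(signers={"a", "c", "d", "e", "f"})
    out["old_after_rotation"] = is_executable(durable, ledger, new_council)
    # The attacker re-enters and collects a fresh durable-nonce signature set on the new council.
    fresh = SignedTx("fresh", "nonceB@init", "nonceB", {"a", "c"}, ledger.slot)
    out["fresh_on_new_council"] = is_executable(fresh, ledger, new_council)
    # Same signers with a one-day timelock: execution waits, and the council can cancel.
    guarded = Multisig(signers=set(new_council.signers), timelock_slots=ONE_DAY_SLOTS)
    out["fresh_with_timelock"] = is_executable(fresh, ledger, guarded)
    guarded.cancel("fresh")
    out["fresh_cancelled"] = is_executable(fresh, ledger, guarded)
    # Advancing the nonce account kills the pre-signed transaction even without a timelock.
    ledger.advance_nonce("nonceB")
    out["fresh_after_nonce_advance"] = is_executable(fresh, ledger, new_council)
    return out


if __name__ == "__main__":
    for name, (ok, why) in scenario().items():
        print(f"{name:26s} {'EXECUTES' if ok else 'blocked ':8s} {why}")
```

The point a council rotation misses is in the last three results: replacing a member only helps if it removes a signature the attacker already holds, and it does nothing against signatures obtained afterwards. A timelock with cancellation, or advancing (or closing) every nonce account the signers control during a migration, is what removes a pre-signed transaction.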
The BSC side of the operation ran parallel. DivergSec on X found the same bridge wallet receiving 31.125 BNB via a signature-based smart contract withdrawal through MetaWallet 0x233c5370, then routing through LI.FI to Near Intents back to Solana. Same destination. Confirmed on BSCScan.
Every Move Tracked to Pyongyang Hours
DivergSec on X mapped every confirmed attacker action against Korean Standard Time. Staging ran at 15:24 KST. Bridging between 09:00 and 09:58 KST. The exploit itself executed at 20:06 KST. Laundering ran overnight, 01:00 to 04:00 KST. SOL distribution the following morning at 08:03 KST. Weekdays only. No weekend activity at all.
That pattern functioned as a second attribution layer, separate from wallet tracing. It is a supporting signal rather than proof on its own: UTC+9 is shared with Japan, neighbouring UTC+8 is only an hour off, and an operator can schedule activity to mislead. It carries weight because it lines up with the wallet-level evidence.
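The two tracing heuristics described above, the single-use staging wallets and the working-hours profile, as an added example that is not DivergSec's tooling. It runs over a constructed transfer list whose timestamps follow the timeline the article gives (wallet names, amounts and the unrelated weekend "poison_bot" rows are assumptions), flags wallets that received once, sent once on their first outbound transaction and ended empty, and then buckets the actor-linked events by KST hour and weekday.

```python
"""Pass-through wallet detection and KST activity profiling over a constructed transfer list.
Added example; not DivergSec's or any firm's code."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

KST = timezone(timedelta(hours=9))

# Constructed sample, not real chain data. Columns:
# (UTC timestamp, chain, sender, outbound_seq, receiver, amount)
# outbound_seq is the 1-based count of the sender's outbound transactions (1 = first and only send).
EVENTS = [
    ("2026-03-11T06:24:00Z", "eth", "tornado_pool", 0, "w1", 10.0),          # 15:24 KST staging
    ("2026-03-11T06:31:00Z", "eth", "w1", 1, "w2", 10.0),
    ("2026-03-11T06:40:00Z", "eth", "w2", 1, "w3", 10.0),
    ("2026-03-11T06:52:00Z", "eth", "w3", 1, "w4", 10.0),
    ("2026-03-11T07:05:00Z", "eth", "w4", 1, "lifi_router", 10.0),
    ("2026-03-12T00:00:00Z", "eth", "lifi_router", 55, "near_intents", 10.0),  # 09:00 KST bridging
    ("2026-03-12T00:58:00Z", "sol", "near_intents", 900, "minter", 50.0),      # 09:58 KST
    ("2026-04-01T11:06:00Z", "sol", "minter", 3, "drift_program", 0.0),        # 20:06 KST exploit
    ("2026-04-01T16:30:00Z", "eth", "exit", 1, "cow_settlement", 1000.0),      # 01:30 KST laundering
    ("2026-04-01T23:03:00Z", "sol", "exit_sol", 1, "holding", 20.0),           # 08:03 KST distribution
    # Unrelated noise: a second Tornado withdrawal feeding an address-poisoning bot on a Saturday.
    ("2026-03-14T03:10:00Z", "eth", "tornado_pool", 0, "poison_bot", 10.0),
    ("2026-03-14T03:12:00Z", "eth", "poison_bot", 45001, "victim_lookalike", 0.0),
]


def pass_through_wallets(events):
    """Wallets with exactly one inbound and one outbound transfer on the same chain,
    sent as the wallet's first outbound transaction, leaving a zero balance."""
    inbound, outbound = defaultdict(list), defaultdict(list)
    for _ts, chain, sender, seq, receiver, amount in events:
        outbound[sender].append((seq, amount, chain))
        inbound[receiver].append((amount, chain))
    flagged = set()
    for w in set(inbound) & set(outbound):
        if len(inbound[w]) != 1 or len(outbound[w]) != 1:
            continue
        seq, out_amt, out_chain = outbound[w][0]
        in_amt, in_chain = inbound[w][0]
        if seq == 1 and in_chain == out_chain and abs(in_amt - out_amt) < 1e-9:
            flagged.add(w)
    return flagged


def kst_profile(events, actors):
    """Bucket every event touching an actor-controlled wallet by KST hour and weekday."""
    by_hour, by_weekday, weekend = Counter(), Counter(), 0
    for ts, _chain, sender, _seq, receiver, _amount in events:
        if sender not in actors and receiver not in actors:
            continue                                   # drops the poisoning-service noise
        utc = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        local = utc.astimezone(KST)
        by_hour[local.hour] += 1
        by_weekday[local.strftime("%a")] += 1
        if local.weekday() >= 5:                       # Saturday = 5, Sunday = 6
            weekend += 1
    return {
        "events": sum(by_hour.values()),
        "weekend": weekend,
        "by_hour": dict(sorted(by_hour.items())),
        "by_weekday": dict(by_weekday),
    }


if __name__ == "__main__":
    staging = pass_through_wallets(EVENTS)
    actors = staging | {"minter", "exit", "exit_sol"}   # assumed: wallets linked by other evidence
    print("pass-through staging wallets:", sorted(staging))
    print("KST profile:", kst_profile(EVENTS, actors))
```

The pass-through rule is deliberately strict (same chain, amount in equals amount out, first outbound send) so that routers and bridges such as the LI.FI and Near Intents hops, which forward many transfers, are not swept in; in the sample the weekend rows belong to the poisoning bot and fall out of the profile because none of its wallets is in the actor set.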
The exit route went through CoW Protocol. DivergSec on X pulled the full strategy from CoW Protocol's public API: 10 orders placed in 30 minutes via CoW Swap, converting $14.6M USDC and 99.8 WBTC into roughly 13,150 ETH. The orders carried EIP-712 signatures, and their appData metadata identified the CoW Swap v1.14.0 front end. Exit wallet tracked on Arkham.
A secondary wallet received 390.86 ETH from Chainflip Vault, plus 846K USDC via Circle CCTP, the latter swapped to 397 ETH through CoW Protocol. DivergSec on X confirmed both transactions were identified, with 788 ETH combined routed to a holding wallet.
Early reports had attributed funding to three Tornado Cash withdrawals totaling 30 ETH. DivergSec on X corrected that. Only one of those three withdrawals came from the attacker. The other two funded an unrelated address poisoning service, an operator whose wallet shows 45,000-plus automated transactions and is still active. DivergSec separated the attacker's trail from that noise before publishing.
Drift Sends On-Chain Messages to Thieves
On April 3, Drift moved to direct contact. The protocol sent on-chain messages from address 0x0934faC45f2883dd5906d09aCfFdb5D18aAdC105 to four ETH wallets identified as holding stolen funds. According to DriftProtocol on X, the timestamps ran between 05:17 and 05:25 AM UTC. The team stated it is ready to speak and directed the holder to reach out via Blockscan chat. Further updates will follow once third-party attributions are complete.
As DriftProtocol posted on X, critical information on parties related to the exploit has been identified, and the team is now communicating directly on-chain with the wallets holding the funds.
DivergSec on X confirmed it continues monitoring the three holding wallets. Per Elliptic, the Drift attack is Lazarus Group’s 18th crypto operation in 2026. Lifetime theft now sits above $6.5 billion. Funds go directly to weapons programs, Elliptic noted.
DivergSec on X confirmed TRM Labs and Elliptic both corroborated the TraderTraitor attribution. Full technical findings have been shared with the Drift team.