{"id":70604,"date":"2026-04-03T14:33:03","date_gmt":"2026-04-03T14:33:03","guid":{"rendered":"https:\/\/crowdfundjunction.com\/blog\/what-happened-who-lost-money-and-whats-next-featured-bitcoin-news\/"},"modified":"2026-04-03T14:33:03","modified_gmt":"2026-04-03T14:33:03","slug":"what-happened-who-lost-money-and-whats-next-featured-bitcoin-news","status":"publish","type":"post","link":"https:\/\/crowdfundjunction.com\/blog\/what-happened-who-lost-money-and-whats-next-featured-bitcoin-news\/","title":{"rendered":"What Happened, Who Lost Money, and What’s Next \u2013 Featured Bitcoin News"},"content":{"rendered":"

(Originally posted on : Bitcoin News )<\/b>
\n<\/p>\n

\n

DPRK Lazarus Group Suspected in Drift Protocol $286 Million Solana<\/span> Theft<\/h2>\n

Drift Protocol, the largest decentralized perpetual futures exchange on the Solana<\/span> network, confirmed the exploit after watching its total value locked (TVL) collapse from roughly $550 million to under $250 million in a single morning, now standing at $232 million<\/a>. Bitcoin.com<\/span> News was the first to report<\/a> on the issue. The DRIFT token dropped as much as 37%\u201342% in the hours that followed, bottoming near $0.04 to $0.05<\/a>.<\/p>\n

Reports note that the attack<\/a> began not with a code bug but with a Tornado Cash<\/a> withdrawal. On March 11, the attacker pulled ETH<\/span> from the Ethereum-based privacy protocol and used those funds to deploy the carbonvote token, or CVT, on March 12. Blockchain<\/span> analysts noted<\/a> the deployment timestamp corresponded to approximately 09:00 Pyongyang time, a detail that raised immediate flags.<\/p>\n

DRIFT token on April 3, 2026.<\/figcaption><\/figure>\n

Several reports detail that over the following three weeks, the attacker seeded<\/a> minimal liquidity<\/span> for CVT on the Raydium decentralized exchange<\/span> and used wash trading to maintain a price near $1.00. Drift\u2019s oracles<\/span> read that price as legitimate. The attacker had built fake collateral that looked real to every automated system watching it.<\/p>\n

\u201cEarlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift\u2019s Security Council administrative powers,\u201d the Drift team wrote.<\/p>\n

The project\u2019s X account added:<\/p>\n

\n

\u201cThis was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution.\u201d<\/p>\n<\/blockquote>\n

Ostensibly, between March 23 and March 30, the Drift attacker moved to the human layer. Using a legitimate Solana<\/span> feature called durable nonces, the attacker reportedly induced members of Drift\u2019s Security Council multisig to pre-sign transactions that appeared routine. Those signatures became pre-approved access keys, held in reserve until the attacker was ready.<\/p>\n

The opening closed on March 27, when Drift migrated<\/a> its Security Council to a 2-of-5 signature threshold and removed its timelock entirely. A timelock typically forces a 24-to-72-hour delay on administrative actions, giving the community time to catch and reverse anything suspicious. Without it, the attacker had zero-delay execution authority. The pre-signed transactions were live the moment the timelock was gone.<\/p>\n

On April 1, the attacker activated those transactions, listed CVT as valid collateral, raised withdrawal limits, and deposited hundreds of millions in CVT tokens against which Drift\u2019s risk engine issued real assets. The protocol handed over millions in JLP tokens, millions in USDC<\/a>, millions in SOL<\/span>, and smaller amounts of wrapped bitcoin<\/span> and ethereum. Thirty-one withdrawal transactions cleared in roughly 12 minutes.<\/p>\n

The attacker converted the stolen tokens to USDC using Jupiter, bridged to Ethereum<\/a>, and swapped into tens of thousands of ETH<\/span>. Some funds were routed through Hyperliquid, and a portion moved directly to Binance. On April 3, Drift sent an onchain message from an Ethereum address to four hacker-controlled wallets. The publication cryptonomist.ch reports that the message read<\/a>:<\/p>\n

\n

\u201cWe are ready to speak.\u201d<\/p>\n<\/blockquote>\n

Security firms Elliptic<\/a> and TRM Labs have attributed<\/a> the attack to DPRK-linked threat actors, citing the Tornado Cash origin, the Pyongyang-time deployment signature, the social engineering focus, and the post-hack laundering speed. The Lazarus Group<\/a> used the same patience and human-targeting approach in the 2022 Ronin bridge hack. The U.S. government has tied these thefts to North Korea<\/a>\u2018s weapons program funding, and Elliptic has tracked over $300 million stolen in the first quarter of 2026 alone.<\/p>\n

The contagion spread to more than 20 protocols<\/a>. Prime Numbers Fi reported losses in the millions. Carrot Protocol paused mint and redeem functions after 50% of its TVL was affected. Pyra Protocol disabled withdrawals entirely, leaving all user funds inaccessible. Piggybank lost $106,000 and reimbursed users from its own team treasury.<\/p>\n

DeFi<\/span> Development Corp., a Nasdaq-listed company with a Solana<\/a> treasury strategy, confirmed<\/a> on April 1 that it had no Drift exposure. Its risk framework excluded the protocol entirely. That fact drew more attention than the company likely intended.<\/p>\n

The Drift incident produced one clear lesson that most of the industry already knew but had not fully applied: a timelock is not optional. The removal of that single safeguard on March 27 converted a complex, multi-week attack into a 12-minute cash-out. Protocol governance without a delay mechanism is governance with an open door.<\/p>\n

The next 48 hours following the DeFi<\/a> attack were described as critical for Drift\u2019s ability to retain user trust and map a recovery path. As of April 3, no comprehensive reimbursement plan had been announced.<\/p>\n

FAQ \ud83d\udd0e<\/h2>\n