North Korean AI Hackers Stole $270M from Drift in a 6-Month Operation
April 6, 2026 · 7 min read
TL;DR
Drift Protocol disclosed today that suspected North Korean state hackers spent six months posing as a quant trading firm—with AI-generated personas, a $1M+ deposit, and in-person meetings—before draining $270M from the Solana-based DeFi platform. It is the clearest documented case yet of AI enabling long-horizon, state-sponsored crypto theft.
The crypto industry got a detailed look today at how AI has transformed state-sponsored hacking. Drift Protocol, one of the largest Solana-based decentralized exchanges, disclosed the full anatomy of a $270M heist carried out by suspected North Korean operatives over more than six months. The attack is a landmark case: it is the first major crypto theft where AI-powered social engineering played a documented, central role from start to finish.
What Happened: A 6-Month Long Con
The attackers did not break in overnight. According to Drift's post-mortem, the operation followed a methodical playbook:
- Month 1–2: Identity construction. Attackers created a fully documented quant trading firm with a website, LinkedIn profiles, trading history, and reference contacts—all fabricated using AI-generated content and deepfake assets.
- Month 2–3: Credibility deposit. They transferred $1M+ into Drift to establish a legitimate trading presence and began executing real trades to build a verifiable track record.
- Month 3–5: Relationship building. The attackers held video calls and reportedly at least one in-person meeting with Drift staff, using real-time AI voice synthesis and deepfake video to maintain their cover identities.
- Month 5–6: Access escalation. With earned trust, they gained elevated access to internal systems—positioning themselves to execute the final exploit.
- Day zero: Drain. In a coordinated exploit, the attackers drained $270M from protocol liquidity pools before Drift's security team could respond.
How AI Made This Attack Possible
Prior to widely available AI tools, a deception of this scale required an entire team of specialists—writers, graphic designers, social engineers, voice actors, and video producers. In 2026, a small group with commodity AI tools can replicate all of these capabilities at near-zero marginal cost.
| Attack Element | AI Tool Used | Effect |
|---|---|---|
| Fake trading firm identities | LLM-generated bios, photos (image gen) | Professional-grade personas at zero cost |
| Business communications | LLM-written emails, contracts, reports | Native-level English, no grammar errors |
| Video calls | Real-time voice synthesis + video deepfake | Live impersonation of fake Western personas |
| Exploit code | AI-assisted smart contract vulnerability analysis | Faster exploit development cycle |
| Money laundering routes | AI-optimized transaction graph obfuscation | Harder tracing by on-chain analysts |
North Korea's AI Crypto Playbook
The Drift hack is not an isolated incident. North Korea's Lazarus Group and affiliated threat actors have systematically targeted crypto protocols for years, but the 2025–2026 period marks a step change in sophistication. According to blockchain analytics firm Chainalysis, North Korean state hackers stole over $1 billion in crypto in 2025 alone—funds that flow directly into the country's weapons and missile development programs.
Ledger CTO Charles Guillemet warned last week that AI is driving the economic cost of cyberattacks down to near zero. The Drift case confirms his thesis: operations that would once have required months of human labor and specialist skills are now executable by small teams with access to AI tools. The asymmetry between attacker cost and defender cost has never been worse.
The Broader Crypto Security Crisis
The Drift attack is the highest-profile incident in a particularly brutal stretch for crypto security in April 2026:
- Resolv Protocol: $25M drained days before the Drift disclosure via a flash loan exploit
- Total AI-era crypto losses: $1.4 billion over the past 12 months (Ledger estimate)
- Reported incidents rise: The frequency of DeFi exploits has increased roughly 40% year-over-year, correlating with the availability of AI-assisted vulnerability scanning tools
What Crypto Users and Protocols Should Do Now
The Drift hack rewrites the threat model for DeFi protocols. Old defenses—KYC for institutional partners, code audits, bug bounties—are insufficient against adversaries who can fabricate credible identities and maintain them over months. Here is what security experts recommend:
For DeFi Protocols
- Verify real-world identity through multiple independent channels. Video call verification alone is no longer sufficient—require in-person notarized documents for any counterparty receiving elevated system access.
- Implement time-locked access escalation. No new counterparty should receive high-privilege system access within the first 90 days regardless of trust signals.
- Deploy AI-powered anomaly detection. Monitor for unusual on-chain patterns that precede known exploit signatures—withdrawal velocity spikes, unusual contract interactions, liquidity concentration changes.
- Use formal verification for smart contracts. AI-assisted formal verification tools can catch classes of vulnerability that traditional audits miss.
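The two controls above that translate most directly into code are the time-locked escalation policy and withdrawal-velocity monitoring. The following is an added example, not Drift's own code or anything from its post-mortem; it assumes a hypothetical 10-minute monitoring window, a 5x spike factor, and constructed withdrawal data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Policy: no high-privilege access before 90 days, regardless of trust signals.
ESCALATION_MIN_AGE = timedelta(days=90)


@dataclass(frozen=True)
class Counterparty:
    name: str
    onboarded_at: datetime
    deposit_usd: float  # a "trust signal" the policy deliberately ignores


def escalation_allowed(cp: Counterparty, now: datetime) -> bool:
    """Time-locked escalation: only account age matters, never deposits or meetings."""
    return now - cp.onboarded_at >= ESCALATION_MIN_AGE


@dataclass(frozen=True)
class Withdrawal:
    ts: datetime
    usd: float


def withdrawal_velocity_alerts(events, window=timedelta(minutes=10),
                               spike_factor=5.0, min_history=3):
    """Bucket withdrawals into fixed windows and flag any window whose volume
    exceeds spike_factor times the mean of all earlier windows (empty windows
    count as zero volume). Returns (window_start, volume_usd) pairs."""
    if not events:
        return []
    start = min(e.ts for e in events)
    buckets = {}
    for e in events:
        idx = int((e.ts - start) / window)
        buckets[idx] = buckets.get(idx, 0.0) + e.usd
    volumes = [buckets.get(i, 0.0) for i in range(max(buckets) + 1)]
    alerts = []
    for i in range(min_history, len(volumes)):
        baseline = mean(volumes[:i])
        if volumes[i] > spike_factor * max(baseline, 1.0):  # floor avoids zero baseline
            alerts.append((start + i * window, volumes[i]))
    return alerts


# Constructed sample data (assumed, not real chain activity): steady $10k
# withdrawals every 2 minutes for an hour, then two very large withdrawals.
SAMPLE_START = datetime(2026, 4, 1, 12, 0)
SAMPLE_WITHDRAWALS = (
    [Withdrawal(SAMPLE_START + timedelta(minutes=m), 10_000.0) for m in range(0, 60, 2)]
    + [Withdrawal(SAMPLE_START + timedelta(minutes=61), 40_000_000.0),
       Withdrawal(SAMPLE_START + timedelta(minutes=63), 35_000_000.0)]
)
```

Running `withdrawal_velocity_alerts(SAMPLE_WITHDRAWALS)` flags only the final window, where $75M leaves against a $50k-per-window baseline.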
For Individual Crypto Users
- Do not hold more in any DeFi protocol than you can afford to lose entirely
- Store long-term holdings in hardware wallets with offline key management
- Monitor protocols you use for unusual governance proposals or treasury movements
- Treat protocol-level security bulletins as primary, not social media rumors
What This Means for AI and Security
The Drift attack is the most concrete example yet of AI enabling a new class of threat: the patient, AI-augmented long con. It is no longer adequate to assume that sophisticated social engineering is rare because it requires rare human talent. AI has commoditized the talent component.
Security professionals now face adversaries who can maintain consistent, believable false identities for months, generate technically sophisticated communications, and adapt in real time to security team questions—all with minimal human involvement. The defensive response must shift from identity verification to behavioral monitoring and structural access controls that do not depend on trusting any identity claim at all.
Frequently Asked Questions
How did North Korean hackers steal $270M from Drift?
Suspected North Korean attackers spent over six months posing as a legitimate quantitative trading firm. They built credibility with a $1M+ deposit, held in-person meetings, and used AI-generated personas and communications to infiltrate Drift's systems before ultimately draining $270M from the Solana-based protocol.
What role did AI play in the North Korean crypto attack?
AI enabled the attackers to generate convincing fake identities, craft professional-sounding communications, and maintain consistent personas over months. AI-generated code also lowered the technical barrier for writing sophisticated malware and exploit scripts used in the final attack phase.
Is the Drift Protocol still safe to use after the hack?
Drift Protocol published a detailed post-mortem and has been working to strengthen security. However, any DeFi protocol remains exposed to sophisticated state-sponsored attacks. Users should only hold funds in DeFi that they can afford to lose and use hardware wallets for long-term storage.
What is the total damage from AI-assisted crypto attacks in 2026?
According to Ledger CTO Charles Guillemet, AI-assisted hacks and exploits caused $1.4 billion in crypto losses over the past year. The Drift attack accounts for $270M of this total. North Korea is estimated to have stolen over $1 billion in crypto in 2025 alone to fund its weapons programs.
Sources
- LLM-stats.com: "Drift details how suspected North Korean attackers stole $270M," April 6, 2026
- CoinDesk: "AI is making crypto's security problem even worse, Ledger CTO warns," April 5, 2026
- Chainalysis: North Korea crypto theft estimates, 2025 annual report
- Drift Protocol: official post-mortem, April 2026