North Korea Suspected of Being Behind April Fools' Day Crypto Heist -- WSJ

Dow Jones
Apr 15

By Dasl Yoon

SEOUL -- The largest cryptocurrency heist this year didn't begin with malicious code, but with handshakes.

At a major cryptocurrency conference last fall, members purporting to work at a new quantitative trading firm approached representatives of Drift Protocol, a major player in the world of so-called decentralized finance with roughly half a billion dollars in assets. The two parties then spent months discussing a commercial partnership, both in person and over Telegram.

The relationship ended with the heist of roughly $285 million, according to TRM Labs, a blockchain analytics company that tracks crypto movements and analyzed the hacking episode.

According to Drift, TRM and Elliptic, which also tracks cryptocurrency movements, the likely culprit for the April 1 theft is the crypto world's biggest nemesis: North Korea. Kim Jong Un's cyber army has plundered billions of dollars from the crypto industry in recent years. No other hacking outfit comes close to the amounts stolen by North Korean scams and thieves.

"This is not an April Fools joke," Drift posted on social media on the day of the heist. Trading activity on the platform remains halted.

Drift, which didn't respond to requests for comment, said on social media that it had exchanges with real humans -- with "verifiable professional backgrounds" -- linked to the April 1 attack. It didn't share further details about the cryptocurrency event where they first met or the nationalities of the people they met at conferences.

This example fits a pattern of past thefts by North Korea. The country accounted for 60% of the world's cryptocurrency thefts in 2025, stealing a record $2 billion, according to blockchain analytics firm Chainalysis. That included February 2025's unprecedented $1.5 billion raid of Bybit, one of the world's biggest cryptocurrency exchanges.

What makes Drift's losses so unusual is the depth of North Korea's alleged ruse. Past heists relied more on novel malware and identity fraud, but the April 1 campaign leaned heavily on actual human interaction.

Drift and the false representatives of the trading firm met multiple times face-to-face and held working sessions together. The alleged trading firm even deposited over $1 million of capital on Drift's platform. This would represent a new tactic by the Kim regime, said Nick Carlsen, a former FBI analyst who has investigated North Korea's cyber crimes for years.

"This is not something North Koreans were seen doing before," said Carlsen, who now works at TRM. "It's a new world."

The Kim regime has increasingly turned to illicit crypto earnings to prop up North Korea's economy and help fund its nuclear weapons program.

Pyongyang's cyber operatives are typically identified from a young age, trained at top schools and sent overseas so that they can take advantage of better internet connectivity. For years, North Korean hackers have landed IT work or infiltrated companies by creating spoof social-media accounts, or recruited outsiders to lend their identities for payment.

As a decentralized finance platform, Drift is part of a vast network of cryptocurrency banking that offers near-zero trading fees and high-speed transactions. Drift's platform is based on the Solana blockchain, which allows people to trade cryptocurrencies without any centralized authority overseeing the process. Users need only put up some form of collateral to receive cryptocurrency. Trades occur in milliseconds.

Solana, in a statement following the heist, said it was funding new security initiatives for threat monitoring.

In the case of the suspected North Korea heist, those selling points turned into vulnerabilities. The intermediaries, who blockchain analysts believe to have been deployed by North Korea, now appear to have spent months building fake profiles, including employment histories, in order to evade suspicion. They also appeared to have had deep knowledge about the crypto world. This allowed them to build trust with Drift, the company said.

Weeks before the attack, the North Korean hackers created an illusion of legitimacy by creating a fake token called CarbonVote. They proceeded to buy and sell the token themselves to build a price history that would eventually fool Drift's automated protocols into accepting the fake token as real collateral.

The hackers also hid code that allowed them to withdraw funds without Drift's knowledge.

The hackers then raised withdrawal limits to very high levels on April 1 and conducted 31 withdrawal transactions within minutes, worth hundreds of millions of dollars in total, according to TRM.
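The two behaviours described above, a collateral token whose price history was manufactured by a handful of accounts trading with each other, and a raised withdrawal limit followed within minutes by a burst of large withdrawals, are exactly what a protocol's own monitoring would need to catch. The following Python is an added illustration written for this page; it is not Drift's code, TRM's analysis, or anything the article describes Drift as running. The event schema, the thresholds, the account names and all sample trades and events are constructed assumptions.

```python
"""Two detection heuristics for the behaviours described in the article.

Added illustration, not Drift's code. The Trade/Event schema, thresholds,
account names and sample data below are all constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Trade:
    ts: int         # unix seconds (constructed)
    token: str
    buyer: str
    seller: str
    amount: float   # quote volume in USD (constructed)


@dataclass(frozen=True)
class Event:
    ts: int
    kind: str       # "limit_raised" or "withdrawal" (assumed event names)
    account: str
    amount: float   # new limit for limit_raised, amount moved for withdrawal


def _counterparty_clusters(trades):
    """Union-find over buyer/seller pairs: accounts that only ever trade with
    each other end up in one small component."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path halving
            a = parent[a]
        return a

    for t in trades:
        ra, rb = find(t.buyer), find(t.seller)
        if ra != rb:
            parent[ra] = rb
    members = defaultdict(set)
    for a in list(parent):
        members[find(a)].add(a)
    return members, find


def collateral_history_risk(trades, token, min_accounts=20, max_share=0.5):
    """Score a token's trade history before it is accepted as collateral.

    A history built by a few accounts wash-trading among themselves shows up
    as very few distinct accounts, or as one small cluster carrying most of
    the volume. Thresholds are illustrative assumptions."""
    rows = [t for t in trades if t.token == token]
    if not rows:
        return {"token": token, "distinct_accounts": 0, "flagged": True,
                "reason": "no trade history"}
    members, find = _counterparty_clusters(rows)
    volume = defaultdict(float)
    for t in rows:
        volume[find(t.buyer)] += t.amount
    total = sum(volume.values())
    root, top = max(volume.items(), key=lambda kv: kv[1])
    share = top / total
    distinct = len({a for t in rows for a in (t.buyer, t.seller)})
    self_trades = sum(1 for t in rows if t.buyer == t.seller)
    flagged = (distinct < min_accounts or self_trades > 0
               or (share > max_share and len(members[root]) < min_accounts))
    return {"token": token, "distinct_accounts": distinct,
            "largest_cluster_accounts": len(members[root]),
            "largest_cluster_volume_share": round(share, 3),
            "self_trades": self_trades, "flagged": flagged}


def withdrawal_burst_alerts(events, window=300, min_count=10, min_total=1e6):
    """Flag a limit raise followed by many or large withdrawals within a window."""
    withdrawals = sorted((e for e in events if e.kind == "withdrawal"),
                         key=lambda e: e.ts)
    alerts = []
    for r in (e for e in events if e.kind == "limit_raised"):
        burst = [w for w in withdrawals if r.ts <= w.ts <= r.ts + window]
        total = sum(w.amount for w in burst)
        if len(burst) >= min_count or total >= min_total:
            alerts.append({"limit_raised_at": r.ts, "raised_by": r.account,
                           "new_limit": r.amount, "withdrawals": len(burst),
                           "total": total})
    return alerts


# Constructed sample data. "CarbonVote" is the token name from the article;
# the accounts, amounts and timestamps are made up.
_CV = ["cv1", "cv2", "cv3"]
SAMPLE_TRADES = [Trade(100 + 60 * i, "CarbonVote", _CV[i % 3], _CV[(i + 1) % 3],
                       5000.0 + 100 * i) for i in range(12)]
# A healthy-looking market for comparison: 30 accounts, each trading with two others.
SAMPLE_TRADES += [Trade(100 + 10 * i, "SOL", f"sol{i}", f"sol{(i + k) % 30}",
                        1000.0 + i) for i in range(30) for k in (1, 7)]

SAMPLE_EVENTS = [Event(50 + i, "withdrawal", f"user{i}", 1000.0) for i in range(5)]
SAMPLE_EVENTS += [Event(1000, "limit_raised", "cv1", 1e9)]
SAMPLE_EVENTS += [Event(1000 + 5 * i, "withdrawal", "cv1", 9e6) for i in range(31)]

if __name__ == "__main__":
    print(collateral_history_risk(SAMPLE_TRADES, "CarbonVote"))
    print(collateral_history_risk(SAMPLE_TRADES, "SOL"))
    print(withdrawal_burst_alerts(SAMPLE_EVENTS))
```

Run stand-alone, the constructed CarbonVote history is flagged (three accounts, one cluster carrying all volume) while the 30-account market is not, and the limit raise at t=1000 produces one alert covering 31 withdrawals. The clustering check is deliberately conservative: a genuinely liquid market also forms one big component, so it is the component's size and the number of distinct accounts, not the share alone, that separate wash-traded history from real trading.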

Within hours, most of the stolen funds were moved from the Solana blockchain to another blockchain platform, making it difficult to retrieve the money. "It's unusual that the North Koreans went to this extent," Carlsen said.

By the time the heist happened, the fake traders had already left the Telegram chat with Drift.

Write to Dasl Yoon at dasl.yoon@wsj.com

 

(END) Dow Jones Newswires

Most of the stolen funds were moved from the Solana blockchain to another blockchain platform, making it difficult to retrieve the money. "North Korea Suspected of Being Behind April Fools' Day Crypto Heist," at 10:30 a.m. ET, incorrectly said the movement of the stolen funds made the digital trail difficult to follow and the funds untraceable.


April 15, 2026 13:27 ET (17:27 GMT)

Copyright (c) 2026 Dow Jones & Company, Inc.
