Drift's $280M Hack: A DPRK Setup
Circle’s Institutional Wrapped BTC | Crypto Flows Collapse in Q1 2026

Good Morning,
The largest DeFi hack of 2026 didn't start with a line of malicious code. It started at a crypto conference in fall 2025, where North Korean-linked actors posing as a quant trading firm spent six months building trust with Drift contributors before draining $280M in minutes.
In Today's Email:
What Matters: Drift's $280M Hack: A DPRK Setup 🇰🇵
Product of the Week: Circle’s Institutional Wrapped BTC 👀
Charts: Crypto Flows Collapse in Q1’26
Narratives: Demand Drought

WHAT MATTERS
Drift's $280M Hack: A DPRK Setup

Drift Hack Fund Flow / Source: Elliptic
State of play: Drift Protocol's $280M exploit wasn't a rushed attack; it was a six-month con job that started at a crypto conference and ended with North Korean actors draining the protocol in minutes.
Attackers posed as a quant trading firm, attended multiple crypto conferences, and deposited $1M+ into an Ecosystem Vault to establish credibility.
Two compromise vectors were identified: a malicious repo exploiting a VS Code/Cursor vulnerability, and a fake wallet app via Apple TestFlight.
The exploit used "durable nonces," a legitimate Solana primitive, to pre-sign transactions and seize admin control without exploiting a smart contract bug.
Drift and SEAL 911 assess with "medium-high" confidence the attack ties to UNC4736, the same DPRK-linked group behind the $50M Radiant Capital hack.
The exploit is 2026's largest DeFi hack and Solana's second-largest ever, behind the $325M Wormhole attack in 2022.
Why it matters: DPRK has upgraded from phishing emails to full-scale human intelligence operations, deploying real people at real conferences to compromise real protocols.
Our take: A $1M+ deposit as cover and months of face-to-face relationship building suggest North Korean actors are now willing to burn significant capital and time to stage a single hit.
For builders and investors: Protocols need to treat contributor device hygiene, third-party app installs, and code repository access as critical attack surfaces, not afterthoughts.

PRODUCT OF THE WEEK
Circle’s Institutional Wrapped BTC

Circle is entering the wrapped bitcoin market with cirBTC, pitching it as the neutral, institutional-grade alternative to existing wrapped BTC tokens.
cirBTC will be backed 1:1 by BTC and launch first on Ethereum mainnet and Arc, Circle's own EVM-compatible Layer 1 blockchain.
The token will integrate with Circle Mint, the same issuance platform used for USDC and EURC, targeting OTC desks, market makers, and lending protocols.
Circle is positioning cirBTC as the institutional-grade alternative to wBTC, which lost credibility after Justin Sun-connected entities joined its oversight.
Other cool products:
Nado, a spot, perps & MM all in one CLOB DEX.
Concrete, a full-stack yield infrastructure for DeFi.
Covered Vaults, the first primitive for vault-native risk transfer.
Elixir, a modular blockchain protocol designed to bring liquidity.
mROX, a new onchain investment product built by Midas & Rockaway.

CHARTS OF THE WEEK
Crypto Flows Collapse in Q1 2026

Source: The Block
State of play: JPMorgan estimates digital asset flows hit just $11B in Q1 2026, roughly one-third of the same period last year, with retail and institutional investors largely sitting out.
Total flows tracked an annualized pace of ~$44B, well below 2025's record $130B, with most Q1 inflows driven by corporate treasury buys and crypto VC.
CME futures positioning weakened and spot bitcoin and Ethereum ETFs saw net outflows for the quarter, mostly in January, signaling fading institutional demand.
Strategy remained the dominant corporate buyer, funding purchases through equity issuance, while smaller companies sold holdings to fund buybacks.
Bitcoin miners turned net sellers in Q1, offloading BTC or using it as collateral to manage liquidity and capex, with some pivoting toward AI infrastructure.
Crypto VC stayed resilient, tracking above the annualized pace of the prior two years, though deal count fell as funding concentrated in fewer, larger rounds.
Our take: An $11B quarter propped up by Strategy and VC isn't a healthy market. Retail and institutional flows were flat or negative while headlines celebrated crypto's institutional moment.

ZachXBT Calls Out Circle's Slow Freezes

Source: ZachXBT
State of play: Blockchain sleuth ZachXBT is calling out Circle for dragging its feet on freezing USDC linked to illicit activity, citing 15 cases totaling over $420M including the $280M Drift exploit.
In the Drift case, the attacker bridged ~$232M USDC from SOL to ETH over six hours via Circle's own CCTP bridge across 100+ txs with no funds frozen.
In the Cetus Protocol exploit, Circle blacklisted the theft address a full month after the fact, by which point the USDC had already been converted to ETH.
Circle responded that it freezes assets only "when legally required," citing rule of law and user privacy protections as constraints on faster action.
Our take: Circle's "legally required" defense doesn't hold up when attackers are laundering funds through Circle's own bridge in real time. Waiting for a court order mid-hack isn't compliance, it's negligence.

QUICK BITES
IMF warns tokenized finance could amplify market crises.
Charles Schwab opens waitlist for direct BTC and ETH trading.
JPMorgan estimates digital asset flows hit just $11B in Q1 2026.
Crypto attorney says Drift incident may qualify as 'civil negligence.'
Tether may delay fundraising if demand falls short at $500B valuation.
Circle unveils quantum-resistant roadmap for its layer-1 blockchain Arc.
Polymarket pulls controversial Iran rescue markets after intense backlash.
Drift links $280M exploit to social engineering op run by North Korean actors.

Disclaimer: All the information presented in this publication and its affiliates is strictly for educational purposes only. It should not be construed or taken as financial, legal, investment, or any other form of advice.