Ledger CTO Drift attack Bybit hack comparisons are shaping the response to Drift Protocol’s exploit, but the verified record is narrower: Drift says an attacker used a novel durable-nonce path to seize Security Council administrative powers and force an emergency halt on deposits and withdrawals. That makes the story less about a confirmed nation-state attribution than about whether a repeatable signer-compromise playbook is spreading across crypto governance systems.
KEY POINTS
- Drift has confirmed an administrative takeover using durable nonces, not a smart-contract bug.
- The Bybit comparison matters because official Bybit materials already point to signer and transaction-review compromise.
- A North Korea link for Drift remains unconfirmed even though Bybit was formally attributed to DPRK actors.
Why Ledger’s CTO Linked the Drift Attack to the Bybit Hack
What Drift has actually confirmed
On April 1, 2026, Drift said it was under active attack and suspended deposits and withdrawals, establishing that the first confirmed response was an operational freeze rather than a quick patch.
By April 2, 2026, the protocol said a malicious actor had used a novel attack involving durable nonces to gain unauthorized access and rapidly take over Security Council administrative powers. That detail matters because it points investigators toward signer workflow, permissions, and transaction approval paths instead of ordinary contract logic.
$136 million to $285 million is the loss range cited by TechCrunch from public blockchain data and security researchers, which is why the exploit immediately spilled into the broader DeFi risk discussion covered in earlier coverage of the Drift exploit’s DeFi fallout.
Why the comparison matters beyond one protocol
Safe’s incident statement said the Bybit attack was achieved through a compromised Safe Wallet developer machine that led to the proposal of a disguised malicious transaction. That is the closest authoritative description of the Bybit method in the evidence set, and it shows why claims about a matching tactic focus on operator workflows rather than chain-specific code.
The FBI’s IC3 said North Korea was responsible for the theft of approximately $1.5 billion in virtual assets from Bybit on or about February 21, 2025. That formal attribution is what raises the stakes when any new exploit is described as using a Bybit-like path, and it also overlaps with the transaction-review concerns highlighted in the criticism of Circle’s Drift exploit response.
What the Possible North Korean Link Means
Keep the attribution bar high
According to a single secondary report, Ledger CTO Charles Guillemet said the tactic looked similar to the 2025 Bybit hack and resembled DPRK-linked tradecraft, but that remains an unverified claim in this run because the original post was not directly fetched.
The verified evidence here contains no public attribution from Drift, law enforcement, or a named security firm tying the exploit to North Korea as of April 2, 2026. The stronger, defensible reading is that Drift has confirmed the attack path, while the attacker identity is still an open question.
That distinction matters because Drift’s official statement describes an administrative takeover via durable nonces, while Bybit’s official incident materials describe a compromised developer machine and a disguised malicious transaction. Similar operational symptoms can justify tighter signer controls, but they do not by themselves prove the same operator.
What traders and builders should watch next
Readers should watch for fresh exchange statements, named forensic reports, and whether on-chain investigators narrow the reported loss range beyond $136 million to $285 million. For traders, that uncertainty arrived in the same defensive tape discussed in the April 1 spot Bitcoin ETF outflow wave.
Ethereum, the asset researchers said the exploiter was accumulating after the breach, traded near $2,056.87 with a market cap around $248.3 billion during the reporting window, showing that the incident hit while large-cap crypto was already under pressure.
For the AI-crypto stack, Drift’s description of seized administrative powers is the real warning signal. Compute-market DAOs, agent treasuries, and model-governance wallets often depend on the same signer choreography, so this incident reinforces that operational security can fail before protocol code does.
Disclaimer: This article is for informational purposes only and is not financial advice.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.
