Twelve Minutes on April Fool's Day
The alarm at Drift Protocol's operations center did not trigger immediately. The attackers were patient — methodical in a way that reflected months of preparation. By the time engineers realized what was happening, $285 million in user assets had been drained from the Solana-based perpetuals exchange. It was April 1, 2026.
The theft was widely assessed as state-backed, with public reporting pointing to a likely DPRK nexus, though no definitive public attribution had been confirmed by the time of publication. The attack was highly coordinated and months in preparation. The final mechanism appears to have exploited a durable-nonce vulnerability in Drift's upgrade authorization chain; the Security Council, the protocol's last line of defense, was compromised before any external alarm could trigger. Within hours, most of the stolen funds had been bridged to Ethereum.
It was the second-largest exploit in Solana's history and the largest DeFi hack of 2026. As a major state-backed crypto theft with a likely DPRK nexus, it was also an operation that would encounter something North Korea has not historically faced in Southeast Asia: a genuine institutional defense.
Where the Money Goes
North Korea's post-theft playbook is well-documented. Stolen funds are bridged across chains to break the transaction trail, layered through mixers and decentralized exchanges, then converted to fiat through Southeast Asian shadow banking networks. The Huione Group — a Cambodia-based financial conglomerate designated by FinCEN in May 2025 — received at least $37.6 million from DPRK-attributed heists. Vietnam and Laos host informal broker networks that convert crypto to fiat through chains of transactions that leave almost no paper trail, a method investigators call mirror payments. In March 2026, OFAC sanctioned six individuals and two entities tied to North Korean IT worker fraud networks operating across Vietnam, Laos, and Spain — part of the same broader DPRK revenue-generation ecosystem, even if separate from any single heist.
Cambodia, Myanmar, and the Mekong corridor remain open. Singapore and Kuala Lumpur have each introduced meaningful friction — the compliance architecture described below represents a genuine change in the risk calculus — but neither corridor can yet be described as closed.
A structural caveat applies. State actors of DPRK's sophistication rarely enter regulated corridors at all — the Drift funds moved through Hyperliquid and on-chain mixers before any fiat conversion, and Circle did not freeze relevant USDC addresses in time. COSMIC and the Travel Rule address the off-ramp; they do not reach unregulated on-chain infrastructure. The deeper unknown is how many shadow banking networks operate behind a Malaysian or Singaporean front — quietly bridging on-chain proceeds to the Mekong corridor without ever touching a licensed exchange.
Malaysia's Compliance Perimeter
The Securities Commission Malaysia and Bank Negara Malaysia have, over the past three years, built a digital asset regulatory framework more substantive than the region's reputation suggests.
The foundation is strict. In June 2024, the Securities Commission revised its AML/CFT guidelines to apply Travel Rule-equivalent wire-transfer requirements to all digital asset service providers in the capital-market regime — with no de minimis threshold. Every transfer, regardless of size, requires full originator and beneficiary information. Most jurisdictions permit small transactions to pass without identification requirements. Malaysia does not. That distinction matters because DPRK-linked operations routinely use high volumes of small transactions to obscure fund flows.
The Securities Commission added Counter-Proliferation Financing obligations to its revised AML/CFT/CPF guidelines in June 2024 — an explicit recognition that the threat is not domestic organized crime but foreign state actors. Capital-market reporting institutions, including digital asset exchanges, are now required to screen against state-actor typologies specifically, not just retail criminal patterns. (Digital assets in Malaysia are regulated as capital-market instruments by the SC, not as payment instruments by Bank Negara.)
The SC has demonstrated a willingness to enforce. In December 2024, it reprimanded Bybit Technology Limited and personally sanctioned its CEO for operating an unregistered digital asset exchange in Malaysia, directing a complete shutdown within 14 business days. The signal was clear: the world's largest unregistered exchanges are not exempt from Malaysian jurisdiction because their servers sit elsewhere.
FATF conducted its first on-site mutual evaluation of Malaysia since 2015 in February 2025. The plenary adopted the report in October 2025, with publication following in December 2025. The evaluation found the country had "significantly strengthened its defences against illicit finance," rating it compliant on 24 of FATF's 40 Recommendations and largely compliant on 16 more. One gap was noted plainly: Malaysia still struggles to translate financial crime investigations into prosecutions and convictions. The framework exists; the courtroom machinery has not yet caught up.
Singapore's Intelligence Layer
Where Malaysia has focused on the compliance perimeter, Singapore has invested in the intelligence architecture above it.
On April 1, 2024, MAS launched COSMIC — Collaborative Sharing of Money Laundering/Terrorism Financing Information and Cases — linking six of Singapore's largest commercial banks: DBS, OCBC, UOB, Standard Chartered, Citibank, and HSBC, collectively representing more than 90 percent of Singapore's SME commercial banking market. COSMIC allows these institutions to share, in near-real-time, information on customers exhibiting financial crime red flags that would fall below any single bank's alert threshold. The underlying logic is direct: financial criminals exploit information silos by distributing activity across institutions. COSMIC collapses those silos. Proliferation financing is one of three designated risk categories the platform covers from launch.
In June 2025, MAS tightened its licensing regime for digital token service providers, announcing that licences would be issued in "extremely limited circumstances" and explicitly citing unresolved AML and counter-terrorism financing concerns. Violations carry fines of S$200,000 and criminal jail terms. MAS has signaled it plans to extend some COSMIC sharing obligations from voluntary to mandatory and progressively expand coverage to additional institutions.
In 2019, RUSI warned that Southeast Asia was acutely vulnerable to North Korean cryptocurrency exploitation and identified gaps in regional regulatory frameworks as the primary risk factor. Seven years later, the two most sophisticated financial centers in the region have independently built the compliance architecture that report said was missing. That is not a posture. It is infrastructure.
Where This Goes
The Drift hack will accelerate regulatory timelines across the region. $285 million stolen by a state actor in twelve minutes makes it politically impossible for any serious financial center to treat DeFi oversight as a second-tier concern.
For Malaysia, the immediate pressure falls on the prosecution gap. A compliance perimeter that cannot produce convictions is a deterrent without consequences. The SC and BNM have built the intake machinery; the Attorney General's Chambers and the courts must demonstrate they can act on the referrals it generates. FATF's three-year roadmap provides the external accountability mechanism — Malaysia's next review will be a direct measure of whether the framework translated into outcomes.
For Singapore, the next milestone is COSMIC's mandatory extension. Voluntary sharing among six banks is a proof of concept. Mandatory sharing across the full licensed financial sector — VASPs included — would close the remaining information gaps that sophisticated actors still exploit.
The broader question is whether Malaysia and Singapore's example pulls the rest of the region forward, or remains an island of compliance in a corridor that North Korea continues to use freely. Cambodia's Huione Group was designated in 2025 and continues to operate. Myanmar and Laos remain structurally open. The stolen funds from Drift will find the path of least resistance — and in Southeast Asia, that path still exists. What has changed is that Singapore and Kuala Lumpur now impose real friction: compliance obligations, active enforcement, and cross-institutional intelligence sharing that did not exist at this scale a decade ago. That is not the same as closure, but for a region that spent years being warned it was the weakest link, it is a meaningful shift in the right direction.
Layer 7 Ventures is a research-driven firm focused on AI and cryptocurrency in Southeast Asia. Views expressed are those of the firm and do not constitute investment advice.



