Solana-based DEX Drift confirms $285M loss through sophisticated social engineering attack involving durable nonces and multisig manipulation, with North Korean threat actors suspected.
Solana-based decentralized exchange Drift has confirmed that attackers drained about $285 million from the platform during a security incident that took place on April 1, 2026. The attack represents one of the largest cryptocurrency heists of the year and highlights the evolving sophistication of North Korean cyber operations targeting the Web3 sector.
The Attack Vector
According to Drift's official statements on X, the malicious actor gained unauthorized access through a novel attack involving durable nonces, resulting in a rapid takeover of the platform's Security Council administrative powers. The company described it as "a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution."
Drift emphasized that the attack did not exploit a vulnerability in its programs or smart contracts, and there is no evidence of compromised seed phrases. Instead, the breach involved "unauthorized or misrepresented transaction approvals obtained prior to execution, likely facilitated through durable nonce mechanisms and sophisticated social engineering."
How the Attack Unfolded
Threat actors obtained sufficient multi-signature (multisig) approvals and executed a malicious admin transfer within minutes to gain control of protocol-level permissions. They then leveraged this access to "introduce a malicious asset and remove all pre-set withdrawal limits, attacking existing funds."
A timeline of events shared by Drift revealed that preparations for the hack were underway as early as March 23, 2026. The attackers' strategy involved manufacturing an entirely fictitious asset—CarbonVote Token—with a few thousand dollars in seeded liquidity and wash trading. Drift's oracles treated this fabricated token as legitimate collateral worth hundreds of millions of dollars.
North Korean Attribution
Multiple blockchain intelligence firms have identified on-chain indicators suggesting North Korean crypto thieves may be behind the heist. Both Elliptic and TRM Labs reported that the attack exhibited patterns consistent with previous operations attributed to North Korean threat actors.
Key indicators include:
- Use of Tornado Cash for initial staging
- Cross-chain bridging patterns
- Speed and scale of post-hack laundering
- The CarbonVote Token deployment at 09:30 Pyongyang time
TRM Labs noted that the critical vulnerability was "not a smart contract bug but a combination of social engineering multisig signers into pre-signing hidden authorizations and a zero-timelock Security Council migration that eliminated the protocol's last line of defense."
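The two mechanisms named above, pre-signed durable-nonce transactions (the "How the Attack Unfolded" section) and the absence of a timelock on the Security Council migration (TRM Labs' point), are both things a signing tool and a multisig policy can check for. The following is an added example, not Drift's code or any Security Council tooling: it shows, on an already-decoded Solana legacy message, how a signer can recognise that a transaction uses a durable nonce (its first instruction is the System Program's `AdvanceNonceAccount`, instruction index 4 encoded as a little-endian u32, which means the signature never expires), flag instructions aimed at privileged programs, and gate admin proposals behind a minimum delay. The `Message`/`Instruction` dataclasses, the placeholder program id `DriftAdminProgram...` and the `TimelockedMultisig` class are assumptions for illustration; the System Program id and instruction index are real.

```python
# Added example (not Drift's code): signing-time checks a multisig signer
# could run before approving a Solana transaction, plus a minimal timelocked
# multisig gate. Only the System Program id and the AdvanceNonceAccount
# index are real Solana values; everything else is a constructed placeholder.
import struct
from dataclasses import dataclass, field

SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4  # System Program instruction index, u32 little-endian


@dataclass
class Instruction:
    program_id: str   # base58 program id
    accounts: list    # base58 account keys referenced by the instruction
    data: bytes       # raw instruction data


@dataclass
class Message:
    recent_blockhash: str  # for a durable-nonce tx this is the stored nonce value
    instructions: list


def uses_durable_nonce(msg: Message) -> bool:
    """True when the first instruction is System Program AdvanceNonceAccount.

    That is the wire-level signature of a durable-nonce transaction: the
    recent_blockhash field then holds a nonce rather than a real blockhash,
    so the signed transaction does not expire and can be held for later."""
    if not msg.instructions:
        return False
    first = msg.instructions[0]
    if first.program_id != SYSTEM_PROGRAM or len(first.data) < 4:
        return False
    return struct.unpack_from("<I", first.data, 0)[0] == ADVANCE_NONCE_ACCOUNT


def review_for_signing(msg: Message, privileged_programs: set) -> tuple:
    """Return (verdict, findings) for a signer to read before approving."""
    findings = []
    durable = uses_durable_nonce(msg)
    if durable:
        findings.append("DURABLE_NONCE: signature stays valid indefinitely; "
                        "execution can be delayed to a moment of the holder's choosing")
    privileged = [i for i, ix in enumerate(msg.instructions)
                  if ix.program_id in privileged_programs]
    for i in privileged:
        findings.append(f"PRIVILEGED_PROGRAM: instruction {i} targets "
                        f"{msg.instructions[i].program_id}")
    # A non-expiring signature over an admin-level instruction is exactly the
    # combination described in the incident; require out-of-band confirmation.
    verdict = "BLOCK" if (durable and privileged) else ("WARN" if findings else "OK")
    return verdict, findings


@dataclass
class Proposal:
    pid: int
    msg: Message
    created_at: int                        # unix seconds
    approvals: set = field(default_factory=set)


class TimelockedMultisig:
    """Admin proposals need `threshold` approvals AND `min_delay` seconds
    after creation before execution, so a burst of approvals cannot be
    turned into an admin transfer within minutes."""

    def __init__(self, members, threshold: int, min_delay: int):
        self.members, self.threshold, self.min_delay = set(members), threshold, min_delay
        self.proposals = {}

    def propose(self, pid: int, msg: Message, now: int) -> None:
        self.proposals[pid] = Proposal(pid, msg, now)

    def approve(self, pid: int, member: str) -> None:
        if member not in self.members:
            raise PermissionError(f"{member} is not a council member")
        self.proposals[pid].approvals.add(member)

    def can_execute(self, pid: int, now: int) -> tuple:
        p = self.proposals[pid]
        if len(p.approvals) < self.threshold:
            return False, "insufficient approvals"
        if now < p.created_at + self.min_delay:
            return False, "timelock not elapsed"
        return True, "ok"


# Constructed sample inputs (placeholder keys, not real accounts).
ADMIN_PROGRAM = "DriftAdminProgramPLACEHOLDER1111111111111111"
NONCE_ADVANCE = Instruction(SYSTEM_PROGRAM,
                            ["NonceAcctPLACEHOLDER", "SysvarRecentB1ockHashes11111111111111111111",
                             "NonceAuthorityPLACEHOLDER"],
                            struct.pack("<I", ADVANCE_NONCE_ACCOUNT))
ADMIN_TRANSFER = Instruction(ADMIN_PROGRAM, ["NewAdminPLACEHOLDER"], b"\x01")
PRESIGNED_ADMIN_TX = Message("NonceValuePLACEHOLDER", [NONCE_ADVANCE, ADMIN_TRANSFER])
PLAIN_TRANSFER_TX = Message("RecentBlockhashPLACEHOLDER",
                            [Instruction(SYSTEM_PROGRAM, [], struct.pack("<I", 2))])

if __name__ == "__main__":
    print(review_for_signing(PRESIGNED_ADMIN_TX, {ADMIN_PROGRAM}))
    print(review_for_signing(PLAIN_TRANSFER_TX, {ADMIN_PROGRAM}))
    council = TimelockedMultisig(["a", "b", "c"], threshold=2, min_delay=86400)
    council.propose(1, PRESIGNED_ADMIN_TX, now=1_000_000)
    council.approve(1, "a"); council.approve(1, "b")
    print(council.can_execute(1, now=1_000_060))      # (False, 'timelock not elapsed')
    print(council.can_execute(1, now=1_000_000 + 86400))  # (True, 'ok')
```

A real signer would decode the serialized transaction (compact-array lengths, account-key table) before applying these checks; the point of the example is that the durable-nonce marker is visible to anyone who inspects the first instruction, and that a non-zero `min_delay` gives the council a window to notice an unexpected admin transfer even after the threshold of signatures has been collected.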
Broader Context of DPRK Operations
If confirmed, this incident would represent the eighteenth DPRK-linked cryptocurrency theft tracked by Elliptic since the start of 2026, with more than $300 million stolen to date. The North Korean cryptoasset theft operation is estimated to have netted a record $2 billion in 2025, with approximately $1.46 billion originating from the Bybit hack in February 2025.
The U.S. government has linked these operations to funding North Korea's weapons programs. Elliptic stated that "DPRK-linked actors are believed to have stolen over $6.5 billion dollars in cryptoassets in recent years."
Social Engineering as Primary Attack Vector
The primary initial access pathway for these attacks remains social engineering, leveraging persuasive personas and decoys to target the cryptocurrency and Web3 sectors. Campaigns tracked as DangerousPassword (aka CageyChameleon, CryptoMimic, and CryptoCore) and Contagious Interview have been particularly effective.
As of late February 2026, the combined gains from these twin campaigns total $37.5 million for the year. Elliptic warned that "the evolution of the DPRK's social engineering techniques, combined with the increasing availability of AI to refine and perfect these methods, means the threat extends well beyond exchanges. Individual developers, project contributors and anyone with access to cryptoasset infrastructure is a potential target."
Related North Korean Activity
The Drift attack coincides with the supply chain compromise of the popular Axios npm package, which multiple security vendors including Google, Microsoft, CrowdStrike, and Sophos have attributed to a North Korean hacking group called UNC1069. This group overlaps with BlueNoroff, CryptoCore, Nickel Gladstone, Sapphire Sleet, and Stardust Chollima.
Sophos stated that "this state-sponsored group focuses on generating revenue for the North Korean regime," citing identical forensic metadata, command-and-control patterns, and connections to malware exclusively used by Nickel Gladstone.
Response and Recovery Efforts
Drift has confirmed it is coordinating with multiple security firms to determine the cause of the incident and is working with bridges, exchanges, and law enforcement to trace and freeze the stolen assets. The scale and sophistication of this attack underscore the growing challenges facing decentralized finance platforms as they become increasingly targeted by state-sponsored threat actors.
The incident serves as a stark reminder that even sophisticated DeFi protocols remain vulnerable to social engineering attacks, particularly when combined with technical mechanisms like durable nonces that can obscure malicious intent until execution.