$285M Stolen from Drift in Durable Nonce Social Engineering Campaign Tied to North Korea

Solana‑based decentralized exchange Drift has confirmed that attackers siphoned approximately $285 million from the platform during a major security incident on April 1, 2026.

In a series of public statements, Drift explained that a malicious actor gained unauthorized access through an advanced attack that abused durable nonce accounts, allowing the attacker to effectively seize administrative control of the protocol’s Security Council.

“Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers,” the company stated.

“This was a highly sophisticated operation that appears to have involved weeks of preparation and a staged execution, including the use of durable nonce accounts to pre‑sign transactions that delayed execution.”

Drift emphasized that the breach did not stem from a vulnerability in its smart contracts or protocol code, nor was there evidence that private keys or seed phrases were compromised. Instead, the incident involved deceptive transaction approvals obtained prior to execution, likely enabled through a combination of durable nonce mechanisms and elaborate social‑engineering tactics.

According to the company, the attackers secured enough multisignature approvals to execute a malicious administrative transfer, granting themselves protocol‑level permissions. With that access, they were able to introduce a fabricated asset and eliminate existing withdrawal limits, enabling the rapid drainage of funds.

A timeline shared by Drift indicates that preparatory activity may have begun as early as March 23, 2026. The company said it is collaborating with multiple security firms and working alongside bridges, exchanges, and law enforcement agencies to trace and potentially freeze the stolen assets.

Analysis from PIF Research Labs shows that the asset drain occurred with extreme speed. The firm reported that the vaults were emptied in roughly 10 seconds, from the first major withdrawal to the final transfer.

Independent investigations by Elliptic and TRM Labs have identified on‑chain evidence suggesting the attack may be linked to North Korean state‑aligned threat actors. Indicators include the use of Tornado Cash for transaction staging, familiar cross‑chain laundering techniques, and the velocity and scale of post‑exploitation activity, patterns consistent with previous DPRK‑attributed crypto thefts, including the 2025 Bybit exploit.

TRM Labs concluded that the core weakness was not a software flaw but a convergence of human and procedural failures.

“The critical vulnerability was not a smart‑contract bug, but the social‑engineering of multisig signers into pre‑signing hidden authorizations, combined with a zero‑timelock Security Council migration that removed the protocol’s final safeguard,” the firm said.
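The two failure points described above and in the Drift statements, pre‑signed durable‑nonce transactions and administrative changes approved without a timelock, are both visible to a signer before a signature is produced, provided the signer inspects the raw message rather than a wallet summary. The following is an added example written for this article, not code from Drift, TRM Labs, or Elliptic. It parses a Solana legacy transaction message using the documented wire layout (header, compact‑u16 counts, 32‑byte account keys, a 32‑byte blockhash field, then instructions), detects a durable‑nonce transaction by the rule that its first instruction is the System Program's AdvanceNonceAccount (instruction index 4), and returns what a multisig signer's review tooling should surface. The account keys, the governance program placeholder, and the instruction payloads are constructed for the example and are not real addresses or real protocol data.

```python
"""Signer-side review of a Solana legacy transaction message (added example).

A durable-nonce transaction carries SystemProgram::AdvanceNonceAccount as its
first instruction, and its "recent blockhash" field holds the stored nonce
value instead of a real blockhash, so the signed transaction never expires.
That is exactly the property a signer should be warned about before approving.
Sample keys and payloads below are constructed, not real on-chain values.
"""
import struct

SYSTEM_PROGRAM_ID = bytes(32)   # base58 "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4       # System Program instruction enum index
TRANSFER = 2                    # System Program instruction enum index


def encode_compact_u16(n: int) -> bytes:
    """Solana compact-u16: 7 data bits per byte, high bit = continuation."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        if n == 0:
            out.append(byte)
            return bytes(out)
        out.append(byte | 0x80)


def decode_compact_u16(buf: bytes, pos: int) -> tuple[int, int]:
    value, shift = 0, 0
    while shift <= 14:                       # at most 3 bytes
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
    raise ValueError("compact-u16 longer than 3 bytes")


def take(buf: bytes, pos: int, n: int) -> tuple[bytes, int]:
    """Slice exactly n bytes; a short slice would silently hide truncation."""
    if pos + n > len(buf):
        raise ValueError("message truncated")
    return buf[pos:pos + n], pos + n


def parse_message(msg: bytes) -> dict:
    if msg and msg[0] & 0x80:
        raise ValueError("versioned (v0) message: not handled here")
    header, pos = take(msg, 0, 3)             # signers, ro-signed, ro-unsigned
    n_keys, pos = decode_compact_u16(msg, pos)
    keys = []
    for _ in range(n_keys):
        key, pos = take(msg, pos, 32)
        keys.append(key)
    blockhash_or_nonce, pos = take(msg, pos, 32)   # nonce value if durable
    n_ix, pos = decode_compact_u16(msg, pos)
    instructions = []
    for _ in range(n_ix):
        raw, pos = take(msg, pos, 1)
        n_accts, pos = decode_compact_u16(msg, pos)
        idxs, pos = take(msg, pos, n_accts)
        data_len, pos = decode_compact_u16(msg, pos)
        data, pos = take(msg, pos, data_len)
        instructions.append({"program": keys[raw[0]],
                             "accounts": [keys[i] for i in idxs],
                             "data": data})
    if pos != len(msg):
        raise ValueError("trailing bytes after message")
    return {"num_signers": header[0], "keys": keys,
            "blockhash_or_nonce": blockhash_or_nonce, "instructions": instructions}


def uses_durable_nonce(parsed: dict) -> bool:
    """True when instruction 0 is SystemProgram::AdvanceNonceAccount."""
    if not parsed["instructions"]:
        return False
    first = parsed["instructions"][0]
    return (first["program"] == SYSTEM_PROGRAM_ID and len(first["data"]) >= 4
            and struct.unpack("<I", first["data"][:4])[0] == ADVANCE_NONCE_ACCOUNT)


def review_for_signing(msg: bytes) -> dict:
    """What a multisig signer should see before approving: is the approval
    pre-signable (durable nonce), which nonce account, and what gets invoked."""
    parsed = parse_message(msg)
    durable = uses_durable_nonce(parsed)
    ixs = parsed["instructions"][1:] if durable else parsed["instructions"]
    return {"durable_nonce": durable,
            "nonce_account": parsed["instructions"][0]["accounts"][0] if durable else None,
            "programs_invoked": [ix["program"] for ix in ixs],
            "hold": durable}   # policy: durable-nonce approvals need a second review


def build_message(keys, blockhash, instructions, num_signers=1) -> bytes:
    """Serialize a legacy message; used only to construct the samples."""
    out = bytearray([num_signers, 0, 0]) + encode_compact_u16(len(keys))
    for k in keys:
        out += k
    out += blockhash + encode_compact_u16(len(instructions))
    for prog_idx, acct_idxs, data in instructions:
        out += bytes([prog_idx]) + encode_compact_u16(len(acct_idxs)) + bytes(acct_idxs)
        out += encode_compact_u16(len(data)) + data
    return bytes(out)


# Constructed sample accounts (not real addresses).
SIGNER, NONCE_ACCOUNT = bytes([0xA1]) * 32, bytes([0xB2]) * 32
RECENT_BLOCKHASHES_SYSVAR, GOVERNANCE_PROGRAM = bytes([0xC3]) * 32, bytes([0xD4]) * 32
KEYS = [SIGNER, NONCE_ACCOUNT, RECENT_BLOCKHASHES_SYSVAR, SYSTEM_PROGRAM_ID, GOVERNANCE_PROGRAM]

# Durable-nonce message: AdvanceNonceAccount(nonce, sysvar, authority), then a governance call.
DURABLE_MSG = build_message(KEYS, bytes([0xEE]) * 32, [
    (3, [1, 2, 0], struct.pack("<I", ADVANCE_NONCE_ACCOUNT)),
    (4, [0], b"set-authority"),          # constructed placeholder payload
])
# Ordinary message: a plain SystemProgram::Transfer bound to a recent blockhash.
PLAIN_MSG = build_message(KEYS, bytes([0x0F]) * 32, [
    (3, [0, 1], struct.pack("<IQ", TRANSFER, 1_000)),
])

if __name__ == "__main__":
    for name, m in (("durable", DURABLE_MSG), ("plain", PLAIN_MSG)):
        print(name, review_for_signing(m))
```

The check is deliberately structural: it keys off the instruction layout the runtime itself uses to recognise a durable‑nonce transaction, so it cannot be defeated by a misleading UI label. Pairing a `hold` on such approvals with a mandatory timelock on Security Council migrations would have reintroduced the two safeguards TRM Labs describes as missing.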

Investigators also found that the attackers introduced a fraudulent asset, dubbed CarbonVote Token, seeded with minimal liquidity and boosted through wash trading. Drift’s oracle systems then treated the token as legitimate collateral valued in the hundreds of millions of dollars. Blockchain intelligence suggests the token was deployed at 09:30 Pyongyang local time, a detail cited as further circumstantial evidence pointing to DPRK involvement.

Elliptic noted that if attribution is confirmed, the Drift incident would mark the eighteenth North Korean crypto theft recorded so far this year, with more than $300 million stolen in 2026 alone.

“This incident reflects the DPRK’s sustained and expanding campaign of large‑scale cryptoasset theft,” Elliptic said. “These operations have been directly linked by the U.S. government to funding North Korea’s weapons programs.”

Analysts estimate that North Korea‑linked actors stole $2 billion in cryptoassets in 2025, including approximately $1.46 billion from the Bybit hack in February of that year.

Social engineering continues to serve as the primary initial access vector for these operations. Threat actors typically deploy polished personas and lures targeting developers, founders, and administrators in the Web3 ecosystem through campaigns tracked as DangerousPassword (also known as CageyChameleon, CryptoMimic, and CryptoCore) and Contagious Interview. Combined, these campaigns have generated $37.5 million in illicit gains so far in 2026.

Elliptic cautioned that North Korea’s crypto theft activity represents a coordinated and evolving strategy rather than isolated events.

“The DPRK’s cryptocurrency operations are becoming more sophisticated and more scalable,” the firm warned. “With social engineering techniques advancing and AI increasingly being used to refine these attacks, the risk extends beyond exchanges to individual developers, contributors, and anyone with privileged access to crypto infrastructure.”

The disclosure comes amid a broader wave of North Korea‑linked activity, including the recent supply‑chain compromise of the Axios npm package. Multiple vendors, among them Google, Microsoft, CrowdStrike, and Sophos, have attributed that incident to UNC1069, a hacking group overlapping with known DPRK clusters such as BlueNoroff, CryptoCore, Nickel Gladstone, Sapphire Sleet, and Stardust Chollima.

Sophos stated that forensic artifacts, command‑and‑control patterns, and malware reuse strongly suggest that Nickel Gladstone was responsible for the Axios compromise, reinforcing concerns about the group’s continued focus on revenue generation for the North Korean regime.

Cybersecurity Insight delivers timely updates on global cybersecurity developments, including recent system breaches, cyber-attacks, advancements in artificial intelligence (AI), and emerging technology innovations. Our goal is to keep readers well-informed about the latest trends in technology and system security, and how these changes impact our lives and the broader ecosystem.