
Solana-based decentralized exchange Drift has admitted that attackers exfiltrated approximately $285 million from its platform during a security incident that occurred on April 1, 2026.
“Earlier today, a malicious actor gained unauthorized access to the Drift protocol through a new attack involving a persistent nonce, resulting in a rapid takeover of Drift’s Security Council administrative authority,” the company said in a series of posts on X.
“This appears to have been a highly sophisticated operation, involving weeks of preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution.”
Drift noted that the attack did not exploit any vulnerabilities in the program or smart contracts, and there was no evidence that the seed phrase was compromised. Rather, the breach “involved unauthorized or false transaction authorizations obtained prior to execution, likely facilitated by durable nonce mechanisms and sophisticated social engineering.”
With those pre-obtained signatures in hand, the attackers held sufficient multi-signature (multisig) authorizations and, within minutes, executed a malicious admin transfer that gave them protocol-level permissions, which they ultimately used to “introduce malicious assets, remove any pre-configured withdrawal limits, and attack existing funds.”
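The mechanism Drift describes, pre-signing with a durable nonce so that a transaction can be held and submitted later, is visible in the transaction itself. As an added example (not code from Drift or from the analysts quoted here), the following Python shows the check a multisig signer could run on a serialized legacy Solana message before signing it: a durable-nonce transaction must carry the System Program's AdvanceNonceAccount as its first instruction, and once signed it does not expire the way a recent-blockhash transaction does after roughly 150 slots. The message layout, compact-u16 encoding, System Program ID (32 zero bytes) and instruction index 4 are Solana's documented wire format; every account key and the sample payload instruction below are constructed placeholders.

```python
"""Signer-side review of a legacy Solana message: flag durable-nonce transactions."""
import struct
from dataclasses import dataclass

# The System Program's key is 32 zero bytes ("11111111111111111111111111111111" in base58).
SYSTEM_PROGRAM_ID = bytes(32)
# SystemInstruction::AdvanceNonceAccount is enum variant 4, serialized as a little-endian u32.
ADVANCE_NONCE_ACCOUNT_DATA = struct.pack("<I", 4)


def encode_compact_u16(n: int) -> bytes:
    """Solana's compact-u16 (shortvec): 7 payload bits per byte, high bit = continuation."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def decode_compact_u16(buf: bytes, pos: int) -> tuple[int, int]:
    """Return (value, position after the encoding)."""
    value, shift = 0, 0
    while True:
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 14:
            raise ValueError("compact-u16 longer than 3 bytes")


@dataclass
class Instruction:
    program_id_index: int      # index into Message.account_keys
    account_indexes: list[int]
    data: bytes


@dataclass
class Message:
    num_required_signatures: int
    num_readonly_signed: int
    num_readonly_unsigned: int
    account_keys: list[bytes]  # signers first, writable before read-only
    recent_blockhash: bytes    # for a durable-nonce tx this is the nonce account's stored value
    instructions: list[Instruction]


def compile_message(msg: Message) -> bytes:
    """Serialize in the legacy message layout (header, keys, blockhash, instructions)."""
    out = bytearray([msg.num_required_signatures, msg.num_readonly_signed, msg.num_readonly_unsigned])
    out += encode_compact_u16(len(msg.account_keys)) + b"".join(msg.account_keys)
    out += msg.recent_blockhash + encode_compact_u16(len(msg.instructions))
    for ix in msg.instructions:
        out.append(ix.program_id_index)
        out += encode_compact_u16(len(ix.account_indexes)) + bytes(ix.account_indexes)
        out += encode_compact_u16(len(ix.data)) + ix.data
    return bytes(out)


def parse_message(buf: bytes) -> Message:
    if buf[0] & 0x80:  # versioned messages prefix a byte with the high bit set
        raise ValueError("versioned message; this parser handles legacy messages only")
    pos = 3
    nkeys, pos = decode_compact_u16(buf, pos)
    keys = [buf[pos + 32 * i: pos + 32 * (i + 1)] for i in range(nkeys)]
    pos += 32 * nkeys
    blockhash, pos = buf[pos:pos + 32], pos + 32
    nix, pos = decode_compact_u16(buf, pos)
    instructions = []
    for _ in range(nix):
        prog, pos = buf[pos], pos + 1
        nacc, pos = decode_compact_u16(buf, pos)
        accs, pos = list(buf[pos:pos + nacc]), pos + nacc
        dlen, pos = decode_compact_u16(buf, pos)
        data, pos = buf[pos:pos + dlen], pos + dlen
        instructions.append(Instruction(prog, accs, data))
    if pos != len(buf):
        raise ValueError("trailing bytes after message")
    return Message(buf[0], buf[1], buf[2], keys, blockhash, instructions)


def uses_durable_nonce(msg: Message) -> bool:
    """Durable-nonce transactions must start with System Program AdvanceNonceAccount."""
    if not msg.instructions:
        return False
    first = msg.instructions[0]
    return (msg.account_keys[first.program_id_index] == SYSTEM_PROGRAM_ID
            and first.data == ADVANCE_NONCE_ACCOUNT_DATA)


def review_before_signing(raw: bytes) -> list[str]:
    """Findings a signer should see before approving; empty list means nothing flagged."""
    msg, findings = parse_message(raw), []
    if uses_durable_nonce(msg):
        ix = msg.instructions[0]  # accounts: [nonce account, RecentBlockhashes sysvar, authority]
        nonce_account, authority_idx = msg.account_keys[ix.account_indexes[0]], ix.account_indexes[2]
        findings.append(
            "durable nonce: signature never expires and can be submitted at any later time "
            f"(nonce account {nonce_account.hex()[:8]}, authority {msg.account_keys[authority_idx].hex()[:8]}; "
            "only the authority can invalidate it by advancing the nonce)")
        if authority_idx >= msg.num_required_signatures:
            findings.append("nonce authority is not a signer; AdvanceNonceAccount requires its signature")
    return findings


def sample_messages() -> tuple[bytes, bytes]:
    """Constructed sample data (not from the incident): a normal and a durable-nonce message."""
    signer, nonce_acct, sysvar, target = (bytes([b]) * 32 for b in (0x11, 0x22, 0x33, 0x44))
    payload = b"\x01set_admin"  # placeholder for an admin-change instruction
    normal = Message(1, 0, 1, [signer, target], bytes([0x55]) * 32, [Instruction(1, [0], payload)])
    durable = Message(1, 0, 3, [signer, nonce_acct, sysvar, SYSTEM_PROGRAM_ID, target], bytes([0x66]) * 32,
                      [Instruction(3, [1, 2, 0], ADVANCE_NONCE_ACCOUNT_DATA), Instruction(4, [0], payload)])
    return compile_message(normal), compile_message(durable)


NORMAL_MSG, DURABLE_NONCE_MSG = sample_messages()

if __name__ == "__main__":
    for name, raw in (("normal", NORMAL_MSG), ("durable", DURABLE_NONCE_MSG)):
        print(name, review_before_signing(raw) or ["no findings"])
```

In a multisig signing flow the point of the check is policy, not parsing: a signer who sees the durable-nonce finding should treat the approval as open-ended rather than bound to the next few minutes, and a nonce authority held by the council can invalidate any outstanding pre-signed transactions by advancing the nonce.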
According to a timeline of events shared by Drift, preparations for the hack were underway as early as March 23, 2026. The company said it was coordinating with multiple security companies to determine the cause of the incident, adding that it was working with bridges, exchanges, and law enforcement to track and freeze the stolen assets.
In separate reports released on Thursday, both Elliptic and TRM Labs said there are on-chain indications that North Korean crypto thieves may be behind the heist.
These include the early use of Tornado Cash, the cross-chain bridging pattern, and the speed and scale of post-hack laundering, all of which are consistent with hacks previously attributed to North Korean threat actors, such as the large-scale Bybit exploit in 2025.
TRM Labs said, “The critical vulnerability was not a bug in the smart contract, but rather a combination of socially engineered hidden authorization pre-signing by multisig signers and a Security Council transition of a zero-time lock that eliminates the protocol’s last line of defense.”
“The attackers used thousands of dollars of seed liquidity and wash transactions to create CarbonVote tokens, a completely fictitious asset, which the Oracle of Drift treated as legitimate collateral worth hundreds of millions of dollars.”
The blockchain intelligence company also noted that the CarbonVote token was deployed at 9:30 Pyongyang time.
In its own analysis of the security incident, Elliptic said on-chain behavior, laundering techniques, and network-level indicators are consistent with known tradecraft associated with threat actors from the Democratic People’s Republic of Korea (DPRK).
The company also noted that if this incident is confirmed, it would be “the 18th act by North Korea” that it has been tracking since the beginning of this year, and that more than $300 million has been stolen to date.
“This is a continuation of an ongoing operation of large-scale crypto theft by North Korea, which the U.S. government has linked to funding its weapons program,” Elliptic said. “Those linked to North Korea are believed to have stolen more than $6.5 billion in crypto assets in recent years.”
North Korea’s crypto theft operation is estimated to have generated a record $2 billion in profits in 2025, of which approximately $1.46 billion came from the Bybit hack in February 2025.
The primary initial access vector through which these attacks are carried out remains social engineering, leveraging convincing personas and decoys to target the crypto and Web3 sectors through campaigns tracked as DangerousPassword (aka CageyChameleon, CryptoMimic, CryptoCore) and Contagious Interview. As of late February 2026, this year’s combined profits from the two campaigns total $37.5 million.
“North Korea’s crypto theft operation is not a series of isolated incidents. It is an ongoing, well-funded operation that is increasing in scale and sophistication,” Elliptic said.
“The evolution of North Korea’s social engineering techniques and the increasing availability of AI to refine and perfect these techniques means the threat extends far beyond exchanges. Individual developers, project contributors, and anyone with access to crypto asset infrastructure are potential targets.”
This development coincides with a supply chain breach of the popular Axios npm package. Multiple security vendors, including Google, Microsoft, CrowdStrike, and Sophos, attribute the attack to a North Korean hacker group called UNC1069. This group overlaps with BlueNoroff, CryptoCore, Nickel Gladstone, Sapphire Sleet, and Stardust Chollima.
“This state-sponsored organization is focused on generating revenue for the North Korean regime,” Sophos said. “These artifacts contain identical forensic metadata and command-and-control (C2) patterns, as well as connections to malware used exclusively by Nickel-Gladstone. Based on these artifacts, Nickel-Gladstone is very likely responsible for the Axios attack.”
