Drift Loses $285 Million in Sophisticated Social Engineering Attack Linked to North Korea


In a significant security breach, the Solana-based decentralized exchange Drift has confirmed the loss of approximately $285 million following a sophisticated attack on April 1, 2026. This incident highlights the evolving tactics employed by cybercriminals, particularly in the realm of decentralized finance (DeFi).

The Attack Unfolds

Drift disclosed that the breach involved a malicious actor gaining unauthorized access to its protocol through a novel attack mechanism utilizing durable nonces. This method allowed the attacker to rapidly seize control of the Drift Security Council’s administrative powers. According to the company, the operation appeared to be highly sophisticated, involving weeks of preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions whose execution was deliberately delayed.

Drift emphasized that the attack did not exploit any vulnerabilities in its smart contracts or programs, nor was there any evidence of compromised seed phrases. Instead, the breach involved unauthorized or misrepresented transaction approvals obtained prior to execution, likely facilitated through durable nonce mechanisms and advanced social engineering techniques.

The attackers managed to secure sufficient multi-signature (multisig) approvals and executed a malicious admin transfer within minutes. This maneuver allowed them to gain control over protocol-level permissions, enabling the introduction of a malicious asset and the removal of all pre-set withdrawal limits, ultimately targeting existing funds.

Timeline of Events

According to Drift’s timeline, preparations for the hack began as early as March 23, 2026. The company is currently collaborating with multiple security firms to investigate the incident’s cause and is working with bridges, exchanges, and law enforcement to trace and freeze the stolen assets.

Reports from blockchain intelligence firms Elliptic and TRM Labs indicate that North Korean cybercriminals may be behind this cryptocurrency heist. The analysis pointed to the use of Tornado Cash for initial staging, as well as cross-chain bridging patterns and the speed and scale of post-hack laundering consistent with previous attacks attributed to North Korean threat actors, including the massive Bybit exploit of 2025.

Analyzing the Vulnerability

TRM Labs stated that the critical vulnerability was not a bug within the smart contract but rather a combination of social engineering tactics that coerced multisig signers into pre-signing hidden authorizations. This was compounded by a zero-timelock Security Council migration that effectively eliminated the protocol’s last line of defense.
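The attack path described above, in which approvals were pre-signed on durable nonces and only executed later, suggests one defensive control: signer tooling that refuses to blindly approve any proposal built on a durable nonce that also touches a protected admin program. The Python below is an added illustration and not code from Drift or from TRM Labs; the admin program id, the account labels and both sample transactions are constructed placeholders. It relies on the Solana rule that a durable-nonce transaction must begin with the System Program's AdvanceNonceAccount instruction.

```python
# Added example (not Drift's code): signer-side pre-approval check for Solana
# transactions that use durable nonces, the mechanism the article describes for
# holding pre-signed approvals until the attacker chooses to execute them.
# Transactions are modelled as plain dicts; ids marked placeholder are made up.

SYSTEM_PROGRAM = "11111111111111111111111111111111"
# SystemInstruction::AdvanceNonceAccount is variant 4, bincode-encoded as u32 LE.
ADVANCE_NONCE_DATA = b"\x04\x00\x00\x00"
ADMIN_PROGRAM = "AdminProgramPlaceholder111111111111111111111"  # placeholder


def is_durable_nonce_tx(message: dict) -> bool:
    """A durable-nonce transaction must start with AdvanceNonceAccount."""
    ixs = message.get("instructions", [])
    if not ixs:
        return False
    first = ixs[0]
    return first["program_id"] == SYSTEM_PROGRAM and bytes(first["data"][:4]) == ADVANCE_NONCE_DATA


def review_flags(message: dict, protected_programs: set) -> list:
    """Reasons a multisig signer's tooling should block one-click approval."""
    flags = []
    durable = is_durable_nonce_tx(message)
    if durable:
        nonce_account = message["instructions"][0]["accounts"][0]
        flags.append(f"durable nonce via {nonce_account}: signature stays valid until the nonce advances")
    touched = [ix["program_id"] for ix in message["instructions"] if ix["program_id"] in protected_programs]
    for pid in touched:
        flags.append(f"touches protected program {pid}")
    if durable and touched:
        flags.append("REJECT: pre-signable approval targeting a protected program; require manual review")
    return flags


# Constructed samples: an ordinary SOL transfer and a nonce-backed admin call.
PLAIN_TRANSFER_TX = {
    "recent_blockhash": "<recent blockhash>",
    "instructions": [
        {"program_id": SYSTEM_PROGRAM,
         "data": b"\x02\x00\x00\x00" + (1000).to_bytes(8, "little"),  # Transfer, 1000 lamports
         "accounts": ["payer", "recipient"]},
    ],
}
DURABLE_ADMIN_TX = {
    "recent_blockhash": "<stored nonce value>",
    "instructions": [
        {"program_id": SYSTEM_PROGRAM, "data": ADVANCE_NONCE_DATA,
         "accounts": ["nonce_account", "SysvarRecentB1ockHashes11111111111111111111", "nonce_authority"]},
        {"program_id": ADMIN_PROGRAM, "data": b"\x00", "accounts": ["council_multisig", "new_admin"]},
    ],
}
```

Run `review_flags(DURABLE_ADMIN_TX, {ADMIN_PROGRAM})` to see the three flags the nonce-backed admin transaction raises, while the plain transfer raises none.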

The attacker created a fictitious asset called the CarbonVote Token, which was seeded with only a few thousand dollars in liquidity. However, Drift’s oracles mistakenly treated it as legitimate collateral worth hundreds of millions. Notably, the CarbonVote Token was deployed at 09:30 Pyongyang time, further suggesting a connection to North Korean operatives.

Elliptic’s analysis corroborated these findings, noting that the on-chain behavior and laundering methodologies align with known tactics employed by actors from the Democratic People’s Republic of Korea (DPRK). If confirmed, this incident would mark the eighteenth DPRK-linked act tracked since the beginning of the year, with over $300 million stolen to date.

Broader Implications

This incident underscores the ongoing campaign of large-scale cryptoasset theft linked to the DPRK, which has been associated with funding the country’s weapons programs. Elliptic reported that DPRK-linked actors are believed to have stolen over $6.5 billion in cryptoassets in recent years. The North Korean cryptoasset theft operation is estimated to have netted a record $2 billion in 2025, with approximately $1.46 billion originating from the Bybit hack in February 2025.

The primary method of access for these attacks continues to be social engineering, leveraging persuasive personas and decoys to target the cryptocurrency and Web3 sectors. Campaigns tracked as DangerousPassword and Contagious Interview have reportedly yielded substantial gains, totaling $37.5 million this year alone.

Evolving Threat Landscape

The DPRK’s cryptoasset theft operation is characterized as a sustained, well-resourced campaign that is growing in scale and sophistication. The evolution of social engineering techniques, combined with the increasing availability of artificial intelligence to refine these methods, means that the threat extends beyond exchanges. Individual developers, project contributors, and anyone with access to cryptoasset infrastructure are now potential targets.

This development coincides with the supply chain compromise of the popular Axios npm package, which has been attributed to a North Korean hacking group known as UNC1069. This group overlaps with other known entities such as BlueNoroff and CryptoCore, focusing on generating revenue for the North Korean regime.

Sophos noted that the artifacts from these attacks exhibit identical forensic metadata and command-and-control patterns, indicating a high likelihood that Nickel Gladstone is responsible for the Axios attacks.

The Drift incident serves as a stark reminder of the vulnerabilities inherent in the rapidly evolving landscape of decentralized finance and the need for enhanced security measures to protect against increasingly sophisticated cyber threats.

Source: thehackernews.com
