
Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK

Solana-based decentralized exchange Drift has confirmed that attackers drained about $285 million from the platform during a security incident that took place on April 1, 2026.

“Earlier today, a malicious actor gained unauthorized access to Drift Protocol via a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers,” the company said in a series of posts on X.

“This was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution.”

Drift noted that the attack did not exploit a vulnerability in its programs or smart contracts, and that there is no evidence of compromised seed phrases. Rather, the breach is said to have “involved unauthorized or misrepresented transaction approvals obtained prior to execution, likely facilitated via durable nonce mechanisms and sophisticated social engineering,” it explained. On Solana, a transaction normally references a recent blockhash and expires once that blockhash ages out of the validators' window; a durable nonce replaces the blockhash with a value held in a nonce account, so a signed transaction stays valid until that nonce is advanced. That is what lets an approval collected weeks earlier be executed at a moment of the attacker's choosing.

To that end, the threat actors obtained sufficient multi-signature (multisig) approvals and executed a malicious admin transfer within minutes to gain control of protocol-level permissions, ultimately leveraging it to “introduce a malicious asset and remove all pre-set withdrawal limits, attacking existing funds.”

According to a timeline of events shared by Drift, preparations for the hack were underway as early as March 23, 2026. The company said it is coordinating with several security firms to determine the cause of the incident, adding that it is working with bridges, exchanges, and law enforcement to trace and freeze the stolen assets.


In separate reports published Thursday, both Elliptic and TRM Labs said there are on-chain indications that North Korean crypto thieves may be behind the cryptocurrency heist.

This included the use of Tornado Cash for initial staging, as well as cross-chain bridging patterns and the speed and scale of post-hack laundering that are consistent with hacks previously attributed to North Korean threat actors, including the massive Bybit exploit of 2025.

“The critical vulnerability was not a smart contract bug but a combination of social engineering multisig signers into pre-signing hidden authorizations and a zero-timelock Security Council migration that eliminated the protocol’s last line of defense,” TRM Labs said.

“The attacker manufactured an entirely fictitious asset — CarbonVote Token — with a few thousand dollars in seeded liquidity and wash trading, and Drift’s oracles treated it as legitimate collateral worth hundreds of millions of dollars.”

The blockchain intelligence firm also pointed out that the CarbonVote Token was deployed at 09:30 Pyongyang time.
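The two mechanisms described above, pre-signed durable-nonce approvals and a zero-timelock admin migration, are easiest to see side by side in a small model. The following is an added example written for this article, not Drift's code or TRM's analysis: it simulates Solana's blockhash expiry and nonce-account semantics in plain Python with constructed account names (`alice`, `bob`, `attacker`, `atk_nonce`), an assumed 150-slot blockhash window, an assumed 3-of-5 council, and an assumed slot rate for the "weeks pass" step. It shows why an ordinary signed transaction dies after a few minutes while a durable-nonce copy signed at the same moment still executes much later, then shows two controls that would have broken the chain: a signer-side rule refusing to sign against a nonce account the council does not own, and a timelock that turns an instant admin transfer into a cancellable queued one.

```python
"""Toy model of Solana durable nonces vs. recent-blockhash expiry (added example)."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

BLOCKHASH_WINDOW = 150      # assumed: slots for which a recent blockhash remains valid


def h(*parts: str) -> str:
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


@dataclass
class NonceAccount:
    authority: str          # the key that controls when this nonce is consumed
    value: str

    def advance(self) -> None:
        self.value = h("advance", self.value)   # invalidates every tx signed against the old value


@dataclass(frozen=True)
class Tx:
    blockhash: str                 # a recent blockhash, or the nonce value for a durable-nonce tx
    nonce_account: Optional[str]   # None for an ordinary transaction
    new_admin: str                 # payload: an admin transfer of protocol permissions
    signers: frozenset


@dataclass
class Chain:
    council: frozenset = frozenset({"alice", "bob", "carol", "dave", "erin"})  # constructed
    threshold: int = 3
    timelock_slots: int = 0        # 0 models the zero-timelock migration cited by TRM
    slot: int = 0
    admin: str = "security_council"
    nonces: dict = field(default_factory=dict)
    queued: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def blockhash(self, slot: int) -> str:
        return h("block", str(slot))

    def tick(self, n: int) -> None:
        """Advance the clock and execute any timelocked migration that has come due."""
        self.slot += n
        for item in list(self.queued):
            if self.slot >= item[0]:
                self.queued.remove(item)
                self.admin = item[1]
                self.log.append(f"executed: admin -> {item[1]}")

    def submit(self, tx: Tx) -> bool:
        # Liveness: an ordinary tx needs a recent blockhash; a durable tx needs the current
        # nonce value and the nonce authority's signature on the AdvanceNonceAccount ix.
        if tx.nonce_account is None:
            recent = {self.blockhash(s) for s in range(max(0, self.slot - BLOCKHASH_WINDOW), self.slot + 1)}
            if tx.blockhash not in recent:
                self.log.append("rejected: blockhash expired")
                return False
        else:
            acct = self.nonces[tx.nonce_account]
            if tx.blockhash != acct.value or acct.authority not in tx.signers:
                self.log.append("rejected: nonce mismatch or missing nonce authority")
                return False
            acct.advance()         # consumed: the same pre-signed tx cannot be replayed
        # Authorization: multisig threshold over council keys.
        if len(tx.signers & self.council) < self.threshold:
            self.log.append("rejected: below multisig threshold")
            return False
        if self.timelock_slots == 0:
            self.admin = tx.new_admin
            self.log.append(f"executed: admin -> {tx.new_admin}")
        else:
            self.queued.append((self.slot + self.timelock_slots, tx.new_admin))
            self.log.append(f"queued: admin -> {tx.new_admin}")
        return True


def signer_policy(chain: Chain, tx: Tx) -> bool:
    """Client-side rule for each council member before signing: a durable-nonce tx is
    acceptable only if the nonce authority is a council key, never a third party."""
    if tx.nonce_account is None:
        return True
    return chain.nonces[tx.nonce_account].authority in chain.council


def pre_signed_takeover(chain: Chain) -> Tx:
    """What the signers are induced to approve: three council members plus the attacker
    (as nonce authority) sign an admin transfer against a nonce the attacker controls."""
    chain.nonces["atk_nonce"] = NonceAccount(authority="attacker", value=h("seed"))
    return Tx(chain.nonces["atk_nonce"].value, "atk_nonce", "attacker_key",
              frozenset({"alice", "bob", "carol", "attacker"}))


def attack() -> Chain:
    c = Chain()
    durable = pre_signed_takeover(c)
    ordinary = Tx(c.blockhash(c.slot), None, "attacker_key", durable.signers)
    c.tick(2_000_000)              # roughly nine days of slots (assumed ~0.4 s per slot)
    c.submit(ordinary)             # the blockhash-based copy expired long ago
    c.submit(durable)              # the durable-nonce copy still executes, instantly
    return c


def defended() -> Chain:
    c = Chain(timelock_slots=1_000)
    durable = pre_signed_takeover(c)
    if not signer_policy(c, durable):
        c.log.append("signer policy: refused foreign nonce authority")
    c.submit(durable)              # even if signed anyway, the transfer only queues
    c.queued.clear()               # council sees the queued migration and cancels it
    c.log.append("cancelled queued migration")
    c.tick(2_000_000)
    return c
```

Run `attack()` and `defended()` and compare `.admin` and `.log`: in the first the attacker holds admin after one transaction, in the second the admin never changes. The model deliberately leaves the nonce authority with the attacker, because that is the property that makes the scheme work: only the holder of the nonce authority can consume the nonce, so the victims cannot invalidate an approval they do not know they gave. The signer-side policy is the only control that acts before signing; the timelock is what buys the review window afterwards.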


Elliptic, in its own analysis of the security incident, said the on-chain behavior, laundering methodologies, and network-level indicators align with known tradecraft associated with threat actors from the Democratic People’s Republic of Korea (DPRK).

The company also noted that, if confirmed, this incident “would represent the eighteenth DPRK act” it has tracked since the start of the year, with more than $300 million stolen to date.

“It’s a continuation of the DPRK’s sustained campaign of large-scale cryptoasset theft, which the US government has linked to the funding of its weapons programs,” Elliptic said. “DPRK-linked actors are believed to have stolen over $6.5 billion dollars in cryptoassets in recent years.”

The North Korean cryptoasset theft operation is estimated to have netted a record $2 billion in 2025, of which roughly $1.46 billion originated from the hack of Bybit in February 2025.

The primary initial access pathway through which these attacks are executed remains social engineering, leveraging persuasive personas and decoys to target the cryptocurrency and Web3 sectors via campaigns tracked as DangerousPassword (aka CageyChameleon, CryptoMimic, and CryptoCore) and Contagious Interview. As of late February 2026, the combined gains from the two campaigns total $37.5 million this year.


“The DPRK’s cryptoasset theft operation is not a series of isolated incidents. It is a sustained, well-resourced campaign that is growing in scale and sophistication,” Elliptic said.

“The evolution of the DPRK’s social engineering techniques, combined with the growing availability of AI to refine and perfect these techniques, means the threat extends well beyond exchanges. Individual developers, project contributors and anyone with access to cryptoasset infrastructure is a potential target.”

The development coincides with the supply chain compromise of the popular Axios npm package, which several security vendors, including Google, Microsoft, CrowdStrike, and Sophos, have attributed to a North Korean hacking group known as UNC1069, which overlaps with BlueNoroff, CryptoCore, Nickel Gladstone, Sapphire Sleet, and Stardust Chollima.

“This state-sponsored group focuses on generating revenue for the North Korean regime,” Sophos said. “The artifacts include identical forensic metadata and command-and-control (C2) patterns, as well as connections to malware exclusively used by Nickel Gladstone. Based on these artifacts, it is highly likely that Nickel Gladstone is responsible for the Axios attacks.”
