North Korea–linked hackers drain $285M from Drift in sophisticated attack
Pierluigi Paganini, April 03, 2026

Drift lost $285M in a sophisticated attack, likely by North Korea, who used nonce-based tricks to gain control and quickly drain funds.

Drift suffered a $285 million cryptocurrency heist in a highly sophisticated attack likely linked to North Korea. Threat actors used durable nonce accounts to pre-sign and delay transactions, while also compromising multisig approvals to gain admin control.

“This was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution,” wrote the Solana-based decentralized exchange on X.

Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers. This was a highly sophisticated operation that appears to have involved… — Drift (@DriftProtocol) April 2, 2026

They prepared for the operation days in advance, setting up wallets and testing transactions before draining funds from multiple vaults within seconds and laundering them across wallets. Drift notified law enforcement and is now working with security firms and exchanges to trace and freeze the stolen assets.

Drift Protocol is coordinating with multiple security firms to determine the cause of the incident. Drift is also working with bridges, exchanges, and law enforcement to trace and freeze stolen assets.
We would welcome any information or help pertaining to the investigation at… — Drift (@DriftProtocol) April 2, 2026

Solana-based decentralized exchange Drift has confirmed that attackers drained about $285 million from the platform during a security incident that took place on April 1, 2026.

The timeline shows a carefully staged attack. On March 23, durable nonce accounts were set up, with at least 2 of 5 multisig signers unknowingly approving transactions, enabling delayed execution. On March 27, Drift migrated its Security Council. By March 30, new nonce activity suggests the attacker regained access to 2 of 5 signers in the updated multisig, maintaining control ahead of the exploit.

On April 1, the attack entered its execution phase. It began with a legitimate test withdrawal by Drift. About a minute later, the attacker used pre-signed durable nonce transactions to take control, creating, approving, and executing a malicious admin transfer, enabling the takeover.

Blockchain cybersecurity firm Elliptic found strong signs linking the $286M Drift Protocol exploit to North Korea (DPRK), based on attack behavior and laundering methods. If confirmed, it would be the 18th DPRK-linked crypto theft this year, with over $300M stolen.

“Elliptic has identified multiple indicators suggesting that the exploit of Drift Protocol is linked to the Democratic People’s Republic of Korea (DPRK),” reads the report published by Elliptic.

Such attacks are tied to funding weapons programs, with over $6.5B stolen in recent years. The incident reflects growing DPRK activity, including recent supply chain attacks like the Axios npm compromise.

According to Elliptic, the Drift attack unfolded rapidly, with attackers draining most funds within an hour after allegedly compromising admin private keys. They targeted key vaults, stealing assets including $155M in JLP tokens and other cryptocurrencies. Drift’s TVL dropped from $550M to under $250M, making it 2026’s largest DeFi hack so far.
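As an added example (not Drift's or Solana Labs' code), the monitoring rule a protocol team could derive from the timeline above: it flags any transaction in which a Security Council signer sets up a nonce account or signs a durable-nonce transaction, and estimates pre-signing from the gap between the time the referenced nonce value was written on-chain and the time the transaction landed. The signer names, the simplified record fields and the sample ledger are constructed; only the System Program id and the rule that a durable-nonce transaction starts with AdvanceNonceAccount are real Solana facts.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

SYSTEM_PROGRAM = "11111111111111111111111111111111"  # real Solana System Program id (owns nonce accounts)
COUNCIL = {"SignerA", "SignerB", "SignerC", "SignerD", "SignerE"}  # constructed 2-of-5 council placeholders
NONCE_SETUP = {"InitializeNonceAccount", "AuthorizeNonceAccount"}
PRESIGN_THRESHOLD = timedelta(hours=1)  # assumed: an ordinary blockhash-based tx expires within minutes

@dataclass
class Tx:
    sig: str
    signers: list[str]
    instructions: list[dict]  # simplified: [{"program": str, "kind": str}, ...]
    landed_at: datetime
    nonce_value_set_at: datetime | None = None  # when the nonce value this tx references was written on-chain

def uses_durable_nonce(tx: Tx) -> bool:
    # A durable-nonce tx must carry SystemProgram AdvanceNonceAccount as its first instruction.
    first = tx.instructions[0] if tx.instructions else {}
    return first.get("program") == SYSTEM_PROGRAM and first.get("kind") == "AdvanceNonceAccount"

def alerts(tx: Tx) -> list[str]:
    """Reasons this tx deserves review by the protocol team; empty means nothing unusual."""
    council = sorted(COUNCIL & set(tx.signers))
    if not council:
        return []
    out = []
    if uses_durable_nonce(tx):
        out.append(f"durable-nonce tx signed by council members {council}")
        if tx.nonce_value_set_at and tx.landed_at - tx.nonce_value_set_at > PRESIGN_THRESHOLD:
            # The nonce value's write time is the earliest moment the tx could have been signed.
            age = tx.landed_at - tx.nonce_value_set_at
            out.append(f"likely pre-signed: nonce value is {age.days} days old")
    for ins in tx.instructions:
        if ins["program"] == SYSTEM_PROGRAM and ins["kind"] in NONCE_SETUP:
            out.append(f"council member set up a nonce account ({ins['kind']})")
    return out

def scan(ledger: list[Tx]) -> dict[str, list[str]]:
    return {tx.sig: reasons for tx in ledger if (reasons := alerts(tx))}

# Constructed sample ledger following the article's timeline; not real chain data.
SAMPLE = [
    Tx("tx-routine", ["SignerA"], [{"program": "Multisig", "kind": "Approve"}], datetime(2026, 3, 20)),
    Tx("tx-setup", ["SignerB"], [{"program": SYSTEM_PROGRAM, "kind": "InitializeNonceAccount"}], datetime(2026, 3, 23)),
    Tx("tx-admin", ["SignerB", "SignerD"], [{"program": SYSTEM_PROGRAM, "kind": "AdvanceNonceAccount"},
       {"program": "Multisig", "kind": "ExecuteAdminTransfer"}], datetime(2026, 4, 1), nonce_value_set_at=datetime(2026, 3, 30)),
]
```

In a live deployment the records would come from an RPC subscription on the council signer keys; the nonce-account setup alert on March 23 would have fired more than a week before the funds moved.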
The attacker prepared in advance, creating a wallet days earlier and testing access. Stolen funds were quickly swapped to USDC, then moved to Ethereum and converted to ETH. Drift halted operations and is working to contain the incident.