Solana-based decentralized exchange Drift has confirmed that attackers drained about $285 million from the platform during a security incident that took place on April 1, 2026.
“Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers,” the company said in a series of posts on X.
“This was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution.”
Drift noted that the attack did not exploit a vulnerability in its programs or smart contracts, and that there is no evidence of compromised seed phrases. Rather, the breach is said to have “involved unauthorized or misrepresented transaction approvals obtained prior to execution, likely facilitated through durable nonce mechanisms and sophisticated social engineering,” it explained.
To that end, the threat actors obtained sufficient multi-signature (multisig) approvals and executed a malicious admin transfer within minutes to gain control of protocol-level permissions, ultimately leveraging it to “introduce a malicious asset and remove all pre-set withdrawal limits, attacking existing funds.”
According to a timeline of events shared by Drift, preparations for the hack were underway as early as March 23, 2026. The company said it’s coordinating with multiple security firms to determine the cause of the incident, adding it’s working with bridges, exchanges, and law enforcement to trace and freeze the stolen assets.
A PIF Research Labs analysis reveals that the assets were drained within 10 seconds. “From first withdrawal (41.72M JLP at 16:06:09) to last primary withdrawal (2,200 wETH at 16:06:19),” it said. “The major vaults were emptied in the time it takes to send a text.”
In separate reports published Thursday, both Elliptic and TRM Labs said there are on-chain indications that North Korean crypto thieves may be behind the cryptocurrency heist.
This included the use of Tornado Cash for initial staging, as well as the cross-chain bridging patterns and the speed and scale of post-hack laundering that are consistent with hacks previously attributed to North Korean threat actors, including the massive Bybit exploit of 2025.
“The critical vulnerability was not a smart contract bug but a combination of social engineering multisig signers into pre-signing hidden authorizations and a zero-timelock Security Council migration that eliminated the protocol’s last line of defense,” TRM Labs said.
“The attacker manufactured an entirely fictitious asset — CarbonVote Token — with a few thousand dollars in seeded liquidity and wash trading, and Drift’s oracles treated it as legitimate collateral worth hundreds of millions of dollars.”
The blockchain intelligence firm also pointed out that the CarbonVote Token was deployed at 09:30 Pyongyang time.
Elliptic, in its own analysis of the security incident, said the on-chain behavior, laundering methodologies, and network-level indicators align with known tradecraft associated with threat actors from the Democratic People’s Republic of Korea (DPRK).
The company also noted that, if confirmed, this incident “would represent the eighteenth DPRK act” it has tracked since the start of the year, with more than $300 million stolen to date.
“It is a continuation of the DPRK’s sustained campaign of large-scale cryptoasset theft, which the US government has linked to the funding of its weapons programs,” Elliptic said. “DPRK-linked actors are believed to have stolen over $6.5 billion dollars in cryptoassets in recent years.”
The North Korean cryptoasset theft operation is estimated to have netted a record $2 billion in 2025, out of which approximately $1.46 billion originated from the hack of Bybit in February 2025.
Social engineering remains the primary initial access pathway through which these attacks are executed, leveraging persuasive personas and decoys to target the cryptocurrency and Web3 sectors through campaigns tracked as DangerousPassword (aka CageyChameleon, CryptoMimic, and CryptoCore) and Contagious Interview. As of late February 2026, the combined gains from the twin campaigns total $37.5 million this year.
“The DPRK’s cryptoasset theft operation is not a series of isolated incidents. It is a sustained, well-resourced campaign that is growing in scale and sophistication,” Elliptic said.
“The evolution of the DPRK’s social engineering techniques, combined with the increasing availability of AI to refine and perfect these methods, means the threat extends well beyond exchanges. Individual developers, project contributors and anyone with access to cryptoasset infrastructure is a potential target.”
The development coincides with the supply chain compromise of the popular Axios npm package, which multiple security vendors, including Google, Microsoft, CrowdStrike, and Sophos, have attributed to a North Korean hacking group called UNC1069, which overlaps with BlueNoroff, CryptoCore, Nickel Gladstone, Sapphire Sleet, and Stardust Chollima.
“This state-sponsored group focuses on generating revenue for the North Korean regime,” Sophos said. “The artifacts include identical forensic metadata and command-and-control (C2) patterns, as well as connections to malware exclusively used by Nickel Gladstone. Based on these artifacts, it is highly likely that Nickel Gladstone is responsible for the Axios attacks.”
