Drift got rinsed.
A cool $285 million gone in a blink — courtesy of North Korean pros who didn’t touch a single smart contract bug. No, they went old-school with a twist: durable nonces and some top-shelf social engineering. It’s like phishing your grandma, but for multisig keys on a billion-dollar protocol.
The attack hit April 1, 2026 — no fooling. Drift’s own post spells it out:
“Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers.”
Sophisticated? You bet. Multi-week prep, pre-signed transactions lurking like sleeper agents. They conned signers into approving dodgy stuff ahead of time, then bam — admin takeover in minutes. Fake asset introduced (hello, CarbonVote Token), withdrawal limits nuked, funds vanished.
Wait, What’s a Durable Nonce Anyway?
Think of nonces as transaction tickets in Solana land. Durable ones? They stick around, letting you pre-sign and execute later. Hackers weaponized this to dupe multisig holders — probably via slick LinkedIn personas or fake job offers. TRM Labs nails it:
“The critical vulnerability was not a smart contract bug but a combination of social engineering multisig signers into pre-signing hidden authorizations and a zero-timelock Security Council migration that eliminated the protocol’s last line of defense.”
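What a signer could have seen before clicking approve. The checker below is an added example, not Drift's code and not Solana's SDK: it serializes and parses the legacy Solana message layout and flags a transaction whose first instruction is the System Program's AdvanceNonceAccount, which is exactly what makes a transaction durable (its recent_blockhash field carries the stored nonce instead of a live blockhash, so it never expires). The System Program id (all-zero pubkey) and the AdvanceNonceAccount discriminator (4) are real; every other key, the council program and its instruction data are constructed placeholders.

```python
"""Signer-side pre-sign review for Solana legacy messages (added example; not Drift or Solana code)."""

SYSTEM_PROGRAM = bytes(32)   # the System Program id is the all-zero pubkey ("111...111" in base58)
ADVANCE_NONCE_ACCOUNT = 4    # SystemInstruction discriminator (u32, little-endian)


def encode_compact_u16(n):
    """Solana's compact-u16 length prefix: 7 bits per byte, high bit means 'more bytes follow'."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def decode_compact_u16(buf, pos):
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def build_message(header, keys, blockhash, instructions):
    """Serialize a legacy message: header, account keys, recent_blockhash, compiled instructions."""
    out = bytearray(header) + encode_compact_u16(len(keys))
    for key in keys:
        out += key
    out += blockhash + encode_compact_u16(len(instructions))
    for program_idx, account_idxs, data in instructions:
        out.append(program_idx)
        out += encode_compact_u16(len(account_idxs)) + bytes(account_idxs)
        out += encode_compact_u16(len(data)) + data
    return bytes(out)


def parse_message(buf):
    """Inverse of build_message; instructions come back as (program_pubkey, account_indexes, data)."""
    header, pos = tuple(buf[:3]), 3
    n_keys, pos = decode_compact_u16(buf, pos)
    keys = [buf[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = buf[pos:pos + 32], pos + 32
    n_ix, pos = decode_compact_u16(buf, pos)
    instructions = []
    for _ in range(n_ix):
        program_idx, pos = buf[pos], pos + 1
        n_acc, pos = decode_compact_u16(buf, pos)
        accounts, pos = list(buf[pos:pos + n_acc]), pos + n_acc
        d_len, pos = decode_compact_u16(buf, pos)
        data, pos = buf[pos:pos + d_len], pos + d_len
        instructions.append((keys[program_idx], accounts, data))
    return header, keys, blockhash, instructions


def is_durable_nonce(instructions):
    """The runtime treats a tx as durable only when instruction 0 is SystemProgram::AdvanceNonceAccount."""
    if not instructions:
        return False
    program, _, data = instructions[0]
    return (program == SYSTEM_PROGRAM and len(data) >= 4
            and int.from_bytes(data[:4], "little") == ADVANCE_NONCE_ACCOUNT)


def review(buf, privileged_programs):
    """Findings a signer should read before approving; privileged_programs maps pubkey -> label."""
    _, _, _, instructions = parse_message(buf)
    findings = []
    durable = is_durable_nonce(instructions)
    if durable:
        findings.append("DURABLE_NONCE: no expiry, can be held and broadcast whenever the holder chooses")
    for program, _, _ in instructions:
        if program in privileged_programs:
            findings.append(f"PRIVILEGED: touches {privileged_programs[program]}")
    if durable and len(findings) > 1:
        findings.append("BLOCK: privileged action pre-signed with a durable nonce; demand a live blockhash and a timelock")
    return findings


# Constructed sample: every key below is a placeholder, not a real account.
SIGNER, NONCE_ACCOUNT, RECENT_BLOCKHASHES_SYSVAR = b"\x01" * 32, b"\x02" * 32, b"\x03" * 32
COUNCIL_PROGRAM = b"\x04" * 32   # hypothetical multisig / security-council program
KEYS = [SIGNER, NONCE_ACCOUNT, RECENT_BLOCKHASHES_SYSVAR, SYSTEM_PROGRAM, COUNCIL_PROGRAM]
HEADER = (1, 0, 3)               # 1 required signer, 0 readonly signed, 3 readonly unsigned
PRIVILEGED_PROGRAMS = {COUNCIL_PROGRAM: "security council program"}

DURABLE_TX = build_message(HEADER, KEYS, b"\xaa" * 32, [
    (3, [1, 2, 0], ADVANCE_NONCE_ACCOUNT.to_bytes(4, "little")),  # nonce account, sysvar, nonce authority
    (4, [0], b"\x07migrate"),                                      # hypothetical council instruction
])
NORMAL_TX = build_message(HEADER, KEYS, b"\xbb" * 32, [(4, [0], b"\x07migrate")])

if __name__ == "__main__":
    for name, tx in (("durable", DURABLE_TX), ("normal", NORMAL_TX)):
        print(name, review(tx, PRIVILEGED_PROGRAMS))
```

The point of the check is the first instruction: a normal transaction dies with its blockhash after a couple of minutes, so "sign now, execute in three weeks" is impossible without a nonce account. Any signing UI for an admin multisig can run this test on the decoded message and refuse to show a plain "Approve" button when it trips.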
Drift swears no seed phrases leaked, no code flaws. Fine. But their Security Council? A multisig wet dream that turned into a piñata.
Prep started March 23. By hack day, attackers had the keys — literally. They minted a bogus token with pocket change liquidity, wash-traded it to fake volume, and Drift’s oracles slurped it up as legit collateral. Hundreds of millions unlocked. Poof.
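The collateral gate the paragraph above says was missing. This screen is an added example, not Drift's listing logic or oracle code: over a constructed trade tape it computes two wash-trade signals (the share of volume between the single busiest wallet pair, and volume that is bounced straight back between the same two wallets at the same size) alongside pool depth and mint age, and refuses admission when any threshold trips. The thresholds, wallet names and token profiles are all made up for the illustration.

```python
"""Collateral admission screen (added example; not Drift's oracle or listing code)."""
from collections import defaultdict

# Policy thresholds are constructed for this example; a real venue tunes them per market.
POLICY = {
    "min_liquidity_usd": 1_000_000,
    "min_age_days": 30,
    "max_volume_to_liquidity": 10.0,  # 24h volume many times the pool depth is a red flag
    "max_top_pair_share": 0.50,       # one counterparty pair doing half the volume
    "max_round_trip_share": 0.25,     # volume that is simply bounced back within the window
}


def trade_stats(trades, window_s=600):
    """trades: list of (ts, buyer, seller, usd) sorted by ts. Returns volume and two wash signals."""
    total = sum(t[3] for t in trades)
    pair_vol = defaultdict(float)
    for _, buyer, seller, usd in trades:
        pair_vol[frozenset((buyer, seller))] += usd
    top_pair = max(pair_vol.values()) / total if total else 0.0
    # A trade is a round trip if the same size later flows back the other way between the same two wallets.
    round_trip = 0.0
    for i, (ts, buyer, seller, usd) in enumerate(trades):
        for ts2, buyer2, seller2, usd2 in trades[i + 1:]:
            if ts2 - ts > window_s:
                break
            if buyer2 == seller and seller2 == buyer and usd2 == usd:
                round_trip += usd
                break
    return {
        "volume": total,
        "top_pair_share": top_pair,
        "round_trip_share": round_trip / total if total else 0.0,
    }


def screen_collateral(profile, trades, policy=POLICY):
    """Return (admit, reasons). profile needs liquidity_usd and age_days."""
    stats = trade_stats(trades)
    reasons = []
    if profile["liquidity_usd"] < policy["min_liquidity_usd"]:
        reasons.append(f"liquidity ${profile['liquidity_usd']:,.0f} below ${policy['min_liquidity_usd']:,}")
    if profile["age_days"] < policy["min_age_days"]:
        reasons.append(f"mint is only {profile['age_days']} days old")
    ratio = stats["volume"] / profile["liquidity_usd"] if profile["liquidity_usd"] else float("inf")
    if ratio > policy["max_volume_to_liquidity"]:
        reasons.append(f"volume/liquidity {ratio:.1f}x")
    if stats["top_pair_share"] > policy["max_top_pair_share"]:
        reasons.append(f"top counterparty pair = {stats['top_pair_share']:.0%} of volume")
    if stats["round_trip_share"] > policy["max_round_trip_share"]:
        reasons.append(f"round-trip (wash) volume = {stats['round_trip_share']:.0%}")
    return (not reasons), reasons


# Constructed tapes: a freshly minted token ping-ponged between two wallets, and a boring legit one.
BOGUS_TRADES = sorted(
    [(100 * i, "W1", "W2", 5000.0) if i % 2 == 0 else (100 * i, "W2", "W1", 5000.0) for i in range(8)]
    + [(900, "W3", "W2", 500.0)]
)
BOGUS_PROFILE = {"symbol": "FAKE", "liquidity_usd": 1_500, "age_days": 3}
LEGIT_TRADES = [(60 * i, f"buyer{i}", f"seller{i}", 2000.0) for i in range(10)]
LEGIT_PROFILE = {"symbol": "OK", "liquidity_usd": 5_000_000, "age_days": 400}

if __name__ == "__main__":
    for profile, trades in ((BOGUS_PROFILE, BOGUS_TRADES), (LEGIT_PROFILE, LEGIT_TRADES)):
        admit, reasons = screen_collateral(profile, trades)
        print(profile["symbol"], "admit" if admit else "reject", reasons)
```

Volume alone is what the oracle was apparently trusting; pairing it with depth and with who is trading against whom is what separates a market from two wallets tossing a token back and forth. An admission screen like this runs once before a token can back anything, and again whenever the protocol raises a withdrawal limit.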
Elliptic and TRM smell DPRK all over it. Tornado Cash mixer first stop. Cross-chain bridges next. Laundering speed matching Bybit’s 2025 mega-heist ($1.46 billion, anyone?). CarbonVote deployed at 9:30 Pyongyang time — subtle, guys.
This ain’t isolated. DPRK’s raked $6.5 billion in crypto thefts lately, funding missiles and whatever. 2025 alone? Record $2 billion. Now 18 attacks this year, over $300 million. Elliptic’s verdict:
“It is a continuation of the DPRK’s sustained campaign of large-scale cryptoasset theft, which the US government has linked to the funding of its weapons programs.”
Social engineering’s their jam — DangerousPassword, Contagious Interview campaigns netting $37.5 million YTD. AI’s juicing it now, crafting perfect decoys. Devs, signers, anyone with a wallet? Target practice.
Here’s my hot take — and it’s fresh: This echoes the 2014 Mt. Gox saga, where social eng (not code) let hackers waltz in. But Drift? They had ‘battle-tested’ multisig. Lesson? Multisig’s only as strong as the weakest LinkedIn profile. Bold prediction: By 2027, DeFi protocols ditch human signers for AI guardians or face extinction. DPRK’s already AI-pimping their phishing; why aren’t you?
Drift’s scrambling — security firms, bridges, cops on the case. Funds traced, some frozen maybe. But $285 million? That’s a payday funding a small war.
Why DPRK Keeps Winning at Crypto Heists?
State resources. No overhead. AI tools for free. They’ve evolved from blunt ransomware to this nonce ninja stuff. Remember UNC1069 hitting Axios npm? Same crew — BlueNoroff overlaps. Supply chain, social eng, rinse, repeat.
DeFi’s hype machine calls multisig ‘immutable security.’ Bull. It’s humans clicking ‘approve’ on pre-signed poisons. Drift’s council migration? Zero timelock. Last defense? Vaporized.
And the PR spin? Drift says ‘no vuln in programs.’ Cute. But oracles greenlighting wash-traded trash? That’s a process fail screaming for audit.
Look, Solana’s fast, cheap — great for trading cat memes. But ‘secure’? When nation-states treat your council like chumps? Laughable.
Is Drift Toast After This Hack?
Short term? Users fleeing. Trust torched. Long term? If they rebuild with signerless multisig or threshold crypto — maybe. But DPRK’s playbook evolves weekly. You’re playing catch-up against pros who don’t sleep (or do, in bunkers).
Industry wake-up: Social eng ain’t ‘non-technical.’ It’s the kill shot. Train signers like CIA operatives. Vet every tx like it’s nukes.
Or don’t. Hand more billions to Pyongyang.
Drift’s timeline shows weeks of staging. Yet no alarms? Security Council’s a council of… what, exactly?
This hack exposes DeFi’s underbelly. Tech’s shiny; humans? Squishy. DPRK knows it. Fix it, or fund their parades.
Frequently Asked Questions
What is a durable nonce attack on Solana?
Durable nonces let a transaction be pre-signed now and broadcast whenever the holder chooses, because it never expires the way a normal blockhash-bound transaction does — perfect for tricking multisig signers into approving hidden malice that hits later.
Is DPRK behind the Drift $285M hack?
Strong on-chain signs point yes: Pyongyang-timed deploy, Tornado Cash, Bybit-like laundering. Elliptic calls it their 18th this year.
How can DeFi prevent social engineering hacks?
Ditch naive multisig for AI-monitored, signerless schemes. Vet every approver like a spy. And audit oracles — they swallowed fake tokens whole.