Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK

Summary

Solana-based decentralized exchange Drift suffered a $285 million theft on April 1, 2026, via a multi-week social engineering campaign targeting the Security Council through durable nonce pre-signed transactions. Blockchain intelligence firms Elliptic and TRM Labs attribute the attack to North Korean threat actors, consistent with DPRK's sustained cryptoasset theft campaign that has netted over $6.5 billion in recent years. The incident coincides with the compromise of the Axios npm package, also attributed to North Korean group UNC1069/BlueNoroff.

Full text

Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK Ravie LakshmananApr 03, 2026Durable Nonce Social Engineering Solana-based decentralized exchange Drift has confirmed that attackers drained about $285 million from the platform during a security incident that took place on April 1, 2026. "Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers," the company said in a series of posts on X. "This was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution." Drift noted that the attack did not exploit a vulnerability in its programs or smart contracts, and that there is no evidence of compromised seed phrases. Rather, the breach is said to have "involved unauthorized or misrepresented transaction approvals obtained prior to execution, likely facilitated through durable nonce mechanisms and sophisticated social engineering," it explained. To that end, the threat actors obtained sufficient multi-signature (multisig) approvals and executed a malicious admin transfer within minutes to gain control of protocol-level permissions, ultimately leveraging it to "introduce a malicious asset and remove all pre-set withdrawal limits, attacking existing funds." According to a timeline of events shared by Drift, preparations for the hack were underway as early as March 23, 2026. The company said it's coordinating with multiple security firms to determine the cause of the incident, adding it's working with bridges, exchanges, and law enforcement to trace and freeze the stolen assets. A PIF Research Labs analysis reveals that the assets were drained within 10 seconds. "From first withdrawal (41.72M JLP at 16:06:09) to last primary withdrawal (2,200 wETH at 16:06:19)," it said. "The major vaults were emptied in the time it takes to send a text." In separate reports published Thursday, both Elliptic and TRM Labs said there are on-chain indications that North Korean crypto thieves may be behind the cryptocurrency heist. This included the use of Tornado Cash for initial staging, as well as the cross-chain bridging patterns and the speed and scale of post-hack laundering that are consistent with hacks previously attributed to North Korean threat actors, including the massive Bybit exploit of 2025. "The critical vulnerability was not a smart contract bug but a combination of social engineering multisig signers into pre-signing hidden authorizations and a zero-timelock Security Council migration that eliminated the protocol's last line of defense," TRM Labs said. "The attacker manufactured an entirely fictitious asset — CarbonVote Token — with a few thousand dollars in seeded liquidity and wash trading, and Drift's oracles treated it as legitimate collateral worth hundreds of millions of dollars." The blockchain intelligence firm also pointed out that the CarbonVote Token was deployed at 09:30 Pyongyang time. Elliptic, in its own analysis of the security incident, said the on-chain behavior, laundering methodologies, and network-level indicators align with known tradecraft associated with threat actors from the Democratic People's Republic of Korea (DPRK). The company also noted that, if confirmed, this incident "would represent the eighteenth DPRK act" it has tracked since the start of the year, with more than $300 million stolen to date. "It is a continuation of the DPRK's sustained campaign of large-scale cryptoasset theft, which the US government has linked to the funding of its weapons programs," Elliptic said. "DPRK-linked actors are believed to have stolen over $6.5 billion dollars in cryptoassets in recent years." The North Korean cryptoasset theft operation is estimated to have netted a record $2 billion in 2025, out of which approximately $1.46 billion originated from the hack of Bybit in February 2025. Social engineering remains the primary initial access pathway through which these attacks are executed, leveraging persuasive personas and decoys to target the cryptocurrency and Web3 sectors through campaigns tracked as DangerousPassword (aka CageyChameleon, CryptoMimic, and CryptoCore) and Contagious Interview. As of late February 2026, the combined gains from the twin campaigns total $37.5 million this year. "The DPRK's cryptoasset theft operation is not a series of isolated incidents. It is a sustained, well-resourced campaign that is growing in scale and sophistication," Elliptic said. "The evolution of the DPRK's social engineering techniques, combined with the increasing availability of AI to refine and perfect these methods, means the threat extends well beyond exchanges. Individual developers, project contributors and anyone with access to cryptoasset infrastructure is a potential target." The development coincides with the supply chain compromise of the popular Axios npm package, which multiple security vendors, including Google, Microsoft, CrowdStrike, and Sophos, have attributed to a North Korean hacking group called UNC1069, which overlaps with BlueNoroff, CryptoCore, Nickel Gladstone, Sapphire Sleet, and Stardust Chollima. "This state-sponsored group focuses on generating revenue for the North Korean regime," Sophos said. "The artifacts include identical forensic metadata and command-and-control (C2) patterns, as well as connections to malware exclusively used by Nickel Gladstone. Based on these artifacts, it is highly likely that Nickel Gladstone is responsible for the Axios attacks." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Blockchain, cryptocurrency, cybersecurity, data breach, North Korea, Smart Contract, social engineering, Threat Intelligence, Web3 Trending News Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More Popular Resources Detect AI-Driven Threats Faster With Full Network Visibility [Demo] Discover SaaS Risks and Monitor Every App in Your Environment [Guide] Learn How to Govern AI Agents With Proven Market Guidance SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats

Indicators of Compromise

• malware — CarbonVote Token
• malware — Tornado Cash

Entities