Nation-state | Apr 3, 2026

North Korean Hackers Drain $285 Million From Drift in 10 Seconds

North Korean hackers steal $285 million from DeFi platform Drift in 10-second heist.

Summary

A North Korean threat actor executed a sophisticated $285 million attack on the Drift decentralized finance platform, pre-staging infrastructure eight days in advance and using durable nonce transactions to drain five vaults in seconds. The attackers compromised a multisig admin key, created a fake collateral market for worthless CVT tokens, disabled safety systems, and immediately began laundering funds across 57,331 wallet addresses using automated bots. The attack is likely the work of Pyongyang-aligned hackers, who are estimated to have stolen over $6.5 billion in cryptocurrency in recent years.

Full text

A North Korean threat actor is likely to be blamed for a $285 million heist from decentralized finance (DeFi) platform Drift, executed as part of a carefully planned attack. The incident, Drift said, was a “highly sophisticated operation” involving “the use of durable nonce accounts to pre-sign transactions that delayed execution” and the compromise of multisig signers’ approvals. “Drift Protocol is coordinating with multiple security firms to determine the cause of the incident. Drift is also working with bridges, exchanges, and law enforcement to trace and freeze stolen assets,” Drift said, promising more details in a future postmortem.

According to blockchain security company Elliptic, the attack was likely mounted by a North Korean threat actor and resulted in the theft of $286 million from Drift. Over the past several years, Pyongyang-aligned hackers are estimated to have stolen over $6.5 billion in cryptocurrency.

The attack was executed with extreme precision: the hackers set up supporting infrastructure roughly eight days before, prepared multiple nonce-based transactions, gained admin control, drained funds from five vaults within seconds, and immediately started laundering them through multiple wallets. A PIF Research Labs analysis of the heist shows that the attackers created a brand-new wallet eight days before the exploit and performed a series of microtransactions to ensure it could receive seven types of tokens.

The attackers used a durable nonce to create a transaction on the Solana blockchain that would never expire, and then pre-signed every transaction used during the attack to ensure everything was executed rapidly. Five hours before the attack, the hackers gained control of a Drift admin key, which allowed them to modify settings on the protocol. It was protected by a multisig, but Drift allows for changes to be approved with only 2 out of 5 keyholders.
“Five hours before the exploit, the carryover signer proposed transferring the admin key. One of the new signers co-signed within one second,” and because the change had a zero-second timelock, it was executed instantly, PIF Research Labs explains.

Fake market, fake tokens, real theft

The hackers used the compromised admin key 25 seconds before the heist to create a fake collateral market for CVT, a worthless token they had minted 20 days earlier, and to disable Drift’s safety system that prevents massive, rapid asset drains. The market was configured to drain as many funds as possible by setting CVT parameters to increase the value of the fake tokens, eliminate penalties for depositing massive supply, and eliminate incentives to liquidate the fake position. Additionally, CVT’s tier was set to the highest available on Drift, to ensure borrowing power for the fake tokens, and an ‘oracle’ for it was used to increase the value of the worthless tokens to hundreds of millions.

To disable the DeFi platform’s anti-drain system, the hackers modified its circuit breakers, which are designed to block withdrawals if too many assets are drained from a vault too fast, raising the value to 500 trillion.

“The fake market creation and the circuit breaker modifications were bundled into a single on-chain transaction at 16:05:39 UTC. Twenty-five seconds later, the withdrawals began. The entire weaponisation took less time than it takes to order coffee,” PIF Research Labs notes.

Two seconds after depositing 500 million CVT, which the fake oracle valued at over $100 million, the heist started. Within 10 seconds, funds were drained from JLP, USDC, cbBTC, USDS, dSOL, and wETH. The JLP vault was completely drained.

Next, the hackers began laundering the money. The funds were moved from the attackers’ wallet to 27 getaway wallets and then scattered across 57,331 wallet addresses using automated bots. Roughly $225 million in assets were swapped to Ethereum and stored in three wallets.
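As an added example that is not part of the article or of Drift's own code, the following review policy flags the governance patterns the incident report describes: an admin key transfer with a zero-second timelock, a below-majority approval threshold, a freshly minted collateral token placed in the top tier, and a circuit-breaker limit raised by orders of magnitude in the same transaction as a market creation. The `Change`/`Proposal` structures, the thresholds `MAX_RAISE_RATIO` and `MIN_TOKEN_AGE_DAYS`, and all sample values are constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed review policy (not Drift's): thresholds chosen for illustration.
MAX_RAISE_RATIO = 100.0     # a limit raised more than 100x in one change is suspicious
MIN_TOKEN_AGE_DAYS = 90     # collateral minted more recently than this needs review

@dataclass
class Change:
    kind: str                  # "admin_transfer", "market_create" or "param_update"
    target: str                # signer set, market or vault affected
    params: dict = field(default_factory=dict)

@dataclass
class Proposal:
    tx_id: str
    threshold: int             # approvals required to execute
    signer_count: int          # total keyholders on the multisig
    timelock_seconds: int      # delay between approval and execution
    changes: list

def review_proposal(p: Proposal, current: dict) -> list:
    """Return human-readable findings for one admin/governance proposal.
    `current` maps (target, parameter) -> the value currently in force."""
    findings = []
    kinds = {c.kind for c in p.changes}
    if "admin_transfer" in kinds and p.timelock_seconds == 0:
        findings.append("admin key transfer with a zero-second timelock")
    if p.threshold * 2 <= p.signer_count:
        findings.append(f"{p.threshold}-of-{p.signer_count} approvals is not a majority")
    if {"market_create", "param_update"} <= kinds:
        findings.append("new market and risk-parameter changes bundled in one transaction")
    for c in p.changes:
        if c.kind == "market_create":
            age = c.params.get("token_age_days", 0)
            if c.params.get("tier") == "highest":
                findings.append(f"{c.target}: new collateral placed in the highest tier")
            if age < MIN_TOKEN_AGE_DAYS:
                findings.append(f"{c.target}: collateral token is only {age} days old")
        elif c.kind == "param_update":
            for name, new in c.params.items():
                old = current.get((c.target, name))
                if old and new / old > MAX_RAISE_RATIO:
                    findings.append(f"{c.target}.{name}: raised {new / old:,.0f}x")
    return findings

# Constructed proposal that compresses the sequence above into one bundle for review.
CURRENT = {("vault:JLP", "circuit_breaker_limit"): 5_000_000.0}
PROPOSAL = Proposal("tx-example", threshold=2, signer_count=5, timelock_seconds=0, changes=[
    Change("admin_transfer", "admin_multisig", {"new_admin": "example-key"}),
    Change("market_create", "market:CVT", {"tier": "highest", "token_age_days": 20}),
    Change("param_update", "vault:JLP", {"circuit_breaker_limit": 500e12}),
])

if __name__ == "__main__":
    for finding in review_proposal(PROPOSAL, CURRENT):
        print("ALERT:", finding)
```

Run stand-alone, the block prints six alerts for the constructed proposal and none for a proposal that changes nothing under a majority threshold and a non-zero timelock.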
The bots continued their work for over 34 hours, making 590 transactions per minute, operating across multiple blockchains and centralized exchanges simultaneously, adding complexity to the money-trail investigation. PIF Research Labs says more than 860,000 transactions were made within 34 hours.

Written by Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.

Entities

  • North Korean hackers / Pyongyang-aligned threat actor (threat_actor)
  • Drift Protocol (product)
  • Elliptic (vendor)
  • PIF Research Labs (vendor)
  • Solana blockchain (technology)
  • Drift $285M heist (campaign)