Drift Exchange Suffers $285 Million Loss in Sophisticated Social Engineering Attack
On April 1, 2026, the Solana-based decentralized exchange Drift experienced a significant security breach, resulting in the loss of approximately $285 million. The attack was executed through a novel method involving durable nonces, allowing the perpetrators to swiftly assume administrative control over Drift’s Security Council.
In a series of posts on X, Drift detailed the incident, stating: "Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift's Security Council administrative powers." The company emphasized the sophistication of the operation, noting that it appeared to involve weeks of preparation and a staged execution. The attackers utilized durable nonce accounts to pre-sign transactions, delaying their execution to facilitate the breach.
Importantly, Drift clarified that the attack did not exploit vulnerabilities within its programs or smart contracts, nor was there evidence of compromised seed phrases. Instead, the breach involved unauthorized or misrepresented transaction approvals obtained prior to execution, likely facilitated through durable nonce mechanisms and advanced social engineering tactics.
The attackers managed to secure sufficient multi-signature (multisig) approvals and executed a malicious administrative transfer within minutes. This maneuver granted them control over protocol-level permissions, which they exploited to introduce a fraudulent asset and remove all pre-set withdrawal limits, thereby accessing existing funds.
Drift’s timeline indicates that preparations for the hack began as early as March 23, 2026. The company is collaborating with multiple security firms to investigate the incident’s cause and is working with bridges, exchanges, and law enforcement agencies to trace and freeze the stolen assets.
Analyses by Elliptic and TRM Labs suggest that North Korean crypto thieves may be responsible for the heist. Indicators include the use of Tornado Cash for initial staging, cross-chain bridging patterns, and the rapid and large-scale laundering of funds, all consistent with previous hacks attributed to North Korean threat actors, such as the massive Bybit exploit of 2025.
TRM Labs highlighted that the critical vulnerability was not a smart contract flaw but a combination of social engineering multisig signers into pre-signing hidden authorizations and a zero-timelock Security Council migration that eliminated the protocol’s last line of defense. The attackers created a fictitious asset, CarbonVote Token, with minimal seeded liquidity and wash trading. Drift’s oracles mistakenly recognized it as legitimate collateral worth hundreds of millions of dollars.
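The defensive check this mechanism calls for, as an added illustration that is not code from Drift, TRM Labs or Elliptic: on Solana a durable-nonce transaction is recognizable because its first instruction is the System Program's AdvanceNonceAccount, which is what lets a signed approval sit unexecuted for days instead of expiring in about a minute. The transaction layout is simplified and the admin program id in AUTHORITY_PROGRAMS is a hypothetical placeholder; a signer-side policy would list its own protocol's authority programs there.

```python
import struct

# Solana System Program id (real). A durable-nonce transaction must begin with
# System::AdvanceNonceAccount (instruction index 4, u32 little-endian).
SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE_DATA = struct.pack("<I", 4)

# Hypothetical placeholder: programs whose instructions can change protocol
# authorities (e.g. a Security Council / admin program).
AUTHORITY_PROGRAMS = {"AdminProgPLACEHOLDER111111111111111111111111"}


def uses_durable_nonce(msg: dict) -> bool:
    """True if the first instruction is System::AdvanceNonceAccount."""
    if not msg["instructions"]:
        return False
    ix = msg["instructions"][0]
    return (msg["account_keys"][ix["program_id_index"]] == SYSTEM_PROGRAM
            and ix["data"] == ADVANCE_NONCE_DATA)


def touches_authority(msg: dict) -> bool:
    """True if any instruction is routed to an authority-changing program."""
    return any(msg["account_keys"][ix["program_id_index"]] in AUTHORITY_PROGRAMS
               for ix in msg["instructions"])


def review(msg: dict) -> tuple[str, list[str]]:
    """Policy: never pre-sign a durable-nonce transaction that touches an
    authority program; either property alone escalates to a human check."""
    reasons = []
    if uses_durable_nonce(msg):
        reasons.append("durable nonce: signature stays valid indefinitely")
    if touches_authority(msg):
        reasons.append("instruction targets an authority-changing program")
    if len(reasons) == 2:
        return "reject", reasons
    return ("escalate" if reasons else "ok"), reasons


# Constructed sample: a durable-nonce message whose second instruction calls the
# placeholder admin program, i.e. the shape a hidden authority transfer takes.
SAMPLE_MSG = {
    "account_keys": ["<signer pubkey>", "<nonce account>", SYSTEM_PROGRAM,
                     "AdminProgPLACEHOLDER111111111111111111111111"],
    "recent_blockhash": "<nonce value stored in the nonce account>",
    "instructions": [
        {"program_id_index": 2, "accounts": [1, 0], "data": ADVANCE_NONCE_DATA},
        {"program_id_index": 3, "accounts": [0], "data": b"\x01"},
    ],
}
```

Running `review(SAMPLE_MSG)` returns `("reject", [...])`, whereas a plain transfer with a fresh blockhash returns `("ok", [])`; the point is that a signer sees the nonce property before the approval leaves their device.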
Elliptic’s analysis aligns with these findings, noting that the on-chain behavior, laundering methodologies, and network-level indicators correspond with known tactics used by threat actors from the Democratic People’s Republic of Korea (DPRK). If confirmed, this incident would represent the eighteenth DPRK-linked act tracked by Elliptic since the start of the year, with over $300 million stolen to date.
This event underscores the ongoing and sophisticated nature of cyber threats targeting the cryptocurrency sector. It highlights the critical importance of robust security measures, continuous monitoring, and comprehensive incident response strategies to safeguard digital assets against increasingly complex attacks.