
Drift's $285 Million Durable Nonce Hack: DPRK-Linked Social Engineering Attack Raises Questions About Protocol Security

  • Apr 3
  • 3 min read

Key Findings


  • Drift Protocol, a Solana-based decentralized exchange, lost approximately $285 million on April 1, 2026 in a sophisticated social engineering attack

  • Attackers used Solana durable nonce accounts to hold pre-signed transactions, collected the multisig approvals they needed through social engineering, and then used them to seize the Security Council's administrative powers

  • Preparation began as early as March 23, 2026, more than a week before the theft, with staged execution and pre-signed transactions

  • Threat actors created a fictitious asset called CarbonVote Token to manipulate oracle pricing and drain funds

  • Blockchain intelligence firms Elliptic and TRM Labs attribute the attack to North Korean threat actors, consistent with DPRK tradecraft

  • No smart contract vulnerability or compromised seed phrases were involved; the breach stemmed entirely from social engineering and permission layer exploitation


Background


Drift Protocol is an exchange-grade composite DeFi platform on Solana that launched in 2021. By 2024, it had accumulated over $350 million in total value locked, served more than 175,000 traders, and generated $20 billion in cumulative trading volume. The protocol combines perpetuals trading, spot trading, and lending functions. In September 2024, Drift completed a $25 million Series B funding round, bringing total funding to $52.5 million. The platform had implemented multiple safeguards against price manipulation, including oracle validity checks, TWAP trimming, price-deviation bands, and circuit breakers designed to restrict actions when oracle prices became invalid.


The Attack Mechanism


The breach exploited the permission layer rather than the underlying smart contracts. Through social engineering the attackers collected enough multisig approvals and then, within minutes, executed an admin transfer that handed them protocol-level control. With that access they modified the risk parameters that were supposed to protect the protocol and introduced a fictitious asset, CarbonVote Token, seeding it with a few thousand dollars of liquidity and wash trading it to give it the appearance of legitimacy. Because the attackers now controlled the parameters that govern what counts as collateral and at what price, the protocol accepted the token as collateral worth hundreds of millions of dollars, enabling the drain of real assets. The safeguards listed above (oracle validity checks, deviation bands, circuit breakers) are all configured by the same administrative authority, so controlling that authority meant they could be switched off rather than bypassed.


Preparation and Execution Timeline


According to Drift's investigation, preparations began as early as March 23, 2026, more than a week before the attack. The operation relied on Solana durable nonce accounts. An ordinary Solana transaction references a recent blockhash and becomes invalid within a minute or two, so a signature collected today cannot be used tomorrow; a transaction built on a durable nonce instead stays valid until the nonce account is advanced, which is what made it possible to pre-sign transactions and delay their execution. That window gave the threat actors time to conduct reconnaissance, identify targets within the multisig structure, and craft convincing social engineering narratives while the approvals they had already obtained remained usable. Once the necessary approvals were in hand, exploitation was rapid: the attacker removed all pre-set withdrawal limits and introduced the malicious asset to move the funds out.
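The structural signature of a durable nonce transaction is something signer tooling can check before a human approves: the message's first instruction must be the System Program's AdvanceNonceAccount, and the "recent blockhash" field carries the nonce account's stored value instead of a real blockhash. The following is an added example written for this page, not Drift's code and not taken from the cited sources. It parses a Solana legacy message (the format signed by a wallet) and flags that pattern. All account keys in it are constructed placeholders; only the System Program id (32 zero bytes, base58 "11111111111111111111111111111111") and the instruction discriminants are real. It does not handle versioned (v0) messages, and it cannot confirm the nonce value against on-chain state, which a complete validator would also do.

```python
"""Flag durable-nonce transactions in Solana legacy messages.

Added example for this page (not Drift's code, not from the cited sources).
Keys below are constructed stand-ins; only SYSTEM_PROGRAM_ID is real.
"""
import struct

SYSTEM_PROGRAM_ID = bytes(32)                 # base58 "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = struct.pack("<I", 4)  # SystemInstruction discriminant 4, u32 LE
TRANSFER = 2                                  # SystemInstruction discriminant for Transfer


def encode_compact_u16(n):
    """Solana compact-u16: 7 data bits per byte, high bit means 'more follows'."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        if n == 0:
            out.append(byte)
            return bytes(out)
        out.append(byte | 0x80)


def decode_compact_u16(buf, pos):
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def build_legacy_message(header, keys, blockhash, instructions):
    """header = (num_signers, readonly_signed, readonly_unsigned);
    instructions = [(program_index, [account indices], data_bytes)]."""
    out = bytearray(header) + encode_compact_u16(len(keys))
    for key in keys:
        out += key
    out += blockhash + encode_compact_u16(len(instructions))
    for prog_idx, accounts, data in instructions:
        out.append(prog_idx)
        out += encode_compact_u16(len(accounts)) + bytes(accounts)
        out += encode_compact_u16(len(data)) + data
    return bytes(out)


def parse_legacy_message(msg):
    if msg[0] & 0x80:  # versioned messages set the high bit of the first byte
        raise ValueError("versioned message; this parser handles legacy only")
    pos = 3  # skip the 3-byte header
    n_keys, pos = decode_compact_u16(msg, pos)
    keys = [msg[pos + 32 * i:pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = msg[pos:pos + 32], pos + 32
    n_ix, pos = decode_compact_u16(msg, pos)
    instructions = []
    for _ in range(n_ix):
        prog_idx, pos = msg[pos], pos + 1
        n_acc, pos = decode_compact_u16(msg, pos)
        acc_idx, pos = msg[pos:pos + n_acc], pos + n_acc
        n_data, pos = decode_compact_u16(msg, pos)
        data, pos = msg[pos:pos + n_data], pos + n_data
        instructions.append({"program": keys[prog_idx],
                             "accounts": [keys[i] for i in acc_idx],
                             "data": data})
    return {"num_signers": msg[0], "keys": keys,
            "blockhash": blockhash, "instructions": instructions}


def durable_nonce_info(msg):
    """Nonce details if the message is a durable-nonce tx, else None.
    Structural check only: a full check also reads the nonce account on
    chain and confirms its stored value equals the blockhash field."""
    parsed = parse_legacy_message(msg)
    ixs = parsed["instructions"]
    if not ixs:
        return None
    first = ixs[0]
    if first["program"] != SYSTEM_PROGRAM_ID or first["data"] != ADVANCE_NONCE_ACCOUNT:
        return None
    # AdvanceNonceAccount accounts: [nonce account, recent-blockhashes sysvar, authority]
    return {"nonce_account": first["accounts"][0],
            "nonce_authority": first["accounts"][2],
            "nonce_value": parsed["blockhash"]}


# Constructed sample keys (stand-ins, not real on-chain addresses).
AUTHORITY = b"\x01" * 32                   # signer and nonce authority
NONCE_ACCOUNT = b"\x02" * 32
RECIPIENT = b"\x03" * 32
RECENT_BLOCKHASHES_SYSVAR = b"\x04" * 32   # stand-in for the sysvar address
NONCE_VALUE = b"\xaa" * 32                 # value stored in the nonce account
RECENT_BLOCKHASH = b"\xbb" * 32

transfer_ix_data = struct.pack("<IQ", TRANSFER, 1_000_000)

# Durable-nonce message: keys [authority, nonce, recipient, sysvar, system].
NONCE_MESSAGE = build_legacy_message(
    (1, 0, 2),
    [AUTHORITY, NONCE_ACCOUNT, RECIPIENT, RECENT_BLOCKHASHES_SYSVAR, SYSTEM_PROGRAM_ID],
    NONCE_VALUE,
    [(4, [1, 3, 0], ADVANCE_NONCE_ACCOUNT), (4, [0, 2], transfer_ix_data)],
)

# Ordinary message: same transfer, a real recent blockhash, no nonce advance.
PLAIN_MESSAGE = build_legacy_message(
    (1, 0, 1), [AUTHORITY, RECIPIENT, SYSTEM_PROGRAM_ID], RECENT_BLOCKHASH,
    [(2, [0, 1], transfer_ix_data)],
)

if __name__ == "__main__":
    for name, msg in (("nonce", NONCE_MESSAGE), ("plain", PLAIN_MESSAGE)):
        print(name, durable_nonce_info(msg))
```

A signer-side policy built on this would refuse, or at least escalate, any multisig proposal whose message reports a nonce account, since such an approval never expires on its own and can be held until the attacker has collected the rest.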


North Korean Attribution


Both Elliptic and TRM Labs identified on-chain indicators linking the attack to North Korean threat actors. The evidence includes the use of Tornado Cash for initial staging, cross-chain bridging patterns consistent with DPRK actors, and post-hack laundering whose speed and scale match previous North Korean operations such as the 2025 Bybit exploit. TRM Labs also noted that the CarbonVote Token was deployed at 09:30 Pyongyang time, a small but telling detail. Elliptic stated that, if confirmed, this would be the eighteenth DPRK-linked attack it has tracked since the start of 2026, with over $300 million stolen in that period.


Broader DPRK Crypto Campaign


The Drift attack is part of a sustained, well-resourced DPRK campaign to fund weapons programs. Elliptic estimates that North Korean actors have stolen over $6.5 billion in cryptoassets in recent years, with 2025 a record year at $2 billion, of which approximately $1.46 billion came from the Bybit hack alone. The primary attack vector remains social engineering, delivered through campaigns tracked as DangerousPassword, CageyChameleon, CryptoMimic, CryptoCore, and Contagious Interview; Elliptic reported that, as of late February 2026, these twin campaigns had generated $37.5 million for the threat actors. The rising sophistication of the lures, now refined with AI assistance, is an expanding threat to individual developers, project contributors, and anyone with access to cryptoasset infrastructure.


Ongoing Investigation and Response


Drift is coordinating with multiple security firms to determine how the attack succeeded despite existing safeguards. The company is also working with bridges, exchanges, and law enforcement to trace and freeze stolen assets. All assets deposited into Drift's lending module, vaults, and trading accounts have been affected. Unaffected assets include DSOL tokens not deposited into Drift, assets staked to the Drift Validator, and insurance fund assets. Drift has suspended deposits and withdrawals while the investigation continues.


Sources


  • https://thehackernews.com/2026/04/drift-loses-285-million-in-durable.html

  • https://wublock.substack.com/p/drift-loses-285-million-did-hackers

© 2025 by Explain IT Again