In a significant security breach, North Korean hackers are suspected of stealing $285 million from the decentralized finance platform Drift. This cyberattack is believed to have been meticulously planned in advance and then executed within a matter of seconds.
Details of the Sophisticated Attack
Drift has described the heist as a ‘highly sophisticated operation’ involving the strategic use of durable nonce accounts to pre-sign transactions and delay their execution, alongside compromising approvals from multisig signers. The platform is actively collaborating with security firms, exchanges, and law enforcement to trace and potentially recover the stolen assets.
According to blockchain security firm Elliptic, the attack was executed by North Korean threat actors, resulting in the theft of $286 million. This incident adds to an estimated $6.5 billion in cryptocurrency stolen by hackers aligned with Pyongyang over the past few years.
Preparation and Execution
The hackers prepared their infrastructure approximately eight days before the attack, setting up nonce-based transactions and gaining administrative control over Drift. They drained funds from five vaults within seconds and began laundering the assets through multiple wallets immediately after.
PIF Research Labs’ analysis indicates that the attackers created a new wallet eight days prior to the breach, conducting microtransactions to ensure it could handle various tokens. They utilized a durable nonce on the Solana blockchain, pre-signing all transactions to facilitate rapid execution.
Exploiting System Vulnerabilities
Five hours before the theft, the hackers acquired a Drift admin key, enabling them to alter protocol settings. Despite being protected by a multisig, Drift allowed changes with only two out of five keyholder approvals. This security lapse was exploited swiftly.
Just before the heist, the attackers used the compromised key to establish a fake market for a worthless token, CVT, and disabled Drift’s safety protocols. This setup allowed them to manipulate token values, bypass withdrawal limits, and drain assets rapidly.
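The two weaknesses described above, pre-signed durable-nonce transactions and a 2-of-5 approval threshold, can both be checked for on the defender's side. The following is an added example, not code from the article or from Drift: it triages Solana transactions in the JSON-RPC "jsonParsed" shape (assumed to match the public RPC output, where a durable-nonce transaction opens with a System Program advanceNonce instruction), flags any that also call a watched admin program (placeholder program id, an assumption), and tests whether a k-of-n multisig threshold is below a majority. The sample transactions are constructed.

```python
# Added example (not from the article or from Drift): defender-side triage of
# Solana transactions in JSON-RPC "jsonParsed" form. A durable-nonce transaction
# begins with a System Program "advanceNonce" instruction, which is what lets a
# transaction be signed days before it is sent. Flag such transactions when they
# also touch a watched admin/multisig program, and flag weak multisig thresholds.
from typing import Iterable

# Placeholder id for the protocol's admin/multisig program (an assumption).
WATCHED_PROGRAMS = {"AdminProgram1111111111111111111111111111111"}
SYSTEM_PROGRAM = "11111111111111111111111111111111"

def uses_durable_nonce(tx: dict) -> bool:
    """True if the first instruction is System Program advanceNonce."""
    ixs = tx["transaction"]["message"]["instructions"]
    if not ixs:
        return False
    first = ixs[0]
    return first.get("program") == "system" and \
        first.get("parsed", {}).get("type") == "advanceNonce"

def touches_watched_program(tx: dict) -> bool:
    """True if any instruction in the transaction targets a watched program."""
    ixs = tx["transaction"]["message"]["instructions"]
    return any(ix.get("programId") in WATCHED_PROGRAMS for ix in ixs)

def flag_presigned_admin_txs(txs: Iterable[dict]) -> list[str]:
    """Signatures of durable-nonce transactions that hit a watched program."""
    return [tx["transaction"]["signatures"][0] for tx in txs
            if uses_durable_nonce(tx) and touches_watched_program(tx)]

def threshold_is_weak(threshold: int, signers: int) -> bool:
    """A k-of-n multisig is weak when k is not a strict majority of n."""
    return threshold * 2 <= signers

# Constructed sample: one nonce-backed admin call, one ordinary transfer.
SAMPLE_TXS = [
    {"transaction": {"signatures": ["sigA"], "message": {"instructions": [
        {"program": "system", "programId": SYSTEM_PROGRAM,
         "parsed": {"type": "advanceNonce",
                    "info": {"nonceAccount": "NonceAcc", "nonceAuthority": "Auth"}}},
        {"programId": "AdminProgram1111111111111111111111111111111", "accounts": []}]}}},
    {"transaction": {"signatures": ["sigB"], "message": {"instructions": [
        {"program": "system", "programId": SYSTEM_PROGRAM,
         "parsed": {"type": "transfer", "info": {"lamports": 1}}}]}}},
]

if __name__ == "__main__":
    print(flag_presigned_admin_txs(SAMPLE_TXS))  # ['sigA']
    print(threshold_is_weak(2, 5))               # True: 2-of-5 is below a majority
```

In practice the transaction list would come from the RPC's getTransaction or getSignaturesForAddress results for the admin program's accounts.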
Aftermath and Investigation
The hackers laundered the stolen funds by distributing them across 27 getaway wallets and over 57,000 wallet addresses, using automated bots to conduct 590 transactions per minute for 34 hours. Approximately $225 million of the assets were converted to Ethereum and stored in three wallets, complicating the investigation.
As the investigation continues, this attack underscores the vulnerabilities in DeFi platforms and the persistent threat posed by state-sponsored cybercrime. Drift and its partners are working tirelessly to track and recover the stolen assets, providing a cautionary tale for the cryptocurrency community.
