Solana-based decentralized exchange Drift has reported a significant security breach resulting in a loss of approximately $285 million. The incident, which occurred on April 1, 2026, involved unauthorized access gained through sophisticated social engineering techniques.
Details of the Security Breach
Drift disclosed that the attack was executed through a novel method using durable nonces, which allowed the perpetrators to quickly assume control over Drift’s Security Council administrative functions. This breach was not due to vulnerabilities in Drift’s software or smart contracts but rather to unauthorized transaction approvals, potentially obtained through advanced social engineering strategies.
The attackers managed to secure enough multi-signature approvals to perform a malicious administrative transfer, thereby bypassing preset withdrawal limits and seizing control over protocol-level permissions. This enabled them to introduce a fictitious asset and manipulate existing funds.
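As an added illustration of the durable-nonce mechanism described above (this is not Drift's code and is not taken from the cited reports): a Solana transaction is durable only when its first instruction is the system program's AdvanceNonceAccount, and a signature over such a message does not lapse with the recent blockhash the way an ordinary approval does. The check below, written for a multisig signer's review tooling, parses a legacy message and flags that pattern; the signer, nonce-account and multisig-program keys are constructed placeholders.

```python
import struct

SYSTEM_PROGRAM = bytes(32)      # pubkey "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4       # SystemInstruction enum index, u32 little-endian in data

def _dec_compact(buf, pos):
    """Decode a Solana compact-u16 (shortvec) length at pos; returns (value, new_pos)."""
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7

def build_message(keys, blockhash, ixs, header=(1, 0, 1)):
    """Serialize a legacy message; ixs are (program_key_index, account_indices, data).
    Lengths below 128 are a single compact-u16 byte, enough for these samples."""
    out = bytearray(header) + bytes([len(keys)]) + b"".join(keys) + blockhash + bytes([len(ixs)])
    for prog_idx, accs, data in ixs:
        out += bytes([prog_idx, len(accs)]) + bytes(accs) + bytes([len(data)]) + data
    return bytes(out)

def first_instruction(buf):
    """Return (program_key, data) of the first instruction, or None if there is none."""
    n_keys, pos = _dec_compact(buf, 3)                  # skip the 3-byte header
    keys = [buf[pos + 32 * i:pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys + 32                             # keys, then recent_blockhash / nonce value
    n_ix, pos = _dec_compact(buf, pos)
    if n_ix == 0:
        return None
    prog_idx, pos = buf[pos], pos + 1
    n_acc, pos = _dec_compact(buf, pos)
    dlen, pos = _dec_compact(buf, pos + n_acc)          # skip the account indices
    return keys[prog_idx], buf[pos:pos + dlen]

def uses_durable_nonce(buf):
    """Durable only when the FIRST instruction is SystemProgram AdvanceNonceAccount."""
    ix = first_instruction(buf)
    return (ix is not None and ix[0] == SYSTEM_PROGRAM and len(ix[1]) == 4
            and struct.unpack("<I", ix[1])[0] == ADVANCE_NONCE_ACCOUNT)

# Constructed sample keys (not real addresses): signer, nonce account, sysvar, multisig program.
SIGNER, NONCE_ACCT, SYSVAR, MULTISIG = (bytes([i]) * 32 for i in (1, 2, 3, 5))
KEYS = [SIGNER, NONCE_ACCT, SYSVAR, SYSTEM_PROGRAM, MULTISIG]
APPROVE_IX = (4, [0], b"\x00")                          # constructed multisig "approve" call
ADVANCE_IX = (3, [1, 2, 0], struct.pack("<I", ADVANCE_NONCE_ACCOUNT))
DURABLE_MSG = build_message(KEYS, bytes([0xAA]) * 32, [ADVANCE_IX, APPROVE_IX])  # nonce in hash slot
NORMAL_MSG = build_message(KEYS, bytes([0xBB]) * 32, [APPROVE_IX])
```

A signer UI that surfaces `uses_durable_nonce` as a warning gives each council member a chance to ask why an approval is being collected in a form that can be held and submitted later.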
Investigations and Attributions
Drift is actively collaborating with security firms, exchanges, and law enforcement to trace and freeze the stolen assets. Meanwhile, Elliptic and TRM Labs have released reports suggesting North Korean involvement in the heist. They observed patterns consistent with previous North Korean hacks, including the use of Tornado Cash, cross-chain bridging, and rapid laundering techniques.
TRM Labs highlighted that the attackers devised a fake asset, the CarbonVote Token, and manipulated its perceived value by seeding liquidity and engaging in wash trading. This coincided with the deployment of the token at a specific time in Pyongyang.
Wider Implications and Response
This incident marks what could be the eighteenth North Korean-linked crypto theft this year, with over $300 million already stolen. Elliptic notes that these acts are part of a broader campaign purportedly funding North Korea’s weapons programs, with historical thefts exceeding $6.5 billion.
The North Korean strategy often relies on social engineering, using fabricated personas to target individuals in the crypto and Web3 sectors. This is part of ongoing campaigns such as DangerousPassword and Contagious Interview, which have netted millions in recent months.
In parallel, the Axios npm package supply chain was compromised, attributed to the North Korean group UNC1069. This group is associated with several other notorious hacking entities and is thought to be state-sponsored, focusing on generating revenue for North Korea.
As these attacks grow in sophistication, the threat extends beyond exchanges, posing risks to developers and anyone involved in crypto infrastructure. The use of AI to enhance these social engineering tactics makes it imperative for the industry to bolster defenses.
