Solana-based decentralized exchange Drift has confirmed a major security incident that resulted in the loss of approximately $285 million, following a highly coordinated attack that took place on April 1, 2026. The company disclosed that a malicious actor gained unauthorized access to Drift Protocol by exploiting a complex mechanism involving durable nonces, which ultimately enabled a rapid takeover of administrative control linked to its Security Council. The breach has raised concerns across the digital asset ecosystem due to the scale of the loss and the sophistication of the techniques involved.
According to statements shared by Drift, the operation was not the result of a flaw in its smart contracts or core programs, and there is no indication that seed phrases were compromised. Instead, the attack relied on social engineering tactics combined with pre-signed transactions using durable nonce accounts, which allow execution to be delayed indefinitely. This approach allowed attackers to obtain or misrepresent transaction approvals ahead of time and execute them later without immediate detection. By securing enough approvals within a multi-signature framework, the threat actors were able to perform a malicious administrative transfer within minutes, gaining control over protocol-level permissions and removing the withdrawal limits that protected user funds.
Further analysis revealed that preparations for the attack began as early as March 23, 2026, indicating a carefully staged campaign that unfolded over several weeks. Once access was obtained, the attackers introduced a fraudulent asset identified as CarbonVote Token, which was supported by minimal liquidity and artificial trading activity. Despite its fabricated nature, the token was treated by system oracles as legitimate collateral with a significantly inflated valuation, allowing attackers to exploit the platform’s financial mechanisms at scale. Blockchain intelligence firms noted that the token deployment occurred at 09:30 Pyongyang time, adding to suspicions around the origin of the operation.
Independent investigations conducted by Elliptic and TRM Labs suggest that the attack bears similarities to known patterns associated with threat actors linked to the Democratic People’s Republic of Korea. Indicators include the use of Tornado Cash for initial staging, cross-chain fund movements, and rapid laundering techniques observed in previous incidents such as the Bybit exploit of 2025. Reports indicate that the primary weakness was not technical code but the manipulation of multisig participants into pre-approving hidden authorizations, combined with the absence of a time-delay mechanism that could have prevented immediate execution of administrative changes.
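The two defensive controls the reporting points to, flagging approvals that are signed as durable-nonce transactions and putting a timelock in front of administrative changes, can be modelled in a few lines. The following is an added example written for this article; it is not Drift's, Elliptic's or Solana's code. It assumes the transaction shape that Solana RPC returns with the `jsonParsed` encoding (a `programId` per instruction and a `parsed.type` of `advanceNonce` for the System program's AdvanceNonceAccount instruction, which a durable-nonce transaction must carry as its first instruction); the multisig and admin program addresses, the privileged instruction names, and both sample transactions are constructed placeholders.

```python
"""Added example (not Drift's code): review a multisig proposal for durable-nonce
use and privileged instructions, and gate privileged actions behind a timelock.
Transaction dicts follow the Solana RPC jsonParsed shape; samples are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

SYSTEM_PROGRAM = "11111111111111111111111111111111"  # Solana System program

# Instruction types a signer should treat as privileged. Constructed list; a real
# deployment would map these to the protocol's own admin instruction names.
PRIVILEGED_TYPES = {"transferAdmin", "updateAdmin", "setWithdrawLimit"}


def uses_durable_nonce(tx: dict) -> bool:
    """True if the first instruction is System::AdvanceNonceAccount ("advanceNonce"
    in jsonParsed form). Such a transaction does not expire with a recent
    blockhash, so a collected signature can be broadcast at any later time."""
    instructions = tx["message"]["instructions"]
    if not instructions:
        return False
    first = instructions[0]
    return (first.get("programId") == SYSTEM_PROGRAM
            and first.get("parsed", {}).get("type") == "advanceNonce")


def privileged_instructions(tx: dict) -> list[str]:
    """Names of every privileged instruction in the transaction, in order."""
    return [ix["parsed"]["type"] for ix in tx["message"]["instructions"]
            if ix.get("parsed", {}).get("type") in PRIVILEGED_TYPES]


def review(tx: dict) -> list[str]:
    """Findings a multisig signer should see before approving a proposal."""
    findings = []
    if uses_durable_nonce(tx):
        findings.append("durable nonce: approval can be executed at any later time")
    for name in privileged_instructions(tx):
        findings.append(f"privileged instruction: {name}")
    return findings


@dataclass
class Timelock:
    """Minimal timelock: a privileged action queued at time `now` becomes
    executable only at now + delay, giving other signers a window to cancel."""
    delay: int                                  # seconds
    queued: dict[str, int] = field(default_factory=dict)
    cancelled: set[str] = field(default_factory=set)

    def queue(self, action_id: str, now: int) -> int:
        self.queued[action_id] = now + self.delay
        return self.queued[action_id]           # earliest execution time

    def cancel(self, action_id: str) -> None:
        self.cancelled.add(action_id)

    def can_execute(self, action_id: str, now: int) -> bool:
        eta = self.queued.get(action_id)
        return eta is not None and action_id not in self.cancelled and now >= eta


# Constructed sample: an ordinary approval that expires with its recent blockhash.
ORDINARY_TX = {"message": {"recentBlockhash": "<recent blockhash>", "instructions": [
    {"programId": "<multisig program placeholder>",
     "parsed": {"type": "approve", "info": {"proposal": "<proposal placeholder>"}}},
]}}

# Constructed sample: a pre-signed durable-nonce transaction carrying an admin transfer.
NONCE_TX = {"message": {"recentBlockhash": "<stored nonce value>", "instructions": [
    {"programId": SYSTEM_PROGRAM,
     "parsed": {"type": "advanceNonce",
                "info": {"nonceAccount": "<nonce account placeholder>",
                         "nonceAuthority": "<nonce authority placeholder>"}}},
    {"programId": "<admin program placeholder>",
     "parsed": {"type": "transferAdmin", "info": {"newAdmin": "<unknown pubkey>"}}},
]}}

if __name__ == "__main__":
    for label, tx in (("ordinary", ORDINARY_TX), ("nonce", NONCE_TX)):
        print(label, review(tx) or ["no findings"])
    lock = Timelock(delay=48 * 3600)            # two-day delay, constructed value
    eta = lock.queue("admin-transfer-1", now=0)
    print("executable at t=0:", lock.can_execute("admin-transfer-1", 0),
          "| at eta:", lock.can_execute("admin-transfer-1", eta))
```

The nonce check is a signing-time control: a proposal that arrives as a durable-nonce transaction should be treated as an open-ended authorization rather than a one-off approval. The timelock is an execution-time control: even a fully approved admin transfer only becomes executable after the delay, so an unexpected one can be cancelled before it takes effect.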
Elliptic further stated that if attribution is confirmed, this would represent the eighteenth such incident tracked this year, with more than $300 million stolen so far in 2026 alone. The organization has also reported that DPRK-linked actors have stolen over $6.5 billion in crypto assets in recent years, with 2025 alone accounting for a record $2 billion in thefts, including approximately $1.46 billion from the Bybit breach. These operations are often linked to campaigns such as DangerousPassword and Contagious Interview, which rely heavily on social engineering tactics to target individuals within cryptocurrency and Web3 environments.
Drift has stated that it is currently working with security firms, exchanges, and relevant authorities to trace and freeze the stolen assets. The incident comes alongside another development involving a supply chain compromise of the widely used Axios npm package, which multiple cybersecurity vendors, including Google, Microsoft, CrowdStrike, and Sophos, have attributed to a North Korea-linked group identified as UNC1069. This group is believed to overlap with other known clusters such as BlueNoroff, CryptoCore, Nickel Gladstone, Sapphire Sleet, and Stardust Chollima, all of which are associated with financially motivated cyber operations.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.