North Korea–linked hackers drain $285M from Drift in sophisticated attack
Summary: North Korea-linked hackers used durable nonce accounts and the multisig approval mechanism to attack Drift Protocol, stealing $285 million and moving the funds quickly. 2026-4-3 13:57:51 Author: securityaffairs.com


Drift lost $285M in a sophisticated attack, likely carried out by North Korea-linked actors who used durable-nonce tricks to gain control and quickly drain funds.

Drift suffered a $285 million cryptocurrency heist in a highly sophisticated attack likely linked to North Korea. Threat actors used durable nonce accounts to pre-sign transactions and delay their execution, and also compromised multisig approvals to gain admin control.

“This was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution,” wrote the Solana-based decentralized exchange on X.

Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers.

This was a highly sophisticated operation that appears to have involved…

— Drift (@DriftProtocol) April 2, 2026

They prepared for the operation days in advance, setting up wallets and testing transactions before draining funds from multiple vaults within seconds and laundering them across wallets. Drift notified law enforcement and is now working with security firms and exchanges to trace and freeze the stolen assets.

Drift Protocol is coordinating with multiple security firms to determine the cause of the incident. Drift is also working with bridges, exchanges, and law enforcement to trace and freeze stolen assets. We would welcome any information or help pertaining to the investigation at…

— Drift (@DriftProtocol) April 2, 2026

Solana-based decentralized exchange Drift has confirmed that attackers drained about $285 million from the platform during a security incident that took place on April 1, 2026.

The timeline shows a carefully staged attack. On March 23, durable nonce accounts were set up, with at least 2 of 5 multisig signers unknowingly approving transactions, enabling delayed execution. On March 27, Drift migrated its Security Council. By March 30, new nonce activity suggests the attacker regained access to 2 of 5 signers in the updated multisig, maintaining control ahead of the exploit.

On April 1, the attack entered its execution phase. It began with a legitimate test withdrawal by Drift. About a minute later, the attacker used pre-signed durable nonce transactions to take control, creating, approving, and executing a malicious admin transfer, enabling the takeover.
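As an added example (not code from the article or from Drift), here is a signer-side check a multisig member could run before approving a transaction: it parses a legacy Solana transaction message and flags the durable-nonce pattern described above, where the first instruction is the System Program's AdvanceNonceAccount and the transaction therefore does not expire after the usual recent-blockhash window. The sample messages, key bytes and simplified account list are constructed for this example.

```javascript
// Added example (not code from the article or from Drift): flag a legacy Solana message
// whose first instruction is the System Program's AdvanceNonceAccount. Such a durable-nonce
// transaction does not expire like a recent-blockhash one, so a signature on it can be held.
const ADVANCE_NONCE_ACCOUNT = 4;                 // SystemInstruction discriminator, u32 LE
const isSystemProgram = (key) => key.every((b) => b === 0); // 1111...1111 = 32 zero bytes
function readCompactU16(buf, pos) {              // compact-u16 prefix -> [value, bytesConsumed]
  let value = 0, n = 0;
  do value |= (buf[pos + n] & 0x7f) << (7 * n); while (buf[pos + n++] & 0x80);
  return [value, n];
}

// Minimal legacy Message parser: 3-byte header, account keys, blockhash, instructions.
function parseMessage(buf) {
  let pos = 3;
  const [nAcct, a] = readCompactU16(buf, pos); pos += a;
  const accounts = [];
  for (let i = 0; i < nAcct; i++, pos += 32) accounts.push(buf.subarray(pos, pos + 32));
  const recentBlockhash = buf.subarray(pos, pos + 32); pos += 32;
  const [nIx, b] = readCompactU16(buf, pos); pos += b;
  const instructions = [];
  for (let i = 0; i < nIx; i++) {
    const programIdIndex = buf[pos++];
    const [nKeys, c] = readCompactU16(buf, pos); pos += c + nKeys; // skip account indices
    const [dataLen, d] = readCompactU16(buf, pos); pos += d;
    instructions.push({ programIdIndex, data: buf.subarray(pos, pos + dataLen) }); pos += dataLen;
  }
  return { accounts, recentBlockhash, instructions };
}

// True when instruction 0 is AdvanceNonceAccount; the blockhash field then holds the nonce value.
function usesDurableNonce(buf) {
  const { accounts, instructions } = parseMessage(buf);
  const ix0 = instructions[0];
  if (!ix0 || ix0.data.length < 4 || !isSystemProgram(accounts[ix0.programIdIndex])) return false;
  const disc = ix0.data[0] | (ix0.data[1] << 8) | (ix0.data[2] << 16) | (ix0.data[3] << 24);
  return disc === ADVANCE_NONCE_ACCOUNT;
}
// Constructed sample messages (not on-chain data); account list simplified (sysvar omitted).
function buildMessage(ixData) {
  const key = (v) => new Uint8Array(32).fill(v);
  return Uint8Array.from([
    1, 0, 1,                                     // header: 1 signer, 0 ro-signed, 1 ro-unsigned
    3, ...key(0x11), ...key(0x22), ...key(0),    // authority, nonce account, System Program
    ...key(0x33),                                // recent blockhash / nonce value
    1, 2, 2, 1, 0,                               // 1 ix: program idx 2, 2 account indices
    ixData.length, ...ixData,
  ]);
}
const DURABLE_MSG = buildMessage([4, 0, 0, 0]);                          // AdvanceNonceAccount
const TRANSFER_MSG = buildMessage([2, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0]);  // Transfer(1 lamport)
```

A flagged message is not malicious by itself, but it should go through a stricter review than an ordinary transaction because whoever collects the signatures decides when it lands.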

Blockchain cybersecurity firm Elliptic found strong signs linking the $286M Drift Protocol exploit to North Korea (DPRK), based on attack behavior and laundering methods. If confirmed, it would be the 18th DPRK-linked crypto theft this year, with over $300M stolen.

“Elliptic has identified multiple indicators suggesting that the exploit of Drift Protocol is linked to the Democratic People’s Republic of Korea (DPRK),” reads the report published by Elliptic.

Such attacks are tied to funding weapons programs, with over $6.5B stolen in recent years. The incident reflects growing DPRK activity, including recent supply chain attacks like the Axios npm compromise.

According to Elliptic, the Drift attack unfolded rapidly, with attackers draining most funds within an hour after allegedly compromising admin private keys. They targeted key vaults, stealing assets including $155M in JLP tokens and other cryptocurrencies. Drift’s TVL dropped from $550M to under $250M, making it 2026’s largest DeFi hack so far.

The attacker prepared in advance, creating a wallet days earlier and testing access. Stolen funds were quickly swapped to USDC, then moved to Ethereum and converted to ETH. Drift halted operations and is working to contain the incident.


Pierluigi Paganini

(SecurityAffairs – hacking, Drift)

Source: https://securityaffairs.com/190330/hacking/north-korea-linked-hackers-drain-285m-from-drift-in-sophisticated-attack.html