{"id":485,"date":"2026-04-03T11:14:33","date_gmt":"2026-04-03T11:14:33","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=485"},"modified":"2026-04-03T11:14:33","modified_gmt":"2026-04-03T11:14:33","slug":"drift-loses-285-million-in-durable-nonce-social-engineering-attack-linked-to-dprk","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=485","title":{"rendered":"Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Solana-based decentralized exchange <b>Drift<\/b> has confirmed that attackers drained about $285 million from the platform during a security incident that took place on April 1,\u00a02026.<\/p>\n<p>\u00abEarlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift\u2019s Security Council administrative powers,\u00bb the\u00a0company <a href=\"https:\/\/x.com\/DriftProtocol\/status\/2039564450500390996\">said<\/a> in a series of posts on\u00a0X.<\/p>\n<p>\u00abThis was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution.\u00bb<\/p>\n<p>Drift\u00a0noted that the attack did not exploit a vulnerability in its programs or\u00a0smart contracts, and that there is no evidence of compromised seed phrases. 
Rather, the breach is said to have \u00abinvolved unauthorized or misrepresented transaction approvals\u00a0obtained prior\u00a0to execution, likely facilitated through durable nonce mechanisms and sophisticated social engineering,\u00bb it explained.<\/p>\n<p>To\u00a0that end, the threat actors obtained sufficient multi-signature (multisig) approvals\u00a0and <a href=\"https:\/\/solscan.io\/tx\/4BKBmAJn6TdsENij7CsVbyMVLJU1tX27nfrMM1zgKv1bs2KJy6Am2NqdA3nJm4g9C6eC64UAf5sNs974ygB9RsN1\">executed a malicious admin\u00a0transfer<\/a> within minutes to gain control of protocol-level permissions, ultimately leveraging it to \u00abintroduce a malicious asset and remove all pre-set withdrawal limits, attacking existing\u00a0funds.\u00bb<\/p>\n<p>According to a timeline of events shared by Drift, preparations for the hack were underway as early as March 23, 2026. 
The\u00a0company said it&#8217;s coordinating with multiple security firms to determine the cause of the incident, adding it&#8217;s working with bridges, exchanges, and law enforcement to trace and freeze the stolen\u00a0assets.<\/p>\n<p>In\u00a0separate reports published Thursday, both Elliptic and TRM Labs said there are on-chain indications that North Korean crypto thieves may be behind the cryptocurrency\u00a0heist.<\/p>\n<p>This\u00a0included the use\u00a0of <a href=\"https:\/\/thehackernews.com\/2025\/03\/us-treasury-lifts-tornado-cash.html\">Tornado\u00a0Cash<\/a> for initial staging, as well as the cross-chain bridging patterns and the speed and scale of post-hack laundering that are consistent with hacks previously attributed to North Korean threat actors, including\u00a0the massive Bybit exploit of\u00a02025.<\/p>\n<p>\u00abThe critical vulnerability was not a smart contract bug but a combination of social engineering multisig signers into pre-signing hidden authorizations and a zero-timelock Security Council migration that eliminated the protocol&#8217;s last line of defense,\u00bb TRM\u00a0Labs <a href=\"https:\/\/www.trmlabs.com\/resources\/blog\/north-korean-hackers-attack-drift-protocol-in-285-million-heist\">said<\/a>.<\/p>\n<p>\u00abThe attacker manufactured an entirely fictitious asset \u2014 CarbonVote Token \u2014 with a few thousand dollars in seeded liquidity and wash trading, and Drift&#8217;s oracles treated it as legitimate collateral worth hundreds of millions of\u00a0dollars.\u00bb<\/p>\n<p>The blockchain intelligence firm also pointed out that the CarbonVote Token was deployed at 09:30 Pyongyang\u00a0time.<\/p>\n<p>Elliptic, in its own analysis of the security incident, said the on-chain behavior, laundering methodologies, and network-level indicators align with known tradecraft associated with threat actors from the Democratic People&#8217;s Republic of Korea\u00a0(DPRK).<\/p>\n<p>The company also noted that, if confirmed, this incident 
\u00abwould represent the eighteenth DPRK act\u00bb it has tracked since the start of the year, with more than $300 million stolen to\u00a0date.<\/p>\n<p>\u00abIt is a continuation of the DPRK&#8217;s sustained campaign of large-scale cryptoasset theft, which the US government has linked to the funding of its weapons programs,\u00bb\u00a0Elliptic <a href=\"https:\/\/www.elliptic.co\/blog\/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack\">said<\/a>. \u00abDPRK-linked actors are believed to have stolen\u00a0over $6.5\u00a0billion\u00a0dollars in cryptoassets in recent\u00a0years.\u00bb<\/p>\n<p>The North Korean cryptoasset theft operation is estimated to have netted a record $2 billion in 2025, out of\u00a0which approximately $1.46\u00a0billion originated from the hack of Bybit in February\u00a02025.<\/p>\n<p>The primary initial access pathway through which these attacks are executed remains social engineering, leveraging persuasive personas and decoys to target the cryptocurrency and Web3 sectors through campaigns tracked\u00a0as DangerousPassword (aka CageyChameleon, CryptoMimic, and CryptoCore)\u00a0and Contagious\u00a0Interview. As\u00a0of late February 2026, the combined gains from the twin campaigns total $37.5\u00a0million this\u00a0year.<\/p>\n<p>\u00abThe DPRK&#8217;s cryptoasset theft operation is not a series of isolated incidents. 
It\u00a0is a sustained, well-resourced campaign that is growing in scale and sophistication,\u00bb\u00a0Elliptic <a href=\"https:\/\/www.elliptic.co\/blog\/bybit-exploit-12-months-on-the-dprk-threat-continues\">said<\/a>.<\/p>\n<p>\u00abThe evolution of the DPRK&#8217;s social engineering techniques, combined with the increasing availability of AI to refine and perfect these methods, means the threat extends well beyond exchanges. Individual developers, project contributors and anyone with access to cryptoasset infrastructure is\u00a0a\u00a0potential\u00a0target.\u00bb<\/p>\n<p>The\u00a0development coincides with\u00a0the supply chain compromise of the popular Axios npm package, which multiple security vendors, including Google, Microsoft, CrowdStrike, and Sophos, have attributed to a North Korean hacking group called UNC1069, which overlaps with BlueNoroff, CryptoCore, Nickel Gladstone, Sapphire Sleet, and Stardust\u00a0Chollima.<\/p>\n<p>\u00abThis state-sponsored group focuses on generating revenue for the North Korean regime,\u00bb\u00a0Sophos <a href=\"https:\/\/www.sophos.com\/en-us\/blog\/axios-npm-package-compromised-to-deploy-malware\">said<\/a>. \u00abThe artifacts include identical forensic metadata and command-and-control (C2) patterns, as well as connections to malware exclusively used by Nickel Gladstone. Based\u00a0on these artifacts, it is highly likely that Nickel Gladstone is responsible for the Axios\u00a0attacks.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Solana-based decentralized exchange Drift has confirmed that attackers drained about $285 million from the platform during a security incident that took place on April 1,\u00a02026. 
\u00abEarlier today, a malicious actor&hellip;<\/p>\n","protected":false},"author":1,"featured_media":486,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[220,745,1053,1055,1058,312,1054,108,1056,1057],"class_list":["post-485","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-attack","tag-dprk","tag-drift","tag-durable","tag-engineering","tag-linked","tag-loses","tag-million","tag-nonce","tag-social"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/485","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=485"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/485\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/486"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=485"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=485"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=485"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}