North Korea Allegedly Drained $280 Million from Solana's Drift Protocol on April Fool's Day


Happy April Fool's Day... Your $280 Million Is Gone. Really.

On April 1st, the Solana-based DeFi platform Drift Protocol had $280 million drained from its accounts in what blockchain security firm Elliptic says bears all the hallmarks of a North Korean state-backed operation. The attack was no prank - and for Drift's users, it was about as far from funny as it gets.

What made this one technically notable was the attack vector. Rather than a straightforward exploit or the social engineering tricks North Korean hackers are known for, the alleged attackers abused a Solana feature called a durable nonce - a mechanism that lets a signed transaction stay valid long after an ordinary Solana transaction would have expired. According to reporting by Fortune, the attacker used this mechanism to dupe Drift's Security Council into pre-approving transactions that wouldn't execute until weeks later - effectively planting a time bomb inside the protocol's own administrative layer.
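As an added illustration (not code from the article, from Drift, or from Solana's own tooling), here is the kind of pre-signing check a multisig council could run over a proposed transaction: Solana requires a durable-nonce transaction to begin with the System Program's AdvanceNonceAccount instruction, so the pattern can be flagged mechanically before anyone signs. The transaction model and every address below are simplified and constructed; the System Program ID and the instruction encoding are the real ones, and an ordinary transaction expires once its recent blockhash ages out (on the order of a minute), while a durable-nonce transaction does not.

```python
from dataclasses import dataclass, field
from typing import List, Optional

SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
# bincode encoding of SystemInstruction::AdvanceNonceAccount: enum index 4 as u32 LE.
ADVANCE_NONCE_DATA = (4).to_bytes(4, "little")

@dataclass
class Instruction:
    program_id: str
    accounts: List[str]  # account addresses in instruction order
    data: bytes

@dataclass
class Message:
    recent_blockhash: str  # a real recent blockhash, or the stored nonce value
    instructions: List[Instruction] = field(default_factory=list)

def durable_nonce_info(msg: Message) -> Optional[dict]:
    """Return nonce account and authority if msg uses a durable nonce, else None.
    The runtime requires AdvanceNonceAccount to be the FIRST instruction of a
    durable-nonce transaction; its accounts are [nonce, recent_blockhashes sysvar, authority]."""
    if not msg.instructions:
        return None
    ix = msg.instructions[0]
    if ix.program_id != SYSTEM_PROGRAM_ID or ix.data != ADVANCE_NONCE_DATA or len(ix.accounts) < 3:
        return None
    return {"nonce_account": ix.accounts[0], "nonce_authority": ix.accounts[2]}

def review_for_signing(msg: Message, approved_authorities: set) -> str:
    """Verdict shown to a council member before they add a signature."""
    info = durable_nonce_info(msg)
    if info is None:
        return "OK: expires with its blockhash"
    if info["nonce_authority"] in approved_authorities:
        return "REVIEW: durable nonce controlled by an approved authority"
    return "REJECT: durable nonce; signature never expires and authority is not approved"

# Constructed sample data: placeholder addresses, not real accounts or programs.
ADVANCE_IX = Instruction(SYSTEM_PROGRAM_ID, ["NonceAcctPlaceholder",
                         "SysvarRecentB1ockHashes11111111111111111111", "UnknownAuthority"],
                         ADVANCE_NONCE_DATA)
ADMIN_IX = Instruction("GovernanceProgramPlaceholder", ["VaultPlaceholder"], b"\x01")
NONCE_TX = Message("StoredNonceValuePlaceholder", [ADVANCE_IX, ADMIN_IX])
PLAIN_TX = Message("RecentBlockhashPlaceholder", [ADMIN_IX])

if __name__ == "__main__":
    print(review_for_signing(NONCE_TX, set()))
    print(review_for_signing(PLAIN_TX, set()))
```

A signing front end that wires this verdict into the approval flow gives reviewers a clear prompt for the one property that matters here: whether the signature they are about to produce can still be used weeks later.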

Drift confirmed the incident in a post on X, describing how "a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift's Security Council administrative powers." The platform immediately suspended deposits and withdrawals for all users.

North Korea's Crypto Crime Streak Continues

Elliptic's attribution is consistent with a now well-established pattern. North Korea was responsible for roughly $2 billion in stolen crypto throughout 2025 - around 60% of all digital assets stolen globally that year, per blockchain analytics firm Chainalysis. The country's most brazen job was the alleged $1.5 billion hack of crypto exchange Bybit in early 2025, still the largest single crypto theft on record.

North Korean hackers typically rely on social engineering - building fake identities, infiltrating teams, and manipulating insiders into handing over credentials. The Drift attack represents something different: a patient, technically sophisticated exploit that weaponized the platform's own security infrastructure against it. The attacker didn't break down the door. They convinced someone inside to leave it unlocked.

Who Is Drift?

Drift Protocol was founded in 2021 by Cindy Leow and David Lu. It offers perpetual futures and other trading products on Solana, and had accumulated over $400 million in total deposits before the attack. That figure is now considerably lower. The platform has not yet provided a detailed public timeline for resuming normal operations.

The Drift hack is a reminder that DeFi's security model - which relies on multisig councils, on-chain governance, and community-held administrative keys - is only as strong as the humans and processes behind it. A durable nonce isn't a bug; it's a feature. But features can be weaponized, and North Korea's alleged hackers appear to have studied Solana's mechanics carefully enough to do exactly that.

For the broader Solana ecosystem, the timing couldn't be worse. The network has spent the better part of two years positioning itself as the institutional-grade DeFi layer of choice. A $280 million heist - allegedly handed to a regime under international sanctions - is not a great look, regardless of which chain the exploit ran on.

---------------

Author: Cedric Holloway
New York Newsroom
