
Drift Protocol Hack Keeps Haunting Solana Traders...

The Drift Protocol exploit remains one of the most damaging crypto security stories of the year, with investigators and security firms describing a roughly $285 million attack tied to suspected North Korean actors. Chainalysis and Elliptic both said the incident was the result of a highly coordinated operation, and Elliptic said the on-chain behavior is consistent with DPRK-linked tactics.

Drift is a major Solana-based perpetuals venue, so the damage was never going to stay confined to one protocol. The hack reportedly wiped out more than half of Drift's total value locked and triggered a suspension of deposits and withdrawals while teams worked to contain the fallout.

For traders, the important part is not only the size of the theft, but what it says about confidence in DeFi plumbing. Large exploits tend to hit sentiment across the chain they live on, especially when the protocol sits near the center of liquidity, leverage, and active trading. Solana has plenty of supporters, but a $285 million hack is not the sort of headline anyone wants attached to a network trying to sell speed and scale.

The other reason this story still matters is that the laundering trail and recovery efforts can take weeks or months to resolve. That keeps the event alive in market memory longer than the original attack window, which is bad news for anyone hoping the ecosystem simply shrugs and moves on. Security risk is rarely a one-day event, no matter how much everyone wishes it were.

---------------

Author: Rowan Marrow
Seattle Newsroom

North Korea Allegedly Drained $280 Million from Solana's Drift Protocol on April Fool's Day

Happy April Fool's Day... Your $280 Million Is Gone. Really. 

On April 1st, the Solana-based DeFi platform Drift Protocol had $280 million drained from its accounts in what blockchain security firm Elliptic says bears all the hallmarks of a North Korean state-backed operation. The attack was no prank - and for Drift's users, it was about as far from funny as it gets.

What made this one technically notable was the attack vector. Rather than a straightforward exploit or the social engineering tricks North Korean hackers are known for, the alleged attackers abused a Solana feature called a durable nonce - a mechanism designed to prevent transaction timeouts. According to reporting by Fortune, the attacker used this mechanism to dupe Drift's Security Council into pre-approving transactions that wouldn't execute until weeks later - effectively planting a time bomb inside the protocol's own administrative layer.

Drift confirmed the incident in a post on X, describing how "a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift's Security Council administrative powers." The platform immediately suspended deposits and withdrawals for all users.

North Korea's Crypto Crime Streak Continues

Elliptic's attribution is consistent with a now well-established pattern. North Korea was responsible for roughly $2 billion in stolen crypto throughout 2025 - around 60% of all digital assets stolen globally that year, per blockchain analytics firm Chainalysis. The country's most brazen job was the alleged $1.5 billion hack of crypto exchange Bybit in early 2025, still the largest single crypto theft on record.

North Korean hackers typically rely on social engineering - building fake identities, infiltrating teams, and manipulating insiders into handing over credentials. The Drift attack represents something different: a patient, technically sophisticated exploit that weaponized the platform's own security infrastructure against it. The attacker didn't break down the door. They convinced someone inside to leave it unlocked.

Who Is Drift?

Drift Protocol was founded in 2021 by Cindy Leow and David Lu. It offers perpetual futures and other trading products on Solana, and had accumulated over $400 million in total deposits before the attack. That figure is now considerably different. The platform has not yet provided a detailed public timeline for resuming normal operations.

The Drift hack is a reminder that DeFi's security model - which relies on multisig councils, on-chain governance, and community-held administrative keys - is only as strong as the humans and processes behind it. A durable nonce isn't a bug; it's a feature. But features can be weaponized, and North Korea's alleged hackers appear to have studied Solana's mechanics carefully enough to do exactly that.

For the broader Solana ecosystem, the timing couldn't be worse. The network has spent the better part of two years positioning itself as the institutional-grade DeFi layer of choice. A $280 million heist - allegedly handed to a regime under international sanctions - is not a great look, regardless of which chain the exploit ran on.

---------------

Author: Cedric Holloway
New York Newsroom