Security
02 April 2026
BleepingComputer
Drift loses $280 million North Korean hackers seize Security Council powers
Update: Revised story and title based on new information linking the attack to North Korean hackers. The Drift Protocol lost at least $280 million after a threat actor took control of its Security Council administrative powers in a planned, sophisticated operation. Blockchain intelligence firms Elliptic and TRM Labs linked the attacks to North Korean threat actors, based on multiple on-chain indicators consistent with DPRK tradecraft. These include Tornado Cash usage, CarbonVote deployment timing (09:30 Pyongyang time), cross-chain bridging patterns, and rapid large-scale laundering, consistent with the Bybit hack.
The attacker leveraged durable nonce accounts and pre-signed transactions to delay execution and strike with accuracy at a chosen time, the platform explained. Drift underlines that the hacker did not exploit any flaws in its programs or smart contracts, and no seed phrases have been compromised.
Drift Protocol is a DeFi trading platform built on the Solana blockchain that serves as a non-custodial exchange, giving users full control of their funds as they interact with on-chain markets. As of late 2024, the platform claimed to have 200,000 traders, supporting total trading volumes of more than $55 billion and a daily peak of $13 million.
According to Drift's report, the heist was prepared between March 23 and 30, with the attacker setting up durable nonce accounts and obtaining 2/5 multisig approvals from Security Council members to meet the required threshold. This enabled them to pre-sign malicious transactions that weren’t executed immediately. On April 1st, the attacker performed a legitimate transaction and immediately executed the pre-signed malicious transactions, transferring admin control to themselves within minutes.
Having gained admin control, they introduced a malicious asset, removed withdrawal limits, and eventually drained funds. Drift Protocol estimates the losses at about $280 million, while blockchain tracking account PeckShieldAlert has calculated them at $285 million. When unusual activity on the protocol was detected, Drift issued a public warning to users, stating that it started an investigation and urging them not to deposit any funds until further notice.
As a result of the attack, borrow/lend deposits, vault deposits, and trading funds have been affected, and all protocol functions are now essentially frozen. Drift said DSOL is unaffected, and insurance fund assets are secured. The platform is now working with security firms, cryptocurrency exchanges, and law enforcement authorities to trace and freeze the stolen funds. Drift promised to publish a detailed post-mortem report in the coming days.
Related Articles
03 April 2026
The Guardian
‘Food security timebomb’: a visual guide to the Gulf fertiliser blockade
The world has become well versed in the importance of the Strait of Hormuz to the world’s energy flows, but attention is increasingly turning to its vital role...
Read More
03 April 2026
The Motley Fool
How Married Couples Can Get More Out of Social Security in 2026
For single retirees, Social Security often serves as a crucial source of income. The same can easily hold true for married retirees. Only married couples have a...
Read More
02 April 2026
USA Today
Working while on Social Security? What the new 2026 rules mean
The rules for working and collecting benefits changed in 2026. For many older Americans, retirement doesn't look like hanging out on the golf course or gardenin...
Read More
02 April 2026
The Independent
Spousal benefits can boost your Social Security payment by thousands — here’s how
Being a retired spouse can have its benefits - Social Security benefits, that is. The Social Security Administration offers several ways for retirees to boost t...
Read More