{"id":45090,"date":"2026-04-03T14:23:23","date_gmt":"2026-04-03T06:23:23","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/03\/drift-loses-280-million-north-korean-hackers-seize-security-council-powers\/"},"modified":"2026-04-03T14:23:23","modified_gmt":"2026-04-03T06:23:23","slug":"drift-loses-280-million-north-korean-hackers-seize-security-council-powers","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/03\/drift-loses-280-million-north-korean-hackers-seize-security-council-powers\/","title":{"rendered":"Drift loses $280 million North Korean hackers seize Security Council powers"},"content":{"rendered":"\n

\"Drift<\/p>\n

Update: Revised story and title based on new information linking the attack with North Korean hackers.<\/em><\/p>\n

The Drift Protocol lost at least $280 million after a threat actor took control of its Security Council administrative powers in a planned, sophisticated operation.<\/p>\n

Blockchain intelligence firms Elliptic<\/a> and TRM Labs<\/a> linked the attacks to North Korean threat actors, based on multiple on-chain indicators consistent with DPRK tradecraft.<\/p>\n

These include Tornado Cash usage, CarbonVote deployment timing (09:30 Pyongyang time), cross-chain bridging patterns, and rapid large-scale laundering, consistent with the Bybit hack<\/a>.<\/p>\n

The attacker leveraged durable nonce accounts and pre-signed transactions to delay execution and strike with accuracy at a chosen time, the platform explained.<\/p>\n

Drift underlines that the hacker did not exploit any flaws in its programs or smart contracts, and no seed phrases have been compromised.<\/p>\n

Drift Protocol is a DeFi trading platform built on the Solana blockchain that serves as a non-custodial exchange, giving users full control of their funds as they interact with on-chain markets.<\/p>\n

As of late 2024, the platform claimed<\/a> to have 200,000 traders, supporting total trading volumes of more than $55 billion and a daily peak of $13 million.<\/p>\n

According to Drift’s report<\/a>, the heist was prepared between March 23 and 30, with the attacker setting up durable nonce accounts and obtaining 2\/5 multisig approvals from Security Council members to meet the required threshold.<\/p>\n

This enabled them to pre-sign malicious transactions that weren’t executed immediately.<\/p>\n

On April 1st, the attacker performed a legitimate transaction and immediately executed the pre-signed malicious transactions, transferring admin control to themselves within minutes.<\/p>\n

Having gained admin control, they introduced a malicious asset, removed withdrawal limits, and eventually drained funds.<\/p>\n

\n
\"Drift
Source: PeckShield<\/em><\/figcaption><\/figure>\n<\/div>\n

Drift Protocol estimates the losses at about $280 million, while blockchain tracking account PeckShieldAlert<\/a> has calculated them at $285 million.<\/p>\n

When unusual activity on the protocol was detected, Drift issued a public warning to users, stating that started an investigation and urging them not to deposit any funds until further notice.<\/p>\n

\"Drift<\/a><\/p>\n

As a result of the attack, borrow\/lend deposits, vault deposits, and trading funds have been affected, and all protocol functions are now essentially frozen. Drift said DSOL is unaffected, and insurance fund assets are secured.<\/p>\n

The platform is now working with security firms, cryptocurrency exchanges, and law enforcement authorities to trace and freeze the stolen funds.<\/p>\n

Drift promised to publish a detailed post-mortem report in the coming days.<\/p>\n