Drift Protocol Suffers $285 Million Heist: Suspicions Point to North Korean Hackers
The **Drift** decentralized exchange on **Solana** has confirmed a security breach that cost the protocol approximately $285 million. Investigators suggest North Korean threat actors were behind the attack, which relied on durable nonces and social engineering rather than a flaw in the protocol's code.

**Drift Protocol** confirmed that attackers drained approximately $285 million from the platform during a security incident on April 1, 2026.
### Attack Details
According to **Drift**, a malicious actor gained unauthorized access through a novel attack involving durable nonces, leading to a rapid takeover of the Security Council's administrative powers. The company described it as a highly sophisticated operation with multi-week preparation and staged execution. Solana durable nonce accounts let a transaction be signed well in advance and submitted later, because the transaction references a stored nonce value instead of a recent blockhash and therefore does not expire the way an ordinary transaction does.
**Drift** emphasized that the attack did not exploit a vulnerability in its programs or smart contracts, and that there is no evidence of compromised seed phrases. Instead, the breach relied on transaction approvals that were obtained, under false pretenses or misrepresented, before they were executed, likely facilitated through durable nonce mechanisms and social engineering.
Once the attackers held enough multi-signature (multisig) approvals, they executed a malicious admin transfer that gave them control of protocol-level permissions. With that control they introduced a malicious asset and removed all pre-set withdrawal limits, which allowed them to drain existing funds.
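A check a multisig signer or signing tool can apply before approving anything is whether the transaction is a durable-nonce transaction at all. On Solana such a transaction must begin with a System Program AdvanceNonceAccount instruction, and its "recent blockhash" field carries the stored nonce rather than a live blockhash. The following Python is an added example, not code from Drift, TRM Labs or Elliptic; it parses a legacy Solana message, flags the durable-nonce shape, and returns the nonce authority that will be able to submit the pre-signed transaction later. The account keys, nonce value and sysvar address are constructed placeholders.

```python
"""Flag Solana legacy messages that use a durable nonce before signing them."""
import struct

# On-chain constants: the System Program's address is 32 zero bytes
# (base58 "11111111111111111111111111111111"); AdvanceNonceAccount is
# variant 4 and Transfer variant 2 of the SystemInstruction enum, each
# serialized as a little-endian u32 at the start of the instruction data.
SYSTEM_PROGRAM_ID = bytes(32)
ADVANCE_NONCE_ACCOUNT = 4
TRANSFER = 2

# Constructed placeholder public keys for the sample transactions below.
PAYER = bytes([0x11]) * 32                      # signer, also nonce authority
NONCE_ACCOUNT = bytes([0x22]) * 32
RECIPIENT = bytes([0x33]) * 32
RECENT_BLOCKHASHES_SYSVAR = bytes([0x44]) * 32  # stand-in for the real sysvar


def encode_compact_u16(n: int) -> bytes:
    """Solana's 'compact-u16' varint: 7 bits per byte, high bit = continue."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n == 0:
            out.append(byte)
            return bytes(out)
        out.append(byte | 0x80)


def decode_compact_u16(buf: bytes, pos: int):
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if byte & 0x80 == 0:
            return value, pos
        shift += 7


def build_legacy_message(header, account_keys, recent_blockhash, instructions) -> bytes:
    """Serialize a legacy message: header, keys, blockhash, compiled instructions."""
    msg = bytearray(bytes(header))
    msg += encode_compact_u16(len(account_keys))
    for key in account_keys:
        msg += key
    msg += recent_blockhash
    msg += encode_compact_u16(len(instructions))
    for program_idx, account_idxs, data in instructions:
        msg.append(program_idx)
        msg += encode_compact_u16(len(account_idxs)) + bytes(account_idxs)
        msg += encode_compact_u16(len(data)) + data
    return bytes(msg)


def parse_legacy_message(buf: bytes) -> dict:
    if buf[0] & 0x80:
        raise ValueError("versioned (v0) message: prefix byte set, not handled here")
    pos = 3  # header: num_required_signatures, readonly signed, readonly unsigned
    n_keys, pos = decode_compact_u16(buf, pos)
    keys = [buf[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = buf[pos:pos + 32], pos + 32
    n_ix, pos = decode_compact_u16(buf, pos)
    instructions = []
    for _ in range(n_ix):
        program_idx, pos = buf[pos], pos + 1
        n_acc, pos = decode_compact_u16(buf, pos)
        accounts = [keys[i] for i in buf[pos:pos + n_acc]]
        pos += n_acc
        n_data, pos = decode_compact_u16(buf, pos)
        data, pos = buf[pos:pos + n_data], pos + n_data
        instructions.append({"program_id": keys[program_idx], "accounts": accounts, "data": data})
    return {"header": tuple(buf[:3]), "account_keys": keys,
            "recent_blockhash": blockhash, "instructions": instructions}


def uses_durable_nonce(message: bytes) -> bool:
    """True iff instruction 0 is SystemProgram::AdvanceNonceAccount (the durable-nonce shape)."""
    ixs = parse_legacy_message(message)["instructions"]
    if not ixs or ixs[0]["program_id"] != SYSTEM_PROGRAM_ID or len(ixs[0]["data"]) < 4:
        return False
    return struct.unpack_from("<I", ixs[0]["data"], 0)[0] == ADVANCE_NONCE_ACCOUNT


def nonce_authority(message: bytes):
    """Key that can submit this pre-signed transaction later (3rd account of ix 0), or None."""
    if not uses_durable_nonce(message):
        return None
    return parse_legacy_message(message)["instructions"][0]["accounts"][2]


def _sample(with_nonce: bool) -> bytes:
    # Account order: signer/writable first, then writable, then read-only (sysvar, program).
    keys = [PAYER, NONCE_ACCOUNT, RECIPIENT, RECENT_BLOCKHASHES_SYSVAR, SYSTEM_PROGRAM_ID]
    header = (1, 0, 2)
    transfer = (4, [0, 2], struct.pack("<IQ", TRANSFER, 1_000_000_000))
    if with_nonce:
        advance = (4, [1, 3, 0], struct.pack("<I", ADVANCE_NONCE_ACCOUNT))  # nonce, sysvar, authority
        return build_legacy_message(header, keys, bytes([0xCC]) * 32, [advance, transfer])  # stored nonce
    return build_legacy_message(header, keys, bytes([0xDD]) * 32, [transfer])  # live blockhash


DURABLE_NONCE_MESSAGE = _sample(True)
PLAIN_TRANSFER_MESSAGE = _sample(False)

if __name__ == "__main__":
    for name, msg in (("durable nonce", DURABLE_NONCE_MESSAGE), ("plain", PLAIN_TRANSFER_MESSAGE)):
        print(name, "-> durable:", uses_durable_nonce(msg), "authority:", nonce_authority(msg))
```

The practical consequence is the one the timeline above implies: an ordinary Solana transaction becomes invalid once its blockhash ages out of the recent set, but a durable-nonce transaction stays valid until the nonce is advanced, so an approval collected during a "routine" signing session can be broadcast days later. A signer who sees `uses_durable_nonce` return True should treat the request as a deferred authorization and review it accordingly. The parser covers legacy messages only; a versioned (v0) message carries a version prefix byte with the high bit set and is rejected rather than misparsed.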
### Timeline and Investigation
**Drift**'s timeline indicates that preparations for the hack began as early as March 23, 2026. The company is coordinating with multiple security firms to determine the cause of the incident and working with bridges, exchanges, and law enforcement to trace and freeze the stolen assets.
A **PIF Research Labs** analysis found that the major vaults were emptied within about 10 seconds of the attacker gaining control.
### North Korean Connection
Separate reports from **Elliptic** and **TRM Labs** suggest on-chain indications that North Korean crypto thieves may be behind the heist. These indications include the use of **Tornado Cash** for initial staging, as well as cross-chain bridging patterns and the speed and scale of post-hack laundering consistent with previous hacks attributed to North Korean threat actors, including the **Bybit** exploit of 2025.
**TRM Labs** highlighted that the critical weakness was not a smart contract bug but a combination of two things: multisig signers socially engineered into pre-signing hidden authorizations, and a Security Council migration that carried no timelock, so the admin transfer took effect without a delay in which it could be noticed and vetoed. The attacker also manufactured a fictitious asset, CarbonVote Token, which **Drift**'s oracles treated as legitimate collateral.
**Elliptic**'s analysis aligns with known tradecraft of threat actors from the Democratic People's Republic of Korea (DPRK), and notes that this incident would be the eighteenth DPRK-attributed theft it has tracked since the start of the year, bringing the year's total to over $300 million. Elliptic describes it as a continuation of the DPRK's sustained campaign of large-scale cryptoasset theft, which funds its weapons programs and has netted over $6.5 billion in cryptoassets in recent years.
### Social Engineering and Ongoing Threats
Social engineering remains the primary initial access pathway: persuasive personas and decoys aimed at the cryptocurrency and Web3 sectors, tracked as the **DangerousPassword** and **Contagious Interview** campaigns. Those two campaigns account for $37.5 million in thefts this year.
**Elliptic** warns that the evolution of DPRK's social engineering techniques, combined with the increasing availability of AI, means the threat extends beyond exchanges, targeting individual developers, project contributors, and anyone with access to cryptoasset infrastructure.
This incident also coincides with the supply chain compromise of the popular Axios npm package, attributed to a North Korean group tracked as UNC1069, which overlaps with the clusters known as BlueNoroff, CryptoCore, Nickel Gladstone, Sapphire Sleet, and Stardust Chollima. Security vendors including **Google**, **Microsoft**, **CrowdStrike**, and **Sophos** describe this group as a revenue-generation operation for the North Korean regime.