Drift Loses $285 Million in Sophisticated Social Engineering Attack Linked to DPRK

Solana-based decentralized exchange Drift confirmed that attackers siphoned approximately $285 million from the platform during a security incident on April 1, 2026.

“Earlier today, a malicious actor gained unauthorized access to the Drift Protocol through a novel attack involving long-lived approvals, which led to the immediate seizure of the administrative powers of Drift’s Security Council,” the company said in a series of posts on X.

“This was a highly sophisticated operation that appears to have involved weeks of preparation and planned execution, including the use of long-lived accounts to pre-sign delayed transactions.”

Drift noted that the attack did not exploit vulnerabilities in its systems or smart contracts, and that there was no evidence of compromised seed phrases. Instead, the breach is said to “involve unauthorized approvals or signatures obtained prior to execution, potentially facilitated through long-lived methods and sophisticated social engineering,” it explained.

To do so, the malicious actors obtained sufficient multisig signing approvals and, within minutes, migrated protocol administration to attacker-controlled accounts to gain control of protocol-level permissions, ultimately using them to “launch malicious assets and remove all pre-set withdrawal limits, attacking existing funds.”
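The failure mode described above is a signer approving something whose real effect differs from what they were told, with the signature kept alive long enough to be cashed in later. As an added example (not Drift's code, and not based on any published detail of its multisig), here is a signer-side policy check over a decoded transaction. The transaction model, the protocol program id and the instruction names (`MigrateSecurityCouncil`, `RemoveWithdrawLimit`, and so on) are constructed stand-ins; only the System Program id and the durable-nonce rule (a transaction that begins with `AdvanceNonceAccount` never expires) reflect real Solana behaviour. The second function flags the timeline pattern in the text: approvals collected over days, then executed within minutes.

```python
# Added example (illustrative, not Drift's software): checks a multisig signer can
# run before approving a decoded transaction, and a detector for the
# "pre-sign over weeks, execute within minutes" pattern.
from dataclasses import dataclass
from datetime import datetime, timedelta

SYSTEM_PROGRAM = "11111111111111111111111111111111"  # real Solana System Program id
PROTOCOL = "HypotheticalProtocol111111111111111111111"   # constructed program id

# Hypothetical names for authority-changing instructions; not Drift's instruction set.
PRIVILEGED = {"SetAdmin", "MigrateSecurityCouncil", "RemoveWithdrawLimit", "ListCollateral"}


@dataclass
class Instruction:
    program: str  # program id being invoked
    name: str     # decoded instruction name


@dataclass
class DecodedTx:
    instructions: list
    memo: str = ""  # what the signer was told the transaction does


def uses_durable_nonce(tx: DecodedTx) -> bool:
    """A durable-nonce transaction must start with System Program AdvanceNonceAccount.
    Unlike a normal transaction (valid for roughly 150 slots), it never expires, so a
    signature collected today can be submitted weeks later."""
    if not tx.instructions:
        return False
    first = tx.instructions[0]
    return first.program == SYSTEM_PROGRAM and first.name == "AdvanceNonceAccount"


def review_before_signing(tx: DecodedTx, expected: set) -> list:
    """Return policy violations; an empty list means the transaction may be signed.
    `expected` is the set of instruction names the signer was briefed on."""
    findings = []
    if uses_durable_nonce(tx):
        findings.append("durable nonce: transaction never expires; do not pre-sign")
    decoded = {ix.name for ix in tx.instructions if ix.program != SYSTEM_PROGRAM}
    hidden = decoded - expected
    if hidden:
        findings.append("hidden instructions not in signer brief: " + ", ".join(sorted(hidden)))
    privileged = decoded & PRIVILEGED
    if privileged:
        findings.append("privileged change requires timelock review: " + ", ".join(sorted(privileged)))
    return findings


def detect_presigned_burst(events, min_signing_spread=timedelta(days=1),
                           max_exec_window=timedelta(minutes=10)) -> bool:
    """Flag approvals gathered over days or weeks but executed within minutes.
    `events` is a list of (signed_at, executed_at) datetime pairs from the
    multisig's own records."""
    if len(events) < 2:
        return False
    signed = sorted(s for s, _ in events)
    executed = sorted(e for _, e in events)
    return (signed[-1] - signed[0] >= min_signing_spread
            and executed[-1] - executed[0] <= max_exec_window)


# Constructed samples (not real on-chain data), used for the demonstration below.
def sample_hidden_migration_tx() -> DecodedTx:
    return DecodedTx(
        instructions=[
            Instruction(SYSTEM_PROGRAM, "AdvanceNonceAccount"),
            Instruction(PROTOCOL, "Deposit"),
            Instruction(PROTOCOL, "MigrateSecurityCouncil"),
        ],
        memo="routine treasury deposit",
    )


def sample_benign_tx() -> DecodedTx:
    return DecodedTx(instructions=[Instruction(PROTOCOL, "Deposit")], memo="deposit")


def sample_burst_events() -> list:
    first_signature = datetime(2026, 3, 1, 9, 0)
    execution = datetime(2026, 3, 10, 9, 30)
    # signed on days 0, 3 and 7; all executed within seven minutes on day 9
    return [(first_signature + timedelta(days=d), execution + timedelta(minutes=d))
            for d in (0, 3, 7)]


if __name__ == "__main__":
    for finding in review_before_signing(sample_hidden_migration_tx(), {"Deposit"}):
        print("REFUSE:", finding)
    print("benign findings:", review_before_signing(sample_benign_tx(), {"Deposit"}))
    print("pre-signed burst:", detect_presigned_burst(sample_burst_events()))
```

The point of the first check is that a signer should compare the decoded instruction set against the brief they were given, not sign from the memo alone; the durable-nonce rule then removes the attacker's ability to bank a signature for later. The burst detector is the kind of retrospective check an operator can run over its own signing log, which in this incident would have shown signatures dating back more than a week landing on-chain together.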

According to the timeline of events shared by Drift, preparations for the heist were already underway on March 23, 2026. The company said it is working with several security firms to determine the root cause of the incident, and with bridges, exchanges and law enforcement to trace and freeze the stolen funds.

In separate reports published on Thursday, Elliptic and TRM Labs said there are indications that North Korean crypto thieves may be behind the heist.

These include the use of Tornado Cash in the first laundering stage, as well as cross-chain bridging patterns and the speed and scale of the post-hack laundering, all of which match hacks attributed to North Korean threat actors, including the massive Bybit exploit of 2025.

“The key vulnerability was not a smart contract flaw but a combination of social engineering multisig signers into signing hidden authorizations and an ill-timed Security Council migration that destroyed the protocol’s last line of defense,” said TRM Labs.

“The attacker created an entirely fake asset, the CarbonVote Token, with a few thousand dollars in seed money and wash trading, and Drift’s oracles accepted it as legitimate collateral worth hundreds of millions of dollars.”

The blockchain intelligence firm also noted that the CarbonVote Token was deployed at 09:30 Pyongyang time.
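The oracle problem TRM Labs describes is that a price feed reports what the last trade said, and the last trade is cheap to fake; what is expensive to fake is real liquidity that someone else can sell into. As an added example (illustrative, not Drift's risk engine, with constructed market figures that are not the real CarbonVote numbers), the valuation below caps collateral for young or thinly traded markets at a haircut of sellable depth instead of trusting the oracle, and applies a withdrawal limit that an admin action in the same window cannot lift.

```python
# Added example (illustrative, not Drift's code): value collateral by what the
# market can absorb, not by the oracle price alone. All market data is constructed.
from dataclasses import dataclass


@dataclass
class Market:
    symbol: str
    oracle_price: float      # USD per token as reported by the price feed
    depth_usd: float         # USD sellable within 2% slippage; costs real capital to fake
    age_days: int            # days since the market was created
    unique_traders_30d: int  # distinct counterparties in the trailing 30 days


def collateral_value(m: Market, amount: float, depth_haircut: float = 0.5,
                     min_age_days: int = 30, min_traders: int = 500) -> float:
    """Oracle value, capped by a haircut on sellable depth for immature markets.
    Wash trading moves price and volume cheaply; posting real depth does not."""
    oracle_value = m.oracle_price * amount
    immature = m.age_days < min_age_days or m.unique_traders_30d < min_traders
    if immature:
        return min(oracle_value, depth_haircut * m.depth_usd)
    return oracle_value


def max_borrow(m: Market, amount: float, ltv: float = 0.7,
               withdrawal_limit_usd: float = 1_000_000.0) -> float:
    """Borrow capacity after the liquidity cap, the loan-to-value ratio and a hard
    per-window withdrawal limit enforced outside the admin's reach."""
    return min(collateral_value(m, amount) * ltv, withdrawal_limit_usd)


# Constructed markets (hypothetical values, not on-chain data).
def fake_token_market() -> Market:
    # Nine-day-old token, price pumped by self-trading, a few thousand USD of depth.
    return Market("FAKE", oracle_price=100.0, depth_usd=5_000.0,
                  age_days=9, unique_traders_30d=12)


def established_market() -> Market:
    return Market("USDC", oracle_price=1.0, depth_usd=50_000_000.0,
                  age_days=1200, unique_traders_30d=40_000)


if __name__ == "__main__":
    fake, real = fake_token_market(), established_market()
    # Oracle says the fake position is worth $500M; the cap values it at $2,500.
    print("fake collateral value:", collateral_value(fake, 5_000_000))
    print("fake max borrow:", max_borrow(fake, 5_000_000))
    print("established collateral value:", collateral_value(real, 1_000_000))
    print("established max borrow:", max_borrow(real, 1_000_000))
```

With these parameters the attacker who seeds a few thousand dollars of liquidity can borrow against a few thousand dollars, whatever the oracle prints. The withdrawal limit is deliberately a separate control from the admin role, because the incident shows that once admin powers are taken, any limit the admin can edit is gone.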

Elliptic, in its analysis of the security incident, said that the on-chain behavior, fraud methods, and network-level indicators are consistent with known tradecraft of threat actors from the Democratic People’s Republic of Korea (DPRK).

The company also noted that, if confirmed, this incident “will represent the eighteenth DPRK hack” since the beginning of the year, bringing the total stolen so far in 2026 to more than $300 million.

“It is a continuation of the DPRK’s ongoing campaign of massive cryptoasset theft, which the US government has linked to the funding of its weapons programs,” Elliptic said. “Actors linked to the DPRK are believed to have stolen more than $6.5 billion worth of cryptoassets in recent years.”

North Korea’s cryptoasset theft activity is estimated to have reached a record $2 billion in 2025, of which approximately $1.46 billion came from the February 2025 Bybit hack.

The primary initial access vector in these attacks remains social engineering, using phishing and lures to target the cryptocurrency and Web3 sectors through campaigns such as DangerousPassword (also known as CageyChameleon, CryptoMimic, and CryptoCore) and Contagious Interview. As of late February 2026, combined proceeds from the two campaigns totaled $37.5 million this year.

“The DPRK’s cryptoasset theft operation is not a series of isolated incidents. It is a sustained, well-resourced campaign that is growing in scale and sophistication,” Elliptic said.

“The evolution of DPRK social engineering techniques, combined with the increasing availability of AI to refine and perfect these methods, means that the threat extends beyond exchanges. Individual developers, project participants and anyone with access to cryptoasset infrastructure may be targeted.”

This development coincides with the supply chain compromise of the popular Axios npm package, which several security vendors, including Google, Microsoft, CrowdStrike, and Sophos, have attributed to a North Korean hacking group tracked as UNC1069, also known as BlueNoroff, CryptoCore, Nickel Gladstone, Sapphire Sleet, and Stardust Chollima.

“This state-sponsored group is focused on funding the North Korean regime,” Sophos said. “The artifacts include the same forensic metadata and command-and-control (C2) patterns, as well as links to malware specifically used by Nickel Gladstone. Based on these artifacts, it is highly likely that Nickel Gladstone was responsible for the Axios attack.”
