Drift Protocol Hack on Solana: Durable Nonce Abuse, Fake Token Collateral and a Suspected DPRK Link

CyberSecureFox

The decentralized derivatives exchange Drift Protocol, built on the Solana blockchain, has confirmed a major security incident: on 1 April 2026, an attacker siphoned approximately $285 million from the platform. The case is already being viewed as a landmark DeFi attack because it did not rely on a smart contract bug, but instead exploited governance architecture, multisig procedures, and the durable nonce mechanism in Solana.

How the Drift Protocol hack on Solana was executed

According to the Drift team, the attacker gained unauthorized administrative control over the protocol by abusing Solana’s durable nonce functionality. A durable nonce lets a transaction be signed in advance and submitted later without the signed transaction expiring, which is useful for long‑lived or delayed transactions; as this incident shows, it becomes dangerous when governance controls are weak.

The adversary managed to get a series of sensitive governance transactions pre‑approved and signed by the protocol’s multisignature (multisig) signers, while allegedly misrepresenting their true purpose. Once conditions were favorable, the attacker quickly executed these pre‑signed transactions, seizing control of the Security Council and transferring Drift’s admin rights within minutes.

Drift emphasizes that the attack did not exploit any Solana smart contract or program vulnerability, and there is no evidence of compromised seed phrases. The critical weakness lay in “unauthorized or misrepresented transaction approvals” obtained before execution—pointing to sophisticated social engineering and procedural failures in the multisig governance process.
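The screening a multisig signer could apply before approving a governance transaction, as an added example that is not Drift's code or the page's own. It models a Solana transaction minimally (a durable-nonce transaction must begin with the System Program's AdvanceNonceAccount instruction, after which it never expires); the instruction names in ADMIN_INSTRUCTIONS, the program id "ProgramX" and the timelock minimum are hypothetical placeholders.

```python
from dataclasses import dataclass

# Constructed model of a governance transaction for pre-approval screening.
SYSTEM_PROGRAM = "11111111111111111111111111111111"   # Solana System Program id
ADMIN_INSTRUCTIONS = {"transfer_admin", "remove_withdrawal_limit", "add_collateral_asset"}  # placeholders
MIN_TIMELOCK_SECS = 24 * 3600                         # hypothetical policy minimum

@dataclass
class Instruction:
    program_id: str
    name: str           # decoded instruction name
    accounts: list      # account addresses the instruction touches

@dataclass
class GovernanceTx:
    instructions: list
    recent_blockhash: str   # a real blockhash, or the stored nonce value for durable-nonce txs
    timelock_secs: int = 0  # delay enforced before the multisig can execute

def durable_nonce_account(tx: GovernanceTx):
    """Durable-nonce txs start with SystemProgram AdvanceNonceAccount and never expire.
    Returns the nonce account address, or None for an ordinary (expiring) transaction."""
    if not tx.instructions:
        return None
    first = tx.instructions[0]
    if first.program_id == SYSTEM_PROGRAM and first.name == "AdvanceNonceAccount":
        return first.accounts[0]
    return None

def screen(tx: GovernanceTx) -> list:
    """Policy checks a signer should run before approving; returns human-readable findings."""
    findings = []
    nonce = durable_nonce_account(tx)
    admin_ixs = [ix.name for ix in tx.instructions if ix.name in ADMIN_INSTRUCTIONS]
    if admin_ixs:
        findings.append(f"admin-level instructions present: {admin_ixs}")
        if nonce:
            findings.append(f"REJECT: admin change pre-signed via durable nonce {nonce} (no expiry)")
        if tx.timelock_secs < MIN_TIMELOCK_SECS:
            findings.append(f"REJECT: timelock {tx.timelock_secs}s below minimum {MIN_TIMELOCK_SECS}s")
    elif nonce:
        findings.append(f"REVIEW: durable nonce {nonce} on non-admin transaction")
    return findings

def verdict(tx: GovernanceTx) -> str:
    findings = screen(tx)
    if any(f.startswith("REJECT") for f in findings):
        return "REJECT"
    return "REVIEW" if findings else "ALLOW"
```

A signer tool would decode the real instruction data rather than trust a proposal's description, which is exactly the gap the misrepresented approvals exploited.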

Durable nonce, multisig governance and the fake CarbonVote Token

Removing withdrawal limits and hijacking protocol controls

After collecting enough signatures in the multisig, the attacker triggered a malicious transfer of admin privileges. With protocol-level control, they were able to remove withdrawal limits and introduce a new asset into the system, bypassing the original configuration and internal risk checks.

Investigators at TRM Labs report that the adversary deployed a fully fake token named CarbonVote Token, supplying it with only a few thousand dollars of liquidity and generating artificial trading activity through wash trading. Despite its trivial intrinsic value, Drift’s oracles began treating CarbonVote as a highly liquid asset with a market capitalization of hundreds of millions of dollars. This inflated valuation allowed the attacker to post the token as overpriced collateral and withdraw real user funds against it.
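A collateral-admission check that would have refused the inflated valuation described above, as an added example that is not Drift's risk engine or the page's own code. It caps borrowable credit by real pool liquidity instead of oracle market cap and zeroes it when the volume behind the price is wash-traded between a handful of wallets; the thresholds, cluster size and sample trades are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed collateral-admission check; names, thresholds and sample trades are
# assumptions for illustration, not Drift's real risk engine.
LIQUIDITY_CREDIT_FRACTION = 0.10   # never extend credit above 10% of real pool depth
WASH_VOLUME_THRESHOLD = 0.80       # volume share inside a tiny address cluster
WASH_CLUSTER_SIZE = 3

@dataclass
class Trade:
    buyer: str
    seller: str
    usd_value: float

@dataclass
class CollateralAsset:
    symbol: str
    oracle_price_usd: float
    circulating_supply: float
    pool_liquidity_usd: float   # quote-side depth actually withdrawable from its DEX pools

def wash_volume_share(trades: list) -> float:
    """Share of volume where both counterparties sit in the top-N most active addresses.
    Wash trading between a few wallets pushes this towards 1.0; organic markets stay low."""
    if not trades:
        return 0.0
    activity = Counter()
    for t in trades:
        activity[t.buyer] += t.usd_value
        activity[t.seller] += t.usd_value
    cluster = {addr for addr, _ in activity.most_common(WASH_CLUSTER_SIZE)}
    total = sum(t.usd_value for t in trades)
    inside = sum(t.usd_value for t in trades if t.buyer in cluster and t.seller in cluster)
    return inside / total

def collateral_credit_usd(asset: CollateralAsset, deposited_tokens: float, trades: list):
    """Credit a deposit may borrow against: the oracle value is capped by real liquidity,
    and zeroed outright when the volume backing the price is wash-traded."""
    oracle_value = deposited_tokens * asset.oracle_price_usd
    market_cap = asset.circulating_supply * asset.oracle_price_usd
    share = wash_volume_share(trades)
    if share >= WASH_VOLUME_THRESHOLD:
        return 0.0, (f"{asset.symbol}: {share:.0%} of volume wash-traded; oracle mcap "
                     f"${market_cap:,.0f} vs liquidity ${asset.pool_liquidity_usd:,.0f}; no credit")
    cap = asset.pool_liquidity_usd * LIQUIDITY_CREDIT_FRACTION
    if oracle_value > cap:
        return cap, f"{asset.symbol}: oracle value ${oracle_value:,.0f} capped at ${cap:,.0f} by liquidity"
    return oracle_value, f"{asset.symbol}: credit ${oracle_value:,.0f}"
```

Run against a constructed token with a $500M oracle market cap but $4,000 of pool liquidity, the first branch refuses credit entirely when two wallets generate the volume, and even organic-looking volume yields at most $400 of credit.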

TRM Labs notes that the CarbonVote token contract was deployed at approximately 09:30 local time in Pyongyang, which they consider one of several indicators of potential DPRK (North Korea) involvement, though on-chain timing alone is not conclusive proof.

Timeline and coordinated incident response

Based on Drift’s internal timeline, preparation for the exploit began no later than 23 March 2026. The protocol reports ongoing collaboration with multiple blockchain analytics firms, cybersecurity providers, bridge operators, centralized exchanges and law enforcement agencies to trace, freeze and recover stolen assets where possible.

Suspected North Korean link: findings from TRM Labs and Elliptic

Blockchain analytics companies TRM Labs and Elliptic state in separate reports that the on‑chain behavior and subsequent laundering patterns mirror established tradecraft of North Korean state‑linked crypto groups.

Key indicators include early use of the sanctioned mixer Tornado Cash, characteristic cross‑chain bridge patterns, and the high speed and scale of cash‑outs. Similar patterns have been observed in attacks previously attributed to DPRK‑aligned operators, including the record Bybit compromise in 2025, where around $1.46 billion was stolen out of a record yearly total of roughly $2 billion in crypto thefts.

Elliptic estimates that if DPRK involvement in the Drift hack is confirmed, this incident would represent the 18th DPRK‑linked operation in 2026 alone, pushing total losses from such campaigns above $300 million for the year. Cumulatively, DPRK‑associated actors are believed to have stolen more than $6.5 billion in cryptoassets over recent years, a figure consistent with public reporting from firms such as Chainalysis and with assessments from U.S. authorities that these operations help fund North Korea’s weapons programs.

Social engineering: DangerousPassword and Contagious Interview campaigns

The suspected entry vector for many DPRK‑style attacks remains social engineering: elaborate fake identities, bogus job offers and long‑running rapport‑building with employees of crypto exchanges and Web3 projects. Two notable campaigns in this space are DangerousPassword (also tracked as CageyChameleon, CryptoMimic, CryptoCore) and Contagious Interview.

As of late February 2026, the combined illicit revenue from just these two social engineering campaigns is estimated at around $37.5 million. Elliptic stresses that DPRK’s crypto theft activity should be viewed not as “isolated hacks but a well‑funded, scalable, and state‑directed revenue operation.”

Supply‑chain risk: Axios npm compromise and UNC1069

In parallel with the Drift incident, researchers highlight the supply‑chain compromise of the popular JavaScript HTTP client Axios on npm. Vendors including Google, Microsoft, CrowdStrike and Sophos attribute this operation to the North Korean group UNC1069, which overlaps with clusters tracked as BlueNoroff, CryptoCore, Nickel Gladstone, Sapphire Sleet and Stardust Chollima.

Sophos reports that artifacts from the Axios attack exhibit identical forensic metadata and similar command‑and‑control (C2) infrastructure chains to malware families previously used exclusively by Nickel Gladstone. This strengthens the assessment that these actions are part of coordinated, state‑sponsored campaigns focused on revenue generation for the DPRK regime.

The Drift Protocol hack underscores that for DeFi platforms, secure governance is as critical as secure code. Robust defenses must include hardened multisig policies (separate devices and network segments for signers), explicit verification and change‑management for any admin‑level transactions, non‑zero timelocks on governance actions, independent monitoring for oracle anomalies and price manipulation, and continuous training against social engineering for all keyholders. As state‑sponsored groups increasingly weaponize advanced techniques and AI‑driven tooling, every developer, contributor and administrator with access to protocol infrastructure should assume they are a priority target and build both personal and organizational security strategies accordingly.
