
Apr 05, 2026 · 6 min read

North Korea Stole $280 Million From a Crypto Platform Without Exploiting a Single Bug

Drift Protocol, a Solana-based decentralized exchange with roughly 200,000 traders, lost about $280 million after attackers seized administrative control using pre-signed transactions and durable nonces. The smart contracts were never compromised.


What Happened

On April 1, 2026, attackers executed a precisely timed heist against Drift Protocol, a decentralized exchange built on the Solana blockchain. In a matter of minutes, they transferred administrative control of the platform to themselves, introduced a malicious asset, and drained between $280 million and $285 million in cryptocurrency.

The attack did not exploit a vulnerability in Drift's smart contracts or code. Instead, the attackers targeted the human governance layer, specifically the platform's Security Council, a multisignature wallet requiring 2 of 5 approvals to execute administrative transactions.

How the Attack Worked

The heist relied on two Solana features: durable nonce accounts and pre-signed transactions. Here is the sequence:

  • March 23 to 30: Attackers obtained signatures from 2 of the 5 Security Council signers, reportedly through social engineering or credential compromise (the exact vector is still under investigation)
  • Pre-signing phase: Using durable nonces, they created transactions that stay valid until the nonce is advanced or the nonce account is closed, unlike an ordinary Solana transaction, whose recent blockhash expires after about 150 slots (roughly a minute or two)
  • April 1 execution: All pre-signed transactions were submitted within minutes, transferring admin control, introducing a malicious token, and draining user funds

Durable nonces are a legitimate Solana feature designed for offline transaction signing: the transaction's recentBlockhash field carries the value stored in a nonce account instead of a real blockhash, and the transaction must begin with a System Program AdvanceNonceAccount instruction, which consumes that value when the transaction lands. In this case they became the weapon, allowing attackers to prepare an entire heist in advance and execute it faster than any human response was possible. The same structure also makes such transactions distinguishable on chain, which matters for anyone monitoring admin keys.
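Because a durable-nonce transaction always starts with AdvanceNonceAccount, a defender can write a simple rule: alert whenever a watched admin key's signature appears on one, and escalate when the nonce account is controlled by a key outside the signer set, since that means someone else decides when the signed approval lands. The block below is an added example written for this article, not Drift's code or any Solana tooling. It scans transaction records shaped like the Solana RPC's jsonParsed output (the field names are assumed from that format and trimmed to what the check needs); all public keys, signatures and records are constructed placeholders.

```python
"""Flag durable-nonce transactions that carry a watched signer's signature."""
# Added example for this article; not Drift's or Solana Labs' code.
# Records are constructed to mirror `getTransaction(..., encoding='jsonParsed')`
# (assumed field names, trimmed). All keys and signatures are placeholders.

SYSTEM_PROGRAM = "11111111111111111111111111111111"

# Assumed watch-list: public keys whose signature carries admin authority.
WATCHED_SIGNERS = {f"Council{i}PubkeyPlaceholder" for i in range(1, 6)}


def is_durable_nonce_tx(tx):
    """A durable-nonce transaction must start with System.AdvanceNonceAccount;
    that is what lets recentBlockhash hold a nonce value instead of a blockhash
    that expires after ~150 slots."""
    instructions = tx["transaction"]["message"]["instructions"]
    if not instructions:
        return False
    first = instructions[0]
    return (first.get("programId") == SYSTEM_PROGRAM
            and first.get("parsed", {}).get("type") == "advanceNonce")


def signers_of(tx):
    """Accounts marked signer=true in the parsed account key list."""
    keys = tx["transaction"]["message"]["accountKeys"]
    return {k["pubkey"] for k in keys if k.get("signer")}


def flag_transaction(tx, watched):
    """Return an alert record, or None if the transaction is not interesting."""
    if not is_durable_nonce_tx(tx):
        return None
    hits = signers_of(tx) & watched
    if not hits:
        return None
    info = tx["transaction"]["message"]["instructions"][0]["parsed"]["info"]
    return {
        "signature": tx["transaction"]["signatures"][0],
        "slot": tx["slot"],
        "block_time": tx.get("blockTime"),
        "nonce_account": info["nonceAccount"],
        "nonce_authority": info["nonceAuthority"],
        # Nonce controlled by a key outside the signer set is the stronger signal.
        "nonce_authority_is_watched": info["nonceAuthority"] in watched,
        "watched_signers": sorted(hits),
    }


def scan(transactions, watched=WATCHED_SIGNERS):
    return [a for a in (flag_transaction(t, watched) for t in transactions) if a]


# --- constructed sample records (not real on-chain data) ---

def _key(pubkey, signer=False, writable=False):
    return {"pubkey": pubkey, "signer": signer, "writable": writable}


def _advance_nonce_ix(nonce_account, nonce_authority):
    return {"program": "system", "programId": SYSTEM_PROGRAM,
            "parsed": {"type": "advanceNonce",
                       "info": {"nonceAccount": nonce_account,
                                "nonceAuthority": nonce_authority,
                                "recentBlockhashesSysvar": "SysvarRecentB1ockHashes11111111111111111111"}}}


def _opaque_ix(program_id):
    # A non-system instruction the parser does not decode (e.g. a DEX admin call).
    return {"programId": program_id, "accounts": [], "data": "placeholder"}


def _tx(signature, slot, block_time, account_keys, instructions, recent_blockhash):
    return {"slot": slot, "blockTime": block_time,
            "transaction": {"signatures": [signature],
                            "message": {"accountKeys": account_keys,
                                        "recentBlockhash": recent_blockhash,
                                        "instructions": instructions}}}


SAMPLE_TXS = [
    # Durable nonce, council member co-signs, nonce controlled by an outside key.
    _tx("SigDurableCouncilPlaceholder", 300_000_000, 1_775_000_000,
        [_key("OutsideNonceAuthorityPlaceholder", signer=True, writable=True),
         _key("Council2PubkeyPlaceholder", signer=True),
         _key("NonceAccount1Placeholder", writable=True),
         _key("AdminProgramPlaceholder")],
        [_advance_nonce_ix("NonceAccount1Placeholder", "OutsideNonceAuthorityPlaceholder"),
         _opaque_ix("AdminProgramPlaceholder")],
        "NonceValuePlaceholder"),
    # Routine transaction by the same council member: recent blockhash, no nonce.
    _tx("SigRoutineCouncilPlaceholder", 300_000_010, 1_775_000_004,
        [_key("Council2PubkeyPlaceholder", signer=True, writable=True),
         _key("AdminProgramPlaceholder")],
        [_opaque_ix("AdminProgramPlaceholder")],
        "RecentBlockhashPlaceholder"),
    # Durable nonce used legitimately by an unrelated account: not in scope.
    _tx("SigDurableOtherPlaceholder", 300_000_020, 1_775_000_008,
        [_key("TraderPubkeyPlaceholder", signer=True, writable=True),
         _key("NonceAccount2Placeholder", writable=True)],
        [_advance_nonce_ix("NonceAccount2Placeholder", "TraderPubkeyPlaceholder")],
        "NonceValue2Placeholder"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_TXS):
        print(alert)
```

In practice the records would come from getSignaturesForAddress and getTransaction for each watched key. The event worth paging on is the watched signature appearing on a durable-nonce transaction at all: an admin approval has been bottled up to be submitted at a time of someone else's choosing, which is exactly the pre-signing phase described above.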

North Korean Attribution

Blockchain intelligence firms Elliptic and TRM Labs attributed the attack to North Korean threat actors based on multiple on-chain indicators. The evidence includes Tornado Cash usage for laundering, CarbonVote deployment timed to 09:30 Pyongyang local time, cross-chain bridging patterns consistent with previous DPRK operations, and rapid large-scale laundering matching the playbook used in the $1.5 billion Bybit hack in February 2025.

North Korea has emerged as the most prolific state-sponsored cryptocurrency thief, with stolen crypto funding the country's weapons programs. The Lazarus Group and affiliated units have stolen an estimated $6 billion in cryptocurrency since 2017, according to the United Nations.

Why Governance Attacks Are the New Frontier

The Drift hack represents a shift in how cryptocurrency platforms are being attacked. As smart contract auditing has matured and code-level vulnerabilities have become harder to exploit, attackers are moving up the stack to target governance mechanisms.

A 2 of 5 multisig means an attacker only needs to compromise two people to control the entire platform. Whether those approvals were obtained through phishing, social engineering, or insider compromise remains under investigation. But the fundamental problem is architectural: when a small group of humans holds the keys to hundreds of millions of dollars, those humans become the attack surface.

This follows a pattern. The $625 million Ronin Network hack in 2022 also targeted validator keys rather than code: the attackers obtained five of the nine keys needed to approve withdrawals. The $100 million Harmony Horizon Bridge hack the same year exploited a 2 of 5 multisig by compromising two of its signing keys. The technique works because it bypasses every technical audit and smart contract review.

What Was Affected

Approximately 200,000 traders used Drift Protocol. The stolen funds came from user deposits in borrow and lend pools, vault deposits, and active trading positions. Drift has frozen all protocol functions while the investigation continues.

The platform's DSOL token and insurance fund assets were not affected, according to Drift's initial disclosure. The team is working with security firms, exchanges, and law enforcement to trace and freeze the stolen funds, though recovery from North Korean operations has historically been difficult. Only a fraction of the Bybit stolen funds were ever recovered.

Lessons for Anyone Holding Crypto

The Drift hack reinforces several security principles that apply beyond DeFi:

  • Multisig thresholds matter. A 2 of 5 requirement means compromising two people, 40% of the signers, gives total control. Higher thresholds such as 4 of 7 or 5 of 9 raise the number of independent compromises an attacker needs, but only if the signers really are independent: separate devices, separate organizations, and a signing flow that shows each signer what the transaction actually does before they approve it
  • Time locks save assets. If administrative transactions required a 24 or 48 hour delay, enforced by the program itself, between approval and execution, a pre-signed batch could not have executed within minutes, and the community would have had a window to detect and cancel it. A delay only helps if someone is watching the queue and holds the authority to cancel
  • Self-custody remains the safest option against platform governance failures. Funds held in your own hardware wallet cannot be drained by a compromise of a platform's admin keys; the trade-off is that your own key handling becomes the attack surface. If you are not actively trading, move assets off centralized and decentralized platforms
  • Watch for social engineering. The most sophisticated attacks start with a phishing email or a fake message, not a code exploit

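To make the first two lessons concrete, here is an added example, not Drift's code and not any particular on-chain program, that models an m-of-n signer set with a program-enforced delay between queueing an approved action and executing it, plus a guardian role that can cancel during the window. The council size, signer and guardian names, and delay values are assumptions.

```python
"""Threshold-plus-time-lock model for administrative actions."""
# Added example for this article; not Drift's code or a specific on-chain program.
# Signer/guardian names, council size and delays are placeholders.
from dataclasses import dataclass, field
from typing import Optional

DAY = 24 * 3600


@dataclass
class Action:
    description: str
    approvals: set = field(default_factory=set)
    queued_at: Optional[int] = None      # unix time at which the threshold was met
    cancelled: bool = False
    executed_at: Optional[int] = None


class TimelockedMultisig:
    def __init__(self, signers, threshold, delay, guardians=()):
        if not 0 < threshold <= len(signers):
            raise ValueError("threshold must be between 1 and the number of signers")
        self.signers = set(signers)
        self.threshold = threshold
        self.delay = delay               # seconds; 0 reproduces an instant-execution multisig
        self.guardians = set(guardians)  # keys allowed to cancel a queued action

    def approve(self, action, signer):
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a signer")
        action.approvals.add(signer)

    def queue(self, action, now):
        """Lock the action in once the threshold is met; return the earliest execution time."""
        if len(action.approvals) < self.threshold:
            raise PermissionError(f"{len(action.approvals)} of {self.threshold} approvals")
        if action.queued_at is None:
            action.queued_at = now
        return action.queued_at + self.delay

    def cancel(self, action, guardian):
        if guardian not in self.guardians:
            raise PermissionError(f"{guardian} may not cancel")
        action.cancelled = True

    def execute(self, action, now):
        """Refused until the delay has elapsed, no matter how many signatures it carries."""
        if action.queued_at is None:
            raise PermissionError("action was never queued")
        if action.cancelled:
            raise PermissionError("action was cancelled")
        eta = action.queued_at + self.delay
        if now < eta:
            raise PermissionError(f"time lock: {eta - now}s remaining")
        action.executed_at = now
        return True


def scenario(n, threshold, delay, compromised, guardian_reacts_after=None):
    """Run one admin action approved by `compromised` of `n` signers, starting at t=0.
    Returns 'executed', 'blocked_by_threshold' or 'cancelled'.
    `guardian_reacts_after` is the number of seconds until a watcher cancels the queue."""
    signers = [f"signer{i}" for i in range(1, n + 1)]
    ms = TimelockedMultisig(signers, threshold, delay, guardians=["guardian"])
    action = Action("transfer admin authority")
    for s in signers[:compromised]:
        ms.approve(action, s)
    try:
        eta = ms.queue(action, now=0)
    except PermissionError:
        return "blocked_by_threshold"
    # Submitted one minute later, as a pre-signed batch would be.
    try:
        ms.execute(action, now=60)
        return "executed"
    except PermissionError:
        pass
    if guardian_reacts_after is not None and guardian_reacts_after < eta:
        ms.cancel(action, "guardian")
        return "cancelled"
    ms.execute(action, now=eta)   # nobody cancelled: it lands once the delay elapses
    return "executed"


if __name__ == "__main__":
    print("2 of 5, no delay:        ", scenario(5, 2, 0, compromised=2))
    print("2 of 5, 24h, watched:    ", scenario(5, 2, DAY, compromised=2, guardian_reacts_after=6 * 3600))
    print("2 of 5, 24h, unwatched:  ", scenario(5, 2, DAY, compromised=2))
    print("4 of 7, 24h, 2 signers:  ", scenario(7, 4, DAY, compromised=2))
```

The model makes a narrower point than "time locks save assets": the delay only buys time. With two compromised signers and no delay the action lands immediately; with a 24 hour delay and a guardian watching, it is cancelled; with the same delay and nobody watching, it simply executes a day later. Raising the threshold is the only change that stops the action from being queued at all.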
What Happens Next

Drift has promised a detailed post-mortem report. The platform's future depends on whether stolen funds can be traced and frozen before they are fully laundered. North Korean operators typically move fast, converting stolen crypto through mixers and cross-chain bridges and eventually into fiat currency to fund state operations.

For the broader DeFi ecosystem, the Drift hack is another data point in a growing pattern: the code can be flawless, the audits can pass, and the platform can still lose everything if the people holding the keys are compromised. The weakest link in decentralized finance continues to be the humans at the center of it.