DEV Community

qanzhi111
Drift Protocol $285M Exploit - North Korean APT Attack on Solana

On April 1, 2026, Drift Protocol, Solana's largest decentralized perpetual futures exchange, was attacked and lost approximately $285 million. This is the second-largest DeFi hack of 2026, behind the $292M KelpDAO attack in the same month. Together the two incidents account for $577M, or 76% of all funds stolen from DeFi protocols in 2026 so far.

Key Finding: This was not a smart contract vulnerability. The attacker compromised protocol contributors through social engineering, used Solana's durable nonce feature to hold pre-signed malicious transactions until the moment of their choosing, and drained the entire treasury in 12 minutes. Mandiant attributed the attack to the North Korean state-sponsored group UNC6862.


⏱️ Attack Timeline

| Time | Event |
|---|---|
| ~6 months prior | North Korean operatives establish fake trading-company identities and begin attending crypto industry events |
| Dec 2025 - Jan 2026 | Fake company "Ecosystem Vault" builds a partnership with Drift and deposits $1M+ |
| Feb - Mar 2026 | Attackers gain access to some contributors' code repositories |
| Late Feb - Early Mar | Telegram group discussions about trading strategies, posing as partners |
| Weeks prior | Operatives attend crypto conferences in person and build deep trust with Drift contributors |
| Mar 23 | 4 nonce accounts created for the pre-signed transactions (Solana durable nonce feature) |
| Mar 27 | Security Council migrates to a 0-second timelock, removing the safety buffer |
| Apr 1, 16:06:09 UTC | Pre-signed malicious transactions broadcast |
| 16:06 - 16:18 UTC | Treasury completely drained in 12 minutes |
| Post-Apr 1 | Funds swapped via Jupiter, bridged to Ethereum via CCTP, mostly dormant since |

🔧 Attack Technical Analysis

Initial Penetration

The attackers layered social engineering on top of technical infiltration:

  1. HUMINT Operation

    • Spent months building credible identities, attending global industry events
    • Used intermediaries rather than direct contact (classic Lazarus tactic)
    • ZachXBT noted this layered identity structure is a hallmark of Lazarus operations
  2. Malicious Code Injection

    • Shared code repositories containing malicious code
    • Exploited unpatched VSCode/Cursor vulnerabilities for silent code execution
    • Distributed TestFlight apps disguised as wallet products
  3. Trusted Relationship Abuse

    • Directly targeted Security Council members
    • Leveraged trust relationships to obtain multisig approvals

Solana Durable Nonce Exploit

Core mechanism: a normal Solana transaction carries a recent blockhash and is rejected once that blockhash is about 150 slots old (roughly a minute), so a signature normally goes stale almost immediately. A durable nonce transaction instead uses the hash stored in a nonce account as its blockhash and places a System Program AdvanceNonceAccount instruction first; the transaction stays valid until that nonce is advanced, so a fully signed transaction can be held for days and broadcast whenever the holder chooses. The feature itself is not a bug. The problem is that signatures obtained on March 23 remained usable until the attacker chose April 1, after the timelock had been removed, and that the signers had no way to take them back.

Attack Steps:

```text
1. Mar 23: Create 4 nonce accounts (2 belonging to compromised Security Council members, 2 attacker-controlled)
2. Obtain 2/5 multisig approval through social engineering
3. Apr 1: Execute pre-signed transaction sequence
   ├── Introduce fake CVT (CarbonVote Token) collateral
   ├── Manipulate CVT price via DEX wash trading to show inflated value
   ├── Disable circuit breakers
   ├── Remove withdrawal limits
   └── Increase USDC withdrawal limit to 500 trillion
4. Pledge entire treasury using CVT as collateral
5. Extract all assets within 12 minutes
```
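The pattern above (nonce accounts prepared days ahead, then consumed by a transaction signed by privileged keys) is detectable on-chain before the drain completes. The script below is an added example written for this post, not Drift's code or a Mandiant tool. It walks transactions in the shape returned by the Solana RPC method `getTransaction` with `encoding: "jsonParsed"` and raises an alert when a nonce account is initialized with a monitored key as authority, when a monitored key signs a nonce-backed transaction, and when the nonce being consumed has sat unchanged for longer than a threshold. All keys, signatures, timestamps and the `GovProg...` program id in the sample are constructed placeholders; only the System Program id is real.

```python
"""Durable-nonce watch for privileged Solana signers (added example, not Drift's code)."""
from datetime import datetime, timezone

SYSTEM_PROGRAM = "11111111111111111111111111111111"  # real System Program id


def _utc(y, mo, d, h=0, mi=0, s=0):
    return int(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp())


def _tx(signature, block_time, signers, instructions):
    """Build a minimal jsonParsed-shaped transaction (constructed test data)."""
    return {
        "blockTime": block_time,
        "transaction": {
            "signatures": [signature],
            "message": {
                "accountKeys": [{"pubkey": k, "signer": True, "writable": True} for k in signers],
                "instructions": instructions,
            },
        },
    }


def _sys(kind, **info):
    """A parsed System Program instruction as the RPC renders it."""
    return {"programId": SYSTEM_PROGRAM, "program": "system", "parsed": {"type": kind, "info": info}}


# Hypothetical Security Council keys to watch (constructed, not real pubkeys).
COUNCIL_1 = "Council1111111111111111111111111111111111111"
COUNCIL_2 = "Council2222222222222222222222222222222222222"
NONCE_A = "NonceA1111111111111111111111111111111111111"
MONITORED_KEYS = {COUNCIL_1, COUNCIL_2}

# Constructed sample: nonce account initialised on Mar 23 with a council key as
# authority, an ordinary transfer by that key two days later, and the nonce finally
# consumed on Apr 1 by a transaction signed by two council keys.
SAMPLE_TRANSACTIONS = [
    _tx("sigInit", _utc(2026, 3, 23, 12, 0, 0), [COUNCIL_1, "Funder111111111111111111111111111111111111"],
        [_sys("createAccount", source="Funder111111111111111111111111111111111111", newAccount=NONCE_A,
              lamports=1447680, space=80, owner=SYSTEM_PROGRAM),
         _sys("initializeNonce", nonceAccount=NONCE_A, nonceAuthority=COUNCIL_1)]),
    _tx("sigTransfer", _utc(2026, 3, 25, 9, 30, 0), [COUNCIL_1],
        [_sys("transfer", source=COUNCIL_1, destination="Someone1111111111111111111111111111111111111",
              lamports=5000)]),
    _tx("sigDrain", _utc(2026, 4, 1, 16, 6, 9), [COUNCIL_1, COUNCIL_2],
        [_sys("advanceNonce", nonceAccount=NONCE_A, nonceAuthority=COUNCIL_1),
         {"programId": "GovProg11111111111111111111111111111111111", "data": "base58payload"}]),
]


def scan(transactions, monitored_keys, dormancy_threshold_s=3600):
    """Return alerts for the monitored keys, processing transactions oldest first."""
    nonce_state = {}  # nonce account -> blockTime its stored hash last changed (init or advance)
    alerts = []
    for tx in sorted(transactions, key=lambda t: t["blockTime"]):
        msg = tx["transaction"]["message"]
        sig = tx["transaction"]["signatures"][0]
        now = tx["blockTime"]
        signers = {k["pubkey"] for k in msg["accountKeys"] if k.get("signer")}
        instrs = msg["instructions"]
        if not instrs:
            continue
        # 1. A nonce account being prepared for a privileged key.
        for ix in instrs:
            parsed = ix.get("parsed") if ix.get("programId") == SYSTEM_PROGRAM else None
            if parsed and parsed["type"] == "initializeNonce":
                info = parsed["info"]
                nonce_state[info["nonceAccount"]] = now
                if info["nonceAuthority"] in monitored_keys:
                    alerts.append({"kind": "nonce_initialized_for_monitored_key", "signature": sig,
                                   "nonce_account": info["nonceAccount"], "authority": info["nonceAuthority"]})
        # 2. A nonce-backed transaction: the runtime only honours a durable nonce when the
        #    FIRST instruction is the System Program's advanceNonce.
        first = instrs[0]
        parsed = first.get("parsed") if first.get("programId") == SYSTEM_PROGRAM else None
        if parsed and parsed["type"] == "advanceNonce":
            acct = parsed["info"]["nonceAccount"]
            hit = signers & monitored_keys
            if hit:
                alert = {"kind": "nonce_backed_tx_by_monitored_signer", "signature": sig,
                         "signers": sorted(hit), "nonce_account": acct}
                if acct in nonce_state:
                    # The signature was produced some time after the nonce hash last changed,
                    # so this age is an upper bound on how long it was held before use.
                    alert["nonce_age_s"] = now - nonce_state[acct]
                    if alert["nonce_age_s"] >= dormancy_threshold_s:
                        alert["kind"] = "dormant_nonce_consumed"
                alerts.append(alert)
            nonce_state[acct] = now  # hash changed; older pre-signed transactions are now void
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_TRANSACTIONS, MONITORED_KEYS):
        print(alert)
```

Run against the sample, the scan produces two alerts: the March 23 initialization with a council key as authority, and the April 1 consumption flagged as a dormant nonce (about 9 days old). The ordinary transfer produces nothing. In production the interesting action is the first alert: a nonce account whose authority is a treasury signer is a standing invitation to hold a pre-signed transaction, and the signer can void it at any time by advancing or withdrawing the nonce.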

Fund Laundering Path

| Step | Tool | Destination |
|---|---|---|
| DEX swap | Jupiter | USDC |
| Cross-chain bridge | Circle CCTP | Ethereum (129,000 ETH ≈ $270M) |
| Mixing | Tornado Cash (suspected) | Laundered funds |
| Current status | | Mostly dormant on the Ethereum chain |

Key Observation: Unlike the KelpDAO attack, Drift stolen funds remain dormant (per TRM Labs May 2 report). KelpDAO funds were laundered to BTC via THORChain within days.


🔍 Unique Analysis

1. The Collapse of DeFi's "Decentralization" Narrative

Drift was designed as a decentralized protocol with a "Security Council" governance structure. Reality:

  • 5 keys control the most sensitive functions
  • Only 2 keys needed to execute arbitrary operations
  • Zero timelock: Major changes take effect immediately, no safety buffer

"Labels don't change the truth. Who actually controls the funds is what matters."

Lesson: "Decentralization" in smart contract code ≠ decentralization in fund security. Protocols where governance power concentrates in a few keys have the same risk profile as CEXs.

2. North Korean HUMINT Operations — A New Level

This is not an ordinary crypto scam. This is a state-level intelligence agency infiltration operation:

  • 6 months of long-term preparation
  • Multi-layered identity cover
  • AI tools accelerating reconnaissance and identity construction
  • In-person interactions to build trust

3. Smart Contract Audit Limitations

| Audits cover | Audits don't cover |
|---|---|
| Code correctness | Signer composition |
| Logic vulnerabilities | Timelock settings |
| Re-entrancy risks | Parameter range limits |
| | Authorization scope boundaries |

Key Issue: Audits are point-in-time assessments of code. Privileged paths evolve dynamically as protocols grow, governance decisions accumulate, and configurations drift from original designs.

4. Tether Bailout — Political Economy

Drift received Tether's $147.5M strategic support, revealing:

  • USDT issuer's strategic interest in the Solana ecosystem
  • Whale bailouts as market influence tools
  • Power asymmetry in protocol life-and-death decisions

📊 Loss & Impact

Direct Losses

  • $285,000,000 (Drift Protocol)
  • $292,000,000 (KelpDAO, same period)
  • Total: $577M, 76% of 2026 DeFi stolen funds

Ecosystem Impact

  • 20 Solana protocols exposed to similar attack risk
  • Security Council model widely questioned
  • Solana cross-chain bridge confidence damaged

Victims

  • All users with deposits on Drift
  • DRIFT token holders (token dropped 80%)

🛡️ Defense Recommendations

Protocol Level

  1. Raise the multisig threshold: from 2/5 to 3/5 or higher, so that compromising two keys is not enough to act
  2. Mandatory timelock: at least a 24-48 hour delay between approval and execution, so a pre-signed transaction cannot take effect before anyone can react
  3. Parameter caps: bound how far a single operation can move any limit; a withdrawal limit should not be able to jump from its current value to 500 trillion in one step
  4. Real-time monitoring: alert on nonce account creation where the authority is a privileged signer, on any nonce-backed transaction (first instruction AdvanceNonceAccount) signed by such a key, and on every change to the timelock or risk parameters
  5. Expanded audit scope: include operational configuration, signer composition and parameter boundaries, not only contract code
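The first three recommendations are policy, and policy is easiest to reason about when it is executable. The code below is an added example written for this post, not Drift's governance code or any real multisig implementation: it models a council policy as signer threshold, timelock and a per-operation cap on how far a numeric limit may move, then evaluates a proposal against it. The weak policy mirrors the configuration the post describes (2 of 5, zero timelock, no caps); the hardened one follows the list above. Parameter names, values and timestamps are constructed for illustration.

```python
"""Governance guard-rails as an executable policy check (added example, not Drift's code)."""
from dataclasses import dataclass
from math import inf


@dataclass(frozen=True)
class Policy:
    members: int             # keys on the council
    threshold: int           # approvals required to execute
    timelock_s: int          # seconds a proposal must wait after its final approval
    max_raise_factor: float  # one operation may multiply a numeric limit by at most this


@dataclass(frozen=True)
class Proposal:
    param: str
    new_value: float
    approvals: int
    approved_at: int         # unix time the final approval landed


# Constructed policies: the one the post describes, and the recommended one.
WEAK_POLICY = Policy(members=5, threshold=2, timelock_s=0, max_raise_factor=inf)
HARDENED_POLICY = Policy(members=5, threshold=3, timelock_s=48 * 3600, max_raise_factor=2.0)

# Constructed protocol state and proposals (hypothetical parameter names).
T0 = 1_775_059_569  # arbitrary unix time for the final approval
STATE = {"usdc_withdrawal_limit": 1_000_000, "circuit_breakers_enabled": True}
DRAIN_PROPOSAL = Proposal("usdc_withdrawal_limit", 500e12, approvals=2, approved_at=T0)
LEGIT_PROPOSAL = Proposal("usdc_withdrawal_limit", 1_500_000, approvals=3, approved_at=T0)


def policy_findings(p):
    """Static review of a policy; an empty list means it meets this example's bar."""
    findings = []
    if p.threshold <= p.members // 2:
        findings.append(f"threshold {p.threshold}/{p.members} is not a majority of the council")
    if p.threshold < 3:
        findings.append(f"threshold {p.threshold}: compromising {p.threshold} key(s) suffices to act")
    if p.timelock_s < 24 * 3600:
        findings.append(f"timelock {p.timelock_s}s gives less than 24h to react to a bad proposal")
    if p.max_raise_factor == inf:
        findings.append("no cap on how far a single operation can move a limit")
    return findings


def evaluate(policy, state, proposal, now):
    """Return (accepted, reasons). `state` maps parameter name -> current value."""
    reasons = []
    if proposal.approvals < policy.threshold:
        reasons.append(f"{proposal.approvals} approvals < threshold {policy.threshold}")
    waited = now - proposal.approved_at
    if waited < policy.timelock_s:
        reasons.append(f"only {waited}s of the {policy.timelock_s}s timelock has elapsed")
    current = state.get(proposal.param)
    # Ratio cap applies to positive numeric limits only (booleans are ints in Python, so exclude them).
    if isinstance(current, (int, float)) and not isinstance(current, bool) and current > 0:
        factor = proposal.new_value / current
        if factor > policy.max_raise_factor:
            reasons.append(f"{proposal.param}: x{factor:.3g} exceeds the per-operation cap of "
                           f"x{policy.max_raise_factor}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "findings:", policy_findings(pol))
        print(name, "drain proposal:", evaluate(pol, STATE, DRAIN_PROPOSAL, now=T0))
    print("hardened legit proposal after 48h:",
          evaluate(HARDENED_POLICY, STATE, LEGIT_PROPOSAL, now=T0 + 48 * 3600))
```

Under the weak policy the 500-trillion limit change goes through instantly with two approvals; under the hardened policy the same proposal fails on all three counts, while a 1.5x raise with three approvals passes once the 48-hour timelock has elapsed. The point is that none of these checks is a smart contract audit finding; they are configuration, and they can be reviewed and enforced mechanically.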

Personal Level

  • Verify counterparty identities out of band; months of friendly contact are not verification
  • Hardware wallet isolation: keep signing keys off any machine that opens shared repositories or test builds
  • Minimize code repository access
  • Separate sensitive operations across devices
  • Inspect every transaction before signing; a nonce-backed transaction you approve today stays valid until whoever holds it decides to broadcast it

🔗 Protect Your Assets with ChainSentinel

Real-time on-chain threat detection and risk assessment for DeFi protocols and wallets.

Check Your Address →

ChainSentinel — On-chain security intelligence, automated.
