
Drift Protocol $285M Exploit: North Korean APT Attack via HUMINT & Solana Nonce

📅 2026-06-05 🔍 onchain-shadow
north-korea apt solana defi-hack humint durable-nonce
$285,000,000 Stolen

Date of Attack: April 1, 2026
Attacker Attribution: UNC6862 (DPRK state-sponsored, Lazarus Group linked)
Attack Vector: HUMINT social engineering + Solana durable nonce exploit
Time to Drain: 12 minutes


Executive Summary

On April 1, 2026, Solana's largest decentralized perpetual futures exchange — Drift Protocol — was drained of approximately $285 million in a sophisticated attack executed by a North Korean state-sponsored threat group (UNC6862).

This was not a smart contract vulnerability. The attack was a six-month nation-state intelligence operation that combined human infiltration, social engineering, and Solana's durable nonce feature, which kept the pre-signed governance transactions valid until the attackers chose to submit them. Once submitted, the drain itself took 12 minutes.

Combined with the KelpDAO $292M attack the same month, North Korean APT groups stole $577 million in April 2026 alone — 76% of all DeFi losses this year.


Attack Timeline

When | Event
6 months prior | DPRK operatives build a fake trading-firm identity and attend crypto conferences
Weeks prior | In-person networking with Drift contributors to establish trust
Dec 2025 - Jan 2026 | Fake "Ecosystem Vault" partnership established; $1M+ deposited
Feb - Mar 2026 | Access to contributor code repositories gained via malware
Mar 23, 2026 | 4 malicious nonce accounts created on Solana
Mar 27, 2026 | Security Council migrated to a 0-second timelock
Apr 1, 2026, 16:06:09 UTC | Pre-signed malicious transactions executed
Apr 1, 2026, 16:06 - 16:18 UTC | 12 minutes: treasury fully drained
Post-attack | Funds swapped via Jupiter to USDC, bridged via CCTP to Ethereum (mostly dormant)

Technical Analysis: Solana Durable Nonce Exploit

The mechanism the attackers relied on was Solana's durable nonce feature. A normal Solana transaction references a recent blockhash and is rejected once that blockhash ages out of the recent-blockhash window (about 150 slots, roughly a minute), so a signature collected today is useless tomorrow. A durable nonce replaces that blockhash with a value stored in an on-chain nonce account: the transaction's first instruction must be SystemProgram AdvanceNonceAccount, and the signed transaction stays valid until the nonce is advanced, however long that takes. The feature is not a bug. What it removed was the expiry that would otherwise have forced each Security Council approval to be used within a minute or two of signing; instead the approvals could be gathered in advance and submitted together on April 1.

Attack Execution Steps

  1. March 23: Created 4 nonce accounts (2 controlled through compromised Security Council members, 2 by the attacker)
  2. Obtained 2 of the 5 Security Council signatures via social engineering; because the approvals were signed against durable nonces rather than recent blockhashes, they did not expire
  3. April 1: Submitted the pre-signed transaction sequence:
    • Introduced a fake CVT (CarbonVote Token) collateral position valued at $285M
    • Wash-traded CVT on DEXs to inflate its price
    • Disabled circuit breakers
    • Removed withdrawal limits
    • Raised the USDC withdrawal limit to 500 trillion
  4. Drew down the entire treasury against the CVT collateral
  5. Extracted all assets in 12 minutes
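As an added illustration of the mechanism described above (example code written for this report, not Drift's or Solana Labs' code), the detector below parses a serialized Solana legacy transaction and flags the two events that matter here: a transaction whose first instruction is SystemProgram AdvanceNonceAccount, which is what makes it a durable-nonce transaction with the stored nonce carried in the message's recent-blockhash field, and a SystemProgram InitializeNonceAccount instruction, which is a new nonce account being created (the monitoring that recommendation 4 under Defense Recommendations calls for). The account keys, the governance instruction and the three sample transactions are constructed for the example; signatures are zero-filled because only the structure is inspected.

```python
"""Durable-nonce detector for serialized Solana legacy transactions.
Example code added for this report (not Drift's or Solana Labs' code). Flags a
transaction whose first instruction is SystemProgram AdvanceNonceAccount (a
pre-signed durable-nonce transaction) and any InitializeNonceAccount (a new
nonce account). Keys, governance data and signatures are constructed samples."""
import struct

SYSTEM_PROGRAM = bytes(32)   # "11111111111111111111111111111111" decodes to 32 zero bytes
ADVANCE_NONCE_ACCOUNT, INITIALIZE_NONCE_ACCOUNT = 4, 6   # SystemInstruction discriminants (u32 LE)
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = _B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def compact_u16(n: int) -> bytes:
    """Solana shortvec length prefix: 7 bits per byte, high bit set while more follow."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)

def read_compact_u16(buf: bytes, pos: int) -> tuple[int, int]:
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7

def build_legacy_tx(keys, n_signers, n_ro_unsigned, blockhash, instructions) -> bytes:
    """[signatures][message]; instructions = [(program_idx, [acct_idx], data)].
    Signatures are zero-filled: the detector inspects structure, not validity."""
    msg = bytes([n_signers, 0, n_ro_unsigned]) + compact_u16(len(keys)) + b"".join(keys)
    msg += blockhash + compact_u16(len(instructions))
    for prog, accts, data in instructions:
        msg += bytes([prog]) + compact_u16(len(accts)) + bytes(accts) + compact_u16(len(data)) + data
    return compact_u16(n_signers) + bytes(64 * n_signers) + msg

def parse_legacy_tx(tx: bytes) -> dict:
    n_sigs, pos = read_compact_u16(tx, 0)
    pos += 64 * n_sigs + 3                       # skip signatures and the 3-byte header
    n_keys, pos = read_compact_u16(tx, pos)
    keys = [tx[pos + 32 * i:pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = tx[pos:pos + 32], pos + 32  # carries the nonce value in a durable-nonce tx
    n_ix, pos = read_compact_u16(tx, pos)
    ixs = []
    for _ in range(n_ix):
        prog, pos = keys[tx[pos]], pos + 1
        n_acc, pos = read_compact_u16(tx, pos)
        accts, pos = [keys[i] for i in tx[pos:pos + n_acc]], pos + n_acc
        dlen, pos = read_compact_u16(tx, pos)
        ixs.append({"program": prog, "accounts": accts, "data": tx[pos:pos + dlen]})
        pos += dlen
    return {"keys": keys, "blockhash": blockhash, "instructions": ixs}

def nonce_findings(tx: bytes) -> list[dict]:
    """Alerts for durable-nonce usage or nonce-account creation; [] if neither."""
    parsed, findings = parse_legacy_tx(tx), []
    for i, ix in enumerate(parsed["instructions"]):
        if ix["program"] != SYSTEM_PROGRAM or len(ix["data"]) < 4:
            continue
        disc = struct.unpack_from("<I", ix["data"])[0]
        if disc == ADVANCE_NONCE_ACCOUNT and i == 0:
            # Runtime rule: AdvanceNonceAccount must be instruction 0; its accounts are
            # [nonce account, RecentBlockhashes sysvar, nonce authority (signer)].
            findings.append({"event": "DURABLE_NONCE_TX", "nonce_account": b58encode(ix["accounts"][0]),
                             "authority": b58encode(ix["accounts"][2]), "nonce": b58encode(parsed["blockhash"])})
        elif disc == INITIALIZE_NONCE_ACCOUNT:   # data = u32 discriminant + 32-byte authority pubkey
            findings.append({"event": "NONCE_ACCOUNT_CREATED", "nonce_account": b58encode(ix["accounts"][0]),
                             "authority": b58encode(ix["data"][4:36])})
    return findings

# Constructed placeholder keys (not real accounts and not the real sysvar ids).
AUTHORITY, NONCE_ACCT = bytes([0x01]) * 32, bytes([0x02]) * 32
SYSVAR_RECENT_BLOCKHASHES, SYSVAR_RENT, GOV_PROGRAM = bytes([0x03]) * 32, bytes([0x04]) * 32, bytes([0x05]) * 32
SET_LIMIT_IX = b"\x07" + (500 * 10**12).to_bytes(8, "little")   # hypothetical "set withdrawal limit" call

def sample_durable_nonce_tx() -> bytes:   # approval pre-signed against a nonce, submitted later
    keys = [AUTHORITY, NONCE_ACCT, SYSVAR_RECENT_BLOCKHASHES, SYSTEM_PROGRAM, GOV_PROGRAM]
    return build_legacy_tx(keys, 1, 3, bytes([0x11]) * 32,
                           [(3, [1, 2, 0], struct.pack("<I", ADVANCE_NONCE_ACCOUNT)), (4, [0], SET_LIMIT_IX)])

def sample_nonce_init_tx() -> bytes:   # a nonce account being initialized (the March 23 style event)
    keys = [AUTHORITY, NONCE_ACCT, SYSVAR_RECENT_BLOCKHASHES, SYSVAR_RENT, SYSTEM_PROGRAM]
    return build_legacy_tx(keys, 1, 3, bytes([0x22]) * 32,
                           [(4, [1, 2, 3], struct.pack("<I", INITIALIZE_NONCE_ACCOUNT) + AUTHORITY)])

def sample_plain_tx() -> bytes:   # ordinary blockhash-bound governance call: no alert
    return build_legacy_tx([AUTHORITY, GOV_PROGRAM], 1, 1, bytes([0x33]) * 32, [(1, [0], SET_LIMIT_IX)])
```

In a live deployment the two alert types would be correlated with the protocol's signer set: a NONCE_ACCOUNT_CREATED whose authority is a Security Council key, or a DURABLE_NONCE_TX that targets the governance program, is the signal that approvals are being collected for later use. The parser handles legacy transactions only; versioned (v0) transactions start with a version prefix byte and add address lookup tables, so a production monitor needs that branch too.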

Fund Flow

Step | Tool | Destination
DEX swap | Jupiter | USDC
Cross-chain bridge | Circle CCTP | Ethereum (129,000 ETH ≈ $270M)
Mixing | Tornado Cash (suspected) | Laundered funds
Current status | n/a | Mostly dormant on Ethereum

Key observation: unlike the KelpDAO funds (moved via THORChain within days), the stolen Drift funds remain largely dormant (per TRM Labs' May 2 report). DPRK is patient.


The "Decentralization" Illusion

Drift was marketed as "decentralized" with a Security Council governance structure. The reality:

  • 5 keys control the most sensitive functions
  • Only 2 keys needed to drain everything
  • Zero timelock on critical changes — zero safety buffer
  • No limit on what a single transaction could modify

"The label doesn't change who actually controls the funds."

Decentralized smart contract code is not the same as decentralized control of funds. A protocol whose governance is concentrated in a few keys has the same risk profile as a centralized exchange.


Why Audits Didn't Catch This

Audits cover | Audits miss
Code correctness | Signer composition
Logic vulnerabilities | Timelock settings
Re-entrancy risks | Parameter range limits
 | Authorization boundaries

Point-in-time audits can't track operational drift. The vulnerability wasn't in the code — it was in the configuration.


Defense Recommendations

Protocol Level

  1. Raise the multisig threshold: 3/5 minimum, not 2/5, so that no pair of signers can authorize a drain
  2. Enforce a timelock: 24-48 hours minimum between approval and execution, enough for monitors and the remaining signers to notice and cancel
  3. Cap parameters per proposal: a single transaction should not be able to disable circuit breakers, remove limits and raise a limit by orders of magnitude at once
  4. Monitor durable nonce activity: alert on InitializeNonceAccount where the nonce authority is a governance signer, and on any governance transaction whose first instruction is AdvanceNonceAccount
  5. Expand audit scope: include operational configuration (signer set, threshold, timelock, parameter bounds), not only program code
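As an added example (written for this report, not Drift's governance code), the policy gate below encodes the first three controls as checks that can run before a proposal is queued, and contrasts the configuration described under The "Decentralization" Illusion (2/5, zero timelock, no per-transaction limits) with a hardened one. Parameter names, prior values and cap values are hypothetical; the "attack" proposal mirrors the parameter changes listed under Attack Execution Steps, and the routine proposal shows a change that passes.

```python
"""Governance proposal policy gate.
Example added for this report, not Drift's governance code. It encodes the
protocol-level controls recommended above (majority threshold, 24h+ timelock,
per-proposal parameter caps) as checks run before a proposal is queued.
Parameter names, prior values and cap values are hypothetical."""
from dataclasses import dataclass

HOUR = 3600


@dataclass(frozen=True)
class MultisigPolicy:
    signers: int
    threshold: int
    timelock_seconds: int
    max_changes_per_proposal: int = 2
    max_limit_increase_factor: float = 2.0    # a numeric limit may at most double per proposal
    protected_flags: tuple = ("circuit_breakers_enabled",)   # never disabled by a parameter proposal


@dataclass(frozen=True)
class ParamChange:
    name: str
    old: object
    new: object   # None means "limit removed entirely"


def config_violations(p: MultisigPolicy) -> list[str]:
    """Static checks on the multisig itself: the operational settings a code audit misses."""
    v = []
    if 2 * p.threshold <= p.signers:
        v.append(f"threshold {p.threshold}/{p.signers} is not a majority of signers")
    if p.timelock_seconds < 24 * HOUR:
        v.append(f"timelock {p.timelock_seconds}s is below the 24h minimum")
    return v


def proposal_violations(p: MultisigPolicy, approvals: int, changes: list[ParamChange]) -> list[str]:
    """Per-proposal checks: enough approvals, and no single proposal that rewrites everything."""
    v = []
    if approvals < p.threshold:
        v.append(f"{approvals} approvals < threshold {p.threshold}")
    if len(changes) > p.max_changes_per_proposal:
        v.append(f"{len(changes)} changes in one proposal > cap {p.max_changes_per_proposal}")
    for c in changes:
        if c.name in p.protected_flags and c.new is False:
            v.append(f"{c.name} may not be disabled by a parameter proposal")
            continue
        old, new = c.old, (float("inf") if c.new is None else c.new)   # a removed limit is an infinite limit
        if (isinstance(old, (int, float)) and isinstance(new, (int, float))
                and old > 0 and new > old * p.max_limit_increase_factor):
            shown = "unlimited" if c.new is None else c.new
            v.append(f"{c.name}: {c.old} -> {shown} exceeds the {p.max_limit_increase_factor}x per-proposal cap")
    return v


def earliest_execution(p: MultisigPolicy, approved_at: int) -> int:
    """Unix time before which an approved proposal must not execute (the cancellation window)."""
    return approved_at + p.timelock_seconds


# Constructed scenarios. WEAK models the configuration described above:
# 2/5 threshold, 0-second timelock, no limit on what one transaction may change.
WEAK = MultisigPolicy(signers=5, threshold=2, timelock_seconds=0, max_changes_per_proposal=10**9,
                      max_limit_increase_factor=float("inf"), protected_flags=())
HARDENED = MultisigPolicy(signers=5, threshold=3, timelock_seconds=48 * HOUR)

# Mirrors the parameter changes listed under Attack Execution Steps (hypothetical names and prior values).
ATTACK_PROPOSAL = [
    ParamChange("circuit_breakers_enabled", True, False),
    ParamChange("sol_withdrawal_limit", 250_000, None),
    ParamChange("usdc_withdrawal_limit", 5_000_000, 500_000_000_000_000),
]
ROUTINE_PROPOSAL = [ParamChange("usdc_withdrawal_limit", 5_000_000, 8_000_000)]

if __name__ == "__main__":
    print("weak config:", config_violations(WEAK))
    print("attack proposal, weak policy, 2 approvals:", proposal_violations(WEAK, 2, ATTACK_PROPOSAL))
    print("attack proposal, hardened policy, 3 approvals:", proposal_violations(HARDENED, 3, ATTACK_PROPOSAL))
    print("routine proposal, hardened policy:", proposal_violations(HARDENED, 3, ROUTINE_PROPOSAL))
```

Under WEAK the attack proposal produces no violations at all, which is the operational gap the audit table above describes; the same proposal under HARDENED fails on four counts even with a full quorum, and a legitimate 60% limit increase still passes. The timelock is deliberately modelled as a function of approval time rather than a flag, since the protective value is the cancellation window it creates.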

Personal Level

  • Verify counterparty identities rigorously
  • Hardware wallet isolation for sensitive operations
  • Minimize code repository access
  • Separate sensitive operations across devices


Sources

  • Drift Protocol Official Statement (2026-04-01)
  • CoinDesk Detailed Analysis (2026-04-30)
  • Mandiant Investigation Report (2026-06-03)
  • TRM Labs On-Chain Tracking (2026-05-02)
  • Hypernative Technical Analysis (2026-06-04)
  • ZachXBT Tracking (ongoing)

Related Incidents

Event | Date | Loss | Connection
KelpDAO rsETH Attack | 2026-04 | $292M | Same DPRK APT, shared tactics
Radiant Capital | 2024-10 | ≈$50M | DPRK-attributed; multisig signers compromised via malware on their devices (Arbitrum and BSC, no Solana nonce involved)