The Drift Protocol suffered a loss of over 280 million dollars after a sophisticated attacker seized control of its Security Council administrative powers. Blockchain analysts have attributed the breach to North Korean hackers, citing specific on-chain patterns and timing consistent with previous state-sponsored cyber operations.
The breach occurred on the Solana-based decentralized finance platform through a highly coordinated plan rather than a direct exploit of smart contract code. By gaining administrative control, the perpetrator was able to manipulate asset listings and remove withdrawal protections to facilitate the massive theft. Throughout the incident, the underlying programs remained secure, and no private seed phrases were compromised, as the attacker focused entirely on subverting the governance layer.
Investigators from Elliptic and TRM Labs identified several markers pointing toward the Democratic People's Republic of Korea. The evidence includes the use of Tornado Cash for mixing funds, bridging patterns across different blockchains, and the specific timing of certain deployments that align with the Pyongyang time zone. These methods mirror the tactics used in other major cryptocurrency heists, such as the Bybit hack, reinforcing the theory of a professional state-linked operation.
The logistics of the attack involved a week-long preparation period in late March. The threat actor used durable nonce accounts and pre-signed transactions so that signed transactions did not have to be executed immediately, as they normally would. By obtaining the necessary multisig approvals from Security Council members ahead of time, the attacker reached the required threshold to authorize changes without raising immediate alarms. This allowed them to prepare a digital trap that could be sprung at a precise moment of their choosing.
On April 1st, the attacker finalized the takeover by executing a series of pre-authorized malicious transactions immediately following a legitimate action. Once administrative rights were transferred, the hacker introduced a fraudulent asset into the system and disabled the protocol's safety limits. This sequence of events allowed for the rapid drainage of funds before the platform could intervene, despite Drift Protocol previously boasting high trading volumes and a large user base of 200,000 traders.
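The preparation-then-execution pattern described above suggests a monitoring check for multisig operators: flag any durable-nonce transaction (one whose first instruction is the System Program's AdvanceNonceAccount) that targets the admin program, already carries a council quorum, and has been sitting signed but unexecuted for longer than expected. The following is an added example, not code from Drift, Elliptic or TRM Labs; the admin program id, council signer ids, quorum, reference time and transaction records are all constructed, and the simplified transaction model assumes approvals appear as signers on the pending transaction.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SYSTEM_PROGRAM = "11111111111111111111111111111111"  # Solana System Program id
ADMIN_PROGRAM = "ADMIN_MULTISIG_PROGRAM_PLACEHOLDER"  # assumption: council's multisig program
COUNCIL = {"councilA", "councilB", "councilC", "councilD", "councilE"}  # constructed signer ids
THRESHOLD = 3  # assumption: 3-of-5 council quorum

@dataclass
class Tx:
    sig: str
    signed_at: datetime
    instructions: list  # [(program_id, instruction_name), ...] in execution order
    signers: set

def uses_durable_nonce(tx: Tx) -> bool:
    # A durable-nonce transaction must begin with SystemProgram AdvanceNonceAccount
    return bool(tx.instructions) and tx.instructions[0] == (SYSTEM_PROGRAM, "AdvanceNonceAccount")

def touches_admin_program(tx: Tx) -> bool:
    return any(pid == ADMIN_PROGRAM for pid, _ in tx.instructions)

def flag_pending_admin_approvals(txs, now, max_age=timedelta(hours=24)):
    """Return (sig, reason) for each durable-nonce transaction aimed at the admin
    program that already holds a council quorum but was signed more than
    max_age ago: a signed-but-unexecuted admin action waiting to be sprung."""
    findings = []
    for tx in txs:
        if not (uses_durable_nonce(tx) and touches_admin_program(tx)):
            continue
        approvals = tx.signers & COUNCIL
        age = now - tx.signed_at
        if len(approvals) >= THRESHOLD and age > max_age:
            findings.append((tx.sig, f"{len(approvals)}/{THRESHOLD} council approvals, signed {age.days}d ago"))
    return findings

NOW = datetime(2025, 4, 1)  # constructed reference time
SAMPLE_TXS = [  # constructed records: only tx2 matches the full pattern
    Tx("tx1", NOW - timedelta(minutes=5), [(ADMIN_PROGRAM, "Approve")], {"councilA", "councilB", "councilC"}),
    Tx("tx2", NOW - timedelta(days=7), [(SYSTEM_PROGRAM, "AdvanceNonceAccount"), (ADMIN_PROGRAM, "TransferAuthority")], {"councilA", "councilB", "councilD"}),
    Tx("tx3", NOW - timedelta(days=7), [(SYSTEM_PROGRAM, "AdvanceNonceAccount"), (ADMIN_PROGRAM, "Approve")], {"councilE"}),
    Tx("tx4", NOW - timedelta(hours=1), [(SYSTEM_PROGRAM, "AdvanceNonceAccount"), (ADMIN_PROGRAM, "Approve")], {"councilA", "councilB", "councilC"}),
]

if __name__ == "__main__":
    for sig, reason in flag_pending_admin_approvals(SAMPLE_TXS, NOW):
        print(sig, reason)
```

A real deployment would pull pending proposals from the multisig program's accounts and RPC transaction history rather than from in-memory records, but the quorum-plus-age test is the same.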
As a non-custodial exchange, Drift Protocol emphasized that the incident was the result of a coordinated takeover of administrative authority rather than a vulnerability in its core trading engine. The event highlights the ongoing risks associated with governance structures in decentralized finance. The platform has since been working to trace the movement of the stolen assets and analyze the sophisticated methods used to manipulate its multisig security requirements.
Source: https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack