- Attackers spent six months infiltrating Drift Protocol via conferences, Telegram, and fake integrations before compromising developer environments and using Solana’s durable nonce feature to pre-sign malicious transactions weeks in advance.
- The exploit drained the JLP Delta Neutral vault of approximately US$155 million and emptied two additional vaults in roughly 10 minutes.
- Blockchain analytics firm Elliptic attributed the attack to North Korean state actors, noting it was the 18th suspected DPRK-linked crypto operation of 2026.
This is social engineering (and a true dedication to crime) taken to another level.
Turns out Drift Protocol disclosed that its US$280 million (AU$406 million) April 1 exploit was the culmination of a six-month social engineering operation, during which North Korean-linked attackers posed as a legitimate trading firm and systematically gained access to developer environments before pre-authorising the transactions that drained the platform.
As Crypto News Australia reported, the protocol suspended operations immediately after the attack and shortly after its total value locked (TVL) fell from approximately US$550 million (AU$800 million) to under US$250 million (AU$375 million) within hours.
Related: Bitcoin ETFs Snap Outflow Streak with $1.3B Inflows in March
Six Months In The Making
According to the post, the attackers began the infiltration roughly in November, building trust through appearances at crypto industry conferences, Telegram outreach, and fake protocol integration proposals.
The objective was access to developer machines, not smart contract vulnerabilities. Once inside developer environments, the group planted malicious tools that allowed them to pre-sign transactions using Solana’s durable nonce feature.
The attackers used Durable nonces to obtain two of the five multisig approvals required from Drift’s Security Council (the threshold needed to authorise administrative changes) without those approvals being immediately actionable.
When triggered, the malicious transactions disabled the protocol’s circuit breaker safety systems and handed administrative control to the attacker, who drained the JLP Delta Neutral vault, the SOL Super Staking vault, and the BTC Super Staking vault within approximately 10 to 12 minutes.
They were technically fluent, had verifiable professional backgrounds, and were familiar with how Drift operated. A Telegram group was established upon the first meeting, and what followed were months of substantive conversations around trading strategies and potential vault integrations. These interactions are typical of how trading firms interact and onboard with Drift.
Drift Protocol Blockchain analytics firm Elliptic confirmed the attack bore “multiple indicators” consistent with DPRK tradecraft, including on-chain behaviour patterns and laundering methodologies matching prior North Korean operations.
Related: Bitcoin Treasury Sell-Off Sparks Fears of Crypto Contagion
Blockchain,Drift Protocol,Hackers#Drift #Protocol #Hack #Revealed #MonthsLong #Social #Engineering #Operation1775466997
