Decentralized finance platform Drift confirmed that $280 million was withdrawn from the platform during a security incident that took place on Wednesday.

The platform released a post-mortem on Wednesday night explaining that malicious actors gained access to Drift systems through a “novel attack” that involved the “rapid takeover” of the company’s security council administrative powers. “This was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution,” the statement said.

The incident affects all money deposited in the platform’s borrow and lend features as well as vault deposits and funds deposited for trading. The company denied that there is any bug in Drift’s programs or smart contracts, arguing that the incident was traced back to “unauthorized or misrepresented transaction approvals obtained prior to execution, likely facilitated through… sophisticated social engineering.”

The thieves set up the attack on March 23 and eventually executed two pre-signed transactions on April 1. Drift said the attack was enabled by a combination of the pre-signed transactions that allowed for delayed execution and the compromise of their approvals process. The hacker was able to use their control to remove pre-set withdrawal limits.

“Drift Protocol is coordinating with multiple security firms to determine the cause of the incident. Drift is also working with bridges, exchanges, and law enforcement to trace and freeze stolen assets,” the company said, urging anyone with more information to come forward. Drift pledged to release a more comprehensive post-incident report in the coming days.

On Thursday morning, experts at blockchain security company Elliptic said the attack on Drift was conducted by hackers based in North Korea. The country’s government has been the largest force behind crypto thefts and stole more than $2 billion in similar attacks last year. The U.S. has accused Pyongyang’s government of using the stolen cryptocurrency to fund its military weapons program.

Elliptic said it “identified multiple indicators suggesting that the exploit of Drift Protocol is linked to the Democratic People's Republic of Korea (DPRK).” “The on-chain behavior, laundering methodologies and network-level indicators associated with the attack are consistent with techniques observed in previous DPRK-attributed operations,” Elliptic explained. “If confirmed, this incident would represent the eighteenth DPRK act Elliptic has tracked this year, with over $300 million stolen so far.”

Several other researchers independently pointed the finger at North Korean hackers as well, saying the tactics used resembled those deployed in the $1.5 billion hack of Dubai-based crypto firm Bybit last summer.

North Korean hackers were recently implicated in another damaging cybersecurity incident involving the compromise of axios, a wildly popular library used in both front-end apps and back-end systems. On Wednesday night, Microsoft and CrowdStrike confirmed Google’s initial assessment that North Korean hackers were responsible for the attack.
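The governance weakness Drift describes, approvals collected in advance and executed days later once the approval process had been compromised, can be modelled as a policy check. The following is an added, hypothetical Python model, not Drift's code: it uses HMAC as a stand-in for council member signatures, assumes a simple two-of-three quorum, and places a weak executor that honours any aged pre-signed quorum beside a hardened one that expires approvals and requires re-confirmation at execution time for high-risk actions such as removing withdrawal limits.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

QUORUM = 2
MAX_AGE = 24 * 3600                 # hardened policy: an approval is usable for one day
HIGH_RISK = {"set_council", "remove_withdrawal_limit"}  # assumed high-risk actions


@dataclass
class Proposal:
    action: str
    params: dict
    signed_at: int                                   # when approvals were collected
    approvals: dict = field(default_factory=dict)    # member -> HMAC hex tag


def _msg(p: Proposal) -> bytes:
    # The approval covers the exact encoded action, not a human-readable summary.
    return json.dumps({"a": p.action, "p": p.params, "t": p.signed_at}, sort_keys=True).encode()


def approve(p: Proposal, member: str, key: bytes) -> None:
    # HMAC is a constructed stand-in for a council member's signature.
    p.approvals[member] = hmac.new(key, _msg(p), hashlib.sha256).hexdigest()


def _valid_approvals(p: Proposal, council: dict) -> int:
    return sum(1 for m, tag in p.approvals.items() if m in council and hmac.compare_digest(
        tag, hmac.new(council[m], _msg(p), hashlib.sha256).hexdigest()))


def execute_weak(p: Proposal, council: dict, now: int) -> bool:
    # Weak policy: any quorum of pre-signed approvals executes, however old they are.
    return _valid_approvals(p, council) >= QUORUM


def execute_hardened(p: Proposal, council: dict, now: int, reconfirmed=frozenset()) -> bool:
    # Hardened policy: approvals expire, and high-risk actions additionally need a
    # quorum of current members to re-confirm at execution time.
    if now - p.signed_at > MAX_AGE:
        return False
    if p.action in HIGH_RISK and len(set(reconfirmed) & set(council)) < QUORUM:
        return False
    return _valid_approvals(p, council) >= QUORUM


def demo() -> tuple:
    council = {"alice": b"k1", "bob": b"k2", "carol": b"k3"}   # constructed keys
    p = Proposal("remove_withdrawal_limit", {"vault": "main"}, signed_at=0)
    approve(p, "alice", council["alice"])
    approve(p, "bob", council["bob"])
    nine_days = 9 * 24 * 3600      # executed nine days after signing, nobody re-confirms
    return execute_weak(p, council, nine_days), execute_hardened(p, council, nine_days)
```

The weak executor accepts the nine-day-old limit removal while the hardened one refuses it, and the hardened one also refuses a fresh high-risk proposal until a quorum of current members re-confirms.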
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.