Update: Revised story and title based on new information linking the attack with North Korean hackers.

The Drift Protocol lost at least $280 million after a threat actor took control of its Security Council administrative powers in a planned, sophisticated operation.

Blockchain intelligence firms Elliptic and TRM Labs linked the attacks to North Korean threat actors, based on multiple on-chain indicators consistent with DPRK tradecraft.

These include Tornado Cash usage, CarbonVote deployment timing (09:30 Pyongyang time), cross-chain bridging patterns, and rapid large-scale laundering, consistent with the Bybit hack.

The attacker leveraged durable nonce accounts and pre-signed transactions to delay execution and strike with accuracy at a chosen time, the platform explained.

Drift underlines that the hacker did not exploit any flaws in its programs or smart contracts, and no seed phrases have been compromised.

Drift Protocol is a DeFi trading platform built on the Solana blockchain that serves as a non-custodial exchange, giving users full control of their funds as they interact with on-chain markets.

As of late 2024, the platform claimed to have 200,000 traders, supporting total trading volumes of more than $55 billion and a daily peak of $13 million.

According to Drift's report, the heist was prepared between March 23 and 30, with the attacker setting up durable nonce accounts and obtaining 2/5 multisig approvals from Security Council members to meet the required threshold.

This enabled them to pre-sign malicious transactions that weren’t executed immediately.

On April 1st, the attacker performed a legitimate transaction and immediately executed the pre-signed malicious transactions, transferring admin control to themselves within minutes.

Having gained admin control, they introduced a malicious asset, removed withdrawal limits, and eventually drained funds.

Drift Protocol estimates the losses at about $280 million, while blockchain tracking account PeckShieldAlert has calculated them at $285 million.

When unusual activity on the protocol was detected, Drift issued a public warning to users, stating that started an investigation and urging them not to deposit any funds until further notice.

As a result of the attack, borrow/lend deposits, vault deposits, and trading funds have been affected, and all protocol functions are now essentially frozen. Drift said DSOL is unaffected, and insurance fund assets are secured.

The platform is now working with security firms, cryptocurrency exchanges, and law enforcement authorities to trace and freeze the stolen funds.

Drift promised to publish a detailed post-mortem report in the coming days.