North Korean Hackers Drain $280 Million from DeFi Platform Drift via Security Council Takeover
What Happened – On April 1, 2026, threat actors linked to a North Korean state‑sponsored group seized administrative control of Drift Protocol’s Security Council, pre‑signed malicious transactions, and drained roughly $280 million in user funds. The attackers used durable nonce accounts and obtained the required 2‑of‑5 multisig approvals without exploiting any smart‑contract bugs.
Why It Matters for TPRM –
- Governance‑level compromises can bypass code‑level security controls, exposing downstream vendors and investors.
- Large‑scale fund loss demonstrates the financial impact of supply‑chain attacks on DeFi infrastructure.
- The incident highlights the need for robust multisig key management and continuous monitoring of on‑chain activity.
Who Is Affected – Financial services (DeFi), cryptocurrency exchanges, custodial and non‑custodial wallet providers, and any third‑party services integrated with Drift (e.g., analytics, liquidity providers).
Recommended Actions –
- Review any contracts or integrations with Drift for exposure to the compromised admin keys.
- Verify multisig governance processes and enforce hardware‑based key storage for all privileged accounts.
- Implement real‑time on‑chain anomaly detection and enforce transaction‑level whitelisting.
Technical Notes – The attackers did not exploit a smart‑contract vulnerability; instead they obtained 2 of 5 Security Council signatures, used durable nonce accounts, and executed the pre‑signed transactions at a precise time (09:30 Pyongyang time). Durable nonces matter here because a transaction built on one does not expire with the recent blockhash, so signatures collected earlier remain valid until the attacker chooses to broadcast. Laundering was facilitated through Tornado Cash, CarbonVote, and cross‑chain bridges, mirroring known DPRK tradecraft. Source: BleepingComputer
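The durable‑nonce detail in the Technical Notes is the signal an on‑chain monitor of the kind named under Recommended Actions can key on: a Solana transaction that uses a durable nonce must begin with the System Program's AdvanceNonceAccount instruction, and because such a transaction never expires, a governance action carried this way was signed some time before it was broadcast. The Python below is an added example, not from the report or from Drift; the governance program id, council signer names and sample transactions are constructed placeholders.

```python
from dataclasses import dataclass

SYSTEM_PROGRAM = "11111111111111111111111111111111"    # real Solana System Program id
GOVERNANCE_PROGRAM = "PLACEHOLDER_GOVERNANCE_PROGRAM"  # placeholder, not Drift's real id

# Council signer names and privileged instruction names are constructed for this example.
COUNCIL_SIGNERS = {f"council_member_{i}" for i in range(1, 6)}
PRIVILEGED_INSTRUCTIONS = {"Approve", "ExecuteTransaction", "SetAuthority"}

@dataclass
class Instruction:
    program_id: str
    name: str  # decoded instruction name

@dataclass
class Transaction:
    signature: str
    signers: list
    instructions: list

def uses_durable_nonce(tx: Transaction) -> bool:
    """A durable-nonce transaction must start with System Program AdvanceNonceAccount;
    its blockhash never expires, so it can be signed early and broadcast at will."""
    if not tx.instructions:
        return False
    first = tx.instructions[0]
    return first.program_id == SYSTEM_PROGRAM and first.name == "AdvanceNonceAccount"

def is_privileged(tx: Transaction) -> bool:
    """True if a governance instruction is present or a council key is among the signers."""
    by_ix = any(ix.program_id == GOVERNANCE_PROGRAM and ix.name in PRIVILEGED_INSTRUCTIONS
                for ix in tx.instructions)
    return by_ix or bool(COUNCIL_SIGNERS.intersection(tx.signers))

def classify(tx: Transaction) -> str:
    """ALERT: privileged action carried by a pre-signable durable-nonce transaction;
    REVIEW: ordinary privileged action; OK: everything else."""
    if not is_privileged(tx):
        return "OK"
    return "ALERT" if uses_durable_nonce(tx) else "REVIEW"

# Constructed sample transactions (not real ledger data).
PRESIGNED_EXECUTE = Transaction("sig_A", ["council_member_2", "council_member_4"], [
    Instruction(SYSTEM_PROGRAM, "AdvanceNonceAccount"),
    Instruction(GOVERNANCE_PROGRAM, "ExecuteTransaction")])
LIVE_APPROVAL = Transaction("sig_B", ["council_member_1"], [
    Instruction(GOVERNANCE_PROGRAM, "Approve")])
USER_SWAP = Transaction("sig_C", ["retail_user"], [
    Instruction("PLACEHOLDER_DEX_PROGRAM", "Swap")])
```

Feeding decoded transactions from the council's signer addresses through classify() and paging on every ALERT gives the council a chance to rotate keys before a pre‑signed batch lands.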