Drift Loses $285 Million in Durable‑Nonce Social‑Engineering Attack Linked to DPRK
What Happened – On April 1, 2026, attackers exploited a novel “durable nonce” weakness in the Drift decentralized exchange on Solana, hijacking the platform’s Security Council admin privileges. The breach allowed the threat actors to move roughly $285 million worth of crypto assets out of Drift’s treasury in a matter of minutes.
Why It Matters for TPRM
- A successful social‑engineering exploit demonstrates that governance‑level controls on blockchain platforms can be bypassed, exposing third‑party risk beyond traditional IT assets.
- The loss of funds directly impacts any downstream services, custodial partners, and investors that rely on Drift’s liquidity and reputation.
- Attribution to a DPRK‑linked group highlights nation‑state sponsorship, raising geopolitical and compliance considerations for firms with exposure to crypto‑related vendors.
Who Is Affected – Crypto‑exchange operators, DeFi liquidity providers, institutional investors, and any enterprise that integrates Drift’s API or uses its market‑making services.
Recommended Actions –
- Audit all third‑party DeFi integrations for governance‑role segregation and multi‑sig enforcement.
- Validate that any on‑chain admin functions require time‑locked or multi‑party approval mechanisms.
- Conduct a threat‑intel review for DPRK‑linked actors targeting blockchain infrastructure.
- Update incident‑response playbooks to include durable‑nonce exploitation scenarios.
Technical Notes – The attack leveraged a “durable nonce” transaction pattern that allowed the adversary to replay a signed admin action across multiple blocks, effectively bypassing Drift’s role‑based access controls. No public CVE was assigned; the vulnerability resides in the protocol’s governance design rather than a software bug. The primary data compromised were private keys and admin credentials, leading to unauthorized asset transfers. Source: The Hacker News
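Detection example – The check below is an added example, not code from Drift or the source article. It flags durable-nonce transactions that call a watched admin program, relying on the Solana rule that such a transaction carries the System Program's AdvanceNonceAccount instruction first. The watched program ID, signatures and account names are constructed placeholders, and the input is assumed to be shaped like `getTransaction` output in `jsonParsed` encoding.

```python
SYSTEM_PROGRAM = "11111111111111111111111111111111"
# Placeholder, not a real address: the admin/governance program IDs you monitor.
WATCHED = {"ADMIN_PROGRAM_ID_PLACEHOLDER"}

def durable_nonce_info(tx):
    """Return nonce account and authority for a durable-nonce transaction, else None.

    The runtime treats a transaction as durable-nonce only when instruction 0 is
    the System Program's AdvanceNonceAccount ("advanceNonce" in jsonParsed form).
    """
    ixs = tx.get("transaction", {}).get("message", {}).get("instructions", [])
    if not ixs:
        return None
    parsed = ixs[0].get("parsed")
    if ixs[0].get("programId") != SYSTEM_PROGRAM or not isinstance(parsed, dict):
        return None
    if parsed.get("type") != "advanceNonce":
        return None
    info = parsed.get("info", {})
    return {"nonce_account": info.get("nonceAccount"),
            "nonce_authority": info.get("nonceAuthority")}

def flag_admin_nonce_txs(txs, watched=WATCHED):
    """List durable-nonce transactions whose top-level instructions call a watched program."""
    alerts = []
    for tx in txs:
        nonce = durable_nonce_info(tx)
        if nonce is None:
            continue
        ixs = tx["transaction"]["message"]["instructions"][1:]
        hit = sorted({ix.get("programId") for ix in ixs} & set(watched))
        if hit:
            alerts.append({"signature": tx["transaction"]["signatures"][0],
                           "programs": hit, **nonce})
    return alerts

def sample_tx(sig, *ixs):  # builds a constructed sample transaction
    return {"transaction": {"signatures": [sig], "message": {"instructions": list(ixs)}}}

ADVANCE = {"programId": SYSTEM_PROGRAM, "parsed": {"type": "advanceNonce", "info": {
    "nonceAccount": "NONCE_ACCT_SAMPLE", "nonceAuthority": "AUTHORITY_SAMPLE"}}}
ADMIN = {"programId": "ADMIN_PROGRAM_ID_PLACEHOLDER", "accounts": [], "data": ""}
OTHER = {"programId": "OTHER_PROGRAM_SAMPLE", "accounts": [], "data": ""}

SAMPLE = [sample_tx("sig1", ADVANCE, ADMIN),   # durable nonce + admin call: flagged
          sample_tx("sig2", ADVANCE, OTHER),   # durable nonce, unwatched program
          sample_tx("sig3", ADMIN),            # ordinary recent-blockhash admin call
          sample_tx("sig4", ADMIN, ADVANCE)]   # advanceNonce not first: not durable-nonce

if __name__ == "__main__":
    print(flag_admin_nonce_txs(SAMPLE))
```

Only top-level instructions are inspected; admin calls reached through cross-program invocation would also need the `meta.innerInstructions` list checked.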