
North Korea‑Linked Hackers Drain $285 M from Drift DeFi Exchange via Compromised Multisig and Durable‑Nonce Exploit

Drift Protocol lost $285 million after attackers, likely linked to North Korea, compromised multisig signers and used durable‑nonce accounts to pre‑sign and instantly execute malicious transfers. The incident underscores the need for rigorous third‑party governance and privileged‑access controls in DeFi ecosystems.

LiveThreat™ Intelligence · April 04, 2026 · securityaffairs.com

Severity: Critical
Type: Breach
Confidence: High
Affected: 3 sector(s)
Actions: 4 recommended
Source: securityaffairs.com

What Happened – On April 1, 2026, the Solana‑based decentralized exchange Drift Protocol suffered a $285 million cryptocurrency theft. Attackers had spent weeks preparing durable‑nonce accounts and covertly gaining control of two of the five multisig signers, allowing them to pre‑sign malicious admin transfers and execute them instantly once the takeover was complete.

Why It Matters for TPRM

  • Nation‑state actors can target third‑party crypto platforms, exposing partner funds and reputational risk.
  • Governance‑level compromises (multisig, admin keys) bypass typical perimeter controls, highlighting gaps in privileged‑access management for blockchain services.
  • Large‑scale asset loss can cascade to downstream users, custodians, and integrated DeFi applications.

Who Is Affected – Cryptocurrency exchanges, DeFi protocols, blockchain infrastructure providers, and any organizations that integrate with or rely on Drift’s liquidity services.

Recommended Actions

  • Review and harden multisig governance processes; enforce split‑key policies and real‑time signer monitoring.
  • Implement detection for durable‑nonce account creation and pre‑signed transaction patterns on supported blockchains.
  • Conduct third‑party risk assessments of DeFi partners, focusing on incident‑response capabilities and law‑enforcement coordination.
  • Align crypto‑asset custody controls with NIST 800‑53 AC‑6 and CIS Control 16 for privileged‑access management.

Technical Notes – The attackers leveraged stolen multisig credentials and durable‑nonce accounts on Solana to delay transaction execution until the final admin takeover. No public CVE was involved; the exploit was a novel abuse of blockchain transaction mechanics. Source: Security Affairs
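The detection action above (flagging durable‑nonce account creation and pre‑signed transaction patterns) and the mechanics in the Technical Notes can be turned into a concrete rule. The following is an added example, not code from the brief, Security Affairs, or Drift Protocol. It walks a list of transaction records in block‑time order and raises two alerts: a watched signer initialising a durable‑nonce account (the preparation step), and a transaction that opens with `advanceNonce` (the on‑chain marker of a durable‑nonce transaction) while invoking a watched privileged program with a watched signer, with severity raised when the nonce account is old enough to suggest the action was signed long before it was broadcast. The record layout is a reduced imitation of Solana RPC `getTransaction` output with `jsonParsed` encoding; the parsed type and field names are an assumption about that encoding, and every key, signature and timestamp is a constructed placeholder.

```python
"""Detection sketch for durable-nonce abuse against privileged Solana accounts.

Added example, not code from the original brief or from Drift Protocol.
Transaction records mimic a reduced form of Solana RPC `getTransaction`
output with `jsonParsed` encoding; the System Program parsed type names
("initializeNonce", "advanceNonce") and field names are assumed from that
encoding, and every key, signature and timestamp below is constructed.
"""
from dataclasses import dataclass

SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
SECONDS_PER_DAY = 86_400

# Hypothetical watchlist (placeholders, not real keys): the admin multisig
# program and the signer keys whose activity we want to scrutinise.
WATCHED_SIGNERS = {"SignerA_placeholder", "SignerB_placeholder"}
WATCHED_PROGRAMS = {"MultisigProgram_placeholder"}


@dataclass
class Alert:
    signature: str
    rule: str
    severity: str
    detail: str


def _instructions(tx):
    return tx["transaction"]["message"]["instructions"]


def _signers(tx):
    keys = tx["transaction"]["message"]["accountKeys"]
    return {k["pubkey"] for k in keys if k.get("signer")}


def _system_parsed(ix):
    """(type, info) for a jsonParsed System Program instruction, else None."""
    if ix.get("program") != "system" or ix.get("programId") != SYSTEM_PROGRAM_ID:
        return None
    parsed = ix.get("parsed") or {}
    return parsed.get("type"), parsed.get("info", {})


def scan(txs, max_nonce_age_days=7):
    """Emit alerts for two patterns, processing transactions in block-time order.

    nonce-setup: a watched signer becomes authority of a new durable-nonce
      account, the step that lets a transaction be signed now and broadcast
      later without its blockhash expiring.
    presigned-privileged: the first instruction is advanceNonce and the
      transaction also invokes a watched program with a watched signer;
      severity is "high" when the nonce account is older than the threshold.
    """
    nonce_created = {}  # nonce account pubkey -> blockTime of initializeNonce
    alerts = []
    for tx in sorted(txs, key=lambda t: t["blockTime"]):
        sig, when, ixs = tx["signature"], tx["blockTime"], _instructions(tx)
        for ix in ixs:
            parsed = _system_parsed(ix)
            if parsed and parsed[0] == "initializeNonce":
                info = parsed[1]
                nonce_created[info["nonceAccount"]] = when
                if info.get("nonceAuthority") in WATCHED_SIGNERS:
                    alerts.append(Alert(sig, "nonce-setup", "medium",
                        f"{info['nonceAuthority']} now controls nonce account {info['nonceAccount']}"))
        first = _system_parsed(ixs[0]) if ixs else None
        if first and first[0] == "advanceNonce":
            hits = {ix.get("programId") for ix in ixs[1:]} & WATCHED_PROGRAMS
            signers = _signers(tx) & WATCHED_SIGNERS
            if hits and signers:
                created = nonce_created.get(first[1].get("nonceAccount"))
                age = (when - created) / SECONDS_PER_DAY if created is not None else None
                stale = age is not None and age > max_nonce_age_days
                age_txt = f"nonce account age {age:.1f} days" if age is not None else "nonce account age unknown"
                alerts.append(Alert(sig, "presigned-privileged", "high" if stale else "medium",
                    f"durable-nonce tx by {sorted(signers)} invoking {sorted(hits)}; {age_txt}"))
    return alerts


def _tx(sig, block_time, account_keys, instructions):
    return {"signature": sig, "blockTime": block_time,
            "transaction": {"message": {"accountKeys": account_keys, "instructions": instructions}}}


T0 = 1_700_000_000  # constructed epoch seconds

SAMPLE_TXS = [  # constructed records, not real chain data
    # Day 0: SignerA initialises a durable-nonce account (preparation phase).
    _tx("sigOne_constructed", T0,
        [{"pubkey": "SignerA_placeholder", "signer": True}, {"pubkey": "Nonce1_placeholder", "signer": False}],
        [{"program": "system", "programId": SYSTEM_PROGRAM_ID,
          "parsed": {"type": "initializeNonce", "info": {"nonceAccount": "Nonce1_placeholder", "nonceAuthority": "SignerA_placeholder"}}}]),
    # Day 20: a pre-signed admin action is finally broadcast, leading with advanceNonce.
    _tx("sigTwo_constructed", T0 + 20 * SECONDS_PER_DAY,
        [{"pubkey": "SignerA_placeholder", "signer": True}, {"pubkey": "SignerB_placeholder", "signer": True}],
        [{"program": "system", "programId": SYSTEM_PROGRAM_ID,
          "parsed": {"type": "advanceNonce", "info": {"nonceAccount": "Nonce1_placeholder", "nonceAuthority": "SignerA_placeholder"}}},
         {"programId": "MultisigProgram_placeholder", "accounts": [], "data": "constructed"}]),
    # Day 21: an ordinary transfer by an unrelated key; should not alert.
    _tx("sigThree_constructed", T0 + 21 * SECONDS_PER_DAY,
        [{"pubkey": "Unrelated_placeholder", "signer": True}],
        [{"program": "system", "programId": SYSTEM_PROGRAM_ID,
          "parsed": {"type": "transfer", "info": {"lamports": 1000}}}]),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_TXS):
        print(alert)
```

In production the watchlist would be populated from the protocol's own multisig configuration, the records would come from an RPC or indexer feed, and the nonce‑setup alert is the one worth routing to the signer's owner immediately, since it precedes the theft by the weeks the brief describes.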

📰 Original Source
https://securityaffairs.com/190330/hacking/north-korea-linked-hackers-drain-285m-from-drift-in-sophisticated-attack.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
