Drift Protocol Loses $285 Million to Theft: North Korean Hackers Prepared for 6 Months, Using Durable Nonce to Bypass Multi-Signatures


Solana-based derivatives protocol Drift Protocol suffered a hacker attack on April 1, losing about $285 million. The platform’s total value locked (TVL) dropped sharply from about $550 million before the incident to about $230 million afterward. The Drift team later published a detailed investigation report, revealing that this was a social engineering attack that lasted six months and was supported by state-level resources.

Six months of lurking: from crypto conferences to code repositories

According to Drift’s investigation, the attackers began deploying as early as the fall of 2025. Posing as legitimate quant trading firms, they approached Drift contributors at multiple crypto conferences, establishing seemingly real professional relationships. During the six-month infiltration period, the attackers:

Set up a Telegram group to discuss trading strategies with the Drift team

Built credibility by establishing a presence in the ecosystem Vault using real funds (more than $1 million)

Held multiple work meetings in several countries

Ultimately, the compromise may have been carried out through two channels: one contributor cloned a code repository that could exploit a known VSCode/Cursor vulnerability; another contributor installed a TestFlight app that the attackers provided under the guise of a “wallet product.”

Technical tactics: Durable Nonce pre-signed transactions bypass multi-sig

Technically, the attackers used Solana’s “Durable Nonce” account mechanism, a feature that allows a transaction to be signed in advance and submitted later (the nonce stands in for the recent blockhash that would otherwise cause an unsubmitted transaction to expire). The attackers used it to prepare the signatures for all malicious transactions ahead of time, then executed them instantly once they had obtained sufficient permissions, leaving defenders very little time to respond.
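As an added illustration (not code from Drift’s report or repositories), a small defender-side check: a durable-nonce transaction is recognizable on chain because its first instruction is the System Program’s AdvanceNonceAccount, so monitoring that flags such transactions whenever a watched multisig key is among the signers gives an early signal that pre-signed transactions are being consumed. The account addresses and transaction messages below are constructed samples.

```python
# Detect Solana durable-nonce transactions signed by watched keys.
# Input is a compiled message in dict form: accountKeys (signers first),
# header.numRequiredSignatures, and instructions with programIdIndex,
# account indices and raw data bytes.
SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE_IX = 4  # SystemInstruction::AdvanceNonceAccount, u32 little-endian prefix


def uses_durable_nonce(msg):
    """Return the nonce account address if msg consumes a durable nonce, else None."""
    if not msg["instructions"]:
        return None
    ix = msg["instructions"][0]  # nonce advance must be the first instruction
    if msg["accountKeys"][ix["programIdIndex"]] != SYSTEM_PROGRAM:
        return None
    data = ix["data"]
    if len(data) < 4 or int.from_bytes(data[:4], "little") != ADVANCE_NONCE_IX:
        return None
    # Account order for AdvanceNonceAccount: [nonce account, RecentBlockhashes sysvar, authority]
    return msg["accountKeys"][ix["accounts"][0]]


def flag_pre_signed(msg, watched_signers):
    """Alert when a durable-nonce tx carries a signature from any watched key."""
    nonce_acct = uses_durable_nonce(msg)
    if nonce_acct is None:
        return None
    signers = msg["accountKeys"][: msg["header"]["numRequiredSignatures"]]
    hits = sorted(set(signers) & set(watched_signers))
    return {"nonce_account": nonce_acct, "watched_signers": hits} if hits else None


# Constructed sample: a council member's signature on a nonce-backed transaction.
COUNCIL_KEY = "CouncilMemberKey11111111111111111111111111111"   # constructed
NONCE_ACCT = "AttackerNonceAcct1111111111111111111111111111"    # constructed
SAMPLE_DURABLE = {
    "header": {"numRequiredSignatures": 1},
    "accountKeys": [COUNCIL_KEY, NONCE_ACCT, "SysvarRecentB1ockHashes11111111111111111111",
                    SYSTEM_PROGRAM, "SomeTargetProgram1111111111111111111111111111"],
    "instructions": [
        {"programIdIndex": 3, "accounts": [1, 2, 0], "data": (4).to_bytes(4, "little")},
        {"programIdIndex": 4, "accounts": [0], "data": b"\x01"},
    ],
}
# Constructed sample: an ordinary transaction with no nonce advance.
SAMPLE_PLAIN = {
    "header": {"numRequiredSignatures": 1},
    "accountKeys": [COUNCIL_KEY, "SomeTargetProgram1111111111111111111111111111"],
    "instructions": [{"programIdIndex": 1, "accounts": [0], "data": b"\x01"}],
}
```

In a live deployment the messages would come from an RPC subscription on the watched keys; the check itself needs no network access.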

The attackers quickly gained administrative control of Drift’s security committee and then drained the related assets. Drift emphasized afterward that all multi-sig members used cold wallets, but that still could not stop the attack—showing that “when an attack targets the human layer, even strict hardware controls may be bypassed.”

Pointing to North Korea’s UNC4736: the same group behind the Radiant Capital attack

Drift stated that, with “high to very high confidence,” it attributed the attack to UNC4736 (also known as Citrine Sleet, AppleJeus), a hacker group associated with the North Korean government. The investigation found that the incident pattern closely matches the attack in October 2024 that caused Radiant Capital to lose $58 million, and it believes the perpetrators were the same group.

Circle under criticism: why couldn’t it freeze the stolen USDC immediately?

After the attack, another controversy centered on Circle’s response speed. According to PeckShield data, the attackers stole about $71 million USDC from Drift, and after converting other stolen assets into USDC, they used Circle’s Cross-Chain Transfer Protocol (CCTP) to bridge about $232 million worth of USDC from Solana to Ethereum, greatly increasing the difficulty of recovery.

On-chain investigator ZachXBT criticized Circle for acting too slowly and pointed to a biting contrast: on the very same day that the attackers set up the Durable Nonce account (March 23), Circle froze 16 commercial hot wallets within minutes, prompted by a U.S. civil lawsuit—yet it did not take equally fast action in the face of a DeFi attack far exceeding nine figures.

Circle’s response was: “Circle is a regulated company and operates in accordance with sanctions rules, law enforcement directives, and court orders. We freeze assets in situations where the law requires it, in order to comply with the rule of law and protect users’ rights and privacy.” Plume’s legal counsel, meanwhile, urged lawmakers to establish a “safe harbor” mechanism so that stablecoin issuers can freeze assets when they have reasonable grounds to believe funds are involved in unlawful activity, without incurring civil liability.

A warning for the DeFi industry

Drift’s announcement drew widespread attention across the industry. The incident clearly shows that state-level hacker organizations are conducting months-long human intelligence (HUMINT) efforts against DeFi protocols, rather than relying solely on technical vulnerabilities. Key lessons include: don’t copy external repositories onto machines that hold production keys or multi-sigs; don’t install third-party applications; and don’t open unknown links. Isolation between devices and access permissions must be implemented thoroughly.

This article: Drift Protocol loses $285 million to theft—North Korean hackers prepare for six months, using Durable Nonce to bypass multi-sig was first published on Chain News ABMedia.
