securityaffairs.com 4/3/2026, 3:17:01 PM · via preferred

North Korea Linked to $285M Drift Protocol Crypto Heist

Primary Source elliptic.co

Drift Protocol suffered a $285 million cryptocurrency heist in what researchers describe as a highly sophisticated attack. Solana-based Drift said the incident took place on 1 April 2026. The operation allegedly involved durable nonce accounts, which were used to pre-sign transactions and delay their execution, while multisig approvals were compromised to gain admin control.

The attackers prepared in advance, setting up wallets and testing transactions before draining funds from multiple vaults within seconds and laundering them across wallets. According to Elliptic, the attack shows strong signs of being linked to North Korea (DPRK), based on observed attack behaviour and laundering methods. If confirmed, it would be the 18th DPRK-linked crypto theft this year.

Drift says it is coordinating with law enforcement, security firms and exchanges to trace and freeze stolen assets after halting operations and beginning containment efforts. The incident also underscores DPRK-linked activity and follows recent supply chain attacks, including the Axios npm compromise.


Article by CyberSIXT