Cybersecurity, April 3, 2026

North Korea Stole $285M from Drift Protocol Using a Solana Feature Built for Convenience

Attackers linked to North Korea exploited Solana's durable nonces to pre-sign transactions weeks in advance and seize control of Drift's multisig, draining $285M in the largest DeFi hack of 2026. The platform has suspended deposits and withdrawals.

Drift Protocol, a decentralized exchange built on Solana, lost $285 million on April 1 after attackers exploited a legitimate Solana transaction feature to seize control of the protocol’s security council and drain its vaults. Blockchain analytics firm Elliptic linked the attack to North Korean state-sponsored hackers — the same cluster responsible for multiple nine-figure crypto heists in recent years.

The attack vector was “durable nonces,” a Solana feature that lets wallets pre-authorize transactions to be submitted at a later time. Under normal use, durable nonces are helpful for hardware wallets and offline signing workflows. The attackers weaponized them to stage a slow-motion heist: they pre-signed the administrative transfers weeks before execution, bypassing Drift’s multisig approval mechanism in minutes once they were ready to act.

The stolen assets included $155.6 million in JPL tokens, $60.4 million in USDC, $11.3 million in CBBTC (Coinbase-wrapped bitcoin), and smaller amounts across FARTCOIN, wrapped Ether, WBTC, JUP, JITOSOL, and over a dozen other tokens. Different firms put the total at slightly different figures — Elliptic says $286M, CoinDesk’s on-chain forensics land at $270M, Fortune reports $280M. The discrepancy is likely due to token price slippage during the attacker’s rapid selling.

Drift immediately suspended deposits and withdrawals upon detecting the breach and issued an on-chain message to the attacker’s Solana address in an attempt to open a white hat negotiation. As of writing, there has been no response and no funds have been returned.

This is the largest single DeFi exploit of 2026 so far, and it exposes a broader weakness in how Solana-based protocols manage multisig governance. Durable nonces are not a bug — they are documented Solana functionality. The attack worked because Drift’s security model didn’t account for pre-signed transactions being held as leverage. The protocol trusted the nonce system to be used only by authorized parties; the attacker found a way to acquire that authorization in advance.

The incident adds to a long pattern of DPRK cyber units using crypto theft to fund the North Korean state. Chainalysis estimated North Korean hackers stole over $1.3 billion in 2025 alone. The Drift hack would push 2026 totals significantly higher.

For teams building on Solana: review your multisig architecture against pre-signed transaction risks. Nonce-based attacks are not theoretical anymore. Check that your Security Council keys are rotated regularly and that no outstanding durable nonces exist from previous signers. Drift’s post-mortem, expected in the coming days, will likely include a more detailed breakdown of exactly how the signing keys were compromised in the first place.
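One way to run the nonce check recommended above, as an added example that is not Drift's code or part of the original post: it decodes raw System Program nonce accounts (the 80-byte layout of version, state, authority, stored nonce and fee) and classifies each live one by who holds its authority. The function names, the signer sets and the sample accounts are assumptions constructed for illustration; fetching the real account data over RPC is left out.

```python
import struct

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
NONCE_ACCOUNT_LEN = 80  # u32 version | u32 state | 32B authority | 32B nonce | u64 fee

def b58encode(raw: bytes) -> str:
    """Base58-encode bytes the way Solana addresses are displayed."""
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def parse_nonce_account(data: bytes):
    """Return (authority, stored_nonce) for an initialized nonce account, else None."""
    if len(data) != NONCE_ACCOUNT_LEN:
        raise ValueError(f"expected {NONCE_ACCOUNT_LEN} bytes, got {len(data)}")
    _version, state = struct.unpack_from("<II", data, 0)
    if state != 1:  # 0 = uninitialized, holds no nonce
        return None
    return b58encode(data[8:40]), b58encode(data[40:72])

def audit(accounts: dict, current_signers: set, previous_signers: set) -> list:
    """Classify each live nonce account by who holds its authority."""
    findings = []
    for address, data in accounts.items():
        parsed = parse_nonce_account(data)
        if parsed is None:
            continue
        authority, _nonce = parsed
        if authority in previous_signers:
            status = "previous-signer"    # outstanding nonce from a rotated-out key
        elif authority in current_signers:
            status = "current-signer"     # confirm it belongs to a known workflow
        else:
            status = "unknown-authority"  # not tied to any signer on record
        findings.append((address, authority, status))
    return findings

# Constructed sample data: keys and account contents are made up for the example.
def _key(b): return bytes([b]) * 32
def _acct(authority): return struct.pack("<II", 1, 1) + authority + _key(0xAA) + struct.pack("<Q", 5000)
ALICE, BOB = b58encode(_key(1)), b58encode(_key(2))
SAMPLE = {"nonce-A": _acct(_key(1)), "nonce-B": _acct(_key(2)),
          "nonce-C": _acct(_key(9)), "nonce-D": bytes(80)}

if __name__ == "__main__":
    for row in audit(SAMPLE, current_signers={ALICE}, previous_signers={BOB}):
        print(*row, sep="  ")
```

Any account reported as `previous-signer` or `unknown-authority` is a nonce that someone outside the current signer set can still use to submit a held transaction, so it belongs on the review list before and after every key rotation.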

Deposits and withdrawals remain suspended as the team works with blockchain investigators. The protocol’s governance token dropped over 30% in the hours after the announcement.
