- Attackers spent six months infiltrating Drift Protocol through conferences, Telegram, and fake integrations before compromising developer environments and using Solana's durable nonce feature to pre-sign malicious transactions weeks in advance.
- The exploit drained the JLP Delta Neutral vault of roughly US$155 million and emptied two further vaults in roughly 10 minutes.
- Blockchain analytics firm Elliptic attributed the attack to North Korean state actors, noting it was the 18th suspected DPRK-linked crypto operation of 2026.
This is social engineering (and a real dedication to crime) taken to a different level.
Drift Protocol has now disclosed that its US$280 million (AU$406 million) April 1 exploit was the result of a six-month social engineering operation, during which North Korean-linked attackers posed as a legitimate trading firm and systematically gained access to developer environments before pre-authorising the transactions that drained the platform.
As Crypto News Australia reported, the protocol suspended operations immediately after the attack, and its total value locked (TVL) fell from roughly US$550 million (AU$800 million) to below US$250 million (AU$375 million) within hours.
Six Months In The Making
According to the post, the attackers began the infiltration around November, building trust through appearances at crypto industry conferences, Telegram outreach, and fake protocol integration proposals.
The target was access to developer machines, not smart contract vulnerabilities. Once inside developer environments, the group planted malicious tools that allowed them to pre-sign transactions using Solana's durable nonce feature.
The attackers used durable nonces to obtain two of the five multisig approvals required from Drift's Security Council (the threshold needed to authorise administrative changes) without these approvals being immediately actionable.
When triggered, the malicious transactions disabled the protocol's circuit breaker safety systems and handed administrative control to the attacker, who drained the JLP Delta Neutral vault, the SOL Super Staking vault, and the BTC Super Staking vault within roughly 10 to 12 minutes.
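A durable-nonce transaction is recognisable because its first instruction is the System Program's AdvanceNonceAccount. The sketch below is an added example, not code from Drift or from the original article: it flags decoded transactions that combine a durable nonce with a call to a monitored admin program. It assumes input shaped like the Solana RPC `getTransaction` response with `jsonParsed` encoding; the watched program ID and all sample values are constructed placeholders.

```python
SYSTEM_PROGRAM = "11111111111111111111111111111111"
# Hypothetical placeholder for the admin/multisig program ID being monitored.
WATCHED = {"ExampleMultisigProgram_placeholder"}

def nonce_info(tx):
    """Return the advanceNonce info if tx is a durable-nonce transaction, else None.

    Such a transaction carries System Program AdvanceNonceAccount as its first
    instruction, and stays valid until that nonce account is advanced.
    """
    ixs = tx["transaction"]["message"]["instructions"]
    if not ixs:
        return None
    parsed = ixs[0].get("parsed")
    if ixs[0].get("programId") != SYSTEM_PROGRAM or not isinstance(parsed, dict):
        return None
    return parsed.get("info", {}) if parsed.get("type") == "advanceNonce" else None

def flag_admin_nonce_txs(txs, watched=WATCHED):
    """Alert on durable-nonce transactions whose top-level instructions hit a watched program."""
    alerts = []
    for tx in txs:
        info = nonce_info(tx)
        if info is None:
            continue
        ixs = tx["transaction"]["message"]["instructions"][1:]
        hit = sorted({ix.get("programId") for ix in ixs} & watched)
        if hit:
            alerts.append({"signature": tx["transaction"]["signatures"][0],
                           "nonce_account": info.get("nonceAccount"),
                           "nonce_authority": info.get("nonceAuthority"),
                           "programs": hit})
    return alerts

# Constructed sample data, not real transactions.
def _tx(sig, ixs):
    return {"transaction": {"signatures": [sig], "message": {"instructions": ixs}}}

_ADVANCE = {"programId": SYSTEM_PROGRAM, "parsed": {"type": "advanceNonce", "info": {
    "nonceAccount": "NonceAccount_constructed", "nonceAuthority": "Authority_constructed"}}}
_ADMIN = {"programId": "ExampleMultisigProgram_placeholder", "accounts": [], "data": ""}
_TRANSFER = {"programId": SYSTEM_PROGRAM, "parsed": {"type": "transfer", "info": {}}}
SAMPLE = [_tx("sig_nonce_admin", [_ADVANCE, _ADMIN]),
          _tx("sig_plain_admin", [_ADMIN]),
          _tx("sig_nonce_transfer", [_ADVANCE, _TRANSFER])]

if __name__ == "__main__":
    for alert in flag_admin_nonce_txs(SAMPLE):
        print(alert)
```

The same check can be applied to a decoded transaction presented for signature, so a signer sees that an approval will not expire with a recent blockhash. It inspects top-level instructions only.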
They were technically fluent, had verifiable professional backgrounds, and were familiar with how Drift operated. A Telegram group was established upon the first meeting, and what followed were months of substantive conversations around trading strategies and potential vault integrations. These interactions are typical of how trading firms interact and onboard with Drift.
Blockchain analytics firm Elliptic confirmed the attack bore “a number of indicators” consistent with DPRK tradecraft, including on-chain behaviour patterns and laundering methodologies matching prior North Korean operations.
The post Drift Protocol Hack Revealed as Months-Long Social Engineering Operation appeared first on Crypto News Australia.




