Drift hack traced to long infiltration

Investigators say the $285 million Drift Protocol breach followed a six-month infiltration where attackers posed as a quant trading firm, used conference networking, $1M deposits, repo clones and compromised TestFlight builds — activity now linked to DPRK-associated group UNC4736. The episode is a stark operational-security case study for teams that trust external collaborators and reusable tooling. (x.com) (x.com)

When Drift Protocol was drained on April 1, the first explanations sounded familiar. Another crypto hack. Another missing quarter-billion dollars. But the story investigators are now telling is slower, stranger, and more unsettling: the attackers did not smash their way in. They spent months being invited closer. (coindesk.com) (theblock.co)

Drift is one of the biggest trading venues on Solana, a place where users can make leveraged bets and park funds in vaults that chase yield. DefiLlama lists the April 1 incident as a $285 million hack, and Elliptic says it hit the largest decentralized perpetual futures exchange on Solana. (defillama.com) (elliptic.co)

Drift’s own account of the theft says the attackers did not exploit a bug in the protocol’s smart contracts and did not steal a seed phrase. Instead, they obtained administrative approvals in advance, then used Solana “durable nonce” accounts to hold those approvals until the moment they were ready to act. In plain terms, they got legitimate signers to bless transactions earlier, saved those signed instructions for later, and then executed them in a burst that handed over control of Drift’s security council powers. (theblock.co) (coindesk.com)

That mechanism matters because durable nonces are not malware. They are a normal Solana feature meant to let people prepare transactions ahead of time. Drift says the attackers used that convenience against the protocol, combining delayed execution with social engineering or misleading transaction presentation so that signers approved something they did not fully recognize. Once the attackers had that access, Drift says, they added a malicious asset, removed withdrawal limits, and emptied funds from vaults and deposits across the platform. (theblock.co) (cointelegraph.com)

The newer reporting fills in how those approvals were won. According to CoinDesk, investigators say the operation began roughly six months earlier with people posing as a quantitative trading firm. They networked at conferences, built trust with the Drift team, made deposits reportedly as large as $1 million, shared cloned code repositories, and slipped poisoned builds through Apple’s TestFlight distribution system. By the time the theft happened, the attackers were not outsiders knocking on the door. They were operating inside a relationship that looked useful and routine. (coindesk.com)

The attribution points to a North Korean playbook that security researchers have been watching evolve for years. Mandiant tracks UNC4736 as a suspected North Korea-linked cluster and tied it to the 3CX software supply-chain compromise in 2023, an attack that spread through trusted software updates rather than obvious phishing. More recently, researchers at Silent Push described North Korean operators creating fake crypto companies and using job and collaboration lures to deliver malware to targets in the industry. The Drift case appears to combine those habits: fake business identity, patient relationship-building, reusable tooling, and compromise delivered through something that looked like ordinary work. (cloud.google.com) (silentpush.com)

After the theft, the attacker rapidly swapped assets including JLP, SOL, USDC, cbBTC, and wBTC, and moved large amounts of USDC across chains toward Ethereum. Drift froze remaining protocol functions and replaced the compromised multisig wallet, while investigators and exchanges tried to trace and block the funds. The exploit started with signed approvals that looked mundane and ended with wallets buying Ether in industrial size. (theblock.co) (cointelegraph.com)

That is what makes the Drift hack feel less like a coding failure than an operations failure. The weak point was not just a line of software. It was the long chain of trust around demos, collaborators, test builds, shared repositories, and admin signatures. By the time $285 million moved, the decisive mistakes had already happened months earlier, in rooms that probably looked like business development. (coindesk.com) (elliptic.co)
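One defensive takeaway from the durable-nonce mechanism described above is that a multisig signer can tell, before signing, whether a transaction is replayable later: on Solana a durable-nonce transaction always carries a System Program AdvanceNonceAccount instruction in slot 0, and its "recent blockhash" field holds the nonce instead of a real blockhash. The check below is an added example, not Drift's code or anything from the article; it parses only legacy (non-versioned) Solana messages, and the account keys and messages it builds are constructed test data.

```python
# Added example (not from Drift or the article): flag a legacy Solana message as
# durable-nonce when instruction 0 is SystemProgram::AdvanceNonceAccount. Such a
# message never expires, so a signature granted now can be broadcast at any later time.
SYSTEM_PROGRAM = bytes(32)                 # base58 "111...1" decodes to 32 zero bytes
ADVANCE_NONCE = (4).to_bytes(4, "little")  # bincode u32 tag of AdvanceNonceAccount

def compact_u16(buf, pos):
    """Decode Solana's compact-u16 length prefix; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7

def parse_legacy_message(msg):
    """Return (account_keys, recent_blockhash, [(program_key, acct_idxs, data), ...])."""
    pos = 3                                # header: 3 one-byte signer/readonly counts
    n_keys, pos = compact_u16(msg, pos)
    keys = [msg[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = msg[pos:pos + 32], pos + 32   # holds the stored nonce if durable
    n_ix, pos = compact_u16(msg, pos)
    ixs = []
    for _ in range(n_ix):
        prog_idx, pos = msg[pos], pos + 1
        n_acc, pos = compact_u16(msg, pos)
        accts, pos = list(msg[pos:pos + n_acc]), pos + n_acc
        n_data, pos = compact_u16(msg, pos)
        data, pos = msg[pos:pos + n_data], pos + n_data
        ixs.append((keys[prog_idx], accts, data))
    return keys, blockhash, ixs

def uses_durable_nonce(msg):
    """True when the first instruction advances a nonce account via the System Program."""
    ixs = parse_legacy_message(msg)[2]
    return bool(ixs) and ixs[0][0] == SYSTEM_PROGRAM and ixs[0][2] == ADVANCE_NONCE

def build_message(keys, blockhash, ixs):
    """Serialize a legacy message (constructed input; every count < 128, so one byte each)."""
    out = bytes([1, 0, 1, len(keys)]) + b"".join(keys) + blockhash + bytes([len(ixs)])
    for prog_idx, accts, data in ixs:
        out += bytes([prog_idx, len(accts)]) + bytes(accts) + bytes([len(data)]) + data
    return out

# Constructed keys: 0 = signer, 1 = nonce account, 2 = RecentBlockhashes sysvar, 3 = System Program
KEYS = [b"\x01" * 32, b"\x02" * 32, b"\x03" * 32, SYSTEM_PROGRAM]
PAY = (3, [0, 1], (2).to_bytes(4, "little") + (1_000_000).to_bytes(8, "little"))  # Transfer
ORDINARY_MSG = build_message(KEYS, b"\xaa" * 32, [PAY])
DURABLE_MSG = build_message(KEYS, b"\xbb" * 32, [(3, [1, 2, 0], ADVANCE_NONCE), PAY])
```

A signing UI that surfaces this flag (and the nonce account and authority in instruction 0) gives approvers a concrete reason to ask why a routine admin action needs to be valid indefinitely.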
