Introduction
A recent incident involving the Solana-based decentralized exchange Drift resulted in the loss of $285 million, stolen by North Korean hackers in a durable nonce social engineering attack, as reported by SecurityWeek. The incident illustrates the threat these groups pose to cryptocurrency exchanges and financial institutions, and the need for controls that assume privileged key holders will be targeted through social engineering rather than only through technical exploits. The Drift incident is a reminder that vigilance and proactive countermeasures against social engineering are not optional for anyone holding keys that move customer funds.
The Solana blockchain, known for fast transaction processing and low fees, has become an attractive target because of its growing popularity and trading volume. Decentralized exchanges like Drift are not shielded by their decentralized design from this kind of attack: the protocol still relied on privileged administrative keys, held by its Security Council, and whoever controls those keys controls the vaults. That the attackers reached those keys through social engineering rather than a smart-contract bug is precisely why stronger controls around privileged signing are needed, as The Hacker News notes.
North Korean Hackers Drain $285 Million From Drift
The attackers used a durable nonce social engineering attack to take over an admin key and then drained five vaults in about 10 seconds. They had prepared infrastructure and multiple nonce-based transactions ahead of time, which shows planning rather than opportunism. Drift Protocol's Security Council administrative powers were taken over in the process, giving the attackers the authority needed to carry out the drain, as reported by SecurityWeek.
The durable nonce technique is concerning because it does not depend on a bug in Drift's code. A durable nonce is a legitimate Solana feature that lets a signed transaction remain valid indefinitely instead of expiring with its blockhash, so a privileged signer who is tricked into signing such a transaction has effectively handed the attacker a transaction that can be submitted at any later moment. The prepared infrastructure and multiple nonce-based transactions suggest a high degree of organization and resources. The incident should prompt cryptocurrency exchanges and financial institutions to reassess their signing procedures and implement more robust measures, according to The Hacker News.
From a technical perspective, the attack is not about a flaw in nonce generation or verification. An ordinary Solana transaction embeds a recent blockhash and is rejected once that blockhash is roughly 150 slots old (on the order of a minute), which bounds how long a signed-but-unsubmitted transaction remains dangerous. A durable nonce replaces that blockhash with a value stored in an on-chain nonce account; the transaction's first instruction advances the nonce, and until the nonce is advanced the signed transaction stays valid. An attacker who persuades a privileged key holder to sign such transactions can hold them and submit them at a moment of their choosing, which is consistent with the reported preparation of multiple nonce-based transactions in advance. The lesson is therefore less about nonce mechanics than about what privileged signers approve: the signing flow should show whether a transaction uses a durable nonce, and a durable-nonce transaction from an admin key should be treated as exceptional and subject to independent review. Regular security audits of the key-management and signing process remain worthwhile for catching such gaps.
Technical Details of the Attack
The attack on Drift combined social engineering with Solana's durable nonce feature. The reports cited here say the attackers used social engineering to take over an admin key and had prepared infrastructure and multiple nonce-based transactions beforehand; they do not detail the pretext used, which could have been phishing, impersonation or another lure. What the durable nonce contributes is persistence: a transaction signed against a nonce account does not expire the way an ordinary transaction does, so transactions obtained from a privileged signer can be stockpiled and submitted together later. Because each nonce account holds a single nonce value that is consumed when it is advanced, preparing several such transactions means preparing several nonce accounts, which is consistent with the description of prepared infrastructure.
The ten-second drain of five vaults does not indicate on-the-fly exploitation; it is what pre-signed, non-expiring transactions look like when they are finally submitted. The speed therefore points to preparation: the attackers understood Drift's Security Council permissions and had the transactions ready before the admin key was taken over.
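As an added illustration (not code from Drift, Solana, or the reports cited above), the following Python model shows why a durable-nonce transaction is dangerous once signed and what a signer-side check looks like. It is a deliberately simplified simulation: the 150-slot blockhash lifetime, the nonce account and the rule that AdvanceNonceAccount must be the first instruction are modelled in plain Python rather than with Solana libraries, and the names `security_council_member`, `nonceAcct1` and the `Drift`/`UpdateAdmin` instruction are placeholders.

```python
"""Toy model of Solana transaction lifetime: recent blockhash vs durable nonce.

Added illustration only. The ledger, account layout and instruction names are a
simplified model, not Solana's real serialization or System Program code.
"""
from dataclasses import dataclass

BLOCKHASH_LIFETIME_SLOTS = 150                    # a blockhash is rejected after ~150 slots
PRIVILEGED_SIGNERS = {"security_council_member"}  # placeholder name for an admin key


@dataclass(frozen=True)
class Transaction:
    signer: str
    recent_blockhash: str   # a real blockhash, or the value held in a nonce account
    instructions: tuple     # ((program, instruction_name, accounts), ...)

    def uses_durable_nonce(self) -> bool:
        # Durable-nonce rule: the FIRST instruction must be System::AdvanceNonceAccount.
        return bool(self.instructions) and self.instructions[0][:2] == ("System", "AdvanceNonceAccount")


class ToyChain:
    """Just enough ledger state to decide whether a signed transaction is still valid."""

    def __init__(self):
        self.slot = 0
        self.blockhash_slot = {}   # blockhash -> slot in which it was produced
        self.nonce_accounts = {}   # pubkey -> {"authority": str, "nonce": str}
        self.executed = []

    def advance_slots(self, n: int) -> None:
        for _ in range(n):
            self.slot += 1
            self.blockhash_slot[f"hash{self.slot}"] = self.slot

    def current_blockhash(self) -> str:
        return f"hash{self.slot}"

    def create_nonce_account(self, pubkey: str, authority: str) -> str:
        # The account stores one nonce value; only an advance replaces it.
        self.nonce_accounts[pubkey] = {"authority": authority, "nonce": self.current_blockhash()}
        return self.nonce_accounts[pubkey]["nonce"]

    def submit(self, tx: Transaction) -> str:
        if tx.uses_durable_nonce():
            nonce_pubkey, authority = tx.instructions[0][2]
            acct = self.nonce_accounts.get(nonce_pubkey)
            if acct is None or authority != tx.signer or acct["authority"] != authority:
                return "rejected: nonce authority did not sign"
            if acct["nonce"] != tx.recent_blockhash:
                return "rejected: nonce already advanced"
            # Advancing consumes the nonce, so the same signed bytes cannot be replayed;
            # but until this moment the transaction never expired.
            acct["nonce"] = f"nonce{self.slot}"
            self.executed.append(tx)
            return "executed"
        produced = self.blockhash_slot.get(tx.recent_blockhash)
        if produced is None or self.slot - produced > BLOCKHASH_LIFETIME_SLOTS:
            return "rejected: blockhash expired"
        self.executed.append(tx)
        return "executed"


def review_before_signing(tx: Transaction) -> tuple:
    """Signer-side policy: a privileged key should not casually sign a non-expiring transaction."""
    if tx.signer in PRIVILEGED_SIGNERS and tx.uses_durable_nonce():
        return False, "durable-nonce transaction from privileged key: valid indefinitely once signed"
    return True, "ok"


def demo() -> tuple:
    """Sign two transactions at slot 10, then submit them much later."""
    chain = ToyChain()
    chain.advance_slots(10)
    admin = "security_council_member"
    nonce = chain.create_nonce_account("nonceAcct1", admin)
    ordinary = Transaction(admin, chain.current_blockhash(), (("Drift", "UpdateAdmin", ()),))
    durable = Transaction(admin, nonce, (("System", "AdvanceNonceAccount", ("nonceAcct1", admin)),
                                         ("Drift", "UpdateAdmin", ())))
    chain.advance_slots(200)          # a couple of minutes later: ordinary tx is dead
    stale_result = chain.submit(ordinary)
    chain.advance_slots(100_000)      # days later: durable tx still lands
    durable_result = chain.submit(durable)
    replay_result = chain.submit(durable)   # nonce consumed, so no second execution
    return stale_result, durable_result, replay_result


if __name__ == "__main__":
    print(demo())
    print(review_before_signing(Transaction("security_council_member", "hash10",
          (("System", "AdvanceNonceAccount", ("nonceAcct1", "security_council_member")),))))
```

The model shows the two properties that matter for this incident: the ordinary transaction signed at slot 10 is worthless a few minutes later, while the durable-nonce transaction signed at the same moment executes days later and is only then consumed. Stockpiling several such transactions requires a nonce account per transaction, which is what "prepared infrastructure" means in practice. `review_before_signing` is the kind of check a hardware-wallet or signing-service policy for admin keys should apply before a human ever sees an approval prompt.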
To mitigate such attacks, cryptocurrency exchanges and financial institutions must implement robust security measures, including:
- Multi-factor authentication and hardware-backed signing: Require multiple forms of verification for admin accounts, and remember that MFA on a web account does not by itself protect an on-chain key. Keep privileged keys in hardware wallets or HSMs and require a signing threshold so that one socially engineered signer cannot authorize a withdrawal alone.
- Transaction review before signing: Decode every transaction a privileged key is asked to sign, and treat a durable-nonce transaction (one whose first instruction advances a nonce account) from an admin key as exceptional, since it stays valid until it is submitted.
- Regular security audits: Conduct regular security audits of the key-management and signing process as well as the smart contracts, and address findings promptly.
- Employee training: Educate key holders on social engineering risks specific to signing requests, and train them to pause and escalate suspicious approval prompts.
- Incident response planning: Develop incident response plans that include rotating or revoking admin authority quickly, since a compromised key with pre-signed transactions can be exercised within seconds.
Recommendations and Takeaways
The theft of $285 million from Drift by North Korean hackers highlights the need for stronger defenses against social engineering aimed at privileged key holders. Cryptocurrency exchanges should implement robust security protocols, including multi-factor authentication, regular security audits, and employee training programs, as recommended by SecurityWeek. Users should be cautious when interacting with cryptocurrency exchanges, remain aware of social engineering risks, and protect their personal information.
Combating the threat posed by North Korean hacking groups also requires international cooperation. Governments and law enforcement agencies must share intelligence and best practices to disrupt these groups' activities and bring perpetrators to justice, according to The Hacker News. Prioritized recommendations for security practitioners include:
- Implement robust multi-factor authentication protocols to prevent unauthorized access.
- Conduct regular security audits to identify vulnerabilities and address them promptly.
- Educate employees on social engineering attack risks and provide training on responding to suspicious activity.
- Encourage users to be cautious when interacting with cryptocurrency exchanges and report suspicious activity.
- Foster international cooperation to disrupt North Korean hacking groups and bring perpetrators to justice.
Additionally, cryptocurrency exchanges and financial institutions should consider implementing:
- Advanced threat detection systems: Implement advanced threat detection systems to quickly identify and respond to potential security incidents.
- Security information and event management (SIEM) systems: Implement SIEM systems to monitor and analyze security-related data from various sources.
- Incident response teams: Establish incident response teams to quickly respond to and contain security incidents.
By taking these proactive measures, cryptocurrency exchanges and financial institutions can reduce the risk of falling victim to social engineering attacks and protect customers' assets. The Drift incident is a stark reminder that a protocol is only as secure as the process by which its privileged keys sign transactions, and that vigilance and cooperation are needed in the face of escalating threats, as SecurityWeek emphasizes. As the landscape evolves, staying informed and adapting to emerging techniques such as durable-nonce abuse is essential to the security and integrity of digital assets.