CryptoreNews covers fintech, blockchain and Bitcoin bringing you the latest crypto news and analyses on the future of money.
Drift security personnel authorized the transfer of $280 million to hackers, 2026/04/05 15:41:01

The breach of the cryptocurrency protocol Drift, amounting to $280 million, was the result of a phishing attack attributed to the North Korean hacking group Lazarus, also known as TraderTraitor. This conclusion was reached by analysts from several platforms, including Diverg, TRM Labs, and Elliptic.
Blockchain experts noted that the timing of the operations, which occurred on weekdays and aligned with working hours in Pyongyang, pointed to the involvement of the hacker group. The methods employed also resembled those of Lazarus: the use of the Tornado Cash mixer in the preparation of the attack, the application of social engineering, rapid fund transfers across multiple blockchains with a focus on Ethereum, and the retention of the stolen assets.
According to Elliptic, the Drift breach marks the 18th attack by Lazarus this year.
Blockchain researchers found no code vulnerabilities, compromised private keys, or oracle manipulation. Security specialists began to consider the possibility of a phishing attack in which the administrator key was compromised. This hypothesis was also suggested by Lily Liu, chair of the Solana network support fund, and Vibhu Norby, founder of the DRiP platform.
It was discovered that the attackers used the durable nonces feature in Solana. In Solana, each transaction includes a timestamp valid for 60–90 seconds, confirming that the transaction was created recently. If the transaction is not sent to the network within this timeframe, it becomes invalid. This security measure prevents the resubmission of outdated transactions.
Durable nonces remove this restriction and keep the transaction valid indefinitely, until someone submits it to the network. If an operation is signed today, it can be executed a week or a month later. The signer cannot revoke the approval. This is akin to a blank check given to someone: the check lacks an amount and date but bears the signature of the account holder. The recipient can fill it out at any time (a day, a week, or a month later) and withdraw funds from the account.
At the end of March, the attackers created four wallets with a delayed transaction mechanism. Two were linked to actual members of the Drift security council. Analysts believe the perpetrators obtained valid signatures under the guise of a routine technical operation, and that the signers were unaware they were signing a durable nonce transaction.
On the day of the attack, the hackers initiated a withdrawal from the Drift insurance fund, disguised as a standard security test. A minute later, the perpetrators sent two pre-signed transactions, which approved the fraudulent transfer at the administrator level and then executed the withdrawal of funds from the protocol.
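A signer-side check for the situation described above, as an added example that is not part of the original article or of Drift's tooling: it parses a legacy Solana transaction message and reports whether the first instruction is the System Program's AdvanceNonceAccount, which is what marks a transaction as a durable nonce transaction that does not expire. The sample keys and messages are constructed, and `build` is a hypothetical helper used only to produce them.

```python
SYSTEM_PROGRAM = bytes(32)                   # System Program id is 32 zero bytes
ADVANCE_NONCE = (4).to_bytes(4, "little")    # SystemInstruction::AdvanceNonceAccount tag

def read_shortvec(buf, pos):
    """Decode Solana's compact-u16 length prefix; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def parse_instructions(msg):
    """Return [(program_id, [account_key, ...], data)] from a legacy message."""
    if msg[0] & 0x80:
        raise ValueError("versioned message: not handled by this example")
    n_keys, pos = read_shortvec(msg, 3)      # 3-byte header precedes the key list
    keys = [msg[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys + 32                  # skip keys and the 32-byte blockhash/nonce field
    n_ix, pos = read_shortvec(msg, pos)
    out = []
    for _ in range(n_ix):
        program, pos = keys[msg[pos]], pos + 1
        n_acc, pos = read_shortvec(msg, pos)
        accounts, pos = [keys[i] for i in msg[pos:pos + n_acc]], pos + n_acc
        n_data, pos = read_shortvec(msg, pos)
        out.append((program, accounts, msg[pos:pos + n_data]))
        pos += n_data
    return out

def durable_nonce_account(msg):
    """Return the nonce account key if instruction 0 advances a nonce, else None."""
    ixs = parse_instructions(msg)
    program, accounts, data = ixs[0] if ixs else (None, [], b"")
    is_advance = program == SYSTEM_PROGRAM and data[:4] == ADVANCE_NONCE
    return accounts[0] if is_advance and accounts else None

def build(keys, ixs):
    """Constructed sample-message builder (all lengths < 128, dummy blockhash)."""
    msg = bytes([1, 0, 1, len(keys)]) + b"".join(keys) + b"\xaa" * 32 + bytes([len(ixs)])
    for prog, accts, data in ixs:
        msg += bytes([prog, len(accts), *accts, len(data)]) + data
    return msg

# Constructed keys: signer, nonce account, sysvar placeholder, System Program
KEYS = [b"\x01" * 32, b"\x02" * 32, b"\x03" * 32, SYSTEM_PROGRAM]
ADVANCE = (3, [1, 2, 0], ADVANCE_NONCE)
TRANSFER = (3, [0, 1], (2).to_bytes(4, "little") + (1000).to_bytes(8, "little"))
NONCE_TX, PLAIN_TX = build(KEYS, [ADVANCE, TRANSFER]), build(KEYS, [TRANSFER])
```

A signing workflow can refuse or escalate any request for which `durable_nonce_account` returns a key, since that signature stays usable until the nonce account is advanced.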
Lazarus had previously breached the Bybit and Ronin platforms, extracting $1.5 billion and $625 million, respectively. The attack on Drift occurred on April 1. Over a span of six hours, the stolen USDC was transferred through the Circle protocol in more than 100 transactions, as revealed by anonymous researcher ZachXBT.