A Six-Month Con, a Twelve-Minute Heist

On April 1, 2026, attackers drained approximately $285 million from Drift Protocol — the largest decentralized perpetual futures exchange on Solana — in roughly 12 minutes. No smart contract was exploited. No private key was stolen from a server. Instead, the attackers weaponized a legitimate Solana feature called "durable nonces" alongside months of patient social engineering to hijack Drift's governance from the inside. According to blockchain intelligence firm TRM Labs, the operation bears the hallmarks of North Korean state-linked hackers, making it the largest DeFi exploit of 2026 and the second-largest in Solana's history after the 2022 Wormhole bridge hack.

What makes this incident particularly alarming is not the dollar amount alone but the attack vector. The exploit did not rely on a code vulnerability — it exploited the gap between when a governance action is approved and when it is executed, a gap that Solana's durable nonce feature can stretch from seconds to weeks.

What Are Durable Nonces, and Why Do They Exist?

Every Solana transaction includes a "recent blockhash" — essentially a timestamp proving the transaction was created recently. That blockhash expires after roughly 60 to 90 seconds, according to Solana's official documentation. If a transaction is not submitted within that window, it becomes invalid. This expiration is a safety feature: it prevents old transactions from being replayed.

Durable nonces replace this short-lived blockhash with a stored value in a dedicated on-chain account, removing the expiration window entirely. A transaction signed with a durable nonce remains valid indefinitely — or until the nonce authority manually advances the nonce account, which invalidates the old signature. The feature was designed for legitimate use cases: offline signing for cold wallets, multi-signature approval workflows that span days, and institutional custody operations where multiple parties in different time zones need to co-sign.

The critical consequence, as BlockSec's technical analysis noted, is that durable nonces sever the link between signing and execution timing. Once a signer approves a transaction, that approval persists. There is no built-in mechanism to revoke it. The signer trusts that the transaction will be submitted promptly and in the context they intended — but nothing in the protocol enforces that trust.
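A simplified model of the two validity rules described above, added here as an illustration (it is not Solana's implementation or code from any of the cited analyses). The `Ledger` and `NonceAccount` classes, the account names, and the 150-slot window and ~0.4 s slot time used to approximate "60 to 90 seconds" are assumptions of the model.

```python
from dataclasses import dataclass, field

MAX_BLOCKHASH_AGE_SLOTS = 150   # model parameter for the 60-90 second window

@dataclass
class NonceAccount:
    authority: str
    value: str                  # stored nonce, used in place of a recent blockhash
    counter: int = 0

    def advance(self, signer: str) -> None:
        # Only the nonce authority may advance; the old value stops being valid.
        if signer != self.authority:
            raise PermissionError("only the nonce authority can advance")
        self.counter += 1
        self.value = f"nonce-{self.counter}"

@dataclass
class Ledger:
    slot: int = 0
    blockhash_slot: dict = field(default_factory=dict)   # blockhash -> slot produced
    nonces: dict = field(default_factory=dict)           # name -> NonceAccount

    def tick(self, slots: int = 1) -> str:
        self.slot += slots
        blockhash = f"hash-{self.slot}"
        self.blockhash_slot[blockhash] = self.slot
        return blockhash

    def accepts(self, tx: dict) -> bool:
        """Would an already-signed transaction still be accepted right now?"""
        if tx["nonce_account"]:                           # durable-nonce transaction
            return self.nonces[tx["nonce_account"]].value == tx["blockhash"]
        born = self.blockhash_slot.get(tx["blockhash"])
        return born is not None and self.slot - born <= MAX_BLOCKHASH_AGE_SLOTS

def demo() -> dict:
    ledger = Ledger()
    ledger.nonces["council-nonce"] = NonceAccount("authority", "nonce-0")
    normal = {"blockhash": ledger.tick(), "nonce_account": None}
    durable = {"blockhash": "nonce-0", "nonce_account": "council-nonce"}
    ledger.tick(2_000_000)        # about nine days of slots at ~0.4 s each
    after_wait = (ledger.accepts(normal), ledger.accepts(durable))
    ledger.nonces["council-nonce"].advance("authority")   # the only revocation path
    return {"after_wait": after_wait, "after_advance": ledger.accepts(durable)}

if __name__ == "__main__":
    print(demo())
```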

The Social Engineering Campaign

The technical exploit was sophisticated, but the attack began with something far more mundane: introductions at a crypto conference.

According to The Cyber Express, the group behind the attack — tracked as UNC4736, also known as AppleJeus or Citrine Sleet — spent approximately six months building relationships with Drift Protocol contributors. Beginning around October 2025, operatives posing as representatives of a quantitative trading firm approached Drift team members at industry events. They attended multiple conferences, established in-person rapport, and built credibility by depositing over $1 million into the protocol and integrating an Ecosystem Vault.

This was not a rushed phishing campaign. It was a patient, multi-month infiltration designed to earn the trust needed to compromise multisig signers — the human gatekeepers of Drift's governance.

The device compromise itself reportedly involved a malicious TestFlight application and a vulnerability in developer tools (VSCode/Cursor), according to The Cyber Express. Through these vectors, the attackers obtained the approvals they needed from two of Drift's five Security Council members — enough to meet the protocol's 2-of-5 multisig threshold.

Anatomy of the Governance Hijack

Drift's Security Council operated as a 2-of-5 multisig using the Squads framework, according to BlockSec. This meant any two of five designated signers could authorize administrative actions. Critically, the configuration included a zero timelock — approved actions took effect immediately, with no delay window for the community or other signers to review or intervene.

The attack unfolded in carefully staged phases.

Phase 1: Infrastructure and Token Manufacturing (March 11-30)

On-chain staging began on March 11, according to TRM Labs. The next day, a 10 ETH withdrawal from Tornado Cash at approximately 12:00 AM GMT — roughly 09:00 Pyongyang time — funded the deployment of CarbonVote Token (CVT). The attackers minted 750 million CVT units, seeded a liquidity pool on Raydium with minimal capital, and used wash trading to build an artificial price history near $1, according to TRM Labs and BlockSec.

Between March 23 and March 30, the attackers created multiple durable nonce accounts and collected pre-signed governance transactions from two compromised Security Council members, according to TRM Labs.

Phase 2: The Timelock Removal (March 27)

On March 27, Drift migrated its Security Council configuration. The new setup maintained the 2-of-5 threshold but — crucially — retained the zero timelock, according to Bitcoin.com News. Previous safeguards had included a 24-to-72-hour delay on administrative actions. The removal of this delay window converted what would have been a detectable multi-day attack into a 12-minute extraction.

The attackers adapted to this migration. They re-obtained the necessary two-of-five approvals under the new configuration, demonstrating the operation's flexibility and the depth of their access to compromised signers, as The Cyber Express reported.

Phase 3: Execution (April 1, 16:05 UTC)

Two pre-signed transactions executed just four slots apart, according to BlockSec. The first created a malicious admin transfer proposal. The second advanced the nonce, approved the proposal, and executed an UpdateAdmin instruction — transferring full administrative control of Drift Protocol to the attacker's address.

With admin control secured, the attacker moved rapidly: they created a new collateral market accepting CVT with deliberately lenient risk parameters, switched Drift's oracle to one they controlled (inflating CVT's price to arbitrary levels), relaxed withdrawal protections and circuit breakers, deposited massively overvalued CVT as collateral, and then executed 31 rapid withdrawals over approximately 12 minutes, according to BlockSec.

The total drained: $285,279,417.69, according to BlockSec's on-chain analysis. Stolen assets included USDC, JLP, SOL, cbBTC, USDT, wETH, dSOL, WBTC, JTO, and FARTCOIN.

The Money Trail

Elliptic's analysis identified the largest single transfer as approximately 41.7 million JLP tokens, valued at roughly $155 million. The fund flow followed a well-rehearsed pattern: stolen tokens were first swapped to USDC via Solana DEX aggregators, then bridged to Ethereum using Circle's Cross-Chain Transfer Protocol (CCTP), and finally converted to ETH.

The bridging was notably aggressive. On-chain investigator ZachXBT pointed out that approximately 232 million USDC was bridged via CCTP over roughly six hours — all during U.S. business hours — without Circle intervening to freeze the funds, according to CoinDesk. TRM Labs described the laundering pace as exceeding the aggressiveness seen in the Bybit incident of 2025.

The controversy deepened when ZachXBT contrasted Circle's inaction here with its recent freezing of 16 wallets in an unrelated civil case, according to Bitcoin.com News. Circle's position, as reported, is that it only freezes assets when legally mandated through judicial orders or law enforcement directives.

Attribution: UNC4736 and the DPRK Playbook

Multiple blockchain intelligence firms attributed the attack to North Korean state-linked actors. The Cyber Express identified the group as UNC4736 — also tracked under the names AppleJeus and Citrine Sleet — citing on-chain fund flows that connect to the attackers behind the Radiant Capital exploit.

Elliptic flagged this as the 18th tracked DPRK-linked crypto theft of 2026, with over $300 million stolen collectively this year. The firm noted that DPRK-linked actors have stolen over $6.5 billion in cryptoassets in recent years, with proceeds linked to funding weapons programs.

Several indicators supported the attribution: the initial Tornado Cash withdrawal timing aligned with Pyongyang working hours (09:00 local time), according to TRM Labs. The laundering methodology and on-chain behavior were consistent with patterns observed in previous DPRK-attributed operations, per Elliptic. And the social engineering approach — long-term impersonation of a legitimate business, device compromise through developer tools — matched UNC4736's established tradecraft.

Adding another dimension, The Cyber Express reported that the Drift exploit occurred simultaneously with the attribution of an npm supply chain attack (Axios) to a separate DPRK group, UNC1069 — suggesting coordinated multi-front operations.

Collateral Damage

The blast radius extended well beyond Drift itself. Bitcoin.com News reported that over 20 protocols were affected by contagion effects. Prime Numbers Fi lost millions. Pyra Protocol disabled all withdrawals preventatively. Carrot Protocol saw its TVL collapse by half. Even smaller protocols like Piggybank reported losses.

Elliptic noted that Drift's total value locked collapsed from approximately $550 million to under $250 million. The DRIFT governance token fell between 37% and 42%, according to Bitcoin.com News.

Drift froze all protocol functions, removed the compromised wallet from the multisig, and began coordinating with security firms, exchanges, bridges, and law enforcement. As of April 3, no comprehensive reimbursement plan had been announced, per Bitcoin.com News.

The Deeper Problem: Authorization Without Expiration

The Drift exploit exposes a structural tension in blockchain governance that extends beyond any single protocol.

Durable nonces exist for good reason. Institutional custody, multi-party signing across time zones, and cold wallet operations all require transactions that persist longer than 90 seconds. The feature solves a real problem. But it also creates a new one: an approved transaction that cannot expire is an approved transaction that the signer has permanently lost control over.

BlockSec's analysis emphasized three structural lessons. First, authorization pipeline integrity matters as much as key custody — knowing who holds the keys is irrelevant if the approval process can be subverted. Second, timelocks on high-privilege operations create essential response windows; Drift's zero-timelock configuration eliminated the last line of defense. Third, delayed execution mechanisms need additional safeguards: higher approval thresholds, time-bound validity on signatures, and restrictions preventing indefinite authorization.

The uncomfortable reality is that durable nonces are functioning exactly as designed. The feature's documentation clearly states that signed transactions remain valid until the nonce authority manually advances the account. The vulnerability is not a bug — it is an emergent property of combining a convenience feature with high-stakes governance, then adding social engineering.

For the broader Solana ecosystem, the question is not whether to remove durable nonces — their utility is clear — but whether governance frameworks need protocol-level guardrails that prevent durable nonce transactions from being used for administrative actions without additional safeguards such as mandatory timelocks, higher signature thresholds for admin operations, or time-bounded approval windows that expire regardless of nonce validity.
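The safeguards named above (timelocks, higher thresholds, time-bounded approvals) can be expressed as a policy check and replayed against the incident timeline. This is an added sketch, not code from Drift, Squads or BlockSec: `Policy`, `check_execution`, the signer names and the individual signing times are assumptions, with only the March 23-30 window and the April 1, 16:05 UTC execution taken from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

@dataclass(frozen=True)
class Policy:
    threshold: int             # distinct signers required
    timelock: timedelta        # minimum wait between on-chain proposal and execution
    approval_ttl: timedelta    # how long a signature counts, whatever the nonce says

@dataclass(frozen=True)
class Approval:
    signer: str
    signed_at: datetime

def check_execution(policy, approvals, proposed_at, now):
    """Return (allowed, reason) for an admin action submitted at `now`."""
    fresh = {a.signer for a in approvals if now - a.signed_at <= policy.approval_ttl}
    if len(fresh) < policy.threshold:
        return False, f"{len(fresh)} unexpired approvals, need {policy.threshold}"
    unlock = proposed_at + policy.timelock
    if now < unlock:
        return False, f"timelock: executable at {unlock.isoformat()}"
    return True, "executed"

# Constructed timeline: signing times are invented but fall inside the
# March 23-30 collection window; execution is April 1, 16:05 UTC as reported.
APPROVALS = [Approval("council-1", datetime(2026, 3, 28, 10, 0, tzinfo=UTC)),
             Approval("council-2", datetime(2026, 3, 30, 15, 0, tzinfo=UTC))]
PROPOSED = datetime(2026, 4, 1, 16, 5, tzinfo=UTC)
EXECUTED = PROPOSED + timedelta(seconds=2)   # "four slots apart", approximated

NEVER = timedelta.max
POLICIES = {
    "zero_timelock_no_expiry": Policy(2, timedelta(0), NEVER),  # as the article describes
    "timelock_24h": Policy(2, timedelta(hours=24), NEVER),
    "approval_ttl_24h": Policy(2, timedelta(0), timedelta(hours=24)),
    "threshold_3_of_5": Policy(3, timedelta(0), NEVER),
}

def evaluate():
    return {name: check_execution(p, APPROVALS, PROPOSED, EXECUTED)
            for name, p in POLICIES.items()}

if __name__ == "__main__":
    for name, (ok, reason) in evaluate().items():
        print(f"{name:26} {'ALLOW' if ok else 'BLOCK'}  {reason}")
```

Only the first policy lets the pre-signed action through; each of the other three blocks it for a different reason, which is why the safeguards are complementary rather than interchangeable.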

What This Means for DeFi Governance

The Drift exploit represents an evolution in attack sophistication. Previous major DeFi hacks typically exploited code vulnerabilities — reentrancy bugs, oracle manipulation through flash loans, or bridge validation failures. The Drift attack exploited the governance layer itself, turning the protocol's own administrative mechanisms into the attack surface.

This shifts the threat model. Code audits, formal verification, and bug bounties — the standard DeFi security toolkit — would not have prevented this attack. The smart contracts functioned correctly. The multisig threshold was met. The transactions were valid. Every on-chain action was technically authorized. The failure was in the human layer: social engineering that compromised signers, and a governance design that offered no recovery window once those compromises were leveraged.

For protocols that rely on multisig governance — which is to say, most of DeFi — the lesson is that signer security is a protocol-level concern, not a personal one. A compromised signer does not just lose their own keys; they potentially hand over protocol control. And when combined with features that allow pre-signed transactions to persist indefinitely, a single moment of compromise can be weaponized weeks later, in a context the signer never anticipated.

North Korea's crypto theft operations have evolved from targeting centralized exchanges to exploiting the most sophisticated governance mechanisms in decentralized finance. The Drift hack demonstrates that state-level patience — six months of relationship building — combined with deep protocol knowledge creates a threat that no amount of code auditing can address alone.

Key Takeaways

  • Durable nonces are a feature, not a bug — but using them for high-privilege governance actions without timelocks or expiration safeguards creates a critical vulnerability where signing and execution become dangerously decoupled.
  • Social engineering remains the most effective attack vector. Six months of in-person relationship building gave DPRK operatives the access that no technical exploit could have provided.
  • Zero-timelock governance is a single point of failure. The removal of Drift's 24-to-72-hour delay window converted a potentially detectable attack into a 12-minute extraction.
  • Stablecoin issuers face an unresolved tension between legal liability for unauthorized freezes and moral responsibility when stolen funds transit their infrastructure during business hours.
  • DeFi's security model must expand beyond code. Smart contract audits, formal verification, and bug bounties are necessary but insufficient when the attack surface is the governance process itself.
