North Korean operatives used social engineering and Solana durable nonce multisig abuse to steal $285M from Drift Protocol.
On April 1, 2026, Drift Protocol on Solana suffered the largest hack of the year when North Korean (Lazarus Group) operatives compromised the protocol through a sophisticated social engineering campaign targeting key personnel. The attackers exploited Solana's durable nonce feature in combination with multisig weaknesses to gain control of critical protocol wallets. The total stolen amount reached approximately $285 million in various Solana-based assets. Drift Protocol paused all operations and is working with international law enforcement and blockchain analytics firms.
The $285M in stolen Solana assets was rapidly swapped and bridged. A significant portion was moved through cross-chain bridges to Ethereum and Bitcoin. The Lazarus Group's typical laundering pattern involves mixing through Tornado Cash, Sinbad mixer, and bridging to Avalanche and Bitcoin. Some funds were deposited into exchanges including Binance and OKX, though freeze actions are limited due to the speed of movement. The FBI and Chainalysis are actively tracing the flow. Recovery is considered unlikely.