Drift loses $285 million in durable nonce social engineering attack linked to DPRK

April 3, 2026 · 6 min read · 4 sources

Anatomy of a Sophisticated DeFi Heist

In a devastating blow to the decentralized finance (DeFi) community, Solana-based perpetuals exchange Drift Protocol has confirmed the loss of approximately $285 million in digital assets. The incident, which unfolded on April 1, 2026, has been attributed to a sophisticated attack that combined advanced social engineering with a little-understood feature of the Solana blockchain. According to a statement from the Drift team, the attackers managed a "rapid takeover of Drift’s Security Council administrative powers," allowing them to drain the protocol's core vaults.

Blockchain security firms, in preliminary analyses, have identified tactical overlaps with known state-sponsored threat actors, pointing to the involvement of groups associated with the Democratic People's Republic of Korea (DPRK). This attack serves as a stark illustration of how adversaries are evolving, moving beyond simple smart contract exploits to orchestrate complex, multi-stage operations that target the human element of decentralized governance.

Technical Breakdown: The Durable Nonce Deception

The success of this heist hinged on the clever exploitation of Solana's "durable nonce" feature. To understand the attack, one must first understand the mechanism itself. In a typical blockchain transaction, a recent blockhash is included to prove the transaction is recent and prevent it from being replayed. This blockhash expires quickly, usually within a couple of minutes.

A durable nonce, however, is designed to bypass this expiry. It is a separate account on the blockchain that holds a value (the nonce) which a transaction can use in place of a recent blockhash. This allows a transaction to be prepared and signed offline and then executed at any point in the future. While this feature is useful for custody solutions or users with hardware wallets who may not have immediate network access, it also introduces a distinct attack surface, as the Drift incident demonstrates.

The attack likely unfolded in several distinct phases:

  1. Reconnaissance and Social Engineering: The attackers, exhibiting the patience characteristic of state-sponsored operations, first identified and targeted key members of the Drift Security Council. This council holds the multi-signature administrative keys required to make changes to the protocol. Using sophisticated social engineering tactics—potentially a phishing campaign disguised as a collaboration request or a fake job offer via professional networking sites—the attackers established contact and built a level of trust with at least one keyholder.
  2. Crafting the Malicious Payload: The attacker prepared a transaction designed to grant their own wallet administrative privileges over the Drift protocol. This could involve adding a new member to the Security Council or changing the ownership of a critical smart contract. Crucially, this malicious transaction was constructed to use a durable nonce instead of a standard blockhash.
  3. The Deceptive Signature: The social engineering campaign culminated in the attacker convincing the targeted council member to sign their malicious transaction. The victim may have believed they were signing a routine protocol update or a test transaction. Because the transaction's effects were not immediate, standard wallet interfaces may not have raised sufficient alarms about the dangerous permissions being granted.
  4. Delayed Execution and Takeover: With the pre-signed transaction in hand, the attackers had a proverbial time bomb. They could wait for the opportune moment—such as a holiday or a period of high network congestion—to broadcast it. Once the transaction was processed by the Solana network, the durable nonce was consumed, and the malicious payload was executed. The attackers instantly gained the administrative powers they needed.
  5. Asset Exfiltration: Now in control, the attackers acted swiftly to drain funds from Drift’s liquidity pools and insurance fund into wallets they controlled. The $285 million was then likely funneled through a series of mixers and cross-chain bridges to obscure its origin, a common money laundering technique employed by DPRK-linked groups like Lazarus.

Impact Assessment: A Systemic Shock

The fallout from the Drift hack extends far beyond a single protocol. The immediate and most direct impact is on the users and liquidity providers of Drift, whose funds have been stolen with little chance of recovery. For the Drift protocol itself, a loss of this magnitude is an existential threat, erasing years of development and destroying user trust.

The secondary impact is on the Solana ecosystem. As one of its flagship DeFi projects, Drift's compromise casts a shadow over the security of other applications on the chain. It will likely trigger a decline in Total Value Locked (TVL) on Solana as investors move their capital to perceived safer environments.

More broadly, this incident reinforces the narrative that state-sponsored actors view the DeFi space as a primary target for funding their illicit activities. The U.S. Treasury and FBI have repeatedly linked the Lazarus Group to massive cryptocurrency heists, including the $625 million Ronin Bridge attack and the $100 million Harmony Horizon Bridge exploit. These funds are believed to be used to finance North Korea's weapons programs, adding a serious geopolitical dimension to DeFi security. The novel use of a legitimate blockchain feature for malicious ends will force security auditors and developers to re-evaluate potential threats across all platforms.

How to Protect Yourself

While this attack targeted a protocol's administrative council, the principles of defense apply to DeFi projects, their employees, and individual users alike.

For DeFi Protocols and Developers:

  • Enforce Strict Operational Security (OpSec): Administrative actions should require a high threshold of signers from a multi-signature wallet. These signers should be geographically distributed and follow strict procedures for verifying any transaction they are asked to sign.
  • Simulate All Transactions: Before signing any critical transaction, use simulation tools. These tools predict the on-chain outcome of a transaction, revealing any malicious changes like ownership transfers or unexpected token movements.
  • Mandate Social Engineering Training: Key personnel, especially those with administrative access, must undergo regular and advanced training to recognize sophisticated phishing and social engineering attempts.
  • Restrict Use of Dangerous Features: For high-stakes administrative functions, consider disallowing the use of features like durable nonces that permit delayed execution. Governance actions should be time-sensitive and transparent.
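As an added example (not code from Drift, Solana Labs, or the page's author), the following Python parses a serialized legacy Solana transaction message and flags the durable-nonce pattern described in the Technical Breakdown: a transaction whose first instruction is the System Program's AdvanceNonceAccount, which means the "recent blockhash" field holds the stored nonce and the signature will not expire on its own. It is the kind of pre-signing check a signer, a signing policy tool, or a simulation step could run to implement the two bullets above; the sample keys and hashes are constructed placeholders and the parser handles legacy (non-versioned) messages only.

```python
# Added example, not Drift's or Solana Labs' code; sample keys/hashes below are placeholders.
SYSTEM_PROGRAM = bytes(32)  # all-zero pubkey, base58 "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = (4).to_bytes(4, "little")  # SystemInstruction::AdvanceNonceAccount

def _compact_u16(buf, pos):
    """Decode a compact-u16 (shortvec) length prefix; returns (value, next_pos)."""
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7

def parse_message(msg):
    """Return (account_keys, blockhash_field, [(program_key, account_idx, data), ...])."""
    if msg[0] & 0x80:
        raise ValueError("versioned (v0) message; this example handles legacy only")
    n, pos = _compact_u16(msg, 3)  # skip the 3-byte signer/readonly header
    keys = [bytes(msg[pos + 32 * i:pos + 32 * i + 32]) for i in range(n)]
    pos += 32 * n
    blockhash, pos = bytes(msg[pos:pos + 32]), pos + 32
    m, pos = _compact_u16(msg, pos)
    ixs = []
    for _ in range(m):
        prog, pos = msg[pos], pos + 1
        na, pos = _compact_u16(msg, pos); accts, pos = list(msg[pos:pos + na]), pos + na
        nd, pos = _compact_u16(msg, pos); data, pos = bytes(msg[pos:pos + nd]), pos + nd
        ixs.append((keys[prog], accts, data))
    return keys, blockhash, ixs

def uses_durable_nonce(msg):
    """True if instruction 0 is AdvanceNonceAccount: the blockhash field is then the stored nonce, so the signature never expires."""
    ixs = parse_message(msg)[2]
    return bool(ixs) and ixs[0][0] == SYSTEM_PROGRAM and ixs[0][2][:4] == ADVANCE_NONCE_ACCOUNT

def _build(keys, blockhash, ixs):
    # Serialize a one-signer legacy message; all lengths < 128, so one-byte prefixes suffice.
    out = bytes([1, 0, 0, len(keys)]) + b"".join(keys) + blockhash + bytes([len(ixs)])
    for prog, accts, data in ixs:
        out += bytes([keys.index(prog), len(accts)]) + bytes(accts) + bytes([len(data)]) + data
    return out

AUTHORITY, NONCE_ACCT, SYSVAR = bytes([1]) * 32, bytes([2]) * 32, bytes([3]) * 32  # placeholders
KEYS = [AUTHORITY, NONCE_ACCT, SYSTEM_PROGRAM, SYSVAR]
NONCE_VALUE, FRESH_HASH = bytes([0xAA]) * 32, bytes([0xBB]) * 32
TRANSFER = (SYSTEM_PROGRAM, [0, 1], (2).to_bytes(4, "little") + (5000).to_bytes(8, "little"))
ADVANCE = (SYSTEM_PROGRAM, [1, 3, 0], ADVANCE_NONCE_ACCOUNT)  # nonce acct, sysvar, authority
DURABLE_MSG = _build(KEYS, NONCE_VALUE, [ADVANCE, TRANSFER])  # can be held and broadcast later
PLAIN_MSG = _build(KEYS, FRESH_HASH, [TRANSFER])              # expires with its blockhash
```

A signing policy built on this check would refuse, or route to extra review, any administrative transaction for which `uses_durable_nonce` returns True, since such a transaction has no natural expiry.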

For Individual Users:

  • Diversify Your Holdings: Avoid concentrating all your assets in a single protocol or ecosystem. Spreading your investments can mitigate the damage from a single point of failure.
  • Use Hardware Wallets: A hardware wallet keeps your private keys offline, providing a strong defense against malware that could steal keys from your computer.
  • Practice Digital Hygiene: Be skeptical of unsolicited messages, emails, and job offers. Protect your online identity and browsing activity with privacy-enhancing tools.
  • Revoke Permissions: Periodically use tools to review and revoke active token approvals and permissions you have granted to dApps from your wallet. This limits the potential damage if a protocol you once used is compromised.

// FAQ

What is a durable nonce on the Solana blockchain?

A durable nonce is a feature on Solana that allows a transaction to be signed now but executed later. It uses a special on-chain account to store a nonce value that takes the place of a normal blockhash and does not expire the way a blockhash does, making it useful for offline signing but also creating a potential attack vector.

How was social engineering used in the Drift attack?

Attackers likely targeted a key member of Drift's Security Council, tricking them into signing a malicious transaction. This pre-approved transaction, which used a durable nonce, was held by the attackers and executed later to grant them administrative control over the protocol.

Why are DPRK-linked hacking groups targeting cryptocurrency?

U.S. and U.N. intelligence indicates that North Korea uses stolen cryptocurrency to evade international sanctions and fund its weapons of mass destruction (WMD) and ballistic missile programs. DeFi platforms, with their large pools of assets, are high-value targets.

Are my funds on Drift Protocol lost?

In this security incident, the attackers drained the core liquidity pools of the protocol. This means funds held directly by the protocol are considered stolen. The chances of a full recovery for affected users are typically very low in hacks of this magnitude.

How can DeFi protocols prevent attacks like this?

Prevention requires a multi-layered approach. This includes strict multi-signature requirements for all administrative actions, mandating the use of transaction simulation tools before signing, rigorous and continuous social engineering training for key personnel, and limiting the use of features like durable nonces for critical governance functions.
