North Korean Hackers Pull Off Massive Heist on Drift Casino in Under 10 Seconds for $285 Million
Cyberattack on DeFi Platform Drift Results in $286 Million Theft
A sophisticated cyberattack attributed to a North Korean threat actor has resulted in the theft of $286 million from decentralized finance (DeFi) platform Drift.
Attack Details
The attack, which lasted for approximately 10 seconds, involved the compromise of multisignature (multisig) signers’ approvals and the creation of a fake collateral market for a worthless token, CVT.
According to blockchain security firm Elliptic, the attack was mounted by a North Korean threat actor, who had previously stolen over $6.5 billion in cryptocurrency.
The attackers set up supporting infrastructure roughly eight days prior to the exploit, pre-signing multiple durable-nonce transactions whose execution could be deferred until the moment of the attack. They then gained admin control, drained funds from five vaults, and laundered the money through multiple wallets.
Analysis by PIF Research Labs
An analysis of the heist conducted by PIF Research Labs reveals that the attackers created a brand-new wallet eight days before the exploit and performed a series of microtransactions to ensure it could receive seven types of tokens.
The attackers used a Solana durable nonce so that a pre-signed transaction would never expire, and pre-signed every transaction used during the attack so each could be submitted without delay.
Five hours before the attack, the hackers gained control of one Drift admin key, which allowed them to propose changes to the protocol's settings. Those changes were gated by a multisig mechanism that required approval from two of the five keyholders.
Exploiting Multisig Vulnerability
The attackers exploited this by proposing a transfer of the admin key to a new signer, who co-signed the request within one second. Because the multisig's timelock was set to zero seconds, the change took effect instantly, leaving the remaining keyholders no window in which to intervene.
Fake Collateral Market and Circuit Breaker Bypass
The attackers then created a fake collateral market for CVT, a worthless token they had minted 20 days earlier, and disabled Drift’s safety system that prevents excessive withdrawals.
This was achieved by modifying the circuit breakers, which are designed to block withdrawals if too many assets are drained from a vault too quickly, and raising their withdrawal threshold to 500 trillion, which effectively switched them off.
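The two controls this account turns on, the 2-of-5 admin multisig with its timelock and the withdrawal circuit breaker, modelled from a defender's side as an added example (not Drift's code or the analysts' code); signer names, amounts and timestamps are constructed, and `replay()` contrasts the zero-second timelock and effectively unlimited breaker described above with a non-zero timelock and a bounded limit.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class Proposal:
    action: str
    proposed_at: int                  # unix seconds, constructed values below
    approvals: set = field(default_factory=set)

class AdminMultisig:
    """Threshold multisig over admin actions; the timelock is the review window."""
    def __init__(self, signers, threshold, timelock):
        self.signers, self.threshold, self.timelock = set(signers), threshold, timelock
    def propose(self, signer, action, now):
        if signer not in self.signers:
            raise PermissionError(signer)
        return Proposal(action, now, {signer})
    def approve(self, proposal, signer):
        if signer not in self.signers:
            raise PermissionError(signer)
        proposal.approvals.add(signer)
    def execute(self, proposal, now):
        if len(proposal.approvals) < self.threshold:
            return "rejected"
        if now < proposal.proposed_at + self.timelock:
            return "queued"           # other signers / monitoring can still react
        return "executed"

class WithdrawalBreaker:
    """Circuit breaker: refuse a withdrawal once the amount drained in one window exceeds the limit."""
    def __init__(self, limit, window):
        self.limit, self.window, self.log = limit, window, deque()
    def withdraw(self, amount, now):
        while self.log and self.log[0][0] <= now - self.window:
            self.log.popleft()                      # forget withdrawals outside the window
        if sum(a for _, a in self.log) + amount > self.limit:
            return False
        self.log.append((now, amount))
        return True

def replay(timelock, breaker_limit):
    """Two of five signers approve an admin handover 1 s apart, then five vaults are hit within 5 s."""
    ms = AdminMultisig(["s1", "s2", "s3", "s4", "s5"], threshold=2, timelock=timelock)
    p = ms.propose("s1", "set_admin new_signer", now=1_000)
    ms.approve(p, "s2")
    outcome = ms.execute(p, now=1_001)
    cb = WithdrawalBreaker(limit=breaker_limit, window=60)
    drains = [cb.withdraw(50_000_000, now=1_001 + i) for i in range(5)]
    return outcome, drains
```

With `timelock=0` and a 500 trillion limit the handover executes at once and every drain passes; with a one-day timelock and a bounded limit the handover sits queued and the breaker trips on the third vault.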
Within 10 seconds of initiating the attack, funds were drained from five vaults containing various cryptocurrencies, including JLP, USDC, cbBTC, USDS, dSOL, and wETH. The attackers then laundered the money through multiple wallets, scattering it across 57,331 wallet addresses using automated bots.
Investigation Complexity
Roughly $225 million in assets were swapped to Ethereum and stored in three wallets. Over the course of 34 hours, the attackers made 590 transactions per minute, operating across multiple blockchains and centralized exchanges simultaneously, adding complexity to the investigation.
In total, more than 860,000 transactions were made during this period.
