SecurityWeek

North Korean Hackers Drain $285 Million From Drift in 10 Seconds


A North Korean threat actor is likely behind a $285 million heist from decentralized finance (DeFi) platform Drift, executed as part of a carefully planned attack.

The incident, Drift said, was a “highly sophisticated operation” involving “the use of durable nonce accounts to pre-sign transactions that delayed execution” and the compromise of multisig signers’ approvals.

“Drift Protocol is coordinating with multiple security firms to determine the cause of the incident. Drift is also working with bridges, exchanges, and law enforcement to trace and freeze stolen assets,” Drift said, promising more details in a future postmortem.

According to blockchain security company Elliptic, the attack was likely mounted by a North Korean threat actor and resulted in the theft of $286 million from Drift. Over the past several years, Pyongyang-aligned hackers are estimated to have stolen over $6.5 billion in cryptocurrency.

The attack was executed with extreme precision: the hackers set up supporting infrastructure roughly eight days before, prepared multiple nonce-based transactions, gained admin control, drained funds from five vaults within seconds, and immediately started laundering them through multiple wallets.

A PIF Research Labs analysis of the heist shows that the attackers created a brand-new wallet eight days before the exploit and performed a series of microtransactions to ensure it could receive seven types of tokens.


The attackers used a durable nonce to create a transaction on the Solana blockchain that would never expire, and then pre-signed every transaction used during the attack to ensure everything was executed rapidly.

Five hours before the attack, the hackers gained control of a Drift admin key, which allowed them to modify settings on the protocol. It was protected by a multisig, but Drift allows for changes to be approved with only 2 out of 5 keyholders.

“Five hours before the exploit, the carryover signer proposed transferring the admin key. One of the new signers co-signed within one second,” and because the change had a zero-second timelock, it was executed instantly, PIF Research Labs explains.

Fake market, fake tokens, real theft

The hackers used the compromised admin key 25 seconds before the heist to create a fake collateral market for CVT, a worthless token they had minted 20 days earlier, and to disable Drift’s safety system that prevents massive, rapid asset drains.

The market was configured to drain as many funds as possible by setting CVT parameters to increase the value of the fake tokens, eliminate penalties for depositing massive supply, and eliminate incentives to liquidate the fake position.

Additionally, CVT’s tier was set to the highest available on Drift, to ensure borrowing power for the fake tokens, and an ‘oracle’ for it was used to increase the value of the worthless tokens to hundreds of millions.

To disable the DeFi platform’s anti-drain system, the hackers modified its circuit breakers, which are designed to block withdrawals if too many assets leave a vault too fast, raising the threshold to 500 trillion.

“The fake market creation and the circuit breaker modifications were bundled into a single on-chain transaction at 16:05:39 UTC. Twenty-five seconds later, the withdrawals began. The entire weaponisation took less time than it takes to order coffee,” PIF Research Labs notes.

Two seconds after depositing 500 million CVT, which the fake oracle valued at over $100 million, the heist started. Within 10 seconds, funds were drained from JLP, USDC, cbBTC, USDS, dSOL, and wETH. The JLP vault was completely drained.
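The governance weaknesses described above (a 2-of-5 admin multisig with a zero-second timelock, a circuit-breaker limit raised to 500 trillion, a collateral market created for a freshly minted token, and withdrawals 25 seconds later) are the kind of pattern a protocol's own monitoring can flag. The following is an added example, not code from SecurityWeek, Drift or PIF Research Labs: a small rule set run over a constructed admin-action log; the event schema, the anchor timestamp, and the prior circuit-breaker limit of 1e7 are assumptions, since the article gives only the new value.

```python
from dataclasses import dataclass, field

@dataclass
class AdminAction:
    ts: int                     # seconds since epoch (constructed values below)
    kind: str                   # signer_change | circuit_breaker | new_market | withdrawal
    detail: dict = field(default_factory=dict)

def flag_admin_anomalies(actions, breaker_factor=100.0, window_s=300, min_asset_age_days=30):
    """Return alert strings for the governance patterns seen in the Drift incident."""
    alerts = []
    risky_change_ts = []  # admin changes to correlate with later withdrawals
    for a in sorted(actions, key=lambda x: x.ts):
        d = a.detail
        if a.kind == "signer_change":
            if d.get("timelock_s", 0) == 0:
                alerts.append(f"{a.ts}: signer-set change executed with zero timelock")
            if d["threshold"] * 2 <= d["signers"]:  # fewer than half the keyholders can act
                alerts.append(f"{a.ts}: admin threshold {d['threshold']}-of-{d['signers']} is a minority")
        elif a.kind == "circuit_breaker":
            if d["new_limit"] >= d["old_limit"] * breaker_factor:
                alerts.append(f"{a.ts}: circuit-breaker limit raised {d['new_limit'] / d['old_limit']:.0e}x")
            risky_change_ts.append(a.ts)
        elif a.kind == "new_market":
            if d["asset_age_days"] < min_asset_age_days:
                alerts.append(f"{a.ts}: collateral market for {d['asset']} minted {d['asset_age_days']} days ago")
            risky_change_ts.append(a.ts)
        elif a.kind == "withdrawal":
            recent = [t for t in risky_change_ts if 0 <= a.ts - t <= window_s]
            if recent:
                alerts.append(f"{a.ts}: {d['asset']} withdrawal {a.ts - recent[0]}s after an admin change")
    return alerts

# Constructed log mirroring the article's timeline (T is an arbitrary anchor time).
T = 1_700_000_000
SAMPLE_LOG = [
    AdminAction(T - 5 * 3600, "signer_change", {"threshold": 2, "signers": 5, "timelock_s": 0}),
    AdminAction(T, "new_market", {"asset": "CVT", "asset_age_days": 20}),
    AdminAction(T, "circuit_breaker", {"old_limit": 1e7, "new_limit": 5e14}),  # old limit assumed
    AdminAction(T + 25, "withdrawal", {"asset": "JLP", "amount_usd": 100_000_000}),
]

if __name__ == "__main__":
    for line in flag_admin_anomalies(SAMPLE_LOG):
        print(line)
```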

Next, the hackers began laundering the money. The funds were moved from the attackers’ wallet to 27 getaway wallets and then scattered across 57,331 wallet addresses using automated bots. Roughly $225 million in assets were swapped to Ethereum and stored in three wallets.

The bots continued their work for over 34 hours, making 590 transactions per minute, operating across multiple blockchains and centralized exchanges simultaneously, adding complexity to the money-trail investigation. PIF Research Labs says more than 860,000 transactions were made within 34 hours.
