A major cybersecurity incident recently hit the crypto world where Drift Protocol lost around $285 million. The attack took place on April 1, 2026, and is now considered one of the biggest DeFi hacks of the year. What makes this case different is that it was not caused by a coding bug or technical failure. Instead, it was a carefully planned social engineering attack. This means the attackers targeted people instead of directly attacking the system. This approach made the attack more dangerous and harder to detect.
The attackers used a method involving something called a durable nonce. This allowed them to prepare transactions in advance and execute them later at the right time. Because of this, the transactions looked normal and did not raise suspicion immediately. The system treated them like regular approved actions. This delay technique helped the attackers stay unnoticed during the early stages. It shows how timing and planning played a key role in the attack.
The hackers were able to gain access to Drift’s administrative controls. Once they got this access, they quickly removed important security protections like withdrawal limits. After that, they started moving funds out of the platform without restrictions. Reports suggest that the entire attack happened in about 12 minutes. More than 30 transactions were executed during this short time. This shows how fast and well-executed the operation was.
One important point is that there was no bug in the smart contract or software. The system itself was working as intended and was not broken. The attackers instead tricked the multi-signature signers into approving harmful transactions. These transactions looked safe on the surface but contained hidden malicious actions. This clearly shows that human decisions were the weak point. Even strong systems can fail if users are manipulated.
The planning for this attack started weeks earlier around mid-March 2026. The attackers slowly built trust and prepared their setup in advance. One key trick they used was introducing a fake token called CarbonVote Token (CVT). They made this token look legitimate by creating fake trading activity and liquidity. Because of this, the system accepted it as valuable collateral. This fake trust became the base of the entire attack.
After gaining trust, the attackers deposited the fake token as collateral. Using this, they were able to withdraw real assets like USDC and ETH. Since the system believed the collateral was genuine, it allowed large withdrawals. No immediate alarms were triggered during this process. This step shows how smartly the attackers combined technical tricks with human manipulation. It was not just hacking but a planned strategy.
Security researchers including TRM Labs and Elliptic linked this attack to hackers from North Korea. The pattern of fund movement matched earlier attacks connected to the same group. Tools like Tornado Cash were used to hide the stolen funds. This method is commonly used to make tracking difficult. Experts believe this attack is part of a larger pattern of state-linked cyber activities. It raises serious global security concerns.
The impact of this attack was very large and immediate. Over $285 million was stolen, and platform operations were temporarily stopped. The value of Drift’s token also dropped by more than 40% after the incident. The stolen funds were quickly moved across blockchains from Solana to Ethereum. This made recovery and tracking even more difficult. Overall, this incident shows that modern attacks are shifting from system hacking to human manipulation.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news
