The attack on Drift Protocol was not a hack in the traditional sense.

Nobody found a bug or cracked a private key. There wasn’t a flash loan exploit or manipulated oracle either.

Instead, an attacker used a legitimate Solana feature, ‘durable nonces,’ to trick Drift’s security council into pre-approving transactions that would be executed weeks later, at a time and in a context the signers never intended.

The result was a drain of at least $270 million that took less than a minute to execute but more than a week to set up.

What durable nonces are and why they exist

On Solana, every transaction includes a ‘recent blockhash,’ essentially a timestamp that proves the transaction was created recently. That blockhash expires after about 60 to 90 seconds. If the transaction is not submitted to the network within that window, it becomes invalid. This is a safety feature and helps prevent old, stale transactions from being replayed later.

Durable nonces override that safety feature. They replace the expiring blockhash with a fixed ‘nonce,’ a one-time code stored in a special onchain account, that keeps the transaction valid indefinitely until someone chooses to submit it.

The feature exists for legitimate reasons. Hardware wallets, offline signing setups, and institutional custody solutions all need the ability to prepare and approve transactions without being forced to submit them within 90 seconds.

But indefinitely valid transactions create a problem. If one can get someone to sign a transaction today, it can be executed next week or next month, per the system’s hardcoded rules. The signer has no way to revoke their approval once it is given, unless the nonce account is manually advanced, which most users do not monitor.

How the attacker used them

Drift’s protocol was governed by a ‘Security Council multisig,’ a system in which multiple people (in this case, five) share control, and any action requires at least two of them to approve. Multisigs are a standard security practice in DeFi, where the idea is that compromising a single person is not enough to steal funds.

But the attacker did not need to compromise anyone’s keys. All they needed were two signatures, and they appear to have obtained them through what Drift describes as “unauthorized or misrepresented transaction approvals,” meaning the signers likely thought they were approving a routine transaction.

Here is the timeline Drift published in a Thursday X post.

On March 23, four durable nonce accounts were created. Two were associated with legitimate Drift Security Council members. Two were controlled by the attacker. This means the attacker had already obtained valid signatures from two of the five council members, locked into durable nonce transactions that would not expire.

On March 27, Drift executed a planned Security Council migration to swap out a council member. The attacker adapted. By March 30, a new durable nonce account appeared, tied to a member of the updated multisig, indicating the attacker had re-obtained the required two-of-five approval threshold under the new configuration.

On April 1, the attacker executed.

First, Drift ran a legitimate test withdrawal from its insurance fund. Approximately one minute later, the attacker submitted the pre-signed durable nonce transactions. Two transactions, four slots apart on the Solana blockchain, were enough to create and approve a malicious admin transfer, then approve and execute it.

Within minutes, the attacker had full control of Drift’s protocol-level permissions. They used that control to introduce a fraudulent withdrawal mechanism and drain the vaults.

What was taken and where it went

Onchain researchers tracked the fund flows in real time. The breakdown of stolen assets, compiled by security researcher Vladimir S., totaled roughly $270 million across dozens of tokens.

The largest single category was $155.6 million in JPL tokens, followed by $60.4 million in USDC, $11.3 million in CBBTC (Coinbase wrapped bitcoin), $5.65 million in USDT, $4.7 million in wrapped ether, $4.5 million in DSOL, $4.4 million in WBTC, $4.1 million in FARTCOIN, and smaller amounts across JUP, JITOSOL, MSOL, BSOL, EURC, and others.

The primary drainer wallet was funded eight days before the attack via NEAR Protocol intents but remained inactive until execution day. Stolen funds were transferred to intermediary wallets that were funded just the day before via Backpack, a decentralized crypto exchange that requires identity verification, potentially giving investigators a lead.

From there, funds moved to Ethereum addresses via Wormhole, a cross-chain bridge. Those Ethereum addresses had been pre-funded using Tornado Cash, the sanctioned privacy mixer.

ZachXBT, a prominent onchain investigator, noted that over $230 million in USDC was bridged from Solana to Ethereum via Circle’s CCTP (Cross-Chain Transfer Protocol) across more than 100 transactions.

He criticized Circle, the centralized issuer of USDC, for not freezing the stolen funds during a six-hour window after the attack began around noon Eastern time.

The attack was also reminiscent of recent social engineering attempts, using tactics similar to those seen before, according to a social media post by a user who goes by ‘Temmy.’ “we’ve seen this before. we’ve seen this so many times,” the user said.

“bybit. $1.4 billion. the attacker compromised the signing infrastructure and tricked signers into authorizing malicious transactions. same concept. social engineering. not code. ronin bridge. $625 million. compromised validator keys. same story. cetus protocol. $223 million. different method but same result. hundreds of millions gone.” the post said.

What was not compromised

What failed was the human layer around the multisig. Durable nonces allowed the attacker to separate the moment of approval from the moment of execution by more than a week, creating a gap in which the context of the signed document no longer matched the context in which it was used.

All deposits into Drift’s borrow-and-lend products, vault deposits, and trading funds are affected. DSOL tokens not deposited in Drift, including assets staked to the Drift validator, are unaffected. Insurance fund assets are being withdrawn and safeguarded. The protocol has been frozen, and the compromised wallet has been removed from the multisig.

As such, this is the third major exploit in recent months that did not involve a code vulnerability. Social engineering and operational security failures, rather than smart contract bugs, are increasingly how money leaves DeFi protocols.

The durable nonce vector is particularly dangerous because it exploits a feature that exists for good reason and is difficult to defend against without fundamentally changing how multisig approvals work on Solana.

The open question, which Drift’s forthcoming detailed postmortem will need to answer, is how two separate multisig members approved transactions they did not understand, and whether any tooling or interface changes could have flagged durable nonce transactions as requiring additional scrutiny.

Read more: North Koreans hackers likely behind $286 million Drift Protocol exploit

The US dollar has been firm, but the drivers behind the move may be more complex than they first appear.

While geopolitical tension and shifts in risk sentiment play a role, current price behaviour seems increasingly influenced by inflation expectations and yields. As oil prices move higher, markets reassess the outlook for inflation and interest rates, which continues to support the dollar.

This video explores the underlying macro dynamics and why the current environment may be more conditional than it seems.

Watch it now and stay updated with FXOpen.

💬 Don’t forget to like, comment, and subscribe for more professional market insights every week.

This article represents the opinion of the Companies operating under the FXOpen brand only. It is not to be construed as an offer, solicitation, or recommendation with respect to products and services provided by the Companies operating under the FXOpen brand, nor is it to be considered financial advice.

Social media platform X is preparing a new security measure aimed at shutting down a widespread form of crypto phishing that leverages hijacked accounts to promote scam tokens.

The company will soon auto-lock any account that mentions cryptocurrency for the first time in its history, according to the company’s Head of Product Nikita Bier. Users will need to go through additional verification before being allowed to post again.

Bier said the feature targets the core incentive behind these attacks. “This should kill 99% of the incentive,” he wrote, referring to the current wave of phishing that tricks users into giving up their credentials, then uses their accounts to push crypto scams.

The change was unveiled in response to a detailed firsthand account from an X user who lost control of their account after falling for a phishing email disguised as a copyright violation notice.

The attacker, the user said, used a pixel-perfect fake login page to harvest two-factor codes, then locked the user out and began promoting fraudulent crypto projects from their account.

Crypto scams on X

These types of attacks have been extremely common on X, an inheritance from before it was acquired by Elon Musk and was still called Twitter.

One of the most common tactics is the “double your money” scam, in which users are told to send cryptocurrency in exchange for a promise of more. Others push fake memecoins or fraudulent airdrops, often using hijacked accounts to lend credibility.

Impersonation is one of the most powerful tools. Spoofed accounts impersonating major personalities have repeatedly tricked followers into clicking malicious links that mimic legitimate crypto platforms.

Cryptocurrency transactions are irreversible, so once a user falls for such an attack, their funds are gone.

The most infamous example came in 2020, when hackers accessed Twitter’s internal systems and took control of major accounts, including those of Apple, Barack Obama, and Elon Musk.

They used those accounts to promote a fake bitcoin giveaway, netting over $100,000 before the posts were removed. That breach, carried out through social engineering against Twitter employees, resulted in the hacker receiving a 5-year sentence.

X has made several attempts to bolster security. These have included bot purges, API restrictions, and behavioral detection. The latest move to auto-lock accounts that post about crypto for the first time builds on those efforts, aiming to cut off the tactic at its root: by making hijacked accounts useless for scams.

Bier also called out Google for failing to stop phishing emails at the email level, pointing the finger at the tech giant’s share of the responsibility for failing to protect its users from phishing attacks.

Solana-based crypto exchange Drift Protocol was hacked for roughly $280 million yesterday as part of a weeks-long operation that likely used social engineering to compromise multiple multisig signers’ approvals.

On April 1, 7 pm UTC+1 time, Drift announced that there was “unusual activity” on the protocol and that users should avoid depositing funds. It stressed, “This is not an April Fools joke.” 

This followed from X users raising alarms that Drift was being exploited and that it was going to be a substantial one. 

Drift then confirmed that it was under an ongoing attack and that it would need to suspend deposits and withdrawals. Researchers began to speculate that Drift’s private keys were compromised. 

Read more: Liquity accused of ‘market manipulation’ after Circle acquisition April Fools’

Drift has since shared a detailed timeline of what took place and how. 

It said, “This was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution.”

It claims the attack was not caused by a bug in Drift’s programs or smart contracts, there was no evidence of compromised seed phrases, and that the attack involved unauthorized transaction approvals before the hack’s execution.

However, it admitted that these approvals were likely facilitated by a social engineering attack against its staff and the manipulation of “durable nonce mechanisms.”

What went down with Drift

Durable nonce mechanisms are a type of blockchain tool that can bypass blockhash signing and facilitate offline translation signing. 

Drift claims that on March 23, four durable nonce accounts were created, two of which were associated with Drift Security Council multisig members and two associated with attacker-controlled accounts.

Read more: Circle rarely freezes stolen funds but wants reversible transactions

Then, on March 27, “Drift executed a planned Security Council migration due to a council member change.”

Three days later, another durable nonce account was created for a member of the updated multisig, giving the attackers “effective access to 2/5 signers in the updated multisig.”

Day of execution 

Drift claims that on April 1, it executed a test withdrawal from the insurance fund. The attacker then, with access to the multisig approvals, executed “a malicious admin transfer within minutes, gaining control of protocol-level permissions.”

Attackers could then, “Use that control to introduce a malicious asset and remove all pre-set withdrawal limits attacking existing funds.”

Drift hasn’t shared any details about how the likely social engineering attack took place. They can sometimes be the result of an attacker donning a false identity, be it over direct message, email, or phone, and tricking someone into giving them access to key privileges. 

Drift’s partner Circle hasn’t frozen funds

The incident has drawn criticism from the crypto investigator ZachXBT, who took issue with the stablecoin firm Circle and its slow efforts to freeze the stolen funds. 

Drift integrated Circle’s Cross-Chain Transfer Protocol (CTTP) in 2023. ZachXBT noted that “Circle was asleep while many millions of USDC was swapped via CCTP from Solana to Ethereum for hours from the 9 figure Drift hack during US hours.”

“6 hours is how long Circle had to freeze stolen funds from the $280M+ Drift hack,” he said.

Other users have taken issue with the classification of the protocol as “decentralized,” after the attack appears to have exploited centralised mechanisms.

Other users were annoyed that Drift only required two out of the five multig approvals to action the transaction. 

Read more: ‘Bad actor’ Circle slammed for letting stolen $3M USDC sit unfrozen

The platform said that it was working alongside security firms, law enforcement, bridges, and exchanges to figure out what happened and freeze the stolen assets. It added that a more detailed report will arrive in the coming days. 

The Chief Technology Officer for Ledger has already speculated that the events of the hack resemble a similar modus operandi “to the Bybit hack last year, widely attributed to DPRK-linked actors.”

Protos has reached out to Drift for comment and will update this piece should we hear anything back. 

Got a tip? Send us an email securely via Protos Leaks. For more informed news and investigations, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.

Key Takeaways:

• Ban Scope: Mining restrictions now cover 10 active regions – including Irkutsk Oblast, parts of Buryatia and Zabaikalsky Krai, six North Caucasus republics, and Russian-occupied Ukrainian territories – with seasonal bans running through 2031.
• Affected Miners: An estimated 50,000 operators face enforcement, with major firm BitRiver among the hardest hit due to its reliance on Irkutsk’s low-cost power infrastructure.
• Energy Context: Power shortfalls in Siberian regions have reached nearly 3,000 MW, with miners blamed for exploiting subsidized electricity at grid-destabilizing scale.
• Escalation Path: Year-round bans in southern Buryatia and Zabaikalsky Krai take effect January 1, 2026, moving beyond seasonal restrictions into permanent operational prohibition.
• What to Watch: A government commission on the electric power sector is expected to convene soon to finalize expanded year-round bans; potential amnesty programs in the North Caucasus could redirect illegal miners toward licensed operations.

French stock exchange Lise is preparing to list aerospace components supplier ST Group in what is expected to be Europe’s first fully on-chain initial public offering, according to a report from CoinDesk. The listing on the Paris-based venue would mark a milestone for tokenized primary markets in the EU, moving an IPO’s trading and settlement entirely onto distributed ledger infrastructure.finance.

Lise, short for Lightning Stock Exchange, was authorized last year under the EU’s Distributed Ledger Technology Pilot Regime, becoming the first institution in Europe approved to operate a fully tokenized equity exchange that fuses trading and settlement on-chain. Headquartered in Paris, Lise counts French financial heavyweights BNP Paribas, CACEIS — a subsidiary of Crédit Agricole — and public investment bank Bpifrance among its backers, underscoring that this is not a fringe experiment but a regulated market infrastructure project.

ST Group produces composite material components for aerospace, defense and space projects, positioning it squarely in Europe’s strategic industrial base. CoinDesk reported that potential project revenues linked to the company’s pipeline are estimated at around €59 million, roughly $68 million at current rates, over the next ten years, giving investors a sense of the growth opportunity Lise aims to channel into its tokenized venue.

By opting for an on-chain IPO rather than a listing on a traditional exchange, ST Group is effectively stress‑testing whether tokenization can offer small and mid-sized issuers a cheaper and more flexible way to tap public equity markets. Lise’s stated mission is to provide a lower-cost, more efficient listing path for SMEs and mid-caps, replacing the lengthy, document-heavy IPO process with a digital workflow where ownership is recorded, transferred and settled on a single ledger.

Under the DLT Pilot Regime, Lise is allowed to combine the functions of a multilateral trading facility and a central securities depository on one blockchain system, enabling near‑instant, atomic settlement and continuous 24/7 trading. Advocates argue that such architectures cut post‑trade risk and administrative overhead by collapsing what is now a multi‑day, multi‑intermediary chain into a single synchronized platform.

The French initiative lands as other venues experiment with tokenized securities. In one crypto.news story, tokenization specialist Securitize secured EU‑wide approval to run a regulated trading and settlement system on Avalanche under the same DLT Pilot framework, while another story covered 21X’s plans for an EU‑regulated tokenized securities market using Chainlink for cross‑chain data and interoperability. A separate crypto.news story detailed how JPMorgan executed a tokenized treasuries transaction using Ondo Finance and Chainlink, illustrating how major banks are testing on-chain rails for traditional assets.

If Lise successfully floats ST Group fully on-chain, it will provide a live case study for whether tokenized exchanges can genuinely lower issuance costs and broaden investor access, or whether regulatory and operational frictions still blunt the promise of blockchain in public equity markets.

Crypto markets are stuck in a holding pattern as geopolitical tensions in the Middle East cloud an otherwise improving macro backdrop, according to crypto asset manager Grayscale.

“The war in Iran overshadowed virtually all other market developments in March,” the Grayscale research team said in a Wednesday report.

Before the conflict escalated, global growth appeared to be strengthening and central banks were leaning toward rate cuts. That outlook has been disrupted by a sharp rise in oil prices, which has fueled inflation concerns and pushed interest rate expectations higher, weighing on risk assets and keeping investors on the sidelines, the report said.

Since the outbreak of the Middle East conflict, crypto markets have been volatile but broadly rangebound, with sharp headline-driven swings tied to oil prices and shifting risk sentiment. Bitcoin BTC$66,865.37 initially dropped into the mid-$60,000s on the first escalation, then rebounded toward the low-$70,000s before slipping back again as the conflict dragged on and macro conditions tightened.

More recently, renewed escalation has pushed bitcoin down roughly 10% from March highs, alongside declines in ether (ETH) and other tokens, as investors pulled back from risk assets. Despite the turbulence, performance has held up better than some traditional markets, with bitcoin roughly flat since the start of the war and even outperforming equities at times, underscoring both its sensitivity to macro shocks and its relative resilience.

For now, Grayscale expects many market participants to wait for greater clarity. If the conflict eases and energy prices retreat, markets could quickly reprice toward a more supportive macro environment. If not, persistently high oil prices may continue to pressure growth and delay a broader recovery.

Even so, crypto has shown notable resilience. Prices have held relatively steady through the volatility, suggesting a more durable bottom may be forming. The research team also pointed to continued inflows into spot crypto investment products and a pickup in futures positioning as signs that risk appetite is stabilizing beneath the surface.

Looking ahead, the report argued that the key catalyst for a sustained rebound will be a reduction in macro uncertainty. But it maintains that the long-term drivers of the asset class, including growing adoption of stablecoins and tokenized assets, remain intact.

The stablecoin market has expanded rapidly in recent years, with total supply rising from about $20 billion in 2020 to more than $300 billion by 2025, and sitting around $315 billion, according to industry data.

The sector added roughly $100 billion in 2025 alone, reflecting renewed growth after a brief contraction, as demand for dollar-pegged digital assets surged across trading, payments and onchain finance.

Periods of heightened uncertainty like the current one have historically presented attractive opportunities for long-term investors positioning for the next phase of growth, the report added.

Read more: Bitcoin holds ground as gold, silver slide on ETF outflows and liquidity strains: JPMorgan

Arkham flagged a 500 Bitcoin outflow from a wallet it attributes to Riot Platforms on Wednesday, in a possible sale the company had not publicly commented on by publication time.

The Bitcoin (BTC) wallet outflow sale comes shortly after Riot posted record 2025 revenue of around $647 million, driven by an increase in Bitcoin mining revenue, and amid other recent Bitcoin disposals by large listed miners.

Last week, MARA Holdings disclosed that it sold about $1.1 billion worth of Bitcoin in March to repurchase convertible debt at a discount, reflecting similar moves by other public miners that have collectively sold over 15,000 BTC in recent months as they balance operational needs and investment plans against a more volatile price and cost backdrop.

The pattern is not uniform. Bitcoin treasury companies, including Metaplanet, are still aggressively adding to their holdings. Nakamoto, meanwhile, disclosed in a recent filing that it sold about 284 Bitcoin for $20 million in March.

On the other hand, onchain tracker Lookonchain, citing Arkham data, reported that wallets it links to Empery Digital, one of the largest listed BTC treasuries, transferred out what it described as “the remaining 1,795 BTC” (about $122.5 million) to Gemini after a series of smaller BTC sales throughout March.

Delisting risk grows for miners

Listing pressures are also in focus for some mining-linked stocks. Cango, which has built out its Bitcoin mining operations, announced Wednesday it received a notice from the New York Stock Exchange after its shares traded below $1 for 30 consecutive trading days, triggering a six-month period to regain compliance with continued-listing standards.

On the same day, Cango also announced a new $65 million capital raising transaction and $10 million convertible note financing. Its share price rose on the news, closing the day at $0.42, 4.6% higher, but was trading at $0.41, 3.59% lower, in premarket Thursday, according to data from Yahoo! Finance, well below NYSE requirements.

Juliet Ye, head of investor relations and communications at Cango, told Cointelegraph that the company would maintain its strategic roadmap despite the notice, and that it had been “proactively implementing cost optimization and efficiency enhancement measures over the past several months,” including divesting obsolete capacity and migrating to lower electricity cost regions.

She added that the recent completion of the two financing transactions, alongside “the adjustment of our treasury strategy,” served as concrete examples of measures to help address both the listing requirements and current market conditions.

Related: Bitcoin mining difficulty falls 7.7% as miner pressure persists

In January, crypto mining hardware maker Canaan Inc. disclosed a similar minimum-bid deficiency notice from Nasdaq after its American depositary shares stayed under the $1 threshold for 30 straight sessions, and it likewise had 180 days to cure the issue. 

Despite share price pressure, Canaan has continued expanding operations. The company’s Bitcoin reserves increased in Q1 2026, despite many peers offloading their holdings. Earlier in March, it also acquired a 49% stake in two Texas-based mining sites, part of its broader strategy to diversify geographically and strengthen US market exposure.

Magazine: Bitcoin may take 7 years to upgrade to post-quantum — BIP-360 co-author