Drift Protocol loses $280M after social-engineered multisig takeover
Drift Protocol, a Solana-based decentralized exchange, lost roughly $270 million to $286 million after attackers seized its Security Council administrative powers and drained core vaults, prompting the platform to suspend deposits and withdrawals and warn users not to add funds. Drift later said the theft was not caused by a smart contract bug or leaked seed phrases, but by a sophisticated operation that abused Solana durable nonce transactions and pre-signed multisig approvals to execute malicious governance changes later. Investigators and Drift said the attackers removed withdrawal limits, introduced a fake collateral asset called CVT or CarbonVote Token, manipulated controls, and rapidly moved assets out of borrow/lend products, vault deposits, and trading funds, cutting the protocol’s total value locked from about $550 million to below $250 million and sending the DRIFT token sharply lower.
Subsequent post-mortems described the breach as the culmination of a months-long social-engineering campaign in which the threat actors posed as a legitimate quantitative trading firm, built trust through conferences, Telegram chats, integrations, and deposits, and likely compromised contributors through a malicious code repository and a trojanized TestFlight wallet app. Blockchain intelligence firms including Elliptic and TRM Labs said the laundering patterns, cross-chain bridging from Solana to Ethereum, use of Tornado Cash, and other indicators were consistent with North Korean tradecraft, while Drift linked the operation with medium confidence to UNC4736 / AppleJeus / Citrine Sleet. The fallout widened beyond Drift as critics questioned why more than $230 million in USDC moved through Circle’s CCTP bridge without being frozen, Solana launched new security initiatives, and Drift later secured recovery backing including up to $127.5 million from Tether as it worked with security firms, exchanges, bridges, and law enforcement to trace and recover funds.
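The mechanism described above turns on one Solana rule: an ordinary transaction carries a recent blockhash and is rejected once that blockhash is more than about 150 blocks old, whereas a transaction whose first instruction is the System Program's AdvanceNonceAccount uses a durable nonce account's stored value instead and stays executable, for days or months, until that stored value changes. The model below, added here as an illustration and not taken from Drift, its post-mortems or any Solana client library, replays that rule over constructed data (the account names, slots and approvals are made up) and shows the reviewer-side consequence: pre-signed approvals that use a durable nonce should be listed, and advancing the nonce account voids them.

```python
"""Model of Solana's transaction-validity rule for ordinary versus durable-nonce
transactions, plus a reviewer check over pending pre-signed multisig approvals.

Added for illustration; this is not Drift's code and does not use the real
@solana/web3.js or solana-py APIs. Account names, slots and approvals are
constructed sample data."""
from dataclasses import dataclass, field

SYSTEM_PROGRAM = "11111111111111111111111111111111"  # Solana System Program id
ADVANCE_NONCE_ACCOUNT = (4).to_bytes(4, "little")    # SystemInstruction variant 4
MAX_BLOCKHASH_AGE = 150   # an ordinary recent_blockhash is rejected after ~150 blocks


@dataclass
class Instruction:
    program_id: str
    accounts: list
    data: bytes


@dataclass
class Transaction:
    recent_blockhash: str   # for a nonce tx: the value stored in the nonce account
    instructions: list
    signers: list           # who pre-signed this approval


@dataclass
class Chain:
    slot: int
    blockhashes: dict = field(default_factory=dict)      # slot -> blockhash
    nonce_accounts: dict = field(default_factory=dict)   # nonce pubkey -> stored value

    def advance_nonce(self, nonce_pubkey: str) -> str:
        """AdvanceNonceAccount replaces the stored value, so anything pre-signed
        against the old value can never execute."""
        self.nonce_accounts[nonce_pubkey] = f"nonce:{nonce_pubkey}:{self.slot}"
        return self.nonce_accounts[nonce_pubkey]


def uses_durable_nonce(tx: Transaction):
    """Return the nonce account if tx is durable. Solana requires
    AdvanceNonceAccount as the first instruction, with the nonce account first."""
    if tx.instructions:
        ix = tx.instructions[0]
        if ix.program_id == SYSTEM_PROGRAM and ix.data[:4] == ADVANCE_NONCE_ACCOUNT:
            return ix.accounts[0]
    return None


def is_executable(tx: Transaction, chain: Chain) -> bool:
    """The validity rule a validator applies to recent_blockhash."""
    nonce = uses_durable_nonce(tx)
    if nonce is not None:
        # Durable: executable whenever the stored nonce still matches, however old.
        return chain.nonce_accounts.get(nonce) == tx.recent_blockhash
    # Ordinary: blockhash must be among the most recent MAX_BLOCKHASH_AGE blocks.
    for slot, h in chain.blockhashes.items():
        if h == tx.recent_blockhash:
            return chain.slot - slot <= MAX_BLOCKHASH_AGE
    return False


def review_pending_approvals(txs, chain: Chain):
    """Reviewer check: which pending approvals would still execute today, and
    which nonce accounts to advance in order to void them."""
    report = []
    for i, tx in enumerate(txs):
        nonce = uses_durable_nonce(tx)
        report.append({"index": i, "durable_nonce": nonce,
                       "signers": tx.signers, "executable": is_executable(tx, chain)})
    return report


def demo():
    chain = Chain(slot=1_000, blockhashes={1_000: "blockhash-1000"})
    stored = chain.advance_nonce("NonceAcct1")         # constructed nonce account
    change_config = Instruction("GovernanceProg", ["SecurityCouncil"], b"set-limits")
    ordinary = Transaction("blockhash-1000", [change_config], ["signer-A", "signer-B"])
    durable = Transaction(stored, [
        Instruction(SYSTEM_PROGRAM, ["NonceAcct1", "RecentBlockhashes", "NonceAuth"],
                    ADVANCE_NONCE_ACCOUNT),
        change_config,
    ], ["signer-A", "signer-B"])

    chain.slot = 100_000                               # long after signing
    before = review_pending_approvals([ordinary, durable], chain)
    chain.advance_nonce("NonceAcct1")                  # mitigation: void the pre-signed tx
    after = review_pending_approvals([ordinary, durable], chain)
    return {
        "ordinary_after_delay": before[0]["executable"],   # False: blockhash expired
        "durable_after_delay": before[1]["executable"],    # True: nonce still matches
        "durable_after_advance": after[1]["executable"],   # False: nonce voided
    }


if __name__ == "__main__":
    print(demo())
```

The point for a multisig operator is the third result: the signatures gathered on March 23 were only dangerous because the nonce account they referenced was never advanced. Listing pending approvals that carry an AdvanceNonceAccount first instruction, and advancing those nonce accounts when a signer set, threshold or timelock changes, removes the window an attacker needs.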

How this story unfolded
14 events from the most recent confirmed update back to the earliest known activity.
Tether commits up to $127.5 million to Drift recovery
On April 16, Tether announced a strategic collaboration with Drift to support recovery and relaunch efforts, contributing up to $127.5 million as part of a package worth up to $150 million.
Investors sue Circle over failure to freeze stolen USDC
On April 14, Gibbs Mura filed a class action on behalf of affected Drift investors alleging Circle failed to freeze about $230 million in stolen USDC moved after the exploit.
Drift releases detailed post-mortem on fake-company infiltration
By April 10, Drift had published a fuller post-mortem describing a six-month campaign in which attackers used fake companies, in-person meetings, Telegram conversations, and likely malicious tooling to gain access before the theft.
Solana Foundation launches post-Drift security overhaul
On April 7, the Solana Foundation announced Stride and the Solana Incident Response Network to improve DeFi security reviews and crisis response in the wake of the Drift exploit.
Drift attributes hack to six-month UNC4736 operation
On April 5, Drift said the exploit was the culmination of a roughly six-month social-engineering campaign and attributed it with medium confidence to UNC4736, also known as AppleJeus or Citrine Sleet.
Drift publishes post-mortem on durable nonce attack
On April 2, Drift said the theft stemmed from a rapid takeover of Security Council administrative powers using pre-signed transactions created on March 23 and executed on April 1, and stated the incident was not caused by a smart contract flaw or compromised seed phrases.
Elliptic links Drift exploit to likely DPRK operators
On April 2, Elliptic said the $285 million Drift exploit showed multiple indicators consistent with North Korean state-sponsored activity, citing laundering methods, on-chain behavior, and network-level signals.
Stolen Drift assets are swapped and bridged off Solana
After the theft on April 1, investigators said the attacker rapidly consolidated funds, swapped assets into USDC and ETH, and bridged large amounts from Solana to Ethereum using Wormhole and Circle's CCTP.
Drift suspends deposits and withdrawals to contain incident
As the attack unfolded on April 1, Drift said it was experiencing an active cyberattack and suspended deposits and withdrawals while coordinating with security firms, bridges, exchanges, and later law enforcement.
Attackers seize admin control and drain Drift funds
On April 1, attackers used pre-signed durable nonce transactions to take Security Council administrative control, add a malicious asset, remove withdrawal limits, and steal roughly $270 million to $286 million from Drift.
Drift warns users and investigates suspicious activity
Drift announced on April 1 that it was investigating unusual activity on the protocol and told users not to deposit funds while the investigation was underway.
Drift detects unusual outflows from main vault
On April 1, Drift’s main vault saw rapid outflows across more than 15 token types, with roughly $270 million moved to unlabeled addresses in activity the team flagged as abnormal.
Drift migrates Security Council to zero-timelock 2/5 setup
On March 27, Drift migrated its Security Council to a zero-timelock 2-of-5 configuration. Later reporting said the attackers adapted to this change and used it as part of the exploit chain.
Attackers begin preparing Drift multisig compromise
Drift said preparations for the operation began on March 23, including creation of durable nonce accounts and obtaining pre-signed approvals that would later be used to seize Security Council powers.
Sources
Class Action Lawsuit Filed Against Circle Over Drift Protocol $280 Million Hack: Gibbs Mura Law Group (The Defiant, thedefiant.io)
Tether Commits $127.5M to Drift Protocol Recovery Plan Following $270M+ Exploit (The Defiant, thedefiant.io)
Rekt - Drift Protocol (Rekt, rekt.news)
‘It reads like a spy novel’: $280 million theft from Drift involved North Korean fake companies, cutouts (The Record from Recorded Future News, therecord.media)
Solana (SOL) DeFi platform Drift investigates suspicious activity, tells users to halt deposits (coindesk.com)
De-fi platform Drift suspends deposits and withdrawals after millions in crypto stolen in hack (TechCrunch, techcrunch.com)
Crypto platform Drift suspends services after millions stolen in security incident (The Record from Recorded Future News, therecord.media)
Drift Protocol Vault Loses $270 Million in Potential Exploit (The Defiant, thedefiant.io)