Drift Protocol exploit drained $280M after months-long social engineering campaign
Drift Protocol, a Solana-based decentralized trading platform, said attackers stole about $280 million to $285 million after a months-long intrusion culminated in the takeover of administrative control and the draining of protocol vaults in roughly 12 minutes. Drift’s preliminary findings said the operation abused Solana’s durable nonce feature and pre-signed transactions rather than a simple smart contract flaw, while investigators reported that the attackers staged activity weeks in advance, created a fake asset called CarbonVote Token (CVT), and manipulated its trading history so protocol oracles would accept it as collateral. The stolen assets were then swapped largely into USDC and SOL, bridged to Ethereum through Circle’s Cross-Chain Transfer Protocol, and moved onward through additional services and exchanges.

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Attorney argues Drift incident may constitute civil negligence
Attorney Ariel Givner said Drift Protocol could face civil negligence claims because the team allegedly failed to follow basic operational security practices, including isolating signing keys and properly vetting external contacts. The commentary framed the exploit as a warning about social engineering risks in crypto development.
Investigators attribute Drift attack to UNC4736/North Korea-linked actors
In post-mortem and follow-on reporting, investigators attributed the campaign with medium-high confidence to UNC4736, also known as AppleJeus or Citrine Sleet, and said it was likely linked to North Korean threat actors. Drift also said the same actors were behind the October 2024 Radiant Capital hack.
Drift says exploit required months of deliberate preparation
In later public findings, Drift said the exploit was the result of months of deliberate preparation by the attackers. The update reinforced that the theft stemmed from a prolonged social-engineering and malware campaign rather than a single isolated technical flaw.
Drift publishes preliminary findings on nonce-based exploit
By April 2, Drift had publicly described the incident as a highly sophisticated exploit involving abuse of Solana's durable nonce feature and pre-signed transactions rather than a simple smart contract bug. The disclosure also intensified scrutiny of Circle over its failure to freeze moved USDC during the response window.
Stolen assets swapped, bridged to Ethereum, and laundered
On-chain investigators said the attacker converted much of the stolen crypto into USDC and SOL, then bridged funds from Solana to Ethereum using Circle's Cross-Chain Transfer Protocol. The proceeds were subsequently moved through additional wallets and centralized exchanges.
Drift suspends protocol functions and starts incident response
After detecting the exploit, Drift suspended deposits and withdrawals or otherwise froze protocol functions, removed the compromised wallet from its multisig, and began coordinating with security firms, exchanges, bridges, and law enforcement. The DRIFT token reportedly fell more than 20% following the incident.
Drift Protocol exploited for about $280M-$285M
On April 1, 2026, attackers used Solana's durable nonce mechanism and pre-signed transactions to gain unauthorized Security Council administrative control and drain Drift vaults in about 12 minutes. Reports put the losses at approximately $280 million to $285 million.
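Added illustration of the structural property a defender can monitor for, not Drift's code: a Solana durable-nonce transaction must begin with a System Program AdvanceNonceAccount instruction, and unlike a normal transaction it does not expire when its recent blockhash ages out (roughly a minute), so it can be signed well before it is broadcast. The transaction shape, account names and program id other than the System Program and sysvar are constructed placeholders.

```python
from dataclasses import dataclass

SYSTEM_PROGRAM = "11111111111111111111111111111111"  # Solana System Program id
RECENT_BLOCKHASHES_SYSVAR = "SysvarRecentB1ockHashes11111111111111111111"
# bincode encoding of System Program instruction index 4 = AdvanceNonceAccount
ADVANCE_NONCE_DATA = (4).to_bytes(4, "little")


@dataclass
class Instruction:
    program_id: str
    accounts: list  # account addresses referenced, in program-defined order
    data: bytes


@dataclass
class Transaction:  # simplified, already-decoded view (not wire format)
    signers: list
    instructions: list


def uses_durable_nonce(tx):
    """True when the first instruction is AdvanceNonceAccount, which every
    durable-nonce transaction must carry (the recent_blockhash field then holds
    the stored nonce rather than a live blockhash; not modelled here)."""
    if not tx.instructions:
        return False
    first = tx.instructions[0]
    return first.program_id == SYSTEM_PROGRAM and first.data == ADVANCE_NONCE_DATA


def nonce_authority(tx):
    """AdvanceNonceAccount accounts: [nonce account, recent-blockhashes sysvar,
    nonce authority (signer)]; the authority is who pre-authorised the tx."""
    return tx.instructions[0].accounts[2] if uses_durable_nonce(tx) else None


def review_transaction(tx, privileged):
    """Return alert tags; a durable-nonce tx that touches a privileged account
    (e.g. an admin multisig) deserves human review before it is trusted."""
    tags = []
    if uses_durable_nonce(tx):
        tags.append("durable-nonce")
        touched = {a for ins in tx.instructions for a in ins.accounts} | set(tx.signers)
        if touched & set(privileged):
            tags.append("touches-privileged-account")
    return tags


def demo():
    # Constructed sample: nonce advance followed by a call into a hypothetical admin program.
    tx = Transaction(
        signers=["NONCE_AUTHORITY_PLACEHOLDER"],
        instructions=[
            Instruction(SYSTEM_PROGRAM,
                        ["NONCE_ACCOUNT_PLACEHOLDER", RECENT_BLOCKHASHES_SYSVAR,
                         "NONCE_AUTHORITY_PLACEHOLDER"], ADVANCE_NONCE_DATA),
            Instruction("ADMIN_PROGRAM_PLACEHOLDER", ["ADMIN_MULTISIG_PLACEHOLDER"], b"\x01"),
        ])
    return review_transaction(tx, ["ADMIN_MULTISIG_PLACEHOLDER"]), nonce_authority(tx)
```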
Attackers stage on-chain setup using fake CarbonVote Token
Before the theft, the attackers created a fake asset called CarbonVote Token (CVT) and wash traded it to fabricate a price history. Investigators said Drift's oracle system then accepted the manipulated asset as legitimate collateral.
Attackers deliver malicious links and malware to Drift staff
Over roughly the next six months, the attackers allegedly sent malicious links and malware that compromised developer machines. Drift later said this developer compromise enabled the eventual administrative takeover.
Attackers begin social-engineering Drift developers at crypto conference
Drift said the operation began when attackers engaged team members at a major crypto conference in October 2025. The adversaries then spent months building trust with developers as part of a long-term infiltration campaign.
Sources
Drift Protocol Exploit Took 'Months Of Deliberate Preparation'
cointelegraph.com
North Korea Spent 6 Months To Drain $285M From Drift Protocol In 12 Mins
thecyberexpress.com
Attorney Says Drift Protocol May Be Liable for Damages After Attack
cointelegraph.com
Drift Says Nonce Attack Drove Exploit as Circle Faces USDC Scrutiny
cointelegraph.com