POST-MORTEM · 25 MIN READ · Drift Protocol · Solana CRITICAL

Drift Protocol — $285M drained after a six-month DPRK social engineering operation on Solana

North Korean operatives spent six months posing as a quant trading firm, obtained pre-signed admin transactions via Solana's durable nonces, deployed a fake token with a rigged oracle, and drained 50% of Drift's TVL in under two hours.

On April 1, 2026, Drift Protocol — a decentralized perpetuals exchange on Solana — lost approximately $285 million, more than half of its total value locked, to attackers assessed with medium confidence as the North Korean state-sponsored group UNC4736 (a subgroup of Lazarus). The exploit was not a smart contract vulnerability. It was the endpoint of a meticulously planned six-month infiltration campaign that combined classic social engineering with a Solana-native transaction feature, a fabricated token, and a controlled price oracle. When the attack triggered, it took 12 minutes to seize admin control and less than two hours to drain the protocol entirely.


Background: Drift Protocol

Drift is a non-custodial perpetuals DEX on Solana, offering spot trading, perpetual futures, and lending/borrowing. At the time of the attack, its TVL stood at approximately $550 million across more than 18 supported tokens. The protocol is governed by a Security Council multisig, responsible for parameter changes, contract upgrades, and emergency responses.


Phase 1 — Building trust (Autumn 2025 – March 2026)

The attackers established a false identity as a legitimate quantitative trading firm. Their infiltration strategy was methodical:

  • Conference presence: they approached Drift contributors and Security Council members at major crypto industry events starting in autumn 2025
  • Telegram relationship management: sustained contact over six months, discussing trading strategies and protocol mechanics to appear credible
  • Capital commitment: they deposited over $1 million of real funds into Drift, demonstrating skin-in-the-game and earning trust from the team
  • Gradual access: over time, they were included in operational workflows and gained visibility into the protocol’s governance processes

This phase had one objective: get close enough to obtain signatures from Security Council members — without those members understanding what they were signing.


Phase 2 — Infrastructure preparation (March 10–30, 2026)

While maintaining the social engineering operation, the attackers quietly built the technical pieces of their attack:

CarbonVote Token (CVT) — the fake collateral

On March 12, 2026, the attackers deployed CarbonVote Token (CVT) on Solana:

  • Total supply: 750,000,000 CVT
  • Attacker control: approximately 80% of supply
  • Liquidity seeding: ~$500 of real assets placed into a Raydium pool — just enough to establish a price feed
  • Wash trading: the attackers traded CVT between their own wallets to fabricate volume and anchor the price at approximately $1 per CVT
  • Controlled oracle: a custom price oracle was deployed, pointing to the artificial CVT/USD price, intended later to feed Drift’s collateral valuation system

CVT had no real value. Its entire purpose was to serve as infinite fake collateral.

Solana durable nonces — the invisible time bomb

Solana transactions normally expire within ~60 seconds, anchored to a recent_blockhash. Durable nonces bypass this constraint by replacing the recent_blockhash with a reference to a persistent nonce account. A transaction signed with a durable nonce remains valid indefinitely — it can be executed hours, days, or weeks after signing.

On March 23, the attackers created durable nonce accounts and constructed transactions that would:

  1. Transfer Drift’s admin key to an attacker-controlled address
  2. Confirm the transfer in the same atomic window

They then used their social engineering access to present these transactions to Security Council members as routine governance operations. The members signed. They had no reason to suspect the transactions would be executed much later, in a coordinated attack.

Multisig window of opportunity

On March 26, Drift migrated its multisig to a 2-of-5 threshold configuration with zero timelock. This was a critical misconfiguration: without a timelock, any approved multisig transaction executes instantly. There is no observation window, no cancellation mechanism, and no human reaction time.

The attackers may have anticipated or influenced this migration. Regardless, it eliminated the final safety buffer.


Phase 3 — Execution (April 1, 2026)

Admin takeover — 16:05 UTC

At 16:05:18 UTC, the first pre-signed durable nonce transaction was broadcast:

Tx #1 (16:05:18 UTC): admin control → H7PiGqqUaanBovwKgEtreJbKmQe6dbq6VTrw6guy7ZgL
Tx #2 (16:05:19 UTC): transfer confirmed

Two transactions, one second apart. Drift Protocol’s admin key now belonged to the attackers. The legitimate Security Council had no warning — they had signed the transactions weeks earlier, believing them to be harmless.

With admin control secured, the attackers modified Drift’s protocol parameters:

Parameter               Change
CVT collateral status   Whitelisted as accepted collateral
CVT borrow limit        Set to ∞ (infinite)
CVT oracle source       Pointed to attacker-controlled oracle ($1/CVT)

Fund drainage — 16:05 → 18:31 UTC

The attackers deposited 500,000,000 CVT into Drift, valued by the rigged oracle at approximately $500 million. Against this phantom collateral, they borrowed and withdrew every liquid asset in the protocol.

Assets drained (partial list):

Token                           Amount
JLP (Jupiter LP)                $159.3M
USDC                            $71.4M
cbBTC                           $11.3M
SOL, USDT, and 13 other tokens  ~$43M
Total                           ~$285M

The final confirmed drainage transaction was broadcast at 18:31 UTC — two hours and 26 minutes after admin takeover.


Cascade effects across Solana DeFi

Drift’s TVL did not exist in isolation. At least 20 other Solana protocols experienced disruptions following the drain, caused by:

  • Shared liquidity pools: many Solana protocols route liquidity through Drift
  • JLP dependency: $159M in JLP tokens drained from Drift represented significant exposure to Jupiter’s liquidity ecosystem
  • Oracle contagion: protocols relying on Drift’s price feeds for Solana-native assets saw temporary feed disruptions
  • Confidence shock: mass withdrawals from DeFi protocols across Solana in the hours following the announcement

This is not a Drift-specific failure. It is a demonstration of the systemic risk inherent in deeply interconnected DeFi ecosystems.


Attribution: UNC4736 / Lazarus Group

TRM Labs assessed with medium confidence that the attack was carried out by UNC4736, a DPRK-linked threat actor previously associated with cryptocurrency theft operations. Key indicators:

  • On-chain infrastructure overlaps with wallets used in prior DPRK-attributed attacks
  • The six-month social engineering timeline is consistent with DPRK APT operational patterns
  • Funds were initially bridged and mixed using techniques consistent with DPRK laundering playbooks
  • The use of a front company with conference presence mirrors tactics from previous operations (notably the Axie Infinity / Ronin Bridge 2022 attack)

Important caveat: formal attribution was not confirmed at time of writing. Elliptic and Chainalysis both noted DPRK-consistent indicators without claiming certainty.


What made this attack possible

1. Zero timelock on multisig

A timelock introduces a mandatory delay between a governance approval and its execution — typically 24 to 72 hours. This window allows the community and security teams to observe, verify, and cancel malicious transactions.

A zero-timelock multisig is functionally equivalent to a hot wallet in an emergency: once signatures are collected, there is no ability to intervene.

2. Durable nonces without social context

Solana’s durable nonces are a legitimate feature with valid use cases (hardware wallets, offline signing). They become dangerous when combined with social engineering: a signer cannot know when a pre-signed transaction will be executed or what conditions will hold at that future moment.

Protocols requiring multisig signatures should:

  • Never accept durable nonce transactions for governance operations
  • Require signatures to be collected and executed within a short, bounded time window
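The pre-signing check this recommendation implies, as an added example that is not Drift's code: a durable-nonce transaction must begin with a SystemProgram AdvanceNonceAccount instruction (system instruction index 4), so a signer's tooling can parse the raw legacy Solana message and refuse to sign governance transactions that carry that marker (this also illustrates the nonce mechanism described in Phase 2). The sample messages are constructed; the key values and the "admin update" instruction data are placeholders, and the assumption is that the signing tool receives the unsigned message bytes.

```python
# Added example (not Drift's code): detect a durable-nonce transaction from the raw
# Solana legacy message bytes before a multisig member signs it.
SYSTEM_PROGRAM = bytes(32)                  # "11111111111111111111111111111111"
ADVANCE_NONCE = (4).to_bytes(4, "little")   # bincode u32 tag of SystemInstruction::AdvanceNonceAccount

def _compact_u16(b: bytes, i: int) -> tuple[int, int]:
    """Decode Solana's compact-u16 length prefix (7 bits per byte, MSB = continue)."""
    value, shift = 0, 0
    while True:
        byte = b[i]; i += 1
        value |= (byte & 0x7F) << shift
        if byte & 0x80 == 0:
            return value, i
        shift += 7

def parse_message(msg: bytes) -> dict:
    """Parse a legacy Solana message: 3-byte header, account keys, recent blockhash, instructions."""
    n_sigs = msg[0]                                   # msg[1], msg[2] = read-only key counts
    n_keys, i = _compact_u16(msg, 3)
    keys = [msg[i + 32 * k: i + 32 * (k + 1)] for k in range(n_keys)]
    i += 32 * n_keys
    blockhash, i = msg[i:i + 32], i + 32              # for a nonce tx this is the stored nonce value
    n_ix, i = _compact_u16(msg, i)
    ixs = []
    for _ in range(n_ix):
        prog, i = msg[i], i + 1
        n_acc, i = _compact_u16(msg, i)
        accounts, i = list(msg[i:i + n_acc]), i + n_acc
        n_data, i = _compact_u16(msg, i)
        data, i = msg[i:i + n_data], i + n_data
        ixs.append({"program": keys[prog], "accounts": accounts, "data": data})
    return {"num_signers": n_sigs, "keys": keys, "blockhash": blockhash, "instructions": ixs}

def uses_durable_nonce(msg: bytes) -> bool:
    """True if instruction 0 is SystemProgram::AdvanceNonceAccount, i.e. the tx never expires."""
    ixs = parse_message(msg)["instructions"]
    return bool(ixs) and ixs[0]["program"] == SYSTEM_PROGRAM and ixs[0]["data"] == ADVANCE_NONCE

def _encode(keys, blockhash, ixs) -> bytes:
    """Constructed encoder for sample data only: one signer, no read-only keys, counts < 128."""
    out = bytes([1, 0, 0, len(keys)]) + b"".join(keys) + blockhash + bytes([len(ixs)])
    for prog_idx, accts, data in ixs:
        out += bytes([prog_idx, len(accts)]) + bytes(accts) + bytes([len(data)]) + data
    return out

# Constructed sample keys: 0 = council signer, 1 = nonce account, 2 = System Program, 3 = governance program (placeholder)
KEYS = [bytes([0xA1] * 32), bytes([0xB2] * 32), SYSTEM_PROGRAM, bytes([0xD4] * 32)]
ADMIN_IX = (3, [0], b"placeholder-admin-update")      # placeholder instruction data
NONCE_TX = _encode(KEYS, bytes([0x55] * 32), [(2, [1, 0], ADVANCE_NONCE), ADMIN_IX])  # should be refused
NORMAL_TX = _encode(KEYS, bytes([0x55] * 32), [ADMIN_IX])                           # expires with its blockhash
```

A signing policy built on this check still needs the bounded-window rule above, since a normal transaction can also be held unsigned and broadcast later within its blockhash validity.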

3. Unchecked oracle for collateral

Drift accepted CVT as collateral based on a price feed the attackers themselves controlled. A robust collateral onboarding process would require:

  • Price feed operated by an independent, established oracle (Pyth, Switchboard, Chainlink)
  • Multi-source aggregation with deviation thresholds
  • Minimum liquidity and market cap requirements
  • Governance delay before new collateral goes live

None of these checks blocked CVT from becoming the instrument of a $285M heist.

4. Social engineering resilience

The most difficult problem to solve: humans with legitimate authority were deceived. The standard defenses apply:

  • Mandatory identity verification for protocol contributors with admin access
  • Out-of-band confirmation of governance transactions before signing
  • Separation of duties: no single relationship should be able to obtain quorum
  • Regular security training on social engineering patterns for Security Council members

Attack flow summary

Autumn 2025 – March 2026
  └─ Fake quant firm establishes trust with Drift Security Council

March 12
  └─ CVT token deployed, wash-traded to $1, fake oracle live

March 23
  └─ Durable nonce accounts created
  └─ Pre-signed admin takeover transactions obtained via social engineering

March 26
  └─ Drift migrates to 2/5 multisig with zero timelock

April 1, 16:05:18 UTC
  └─ Durable nonce tx #1 fires → admin → H7PiGqq...
  └─ Durable nonce tx #2 fires → transfer confirmed

16:05 → 18:31 UTC
  └─ CVT whitelisted, borrow limit → ∞
  └─ 500M CVT deposited as collateral
  └─ $285M in real assets withdrawn

18:31 UTC
  └─ Final drainage transaction confirmed
  └─ Drift suspends all deposits and withdrawals

Attacker address (confirmed)

H7PiGqqUaanBovwKgEtreJbKmQe6dbq6VTrw6guy7ZgL  (Solana — Drift admin)

Sources