FORENSIC INVESTIGATION, April 5, 2026

Drift Protocol $285M Exploit

Complete forensic reconstruction of the largest DeFi hack of 2026. On-chain data, fund flow tracing, attribution analysis, and vulnerability assessment.

Total Stolen: $285,000,000
Duration: 12 minutes
Drain TXs: 31
Recovered: $0

Executive Summary

On April 1, 2026 at 16:05 UTC, threat actors attributed to North Korea's Lazarus Group (UNC4736 / Citrine Sleet / AppleJeus) executed a $285 million exploit against Drift Protocol, the largest decentralized perpetual futures exchange on Solana.

The attack was the culmination of a 6-month state-sponsored intelligence operation involving human intelligence (HUMINT), social engineering, malware delivery, and sophisticated on-chain staging. The attackers compromised 2 of 5 signers on Drift's Security Council multisig, used durable nonce transactions to pre-sign admin authority transfers, created a fabricated token (CarbonVote / CVT) with a manipulated oracle, disabled withdrawal safety limits, and drained 15+ asset types from protocol vaults in 31 transactions over approximately 12 minutes.

Stolen funds were swapped to USDC via Solana DEXs, bridged to Ethereum via Circle's CCTP over a 6-hour window, and converted to approximately 129,066 ETH (~$267M). This is the largest DeFi hack of 2026, the second-largest in Solana history, and reportedly the 18th DPRK-attributed crypto operation in 2026.

Every red flag was documented before the attack

OtterSec published a detailed warning about durable nonce risks on February 22, 2025 — over 13 months before the exploit. Oracle manipulation is a known pattern (Mango Markets, 2022). 2/5 multisig thresholds are known-weak. The tooling gap was the problem, not the knowledge gap.

Attack Timeline

Phase 0 — Reconnaissance & Social Engineering
Fall 2025
Operatives approach Drift contributors at conferences
Pose as employees of a 'legitimate quantitative trading firm.' Start of 6-month HUMINT campaign.
Fall 2025 – Mar 2026
Build credibility with >$1M in legitimate capital
Establish Telegram group, conduct working sessions, onboard Ecosystem Vault.
Phase 1 — Infrastructure Staging
Mar 11, ~00:00 UTC
10 ETH withdrawn from Tornado Cash
09:00 Pyongyang time — DPRK timezone indicator. Initial operational funding.
Mar 12
CarbonVote Token (CVT) deployed on Solana
Mint: G84LEh...QKo. CVT deployment at ~09:30 Pyongyang time — second timezone indicator.
Mar 12–22
CVT liquidity seeded on Raydium (~$500); wash trading begins
Establishes artificial ~$1 price on DexScreener over 10 days.
Mar 17, 17:23 UTC
First nonce account activity
Nonce 45cZ5Fj... — durable nonce infrastructure setup begins.
Mar 23
Four durable nonce accounts created
Two tied to compromised Security Council members, two attacker-controlled.
Phase 2 — Key Compromise & Positioning
~Mar 23
Contributor #1 clones malicious repository
Exploits known VSCode/Cursor IDE vulnerability. First compromise vector.
~Mar 23
Contributor #2 downloads malicious TestFlight app
iOS app presented as the trading firm's 'wallet product.' Second compromise vector.
Mar 24
Attacker wallet funded: 1 SOL via NEAR Intents
Cross-chain messaging used to obscure funding origin.
Mar 27
Security Council migrated to 2/5 threshold, zero timelock
CRITICAL: zero timelock means instant execution upon 2/5 approval.
Mar 30
New nonce account tied to updated multisig member
Attacker adapted to migration within 3 days — implies ≥3 individuals compromised.
Mar 31, 15:05 UTC
Malicious admin wallet activated
H7PiGq... first on-chain activity. 1 day before execution.
Phase 3 — Execution (April 1, 2026)
16:05:19 UTC
TX1: Admin authority transferred
Durable nonce consumed. Admin changed from AiLGdN...PKrW to H7PiGq...7ZgL via Squads 2/5 approval.
16:05:39 UTC
TX2: CVT Market 63 initialized + 5 withdrawal guards raised to 500T
20 seconds after TX1. Guards increased up to 100,000x. New admin signs directly.
16:06:09 UTC
First drain transaction — 41.72M JLP (~$155.6M)
Attacker deposited ~785M CVT as fake collateral. Oracle values it at hundreds of millions.
16:06:09–16:06:19
31 withdrawal transactions in ~10 seconds
15+ token types extracted from 3 vaults. $309M → $24M TVL.
Phase 4 — Laundering
16:20–22:00 UTC
Solana DEX swaps: all tokens → USDC
Jupiter, Raydium, Orca, Meteora. $270.9M consolidated.
~16:30–22:00 UTC
$232M+ USDC bridged via Circle CCTP
100+ transactions over 6 hours during US business hours. Circle did not intervene.
17:49 UTC
19,913 ETH accumulated on Ethereum
~$42.6M at primary consolidation address 0xFcC478...0643.
18:17 UTC
38,820 ETH across all addresses (~$82.66M)
Rapid USDC → ETH swaps on Ethereum DEXs.
End of day
~129,066 ETH total (~$267M)
Distributed across 5+ wallets. Additional funds via HyperLiquid, Binance, ChainFlip.
Apr 3, 05:17–05:25 UTC
Drift sends on-chain messages to 4 Ethereum wallets
'Ready to speak' — via Blockscan chat. No response from attacker.

Address Registry & On-Chain State

Solana Addresses
Primary Attacker [ATTACKER]
Balance: 1.10 SOL + dust tokens (2 accounts FROZEN)
First funded Mar 24 via NEAR Intents. Fee payer, nonce authority, drain executor.
Malicious Admin [NEW ADMIN]
Balance: 2.97 SOL, 0 tokens
Created Mar 31. Signed TX2 (market init + guard manipulation). ~29 total transactions.
Compromised Signer [COMPROMISED]
Nonce authority for TX1. Social-engineered multisig member.
Previous Admin (Legitimate) [VICTIM]
Balance: 0.051 SOL
Drift's legitimate admin before exploit. Authority transferred in TX1.
Drift Vault [VICTIM]
Balance: Account does not exist (null)
Pre-exploit: ~$309M TVL. Post-exploit: ~$24M. Drained of 15+ token types.
Squads Multisig [GOVERNANCE]
Drift Security Council. 2-of-5 threshold, zero timelock.
Drift State Account [PROTOCOL]
Contains admin field. Modified in TX1 — admin changed.
Nonce Accounts
Nonce 1
Balance: 1.98 SOL (consumed)
First activity: Mar 17, 17:23 UTC. Last: Mar 26, 02:10 UTC. ~20 txs including failed Custom:2001.
Nonce 2
Balance: 0.34 SOL (consumed)
Nonce (TX1)
Used in TX1 admin transfer. Authority: 6UJbu9...Pvu924.
CVT Market Accounts (created in TX2)
CVT Spot Market State
Market 63
CVT Vault Token Account
CVT Insurance Fund
Ethereum Addresses
Primary ETH Consolidation [ATTACKER]
Accumulated 19,913 ETH (~$42.6M) by 17:49 UTC April 1.
Attacker Wallet #1 [ATTACKER]
Drift-identified. On-chain message received Apr 3, 05:17 UTC.
Attacker Wallet #2 [ATTACKER]
Drift-identified. On-chain message received Apr 3, 05:20 UTC.
Attacker Wallet #3 [ATTACKER]
Drift-identified. On-chain message received Apr 3, 05:23 UTC.
Attacker Wallet #4 [ATTACKER]
Drift-identified. On-chain message received Apr 3, 05:25 UTC.
Drift Messaging Wallet [DRIFT]
Sent 'ready to speak' messages to 4 attacker wallets.

Transaction Analysis

[CRITICAL] TX1: Admin Authority Transfer
Slot 410,344,009
Time 16:05:19 UTC
CU 69,273
Fee 5,000 lam.
SIGNATURE
4BKBmAJn6TdsENij7CsVbyMVLJU1tX27nfrMM1zgKv1bs2KJy6Am2NqdA3nJm4g9C6eC64UAf5sNs974ygB9RsN1
Instruction Trace
#0 System Program: advanceNonce
Consumed nonce EmYEry...vvhQnc. Authority: 6UJbu9...Pvu924
#1 Squads v4: ProposalApprove
2/5 threshold met
#2 Squads v4 → Drift v2 (CPI): VaultTransactionExecute → UpdateAdmin
admin: AiLGdN...PKrW → H7PiGq...7ZgL
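The TX1 trace is what a pre-approval scanner should catch before any signer approves. The following is an added example, not TxScope's or Drift's code: it walks the instructions of a proposed multisig transaction (modelled on the TX1 trace) and raises the red flags this report describes. The Squads and Drift program ids, the instruction names and the sample transaction are constructed placeholders; only the System Program id is real.

```python
# Added example (not TxScope's or Drift's code). Program ids other than the System
# Program, instruction names and the sample transaction are constructed to mirror TX1.
from dataclasses import dataclass

SYSTEM_PROGRAM = "11111111111111111111111111111111"  # the real Solana System Program id
SQUADS_V4 = "SQUADS_V4_PROGRAM_ID"  # placeholder label, not the real program id
DRIFT_V2 = "DRIFT_V2_PROGRAM_ID"    # placeholder label, not the real program id

# Instructions that hand over control of a protocol or loosen its safety limits.
PRIVILEGED_IX = {"UpdateAdmin", "SetAuthority", "UpdateWithdrawGuardThreshold"}

@dataclass
class Ix:
    program: str
    name: str
    inner: tuple = ()  # CPI calls this instruction makes, in order

def flatten(ixs):
    """Yield (depth, ix) for every top-level instruction and its CPI calls."""
    for ix in ixs:
        yield 0, ix
        for inner in ix.inner:
            yield 1, inner

def scan(ixs, threshold, signers, timelock_seconds):
    """Return (severity, message) findings for a proposal before anyone signs it."""
    findings = []
    # A leading AdvanceNonceAccount makes the signed message durable: it never expires,
    # so a signature collected today can be submitted at a moment of the attacker's choosing.
    if ixs and ixs[0].program == SYSTEM_PROGRAM and ixs[0].name == "AdvanceNonceAccount":
        findings.append(("CRITICAL", "durable nonce: pre-signed transaction with no expiry"))
    for depth, ix in flatten(ixs):
        if ix.name in PRIVILEGED_IX:  # privileged calls hidden behind a CPI count too
            where = "via CPI" if depth else "top level"
            findings.append(("CRITICAL", f"{ix.name} ({where}) changes protocol control"))
    if threshold * 2 <= signers:
        findings.append(("HIGH", f"{threshold}/{signers} threshold: half or fewer signers suffice"))
    if timelock_seconds == 0:
        findings.append(("HIGH", "zero timelock: approval executes instantly, no review window"))
    return findings

# Constructed model of TX1: advanceNonce, ProposalApprove, then UpdateAdmin reached by CPI.
TX1 = [
    Ix(SYSTEM_PROGRAM, "AdvanceNonceAccount"),
    Ix(SQUADS_V4, "ProposalApprove"),
    Ix(SQUADS_V4, "VaultTransactionExecute", inner=(Ix(DRIFT_V2, "UpdateAdmin"),)),
]

if __name__ == "__main__":
    for severity, message in scan(TX1, threshold=2, signers=5, timelock_seconds=0):
        print(severity, message)
```

Run against the modelled TX1 with the 2/5, zero-timelock council configuration, the scan returns two CRITICAL and two HIGH findings; a 3/5 council approving a plain ProposalApprove with a one-day timelock returns none.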
[CRITICAL] TX2: CVT Market Init + Withdrawal Guard Manipulation
Slot 410,344,059
Time 16:05:39 UTC
CU 93,087
Signer H7PiGq...
SIGNATURE
4a5962Rdqd9pkXtk9DMQ9ZYhdGb2k9gPw71GvukJgELhxbCY5gm1c1hhKdwuGefyqJ3XMvihUTDNDn3qbXnst82X
Instructions (6)
InitializeSpotMarket: Market 63 (CVT)
UpdateWithdrawGuardThreshold: Market 19, 5B → 500T (100,000x)
UpdateWithdrawGuardThreshold: Market 0 (USDC), 25T → 500T (20x)
UpdateWithdrawGuardThreshold: Market 27, 10B → 500T (50,000x)
UpdateWithdrawGuardThreshold: Market 17, 5T → 500T (100x)
UpdateWithdrawGuardThreshold: Market 4, 200B → 500T (2,500x)
[CRITICAL] TX3–TX33: The Drain (31 transactions)
16:06:09 – 16:06:19 UTC — ~10 seconds total
JLP Tokens: 41,720,000 (~$155,600,000)
USDC: 66,400,000 (~$66,400,000)
SOL: ~125,000 (~$10,450,000)
cbBTC: 164,349 (~$11,290,000)
USDT: ~$5,650,000
wETH: 2,200 (~$5,280,000)
FARTCOIN: 23,400,000 (~$4,110,000)
mSOL, BSOL, INF, JitoSOL, dSOL, JTO, SyrupUSDC, +more: ~$26,220,000
TOTAL: ~$285,000,000

Social Engineering Campaign

Threat Actor
Lazarus Group
Sub-group
UNC4736 / Citrine Sleet
Campaign Duration
6 months
Capital Invested
>$1,000,000
Compromise Vectors
VECTOR 1: Malicious Code Repository

A Drift contributor cloned an external code repository that exploited a known vulnerability in VSCode/Cursor IDE. The repository likely contained a crafted .vscode/settings.json or extension configuration that executed arbitrary code upon opening the project.

VECTOR 2: TestFlight Malware

Another contributor downloaded a TestFlight application presented as the trading firm's proprietary “wallet product.” The iOS app contained a malicious payload that likely exfiltrated signing credentials or installed a persistent backdoor.

Key Insight — Adaptation to Multisig Rotation

When Drift migrated its Security Council on March 27 (swapping out a member), the attacker adapted within 3 days. By March 30, a new durable nonce account appeared tied to a member of the updated multisig. This demonstrates the attacker had compromised at least 3 individuals (to maintain 2/5 access across the rotation) and had real-time visibility into Drift's governance operations.

Cold Wallet Limitation

Drift confirmed “no seed phrases have been compromised.” All signers used hardware wallets. The attacker compromised the people and their computing environments, not the keys directly.

Previous DPRK Operations (Same Methodology)
2022 Ronin Bridge: $625M
2022 Wormhole: $326M
2024 Radiant Capital: ~$50M
2025 Bybit: $1,400M
2026 Drift Protocol: $285M

CarbonVote Token (CVT) — Fabricated Collateral

Mint Address
G84LEh...QKo
Decimals
9
Total Supply
~750,000,000
Backing Liquidity
~$500
Mint Authority
Revoked (null)
Freeze Authority
Revoked (null)
Oracle Manipulation Mechanics
Created a completely fabricated SPL token with zero intrinsic value
Seeded Raydium liquidity pool with ~$500
Wash trading over 10 days established artificial ~$1 price on DexScreener
Assigned attacker-controlled Switchboard oracle feed
Oracle reports CVT at hundreds of millions in value
Drift's price infrastructure treats CVT as legitimate
Attacker deposits ~785M CVT as “collateral”
Protocol recognizes this as hundreds of millions in usable margin
Attacker withdraws $285M in real assets
Comparison: Mango Markets (October 2022)
Amount: Mango Markets $110M vs. Drift $285M
Token: Mango Markets MNGO (real, illiquid) vs. Drift CVT (entirely fabricated)
Admin access: Mango Markets not needed vs. Drift required (key compromise)
Durable nonces: Mango Markets no vs. Drift yes (key enabler)
Attribution: Mango Markets solo actor (Eisenberg) vs. Drift DPRK state actors

Fund Flow Analysis

Origin of Funds
Tornado Cash (Ethereum) — 10 ETH withdrawn March 11
Cross-chain via NEAR Intents to Solana
HkGz4K...ZES funded with 1 SOL (March 24)
Funded 4 nonce accounts (March 17–23)
Funded new admin wallet H7PiGq...7ZgL (March 31)
Solana-Side Laundering
Drift Vaults ($309M) drained via 31 withdrawal TXs in ~10 seconds
15+ token types: JLP, USDC, SOL, cbBTC, USDT, wETH, mSOL, BSOL, ...
All tokens swapped to USDC via Jupiter, Raydium, Orca, Meteora
$270.9M USDC consolidated
Cross-Chain Bridge
Circle CCTP (primary) — $232M+ USDC burned on Solana, minted on Ethereum
100+ transactions over 6 hours during US business hours
Circle did not intervene
Secondary routes: Wormhole, deBridge, Mayan
SOL directly to HyperLiquid and Binance
Ethereum-Side Consolidation
USDC arrives on Ethereum via CCTP mint
USDC → ETH swaps on Ethereum DEXs
Distributed across 5+ wallets
17:49 UTC: 19,913 ETH at 0xFcC478...0643
18:17 UTC: 38,820 ETH across all wallets (~$82.66M)
End of day: ~129,066 ETH (~$267M)
Additional transfers via ChainFlip
Fund Flow Summary
Staging: 10 ETH + 1 SOL (Mar 11–24)
Drain: ~$285M (15+ tokens) in ~10 seconds
Solana swaps: $270.9M → USDC in ~2 hours
Bridge: $232M+ USDC in ~6 hours
ETH conversion: ~129,066 ETH in ~8 hours

Cross-Chain Infrastructure

Tornado Cash: 10 ETH (seed)
NEAR Intents: 1 SOL
Circle CCTP: $232M+
Wormhole: Partial
deBridge: Partial
ChainFlip: Unknown
Backpack: Unknown
Mayan: Partial
Jupiter: Majority of swaps
HyperLiquid: SOL portion
Binance: Partial

Circle USDC Freeze Controversy

$232M in stolen USDC flowed through Circle's own CCTP unblocked

Over a 6-hour window during US business hours, the attacker bridged $232M+ in stolen USDC from Solana to Ethereum via Circle's Cross-Chain Transfer Protocol. Circle did not deploy its USDC blacklist/freeze authority at any point during this window. The attacker deliberately chose USDC over USDT, presumably betting Circle would be slower to act.

“Circle was asleep while many millions of USDC were swapped via CCTP from Solana to Ethereum for hours from the 9-figure Drift hack during US hours” — ZachXBT
The Contradiction

Just 9 days earlier (March 23), Circle froze 16 legitimate business hot wallets — including exchanges, casinos, and the DFINITY Foundation's ckETH Minter contract — as part of a civil case. ZachXBT called it “potentially the single most incompetent freeze” in five years and documented $420M+ in alleged compliance failures by Circle since 2022.

Attribution — DPRK / Lazarus Group

TRM Labs
Likely DPRK
Elliptic
Consistent with DPRK
Mandiant
Investigation ongoing
Attribution Evidence
01 Tornado Cash pre-funding — consistent with DPRK operational playbook
02 Pyongyang timezone alignment — CVT deployed at 09:00/09:30 local time
03 6-month social engineering campaign — identical to Radiant Capital (Oct 2024)
04 VSCode/Cursor exploit + TestFlight malware — consistent with known DPRK tooling
05 Rapid multi-chain bridging — matches Bybit ($1.4B) laundering pattern
06 On-chain fund tracing links to same actors behind Radiant Capital breach
07 State-level resources — >$1M invested in credibility building
08 18th DPRK-attributed crypto operation in 2026 (Elliptic)

Vulnerability Analysis

CRITICAL

2/5 Multisig Threshold with Zero Timelock

Only 2 signatures were needed for any action, including admin transfers, and the zero timelock meant instant execution. Compromising 2 individuals gave complete control with no detection window.

CRITICAL

Durable Nonce Abuse (Warned 13 Months Prior)

OtterSec published detailed warning on February 22, 2025. The exact attack vector used in this exploit was publicly documented. No ecosystem tooling existed to surface the risk to signers.

CRITICAL

Blind Signing Problem

Multisig signers were presented with unreadable hex data and had no way to verify the outcome of the transaction they were approving. OtterSec described this as 'roughly equivalent to blind signing.'

HIGH

Withdrawal Guards Modifiable Without Limits

Admin role could modify withdrawal guard thresholds by up to 100,000x in a single transaction with no timelock, maximum change limit, or separate governance approval.

HIGH

No Oracle Quality Checks for New Markets

A new spot market was listed with an oracle backed by $500 in liquidity and a 21-day price history. The protocol imposed no minimum liquidity, feed age, or gradual collateral ramp-up requirements.
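The two HIGH findings above, and the five guard changes in TX2, describe admin actions that had no policy gate in front of them. The following is an added example, not Drift's code: a gate that routes out-of-band withdraw-guard changes into a timelock and rejects a new-market listing that fails liquidity, history and feed-ownership floors. The limits are assumed policy values; the before/after thresholds are the TX2 figures from this report.

```python
# Added example (not Drift's code). Policy limits are assumptions; the TX2 threshold
# values and the CVT listing figures come from the report above.
from dataclasses import dataclass

MAX_GUARD_CHANGE_FACTOR = 2.0       # assumed: at most a 2x change per direct update
MIN_ORACLE_LIQUIDITY_USD = 1_000_000  # assumed listing floor for oracle-backing liquidity
MIN_PRICE_HISTORY_DAYS = 90         # assumed minimum feed age before listing

def check_guard_update(current, requested):
    """Return 'apply', 'timelock' or 'reject' for a withdraw-guard threshold change."""
    if current <= 0 or requested <= 0:
        return "reject"
    factor = max(requested, current) / min(requested, current)
    if factor <= MAX_GUARD_CHANGE_FACTOR:
        return "apply"
    # Anything beyond the per-update factor waits in the timelock, giving other signers
    # and monitoring a window to see the change before it takes effect.
    return "timelock"

@dataclass
class OracleListing:
    liquidity_usd: float
    price_history_days: int
    feed_owner_trusted: bool  # feed controlled by protocol governance, not the proposer

def check_new_market(listing):
    """Return the listing requirements a proposed spot market fails (empty = passes)."""
    failures = []
    if listing.liquidity_usd < MIN_ORACLE_LIQUIDITY_USD:
        failures.append("liquidity below floor")
    if listing.price_history_days < MIN_PRICE_HISTORY_DAYS:
        failures.append("price history too short")
    if not listing.feed_owner_trusted:
        failures.append("oracle feed not governance-controlled")
    return failures

# The five TX2 threshold changes as (market, before, after) in raw units: 5B → 500T etc.
TX2_GUARD_UPDATES = [
    (19, 5e9, 500e12), (0, 25e12, 500e12), (27, 10e9, 500e12),
    (17, 5e12, 500e12), (4, 200e9, 500e12),
]
# CVT as listed in TX2: ~$500 of liquidity, 21 days of wash-traded history, attacker-run feed.
CVT_LISTING = OracleListing(liquidity_usd=500, price_history_days=21, feed_owner_trusted=False)

if __name__ == "__main__":
    for market, before, after in TX2_GUARD_UPDATES:
        print(f"market {market}: {before:g} -> {after:g}: {check_guard_update(before, after)}")
    print("CVT listing failures:", check_new_market(CVT_LISTING))
```

Under these assumed limits every one of the five TX2 guard changes (20x to 100,000x) would have been held in the timelock rather than applied in the same transaction, and the CVT listing fails all three checks.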

MEDIUM

Social Engineering Susceptibility

Despite hardware wallets, contributors were vulnerable to IDE-based exploits and mobile malware delivered through 6 months of trust building.

Impact Assessment

Total Stolen
$285M
TVL Before
$550M
TVL After
$255M
TVL Decline
53%
DRIFT Token
-35%
Recovered
$0
Ecosystem Impact
Largest DeFi hack of 2026 (as of April 5)
Second-largest Solana exploit (after Wormhole $326M)
20+ Solana protocols confirmed exposure (including Gauntlet: $6.4M loss)
Arthur Hayes publicly questioned Solana multisig infrastructure
Ledger CTO: “looks like Bybit all over again”
35 protocols exploited in 2026 YTD, ~$453M extracted total

Indicators of Compromise (IOCs)

Solana Addresses
Primary attacker
Malicious admin
Compromised signer
CVT token mint
Nonce account 1
Nonce account 2
Nonce (TX1)
Squads multisig
Ethereum Addresses
Primary ETH consolidation
Attacker wallet #1
Attacker wallet #2
Attacker wallet #3
Attacker wallet #4
Transaction Signatures
TX1: Admin Transfer
4BKBmAJn6TdsENij7CsVbyMVLJU1tX27nfrMM1zgKv1bs2KJy6Am2NqdA3nJm4g9C6eC64UAf5sNs974ygB9RsN1
TX2: Market Init + Guard Manipulation
4a5962Rdqd9pkXtk9DMQ9ZYhdGb2k9gPw71GvukJgELhxbCY5gm1c1hhKdwuGefyqJ3XMvihUTDNDn3qbXnst82X

Sources

Security Research
OtterSec — “Solana Multisig Security” (February 22, 2025)
NomosLabs — “Drift Trade 2026 Exploit Analysis”
Attribution Reports
TRM Labs — “North Korean Hackers Attack Drift Protocol in $285 Million Heist”
Elliptic — “Drift Protocol Exploited for $286M in Suspected DPRK-Linked Attack”
News Coverage
Bloomberg, CoinDesk, The Hacker News, BleepingComputer, Security Affairs, CCN, Benzinga
On-Chain Investigation
ZachXBT — real-time tracking and Circle accountability analysis
Arkham Intelligence — wallet labeling and fund flow tracking
Lookonchain — exploit alert and fund movement tracking
Solana RPC — live balance and transaction queries (api.mainnet-beta.solana.com)

This report will be updated as additional information becomes available from Mandiant's investigation, law enforcement actions, and on-chain fund movement tracking.

This attack was preventable with better tooling.

TxScope surfaces durable nonces, authority transfers, oracle manipulation, and every other red flag in this attack — before any signer approves.
