
Cyber Incident Victim: Drift

Date:

Apr 2026

Location:

United States of America

Summary

Drift, a Solana‑based perpetual futures protocol, was compromised after a six‑month social engineering campaign by North Korean actors who gained private‑key access through at least three vectors: a cloned code repository that exploited an editor vulnerability, a malicious TestFlight wallet app, and a third vector not yet disclosed. With those keys the attackers changed the protocol's approval mechanism so that only two of five signers were needed and removed the execution delay, then minted 750 million worthless CarbonVote Tokens (CVT), had the protocol price them as high‑value collateral, raised borrowing limits, and drained roughly $285 million in stablecoins and other assets through a burst of rapid withdrawals. The stolen funds were swapped to USDC on Solana, bridged to Ethereum, and laundered through a mixing service; the protocol suspended operations and investigators linked the intrusion to prior North Korean‑linked hacks.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 2 techniques

Threat Actors: 2 actors

Type: Available to members

Location: Available to members

Description

In fall 2025, individuals posing as representatives of a quantitative trading firm approached Drift contributors at a major crypto conference, kept up in‑person contact at events in several countries, set up a Telegram group, discussed trading strategies and vault integrations, and onboarded an Ecosystem Vault holding over $1 million in deposits. In mid‑March 2026, the attackers began routing funds through Tornado Cash to obscure their trail and funded the accounts used to stage the attack transactions. On March 27, 2026, the attackers, by then holding compromised signer keys, changed Drift's approval mechanism (the multisig that governs protocol configuration) to require only two of five key holders to authorize major changes and removed the built‑in waiting period that would otherwise have given the team time to notice a pending change. With that control in place, the attackers minted 750 million new tokens named CarbonVote Token (CVT) and manipulated the platform's price feeds so that the protocol valued these tokens as high‑value collateral.


On April 1, 2026, the attackers executed the pre‑staged transactions, which listed the fake CVT tokens as collateral on Drift, raised borrowing limits, deposited hundreds of millions of the counterfeit tokens, and initiated 31 rapid withdrawals that drained real assets from the protocol's vaults holding USDC, JLP, SOL and other crypto assets. The entire extraction took approximately twelve minutes, after which the stolen funds were swapped for USDC on a Solana‑based exchange and bridged to the Ethereum network to obscure the trail. The amount removed was roughly $285 million, as reported by Drift and confirmed by blockchain analytics firms TRM Labs and Elliptic.
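The sequence above (quorum lowered, execution delay removed, an unvetted token listed as collateral with a manipulated price, borrow limits raised, then rapid withdrawals) is a chain of configuration failures that a risk engine can refuse or at least detect. The following is an added example, not Drift's code and not a model of Drift's actual parameters: a toy integer‑arithmetic risk engine with three guards, a governance floor on multisig threshold and timelock, a per‑asset deposit cap plus oracle allowlist for collateral valuation, and a sliding‑window outflow breaker. The floors, caps, window and every number in the scenario are constructed assumptions chosen to mirror the shape of the incident, not its figures.

```python
# Added example: toy risk-engine model of the governance/collateral failure mode
# described in the incident. Constructed for illustration; not Drift's code.
# USD amounts are integers, weights and fractions are in basis points (bps),
# as fixed-point on-chain programs typically do.
from __future__ import annotations
from collections import deque
from dataclasses import dataclass


class GovernanceError(Exception):
    pass


@dataclass
class Multisig:
    signers: int
    threshold: int        # signatures required to execute a config change
    timelock_secs: int    # delay between proposal and execution


def change_multisig(ms: Multisig, new_threshold: int, new_timelock_secs: int,
                    min_threshold: int = 3, min_timelock_secs: int = 24 * 3600) -> Multisig:
    """Hardened config update: refuses the two changes that preceded the drain,
    lowering the quorum and removing the execution delay. Floors are assumptions."""
    if not 1 <= new_threshold <= ms.signers:
        raise GovernanceError("threshold out of range")
    if new_threshold < min_threshold:
        raise GovernanceError(f"threshold {new_threshold} below floor {min_threshold}")
    if new_timelock_secs < min_timelock_secs:
        raise GovernanceError(f"timelock {new_timelock_secs}s below floor {min_timelock_secs}s")
    ms.threshold = new_threshold
    ms.timelock_secs = new_timelock_secs
    return ms


@dataclass
class Collateral:
    symbol: str
    oracle_price_usd: int     # price reported by the asset's configured oracle
    weight_bps: int           # share of value counted as collateral (10_000 = 100%)
    deposit_cap_usd: int      # max USD value of this asset the pool will count
    oracle_allowlisted: bool  # True only if the price feed passed review


def borrow_capacity_usd(deposits: dict[str, int], book: dict[str, Collateral],
                        hardened: bool) -> int:
    """USD the depositor may borrow against `deposits`. With hardened=True,
    collateral whose oracle is not allowlisted counts for nothing and each
    asset's counted value is clipped to its deposit cap."""
    total = 0
    for sym, amount in deposits.items():
        c = book[sym]
        if hardened and not c.oracle_allowlisted:
            continue
        value = amount * c.oracle_price_usd
        if hardened:
            value = min(value, c.deposit_cap_usd)
        total += value * c.weight_bps // 10_000
    return total


def first_tripping_withdrawal(events: list[tuple[int, int]], tvl_usd: int,
                              window_secs: int = 900, max_fraction_bps: int = 1_000):
    """Sliding-window outflow breaker over (timestamp_secs, amount_usd) events.
    Returns the index of the first withdrawal at which outflow within
    `window_secs` exceeds max_fraction_bps of TVL, or None if it never trips."""
    window: deque[tuple[int, int]] = deque()
    outflow = 0
    for i, (ts, amount) in enumerate(events):
        window.append((ts, amount))
        outflow += amount
        while ts - window[0][0] > window_secs:
            _, old = window.popleft()
            outflow -= old
        if outflow * 10_000 > max_fraction_bps * tvl_usd:
            return i
    return None


# --- Constructed scenario (illustrative numbers, not the incident's figures) ---
# A freshly minted token whose oracle reports $1 but was never reviewed.
CVT = Collateral("CVT", oracle_price_usd=1, weight_bps=8_000,
                 deposit_cap_usd=1_000_000, oracle_allowlisted=False)
BOOK = {"CVT": CVT}
ATTACKER_DEPOSITS = {"CVT": 750_000_000}          # 750M minted tokens deposited
# 31 withdrawals of $9.2M each, one every 24 s, spanning roughly twelve minutes.
DRAIN = [(24 * i, 9_200_000) for i in range(31)]

if __name__ == "__main__":
    print("capacity, unhardened:", borrow_capacity_usd(ATTACKER_DEPOSITS, BOOK, False))
    print("capacity, hardened:  ", borrow_capacity_usd(ATTACKER_DEPOSITS, BOOK, True))
    try:
        change_multisig(Multisig(signers=5, threshold=3, timelock_secs=86_400), 2, 0)
    except GovernanceError as e:
        print("governance change refused:", e)
    print("breaker trips at withdrawal index:",
          first_tripping_withdrawal(DRAIN, tvl_usd=600_000_000))
```

Without the guards the 750 million tokens unlock $600M of borrowing in this model; with them an unreviewed feed counts for nothing and even an allowlisted one is clipped to the cap. The breaker fires on the seventh withdrawal, well inside the twelve‑minute window, which is the difference between an alert and a post‑mortem. None of these checks replaces key hygiene, but each one turns a single compromised configuration step into something that has to be defeated separately.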

TRM Labs and Elliptic linked the on‑chain activity to North Korean actors within days of the April 1 incident, citing operating hours that matched Pyongyang local time and behavioral patterns consistent with prior DPRK‑linked operations. Drift suspended its services on April 2, 2026, pending further investigation. Law enforcement reviewed additional potential compromise vectors: a contributor cloning a code repository that exploited a known VSCode or Cursor vulnerability to achieve silent arbitrary code execution when the project was opened, another contributor installing a TestFlight app presented as a wallet product, and a third vector still under investigation. The SEAL 911 team attributed the campaign with medium‑to‑high confidence to the same North Korean state‑affiliated group responsible for the October 2024 Radiant Capital hack, noting that the individuals who met Drift contributors in person were third‑party intermediaries rather than North Korean nationals.

Sources
Sources available to members
5 sources