CarbonVote Token
Summary
CarbonVote Token (CVT) is a fictitious Solana-based token deployed on March 12, 2026 as a purpose-built instrument in the DPRK-attributed $285 million exploit of Drift Protocol. The token was minted with a 750 million unit supply, wash-traded on Raydium to fabricate a $1.00 price history, and used as fraudulent collateral after attackers seized admin control of Drift via compromised multisig signatures. CVT itself has no independent utility or legitimate use case; it is documented exclusively as an attack vector.
Token Creation and Supply Structure
CarbonVote Token (CVT) was deployed on the Solana blockchain on March 12, 2026, approximately one day after attackers withdrew 10 ETH from Tornado Cash on March 11 to fund the operation. Multiple sources report the total minted supply at 750 million tokens. At the time of the exploit, the attacker controlled approximately 80% of the total supply—roughly 600 million tokens—according to Hypernative's post-exploit analysis. This concentration of supply in attacker-controlled wallets was a deliberate design choice enabling complete price manipulation without meaningful market resistance. The token had no whitepaper, no disclosed development team, no roadmap, and no utility independent of its role in the exploit.
- [1] [HIGH] Chainalysis: Drift Protocol Hack – How Privileged Access Led to a $285M Loss (research)
- [2] [HIGH] TRM Labs: North Korean Hackers Attack Drift Protocol In USD 285 Million Heist (research)
- [3] [MED] Hypernative: The Drift Exploit – When Privileged Access Has No Limits (research)
- [4] [MED] CryptoTimes: $285M Gone in 12 Minutes (news article)
Raydium Seeding and Wash Trading
Following deployment, the attackers established a liquidity pool on the Raydium decentralized exchange seeded with approximately $500 in real assets—a deliberately minimal amount designed to avoid detection while creating the appearance of a functioning market. Over the subsequent weeks, the attackers executed sustained wash trading: repeatedly buying and selling CVT between their own wallets to generate an artificial price history near $1.00 per token. The Nexus Mutual incident report describes this process as fabricating 'a price history that Drift's oracles would accept.' The entire wash-trading operation spanned approximately three weeks before the April 1 execution date.
- [1] [MED] Nexus Mutual: Drift Protocol Incident Report (research)
- [2] [HIGH] Chainalysis: Drift Protocol Hack – How Privileged Access Led to a $285M Loss (research)
- [3] [MED] CryptoTimes: $285M Gone in 12 Minutes (news article)
Oracle Manipulation via Switchboard
The artificial price history generated by weeks of wash trading was harvested by an on-chain oracle—reported across multiple sources as a Switchboard (SwitchboardOnDemand) price feed—which accepted the manufactured trading signals as legitimate market data and reported a CVT price of approximately $1.00. The Hypernative analysis notes that Drift's oracle system 'does not evaluate whether an asset has real economic backing—it evaluates the inputs it is given: price feeds, liquidity signals, collateral parameters.' After seizing admin control of Drift on April 1, the attackers used the protocol's initializeSpotMarket function to whitelist CVT as an accepted collateral asset and specify the attacker-controlled Switchboard feed as its price source, bypassing standard validation layers. The Nexus Mutual incident report characterizes the oracle manipulation as 'a downstream effect of the key compromise, not an independent failure of Drift's oracle system.'
- [1] [MED] Hypernative: The Drift Exploit – When Privileged Access Has No Limits (research)
- [2] [MED] Nexus Mutual: Drift Protocol Incident Report (research)
- [3] [MED] CryptoTimes: $285M Gone in 12 Minutes (news article)
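The gap between an oracle-reported value and what a pool can actually absorb, together with the wash-trading and supply-concentration signals described above, can be checked before an asset is accepted as collateral. The following is an added example, not code from Drift or any cited report; the constant-product pool model, the 50/50 split of the roughly $500 pool, the swap fee, the wallet names, the trades and the thresholds are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    token_reserve: float   # collateral-token side of the pool
    usd_reserve: float     # quote side of the pool, in USD

def exit_value_usd(pool, tokens_sold, fee=0.0025):
    """USD obtained by selling tokens_sold into a constant-product (x*y=k) pool."""
    dx = tokens_sold * (1.0 - fee)          # assumed swap fee taken on input
    return pool.usd_reserve * dx / (pool.token_reserve + dx)

def self_trade_share(trades, clusters):
    """Fraction of traded volume where buyer and seller map to the same wallet cluster."""
    total = sum(t["usd"] for t in trades)
    same = sum(t["usd"] for t in trades
               if clusters.get(t["buyer"]) is not None
               and clusters.get(t["buyer"]) == clusters.get(t["seller"]))
    return same / total if total else 0.0

def assess_collateral(oracle_price, deposit, supply, top_cluster_tokens, pool,
                      trades, clusters, max_concentration=0.20,
                      min_coverage=0.50, max_self_trade=0.10):
    oracle_value = oracle_price * deposit        # what the price feed implies
    exit_value = exit_value_usd(pool, deposit)   # what liquidation could recover
    findings = []
    if top_cluster_tokens / supply > max_concentration:
        findings.append("supply_concentration")
    if exit_value / oracle_value < min_coverage:
        findings.append("illiquid_vs_oracle_value")
    if self_trade_share(trades, clusters) > max_self_trade:
        findings.append("self_trading_volume")
    return {"oracle_value": oracle_value, "exit_value": exit_value, "findings": findings}

# Constructed inputs. Supply, holdings, deposit, price and the ~$500 pool are the
# page's figures; the pool split, wallets, trades and thresholds are assumptions.
CVT_POOL = Pool(token_reserve=250.0, usd_reserve=250.0)
CLUSTERS = {"walletA": "c1", "walletB": "c1", "walletC": "c2"}
TRADES = [
    {"buyer": "walletA", "seller": "walletB", "usd": 40.0},
    {"buyer": "walletB", "seller": "walletA", "usd": 55.0},
    {"buyer": "walletC", "seller": "walletA", "usd": 5.0},
]

def demo():
    return assess_collateral(1.00, 500e6, 750e6, 600e6, CVT_POOL, TRADES, CLUSTERS)

if __name__ == "__main__":
    print(demo())
```

Under these assumptions the 500 million token deposit carries an oracle value of $500 million but could recover less than $250 from the pool, so all three checks fire.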
Use as Fraudulent Collateral and Exploit Execution
On April 1, 2026 at approximately 16:05 UTC, attackers submitted two pre-signed Solana transactions within four blockchain slots. The second transaction advanced the durable nonce account and executed an UpdateAdmin instruction transferring Drift's administrative control to an attacker-controlled address reported as H7PiGqqUaanBovwKgEtreJbKmQe6dbq6VTrw6guy7ZgL. With admin control secured, the attackers: (1) created a CVT collateral market with permissive risk parameters and effectively unlimited borrowing limits; (2) pointed the CVT oracle to the attacker-controlled Switchboard feed; (3) disabled circuit breakers and raised withdrawal limits across major asset pools. The attackers then deposited 500 million CVT tokens, which the oracle priced at approximately $1 based on the fabricated trading history, treating the deposit as roughly $500 million in legitimate collateral. Thirty-one withdrawal transactions over approximately 12 minutes drained $285–295 million in real assets. The Drift official recovery update of April 16, 2026 itemizes the largest components as JLP tokens ($159.3 million), USDC ($71.4 million), cbBTC ($11.3 million), and SOL ($10.4 million) across 26 asset types.
- [1] [MED] BlockSec: Drift Protocol Incident – Multisig Governance Compromise via Durable Nonce Exploitation (research)
- [2] [HIGH] Chainalysis: Drift Protocol Hack – How Privileged Access Led to a $285M Loss (research)
- [3] [HIGH] Drift Protocol: Incident Recovery Update – April 16, 2026 (official)
- [4] [HIGH] Elliptic: Drift Protocol Exploited for $286 Million in Suspected DPRK-Linked Attack (research)
Governance Compromise via Durable Nonce
The mechanism that enabled the CVT collateral attack was a prior compromise of Drift's Security Council multisig governance. Beginning in late March 2026, the attackers created durable nonce accounts on Solana—a feature designed to allow pre-signed transactions to remain valid indefinitely until the nonce is advanced. BlockSec's technical analysis identifies that four durable nonce accounts were created: two tied to legitimate Security Council members and two controlled by the attacker. Through social engineering, attackers induced at least two of the five Security Council multisig signers to pre-sign malicious governance transactions. On March 27, 2026, Drift migrated its Security Council to a 2-of-5 signature threshold and removed the operational timelock entirely. BlockSec notes that the authorization 'occurred at the signing stage, not execution—the on-chain transactions merely materialized previously granted permissions.'
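Because authorization happens at signing time, a signer-side review can flag a transaction that both uses a durable nonce and carries a privileged instruction before any signature is given. The following is an added example, not code from BlockSec, Drift or any cited report; it assumes the governed program follows the Anchor selector convention, and the program ID placeholder, the snake-case name `update_admin` and the name `routine_action` are hypothetical.

```python
import hashlib
import struct

SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4   # SystemInstruction enum index, encoded as u32 little-endian

def anchor_discriminator(name: str) -> bytes:
    """8-byte selector under the Anchor convention: sha256("global:<name>")[:8]."""
    return hashlib.sha256(f"global:{name}".encode()).digest()[:8]

def uses_durable_nonce(instructions) -> bool:
    """A durable-nonce transaction has AdvanceNonceAccount as its first instruction."""
    if not instructions:
        return False
    first = instructions[0]
    return (first["program_id"] == SYSTEM_PROGRAM
            and len(first["data"]) >= 4
            and struct.unpack("<I", first["data"][:4])[0] == ADVANCE_NONCE_ACCOUNT)

def review(instructions, governed_program, sensitive_names):
    """Classify a transaction a multisig member has been asked to sign."""
    sensitive = {anchor_discriminator(n): n for n in sensitive_names}
    hits = [sensitive[ix["data"][:8]] for ix in instructions
            if ix["program_id"] == governed_program and ix["data"][:8] in sensitive]
    durable = uses_durable_nonce(instructions)
    if durable and hits:
        verdict = "reject"      # privileged change that stays valid once signed
    elif durable or hits:
        verdict = "escalate"    # needs a second reviewer before signing
    else:
        verdict = "ok"
    return {"durable_nonce": durable, "privileged": hits, "verdict": verdict}

# Constructed samples; the program ID is a placeholder, not a real address.
GOVERNED = "GOVERNED_PROGRAM_ID_PLACEHOLDER"
NONCE_IX = {"program_id": SYSTEM_PROGRAM, "data": struct.pack("<I", ADVANCE_NONCE_ACCOUNT)}
TAKEOVER = [NONCE_IX,
            {"program_id": GOVERNED, "data": anchor_discriminator("update_admin") + bytes(32)}]
ROUTINE = [{"program_id": GOVERNED, "data": anchor_discriminator("routine_action") + bytes(8)}]
NONCE_ONLY = [NONCE_IX, ROUTINE[0]]

if __name__ == "__main__":
    for tx in (TAKEOVER, ROUTINE, NONCE_ONLY):
        print(review(tx, GOVERNED, ["update_admin"]))
```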
DPRK Attribution (UNC4736 / AppleJeus / Citrine Sleet)
TRM Labs and Elliptic have attributed the Drift Protocol exploit to UNC4736, a North Korean state-affiliated threat actor also tracked under the names AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces. The Hacker News reports attribution at 'medium confidence.' Supporting indicators include: (1) the Tornado Cash withdrawal on March 11, 2026 at timestamps consistent with Pyongyang working hours; (2) post-hack cross-chain bridging speed and scale matching documented DPRK techniques; (3) on-chain fund flows tracing back to addresses previously associated with the October 2024 Radiant Capital hack, which Mandiant had attributed to UNC4736. The Nexus Mutual incident report notes that the individuals who appeared in person at conferences 'were not DPRK nationals' but third-party intermediaries operating under constructed identities. Elliptic noted this represented 'the eighteenth DPRK-linked act tracked in 2026, with over $300 million stolen so far' at time of publication.
- [1] [HIGH] TRM Labs: North Korean Hackers Attack Drift Protocol In USD 285 Million Heist (research)
- [2] [HIGH] Elliptic: Drift Protocol Exploited for $286 Million in Suspected DPRK-Linked Attack (research)
- [3] [MED] The Hacker News: $285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation (news article)
- [4] [MED] Nexus Mutual: Drift Protocol Incident Report (research)
Six-Month Social Engineering Operation
The CVT token was the technical instrument of the final exploit phase, preceded by a six-month human intelligence operation. Beginning in fall 2025, individuals presenting themselves as representatives of a quantitative trading firm began attending major cryptocurrency conferences across multiple countries. Between December 2025 and January 2026, the group established an Ecosystem Vault on Drift and deposited more than $1 million of real capital to build operational credibility. The Drift post-mortem notes that they 'filled out intake forms, asked detailed product questions, and built a functioning operational presence inside the Drift ecosystem.' The social engineering campaign allegedly resulted in the compromise of at least two Security Council members' devices. Alleged attack vectors included a malicious code repository with a weaponized VS Code tasks.json file and a fraudulent wallet product distributed via Apple TestFlight.
Post-Exploit Fund Laundering
Following the 12-minute drainage on April 1, 2026, stolen assets began moving within approximately 23 minutes of the admin takeover. The largest component—approximately $232 million in USDC—was bridged from Solana to Ethereum via Circle's Cross-Chain Transfer Protocol (CCTP) across more than 100 transactions. Remaining assets were rapidly swapped through Solana DEX aggregators into liquid tokens before bridging. On Ethereum, consolidated funds were converted into ETH and began passing through Tornado Cash and other mixing infrastructure consistent with documented DPRK laundering tradecraft. The Drift recovery update of April 16, 2026 confirmed total verified losses of $295.7 million—higher than initial estimates due to additional asset categories identified during forensic reconciliation.
- [1] [HIGH] Elliptic: Drift Protocol Exploited for $286 Million in Suspected DPRK-Linked Attack (research)
- [2] [MED] Nexus Mutual: Drift Protocol Incident Report (research)
- [3] [HIGH] Drift Protocol: Incident Recovery Update – April 16, 2026 (official)
- [4] [HIGH] TRM Labs: North Korean Hackers Attack Drift Protocol In USD 285 Million Heist (research)
Recovery Framework and Victim Compensation
As of May 2026, Drift Protocol has published a recovery plan centered on issuing a dedicated recovery token pegged to verified user losses, with each token representing $1 of verified loss. The framework is funded through: Tether's proposed contribution of up to $127.5 million; an additional $20 million from other partners; and a $100 million revenue-linked credit facility. The recovery pool was initially seeded at approximately $3.8 million. CoinDesk reports total verified losses at $295.4 million as of the May 2026 recovery plan announcement. Nexus Mutual confirmed that Drift Protocol was not listed on its coverage platform and that no claims resulted from the incident. Drift's relaunch is conditioned on independent audits by Ottersec and Asymmetric, migration of the settlement layer from USDC to USDT, and implementation of a new community-governed multisig with enforced timelocks.
- [1] [HIGH] Drift Protocol: Incident Recovery Update – April 16, 2026 (official)
- [2] [HIGH] CoinDesk: Drift Outlines a Recovery Plan for Users After $295 Million DPRK-Linked Exploit (news article)
- [3] [MED] Nexus Mutual: Drift Protocol Incident Report (research)
Timeline
2025-09-01
Approximate start of social engineering campaign. Individuals posing as representatives of a quantitative trading firm begin approaching Drift contributors at cryptocurrency conferences across multiple countries.
Source: The Hacker News
2025-12-01
Attackers establish an Ecosystem Vault on Drift and deposit over $1 million in real capital to build operational credibility, while conducting detailed product discussions with Drift contributors via Telegram.
Source: Nexus Mutual Incident Report
2026-03-11
On-chain staging begins. Attackers withdraw 10 ETH from Tornado Cash on Ethereum to fund token deployment infrastructure. Timing consistent with Pyongyang business hours.
Source: TRM Labs
2026-03-12
CarbonVote Token (CVT) deployed on Solana with 750 million total supply, approximately 80% attacker-controlled. A Raydium liquidity pool seeded with approximately $500 is established. Wash trading between attacker wallets begins to fabricate a $1.00 price history.
Source: Chainalysis
2026-03-23
Durable nonce exploitation phase begins. Attackers create durable nonce accounts and induce Security Council multisig signers to pre-sign malicious governance transactions through phishing or misleading signing requests.
Source: BlockSec
2026-03-27
Drift Protocol migrates its Security Council to a 2-of-5 multisig threshold and removes the operational timelock, eliminating the time-delay mechanism that could have detected malicious pre-signed transactions.
Source: Chainalysis
2026-04-01
At approximately 16:05 UTC, two pre-signed transactions execute within four blockchain slots, transferring Drift administrative control to attacker address H7PiGqqUaanBovwKgEtreJbKmQe6dbq6VTrw6guy7ZgL. Attackers whitelist CVT as collateral, disable withdrawal limits, deposit 500 million CVT, and execute 31 withdrawal transactions over approximately 12 minutes, draining approximately $285 million in real assets.
Source: BlockSec / Chainalysis
2026-04-01
Within 23 minutes of admin takeover, stolen assets begin bridging from Solana to Ethereum. Approximately $232 million in USDC is transferred via Circle's CCTP across more than 100 transactions.
Source: Elliptic
2026-04-02
Drift Protocol suspends services and begins publishing incident communications. BlockSec, Chainalysis, Elliptic, TRM Labs, and Hypernative publish initial forensic analyses.
Source: The Record from Recorded Future News
2026-04-05
Drift Protocol publishes its post-mortem attributing the exploit to a six-month North Korean state-sponsored intelligence operation, identifying UNC4736 (AppleJeus / Citrine Sleet) as the alleged threat actor.
Source: CoinDesk
2026-04-16
Drift Protocol publishes the Incident Recovery Update, confirming total verified losses of $295.7 million across 26 asset types and announcing initial recovery framework structure including Tether's proposed $127.5 million contribution.
Source: Drift Protocol Official
2026-05-05
Drift outlines full user recovery plan, with verified total losses cited at $295.4 million. Recovery token issuance structure, $100 million revenue-linked credit facility, and relaunch security requirements disclosed.
Source: CoinDesk
model: claude-code-investigator
generated: 5/10/2026, 6:08:39 AM
last updated: 5/10/2026, 6:08:39 AM
avoid.net — verified advice for a post-truth world