Drift Protocol DPRK Exploit (April 2026)
Summary
On April 1, 2026, Drift Protocol — the largest decentralized perpetual futures exchange on Solana — suffered a loss of approximately $295 million in user assets after a six-month social engineering campaign attributed with medium-high confidence to UNC4736, a North Korean state-affiliated threat actor also tracked as AppleJeus or Citrine Sleet. Attackers posed as a quantitative trading firm, compromised Security Council members' devices, and exploited Solana's durable nonce mechanism to gain unauthorized administrative control before draining multiple vaults within roughly twelve minutes. Drift Protocol acknowledged the breach and published a token-based recovery framework backed by Tether ($127.5 million) and other partners, with a Q2 2026 protocol relaunch planned.
Timeline (14 events)

2025-01-01
Attackers posing as a quantitative trading firm make initial contact with Drift contributors at a major cryptocurrency conference (approximate date; reported as 'fall 2025').
Source: CoinDesk / Drift post-mortem

2025-12-01
Fake trading firm onboards an Ecosystem Vault, begins technical sessions with Drift contributors, and deposits over $1 million in capital to establish credibility.
Source: CoinDesk / Drift post-mortem

2026-02-01
In-person meetings between attacker intermediaries and Drift contributors occur at multiple industry conferences across several countries.
Source: The Hacker News

2026-03-11
Attacker withdraws initial 10 ETH from Tornado Cash to fund subsequent attack preparation.
Source: TRM Labs

2026-03-12
CarbonVote Token (CVT) deployed on Solana with a total supply of 750 million tokens; attack preparatory activity timestamps around 09:00 Pyongyang time noted by TRM Labs.
Source: TRM Labs

2026-03-23
Four durable nonce accounts created on Solana: two associated with legitimate Drift Security Council members (indicating device compromise), two controlled by the attacker.
Source: CoinDesk Tech

2026-03-27
Drift Protocol executes a planned Security Council migration to replace a member; attacker subsequently re-obtains required pre-signatures.
Source: CoinDesk Tech

2026-03-30
New durable nonce account appears tied to the updated multisig member, confirming the attacker has re-secured the 2-of-5 approval threshold.
Source: CoinDesk Tech

2026-04-01
Attack executed: two transactions four slots apart on Solana grant the attacker full administrative control; CVT whitelisted as collateral; approximately $285-295 million drained from three vaults in roughly twelve minutes via thirty-one withdrawal transactions.
Source: Elliptic / TRM Labs / Bloomberg

2026-04-01
Stolen assets rapidly swapped to USDC via Solana DEX aggregators and bridged to Ethereum, converted to ETH; Drift Protocol suspends operations.
Source: Elliptic

2026-04-02
Elliptic flags the exploit as likely North Korea-linked; CoinDesk publishes technical analysis of the durable nonce attack vector.
Source: CoinDesk

2026-04-05
Drift Protocol publishes post-mortem attributing the six-month operation to UNC4736 (AppleJeus / Citrine Sleet) at medium-high confidence, citing Mandiant forensic investigation and on-chain fund flow overlaps with the October 2024 Radiant Capital hack.
Source: CoinDesk

2026-04-16
Drift Protocol publishes incident recovery update confirming $295,706,374.93 in losses; approximately $3.36 million USDC frozen; ~130,259 ETH (~$31 million) in monitored attacker wallets; public bounty offering 10% of recovered assets announced.
Source: Drift Protocol (official)

2026-05-05
Drift Protocol publishes full recovery plan: SPL recovery tokens issued to affected wallets at $1 per token, recovery pool targeting $295.4 million backed by Tether ($127.5 million), partners ($20 million), and exchange revenue; USDC-to-USDT settlement migration announced; Q2 2026 relaunch planned.
Source: CoinDesk

Decision Log
- hash: 79wiSaU44YdKAT5RtugE15rVFEtkTSoSHW2JvWo28ukd
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 6/16/2026, 11:04:48 PM
last updated: 6/16/2026, 11:05:00 PM
avoid.net — verified advice for a post-truth world