#DriftProtocolHacked


A sophisticated attack involving fake collateral, pre-signed transactions, and North Korean Lazarus Group tactics wiped out over half of Drift’s TVL on April 1, 2026.

The Attack in a Nutshell

On April 1, 2026, Solana’s largest perpetual futures DEX, Drift Protocol, suffered a catastrophic exploit resulting in the loss of $286 million across multiple asset vaults.

What makes this attack particularly alarming is that it did not involve a smart contract vulnerability or compromised seed phrases. Instead, attackers executed a meticulously planned operation combining:

· Social engineering of multisig signers
· Durable nonce pre-signed transactions
· Fake collateral creation worth $0 manipulated to appear as $100M+
· Removal of timelock protections

TVL collapsed from approximately $550 million to under $250 million within an hour. The DRIFT token dropped 45%, bottoming near $0.04.

---

Timeline: A 3-Week Operation

Phase 1: Infrastructure Setup (March 11-23)

The operation began on March 11 when the attacker withdrew ETH from Tornado Cash, the privacy protocol. On March 12, they deployed the CarbonVote Token (CVT) — notably at approximately 09:00 Pyongyang time, a red flag that would later tie the attack to North Korea.

Over the following weeks, the attacker:

· Minted 750 million CVT tokens (worth essentially $0)
· Seeded minimal liquidity (~$500) on Raydium DEX
· Used wash trading to artificially maintain CVT price near $1.00
· Created 4 durable nonce accounts — 2 tied to Drift Security Council signers, 2 under attacker control

Phase 2: Pre-Signing & Multisig Compromise (March 23-30)

Using Solana’s durable nonce feature (which allows transactions to be pre-signed and executed later without expiration), the attacker induced Drift’s Security Council members to pre-sign what appeared to be routine transactions — but that in fact functioned as malicious authorization keys held in reserve.
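A pre-sign review check for the durable-nonce behaviour described above, as an added example that is not part of the original post or Drift's tooling. It relies on two properties of Solana: a durable-nonce transaction starts with the System Program's AdvanceNonceAccount instruction, and only the nonce authority can advance the nonce to invalidate a signature already given. The message dict layout, the function names and the account names are hypothetical.

```python
import struct

SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE = 4  # SystemInstruction::AdvanceNonceAccount, a little-endian u32 tag

def durable_nonce_info(msg):
    """Return nonce details if msg is a durable-nonce transaction, else None."""
    if not msg["instructions"]:
        return None
    first, keys = msg["instructions"][0], msg["account_keys"]
    if keys[first["program_id_index"]] != SYSTEM_PROGRAM:
        return None
    data = first["data"]
    if len(data) < 4 or struct.unpack("<I", data[:4])[0] != ADVANCE_NONCE:
        return None
    if len(first["accounts"]) < 3:
        return None
    # Account order: nonce account, RecentBlockhashes sysvar, nonce authority.
    return {"nonce_account": keys[first["accounts"][0]],
            "nonce_authority": keys[first["accounts"][2]],
            "nonce_value": msg["recent_blockhash"]}  # field carries the stored nonce

def review_before_signing(msg, our_keys):
    """Findings a signer should resolve before approving the request."""
    info = durable_nonce_info(msg)
    if info is None:
        return []
    findings = ["durable nonce: signature stays valid until the nonce is advanced"]
    if info["nonce_authority"] not in our_keys:
        findings.append("external nonce authority: we cannot cancel by advancing the nonce")
    return findings

def _msg(first_tag, authority_index):
    # Constructed sample message; account names are placeholders, not real addresses.
    keys = ["SIGNER_A", "NONCE_ACCT", "SYSVAR_RECENT_BLOCKHASHES", "OUTSIDE_KEY",
            SYSTEM_PROGRAM, "ADMIN_PROGRAM"]
    return {"account_keys": keys, "recent_blockhash": "NONCE_OR_BLOCKHASH",
            "instructions": [
                {"program_id_index": 4, "accounts": [1, 2, authority_index],
                 "data": struct.pack("<I", first_tag)},
                {"program_id_index": 5, "accounts": [0], "data": b"\x01"}]}

PRESIGN_REQUEST = _msg(ADVANCE_NONCE, 3)    # nonce authority is an outside key
OWN_NONCE_REQUEST = _msg(ADVANCE_NONCE, 0)  # nonce authority is our own signer
ORDINARY_REQUEST = _msg(2, 0)               # tag 2 is a plain System transfer

if __name__ == "__main__":
    for name, m in [("presign", PRESIGN_REQUEST), ("ordinary", ORDINARY_REQUEST)]:
        print(name, review_before_signing(m, our_keys={"SIGNER_A"}))
```
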

On March 27, Drift performed a scheduled multisig migration, moving to a 2-of-5 signature threshold and — critically — removing the timelock entirely. A timelock typically forces 24-72 hour delays on admin actions, giving communities time to respond. Without it, the attacker had zero-delay execution authority.

By March 30, the attacker had re-established access to 2 of 5 signers in the new multisig structure.

Phase 3: Execution — 12 Minutes to $286M (April 1)

| Time (UTC) | Action |
| --- | --- |
| 16:05:39 | Attacker activates pre-signed transactions, lists CVT as valid collateral, raises withdrawal limits to ~500 trillion (effectively infinite) |
| 16:05:41 | Deposits 500M CVT tokens — manipulated oracle values this at $100M+ |
| 16:05:43-16:17 | 31 withdrawal transactions drain real assets: JLP, USDC, SOL, cbBTC, wETH, and more |

The entire weaponization took less time than ordering coffee.

The attack bundled three critical actions into a single transaction:

1. Initialize CVT spot market with attacker-controlled Switchboard oracle
2. Set CVT collateral weight to maximum — worthless tokens treated as prime collateral
3. Disable withdrawal guards — removing all limits on asset outflows
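A liquidity-bounded collateral check that a listing review could apply to a token like CVT, as an added example that is not Drift's code. It compares the value the protocol would credit for a deposit with what the same tokens would fetch if sold into the token's pool, and derives the largest deposit for which the two still agree. Assumptions: a constant-product (x*y=k) pool with fees ignored, the ~$500 of liquidity split as 250 CVT against 250 USDC, and "maximum" weight taken as 1.0; all function names are hypothetical.

```python
def exit_value(amount, pool_token, pool_quote):
    """Quote tokens received for selling `amount` into an x*y=k pool (fees ignored)."""
    return pool_quote * amount / (pool_token + amount)

def max_safe_deposit(oracle_price, weight, pool_token, pool_quote):
    """Largest deposit whose credited value does not exceed its exit value.

    credited = d * price * weight, exit = Q * d / (X + d)
    credited <= exit  <=>  d <= Q / (price * weight) - X
    """
    return max(0.0, pool_quote / (oracle_price * weight) - pool_token)

def review_collateral(deposit, oracle_price, weight, pool_token, pool_quote):
    """Compare credited collateral value with what the market could actually pay."""
    credited = deposit * oracle_price * weight
    realizable = exit_value(deposit, pool_token, pool_quote)
    cap = max_safe_deposit(oracle_price, weight, pool_token, pool_quote)
    return {"credited": credited, "realizable": realizable,
            "deposit_cap": cap, "accept": deposit <= cap}

# Constructed inputs. From the page: 500M CVT deposited, price held near $1.00,
# about $500 of pool liquidity. Assumed: pool split 250 CVT / 250 USDC, weight 1.0.
CVT = review_collateral(500_000_000, 1.00, 1.0, 250.0, 250.0)

if __name__ == "__main__":
    print(CVT)
    # A weight below 1.0 is what leaves room for slippage on small deposits.
    print(max_safe_deposit(1.00, 0.8, 250.0, 250.0))
```

With these inputs the credited value is hundreds of millions of dollars while the pool could pay out less than $250, so the deposit is rejected regardless of what the oracle reports.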

What Was Stolen

The attacker drained multiple vaults across the protocol:

| Asset | Amount Stolen (approx.) |
| --- | --- |
| JLP Tokens | $155.6 million |
| USDC | $60.4 million |
| cbBTC | $11.3 million |
| USDS | $5.3 million |
| FARTCOIN | $4.1 million |
| WBTC | $4.4 million |
| WETH | $4.7 million |
| JitoSOL | $3.6 million |
| SYRUPUSDC | $3.3 million |
| INF | $2.5 million |
| MSOL | $2.0 million |

Source: On-chain data via @officer_secret

The JLP vault was completely drained.

Who Is Behind the Attack?

Security firms Elliptic and TRM Labs have attributed the attack to DPRK (North Korea)-linked threat actors, specifically the Lazarus Group.

Attribution evidence includes:

· Tornado Cash origin for initial staging
· CVT deployment timestamp matching Pyongyang business hours (09:00)
· Sophisticated social engineering tactics — identical to the 2022 Ronin bridge hack
· Post-hack laundering speed and cross-chain patterns
· Use of Durable Nonces — consistent with DPRK tradecraft

"This was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution."
— Drift Protocol Official Statement

If confirmed, this marks the 18th DPRK-linked crypto heist of 2026, with over $300 million stolen this year alone. North Korean actors are estimated to have stolen over $6.5 billion in crypto