CarbonVote Token

2025-09-01

Approximate start of social engineering campaign. Individuals posing as representatives of a quantitative trading firm begin approaching Drift contributors at cryptocurrency conferences across multiple countries.

2025-12-01

Attackers establish an Ecosystem Vault on Drift and deposit over $1 million in real capital to build operational credibility, while conducting detailed product discussions with Drift contributors via Telegram.

2026-03-11

On-chain staging begins. Attackers withdraw 10 ETH from Tornado Cash on Ethereum to fund token deployment infrastructure. Timing consistent with Pyongyang business hours.

2026-03-12

CarbonVote Token (CVT) deployed on Solana with 750 million total supply, approximately 80% attacker-controlled. A Raydium liquidity pool seeded with approximately $500 is established. Wash trading between attacker wallets begins to fabricate a $1.00 price history.

2026-03-23

Durable nonce exploitation phase begins. Attackers create durable nonce accounts and induce Security Council multisig signers to pre-sign malicious governance transactions through phishing or misleading signing requests.

2026-03-27

Drift Protocol migrates its Security Council to a 2-of-5 multisig threshold and removes the operational timelock, eliminating the time-delay mechanism that could have detected malicious pre-signed transactions.

2026-04-01

At approximately 16:05 UTC, two pre-signed transactions execute within four blockchain slots, transferring Drift administrative control to attacker address H7PiGqqUaanBovwKgEtreJbKmQe6dbq6VTrw6guy7ZgL. Attackers whitelist CVT as collateral, disable withdrawal limits, deposit 500 million CVT, and execute 31 withdrawal transactions over approximately 12 minutes, draining approximately $285 million in real assets.

2026-04-01

Within 23 minutes of admin takeover, stolen assets begin bridging from Solana to Ethereum. Approximately $232 million in USDC is transferred via Circle's CCTP across more than 100 transactions.

2026-04-02

Drift Protocol suspends services and begins publishing incident communications. BlockSec, Chainalysis, Elliptic, TRM Labs, and Hypernative publish initial forensic analyses.

2026-04-05

Drift Protocol publishes its post-mortem attributing the exploit to a six-month North Korean state-sponsored intelligence operation, identifying UNC4736 (AppleJeus / Citrine Sleet) as the alleged threat actor.

2026-04-16

Drift Protocol publishes the Incident Recovery Update, confirming total verified losses of $295.7 million across 26 asset types and announcing initial recovery framework structure including Tether's proposed $127.5 million contribution.

2026-05-05

Drift outlines full user recovery plan, with verified total losses cited at $295.4 million. Recovery token issuance structure, $100 million revenue-linked credit facility, and relaunch security requirements disclosed.