CarbonVote Token
3 decisions on this page

Audit log

Every state-changing event for CarbonVote Token: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1 review by reviewer
    2026-05-13 02:43:20Z
    Score: 0 → 0 (no score change)
    The CarbonVote Token investigation page is well-sourced and largely accurate on all major factual claims. The core narrative — CVT deployment on March 12, 750M supply, Raydium wash trading, durable nonce governance compromise, April 1 exploit execution, DPRK attribution, and recovery framework — is confirmed across multiple tier-1 and tier-2 sources. The most significant factual error is the claim of '26 asset types' stolen; the Drift official source shows 19, and Chainalysis reports 'at least 18.' Minor issues include an overstated confidence level for attribution (page says 'medium confidence' citing The Hacker News, but Drift's own post-mortem uses 'medium-high confidence'), slight paraphrase-as-direct-quote issues with BlockSec and Hypernative, and one unverified quote attributed to Drift's post-mortem that does not appear in the cited source.
    anchor: anchored
    chain: mainnet-beta, slot 419,382,390
    sig: 5oL3pJ7UQErq…J5V7dWDv
    hash: 4VAxL4vjJGJo…TExEgZP4 (sha256 → base58)
    canonical bytes (1209 B):
    {"actor":"reviewer","decided_at":"2026-05-13T02:43:20.043Z","decision":"review","investigation_id":"cf85373b-cb36-442c-afb1-d11ef6759762","new_score":0,"page_slug":"carbonvote-token","prev_score":0,"reason":"The CarbonVote Token investigation page is well-sourced and largely accurate on all major factual claims. The core narrative — CVT deployment on March 12, 750M supply, Raydium wash trading, durable nonce governance compromise, April 1 exploit execution, DPRK attribution, and recovery framework — is confirmed across multiple tier-1 and tier-2 sources. The most significant factual error is the claim of '26 asset types' stolen; the Drift official source shows 19, and Chainalysis reports 'at least 18.' Minor issues include an overstated confidence level for attribution (page says 'medium confidence' citing The Hacker News, but Drift's own post-mortem uses 'medium-high confidence'), slight paraphrase-as-direct-quote issues with BlockSec and Hypernative, and one unverified quote attributed to Drift's post-mortem that does not appear in the cited source.","score_delta":0,"sequence_num":1,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 55db330f-9bae-4e0c-840a-66ec858b8a12
  2. #2 review revise by judge
    2026-05-13 02:43:20Z
    Score: 0 → 0 (-5)
    The page's core narrative is well-sourced and largely accurate: CVT deployment, 750M supply, Raydium wash trading, durable nonce governance compromise, DPRK attribution, and recovery framework are all confirmed across multiple Tier-1 sources. The disputed_pct is 5.9%, below the approval threshold, but two issues warrant revision before the page is cleared. First, claim_findings[18] identifies a material factual error in a critical section: the page states '26 asset types' drained in the exploit, while the cited Drift official recovery update (Tier 1) shows 19 asset types, and Chainalysis independently reports 'at least 18.' Second, claim_findings[22] understates attribution confidence — the page cites 'medium confidence' attributing it to The Hacker News, but Drift's own post-mortem and SEAL 911 use 'medium-high confidence.' An additional high-priority coverage gap exists: the Circle USDC freeze controversy surrounding the $232M CCTP transfer is absent from the page and is directly relevant to the laundering section.
    anchor: anchored
    chain: mainnet-beta, slot 419,382,393
    sig: 5WwwUqxZszZz…LoPgh3L5
    hash: Cbam6bTXLwrE…8WGBBfdH (sha256 → base58)
    canonical bytes (1387 B):
    {"actor":"judge","decided_at":"2026-05-13T02:43:20.043Z","decision":"review_revise","investigation_id":"cf85373b-cb36-442c-afb1-d11ef6759762","new_score":0,"page_slug":"carbonvote-token","prev_score":0,"reason":"The page's core narrative is well-sourced and largely accurate: CVT deployment, 750M supply, Raydium wash trading, durable nonce governance compromise, DPRK attribution, and recovery framework are all confirmed across multiple Tier-1 sources. The disputed_pct is 5.9%, below the approval threshold, but two issues warrant revision before the page is cleared. First, claim_findings[18] identifies a material factual error in a critical section: the page states '26 asset types' drained in the exploit, while the cited Drift official recovery update (Tier 1) shows 19 asset types, and Chainalysis independently reports 'at least 18.' Second, claim_findings[22] understates attribution confidence — the page cites 'medium confidence' attributing it to The Hacker News, but Drift's own post-mortem and SEAL 911 use 'medium-high confidence.' An additional high-priority coverage gap exists: the Circle USDC freeze controversy surrounding the $232M CCTP transfer is absent from the page and is directly relevant to the laundering section.","score_delta":-5,"sequence_num":2,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 7400c7ae-aeb6-474e-9908-9ba7cf5547f6
  3. #3 publish by system:backfill
    2026-05-14 06:01:51Z
    Score: ? → ? (no score change)
    anchor: anchored
    chain: mainnet-beta, slot 419,628,692
    sig: 5Zaqhsnr5CTH…B8og9aUL
    hash: 22ynHwV2XWaa…ywCL6gvc (sha256 → base58)
    canonical bytes (24259 B):
    {"actor":"system:backfill","investigation_id":"cf85373b-cb36-442c-afb1-d11ef6759762","kind":"publish","page_slug":"carbonvote-token","published_at":"2026-05-14T06:01:51.099Z","sequence_num":3,"snapshot":{"content_type":"investigation","entity_name":"CarbonVote Token","sections":[{"content":"CarbonVote Token (CVT) was deployed on the Solana blockchain on March 12, 2026, approximately one day after attackers withdrew 10 ETH from Tornado Cash on March 11 to fund the operation. Multiple sources report the total minted supply at 750 million tokens. At the time of the exploit, the attacker controlled approximately 80% of the total supply—roughly 600 million tokens—according to Hypernative's post-exploit analysis. This concentration of supply in attacker-controlled wallets was a deliberate design choice enabling complete price manipulation without meaningful market resistance. The token had no whitepaper, no disclosed development team, no roadmap, and no utility independent of its role in the exploit.","heading":"Token Creation and Supply Structure","severity":"critical","sources":[{"credibility":1,"name":"Chainalysis: Drift Protocol Hack – How Privileged Access Led to a $285M Loss","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"},{"credibility":1,"name":"TRM Labs: North Korean Hackers Attack Drift Protocol In USD 285 Million Heist","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":2,"name":"Hypernative: The Drift Exploit – When Privileged Access Has No Limits","type":"research","url":"https://www.hypernative.io/blog/the-drift-exploit-when-privileged-access-has-no-limits"},{"credibility":2,"name":"CryptoTimes: $285M Gone in 12 Minutes","type":"news_article","url":"https://www.cryptotimes.io/2026/04/03/285m-gone-in-12-minutes-how-a-fake-token-and-stolen-keys-gutted-drift-protocol/"}]},{"content":"Following deployment, the attackers 
established a liquidity pool on the Raydium decentralized exchange seeded with approximately $500 in real assets—a deliberately minimal amount designed to avoid detection while creating the appearance of a functioning market. Over the subsequent weeks, the attackers executed sustained wash trading: repeatedly buying and selling CVT between their own wallets to generate an artificial price history near $1.00 per token. The Nexus Mutual incident report describes this process as fabricating 'a price history that Drift's oracles would accept.' The entire wash-trading operation spanned approximately three weeks before the April 1 execution date.","heading":"Raydium Seeding and Wash Trading","severity":"critical","sources":[{"credibility":2,"name":"Nexus Mutual: Drift Protocol Incident Report","type":"research","url":"https://nexusmutual.io/blog/drift-protocol-incident-report"},{"credibility":1,"name":"Chainalysis: Drift Protocol Hack – How Privileged Access Led to a $285M Loss","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"},{"credibility":2,"name":"CryptoTimes: $285M Gone in 12 Minutes","type":"news_article","url":"https://www.cryptotimes.io/2026/04/03/285m-gone-in-12-minutes-how-a-fake-token-and-stolen-keys-gutted-drift-protocol/"}]},{"content":"The artificial price history generated by weeks of wash trading was harvested by an on-chain oracle—reported across multiple sources as a Switchboard (SwitchboardOnDemand) price feed—which accepted the manufactured trading signals as legitimate market data and reported a CVT price of approximately $1.00. The Hypernative analysis notes that Drift's oracle system 'does not evaluate whether an asset has real economic backing—it evaluates the inputs it is given: price feeds, liquidity signals, collateral parameters.' 
After seizing admin control of Drift on April 1, the attackers used the protocol's initializeSpotMarket function to whitelist CVT as an accepted collateral asset and specify the attacker-controlled Switchboard feed as its price source, bypassing standard validation layers. The Nexus Mutual incident report characterizes the oracle manipulation as 'a downstream effect of the key compromise, not an independent failure of Drift's oracle system.'","heading":"Oracle Manipulation via Switchboard","severity":"critical","sources":[{"credibility":2,"name":"Hypernative: The Drift Exploit – When Privileged Access Has No Limits","type":"research","url":"https://www.hypernative.io/blog/the-drift-exploit-when-privileged-access-has-no-limits"},{"credibility":2,"name":"Nexus Mutual: Drift Protocol Incident Report","type":"research","url":"https://nexusmutual.io/blog/drift-protocol-incident-report"},{"credibility":2,"name":"CryptoTimes: $285M Gone in 12 Minutes","type":"news_article","url":"https://www.cryptotimes.io/2026/04/03/285m-gone-in-12-minutes-how-a-fake-token-and-stolen-keys-gutted-drift-protocol/"}]},{"content":"On April 1, 2026 at approximately 16:05 UTC, attackers submitted two pre-signed Solana transactions within four blockchain slots. The second transaction advanced the durable nonce account and executed an UpdateAdmin instruction transferring Drift's administrative control to an attacker-controlled address reported as H7PiGqqUaanBovwKgEtreJbKmQe6dbq6VTrw6guy7ZgL. With admin control secured, the attackers: (1) created a CVT collateral market with permissive risk parameters and effectively unlimited borrowing limits; (2) pointed the CVT oracle to the attacker-controlled Switchboard feed; (3) disabled circuit breakers and raised withdrawal limits across major asset pools. 
The attackers then deposited 500 million CVT tokens, which the oracle priced at approximately $1 based on the fabricated trading history, treating the deposit as roughly $500 million in legitimate collateral. Thirty-one withdrawal transactions over approximately 12 minutes drained $285–295 million in real assets. The Drift official recovery update of April 16, 2026 itemizes the largest components as JLP tokens ($159.3 million), USDC ($71.4 million), cbBTC ($11.3 million), and SOL ($10.4 million) across 26 asset types.","heading":"Use as Fraudulent Collateral and Exploit Execution","severity":"critical","sources":[{"credibility":2,"name":"BlockSec: Drift Protocol Incident – Multisig Governance Compromise via Durable Nonce Exploitation","type":"research","url":"https://blocksec.com/blog/drift-protocol-incident-multisig-governance-compromise-via-durable-nonce-exploitation"},{"credibility":1,"name":"Chainalysis: Drift Protocol Hack – How Privileged Access Led to a $285M Loss","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"},{"credibility":1,"name":"Drift Protocol: Incident Recovery Update – April 16, 2026","type":"official","url":"https://www.drift.trade/updates/incident-recovery-update-april-16-2026-now"},{"credibility":1,"name":"Elliptic: Drift Protocol Exploited for $286 Million in Suspected DPRK-Linked Attack","type":"research","url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"}]},{"content":"The mechanism that enabled the CVT collateral attack was a prior compromise of Drift's Security Council multisig governance. Beginning in late March 2026, the attackers created durable nonce accounts on Solana—a feature designed to allow pre-signed transactions to remain valid indefinitely until the nonce is advanced. 
BlockSec's technical analysis identifies that four durable nonce accounts were created: two tied to legitimate Security Council members and two controlled by the attacker. Through social engineering, attackers induced at least two of the five Security Council multisig signers to pre-sign malicious governance transactions. On March 27, 2026, Drift migrated its Security Council to a 2-of-5 signature threshold and removed the operational timelock entirely. BlockSec notes that the authorization 'occurred at the signing stage, not execution—the on-chain transactions merely materialized previously granted permissions.'","heading":"Governance Compromise via Durable Nonce","severity":"critical","sources":[{"credibility":2,"name":"BlockSec: Drift Protocol Incident – Multisig Governance Compromise via Durable Nonce Exploitation","type":"research","url":"https://blocksec.com/blog/drift-protocol-incident-multisig-governance-compromise-via-durable-nonce-exploitation"},{"credibility":2,"name":"Nexus Mutual: Drift Protocol Incident Report","type":"research","url":"https://nexusmutual.io/blog/drift-protocol-incident-report"},{"credibility":1,"name":"Chainalysis: Drift Protocol Hack – How Privileged Access Led to a $285M Loss","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"}]},{"content":"TRM Labs and Elliptic have attributed the Drift Protocol exploit to UNC4736, a North Korean state-affiliated threat actor also tracked under the names AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces. The Hacker News reports attribution at 'medium confidence.' Supporting indicators include: (1) the Tornado Cash withdrawal on March 11, 2026 at timestamps consistent with Pyongyang working hours; (2) post-hack cross-chain bridging speed and scale matching documented DPRK techniques; (3) on-chain fund flows tracing back to addresses previously associated with the October 2024 Radiant Capital hack, which Mandiant had attributed to UNC4736. 
The Nexus Mutual incident report notes that the individuals who appeared in person at conferences 'were not DPRK nationals' but third-party intermediaries operating under constructed identities. Elliptic noted this represented 'the eighteenth DPRK-linked act tracked in 2026, with over $300 million stolen so far' at time of publication.","heading":"DPRK Attribution (UNC4736 / AppleJeus / Citrine Sleet)","severity":"critical","sources":[{"credibility":1,"name":"TRM Labs: North Korean Hackers Attack Drift Protocol In USD 285 Million Heist","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":1,"name":"Elliptic: Drift Protocol Exploited for $286 Million in Suspected DPRK-Linked Attack","type":"research","url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"},{"credibility":2,"name":"The Hacker News: $285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":2,"name":"Nexus Mutual: Drift Protocol Incident Report","type":"research","url":"https://nexusmutual.io/blog/drift-protocol-incident-report"}]},{"content":"The CVT token was the technical instrument of the final exploit phase, preceded by a six-month human intelligence operation. Beginning in fall 2025, individuals presenting themselves as representatives of a quantitative trading firm began attending major cryptocurrency conferences across multiple countries. Between December 2025 and January 2026, the group established an Ecosystem Vault on Drift and deposited more than $1 million of real capital to build operational credibility. The Drift post-mortem notes that they 'filled out intake forms, asked detailed product questions, and built a functioning operational presence inside the Drift ecosystem.' 
The social engineering campaign allegedly resulted in the compromise of at least two Security Council members' devices. Alleged attack vectors included a malicious code repository with a weaponized VS Code tasks.json file and a fraudulent wallet product distributed via Apple TestFlight.","heading":"Six-Month Social Engineering Operation","severity":"high","sources":[{"credibility":2,"name":"The Hacker News: $285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":2,"name":"Nexus Mutual: Drift Protocol Incident Report","type":"research","url":"https://nexusmutual.io/blog/drift-protocol-incident-report"},{"credibility":2,"name":"Crowell & Moring LLP: Drift Protocol Exploit – Why Social Trust Is the Newest Cybersecurity Gap","type":"research","url":"https://www.crowell.com/en/insights/client-alerts/drift-protocol-exploit-why-social-trust-is-the-newest-cybersecurity-gap"}]},{"content":"Following the 12-minute drainage on April 1, 2026, stolen assets began moving within approximately 23 minutes of the admin takeover. The largest component—approximately $232 million in USDC—was bridged from Solana to Ethereum via Circle's Cross-Chain Transfer Protocol (CCTP) across more than 100 transactions. Remaining assets were rapidly swapped through Solana DEX aggregators into liquid tokens before bridging. On Ethereum, consolidated funds were converted into ETH and began passing through Tornado Cash and other mixing infrastructure consistent with documented DPRK laundering tradecraft. 
The Drift recovery update of April 16, 2026 confirmed total verified losses of $295.7 million—higher than initial estimates due to additional asset categories identified during forensic reconciliation.","heading":"Post-Exploit Fund Laundering","severity":"critical","sources":[{"credibility":1,"name":"Elliptic: Drift Protocol Exploited for $286 Million in Suspected DPRK-Linked Attack","type":"research","url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"},{"credibility":2,"name":"Nexus Mutual: Drift Protocol Incident Report","type":"research","url":"https://nexusmutual.io/blog/drift-protocol-incident-report"},{"credibility":1,"name":"Drift Protocol: Incident Recovery Update – April 16, 2026","type":"official","url":"https://www.drift.trade/updates/incident-recovery-update-april-16-2026-now"},{"credibility":1,"name":"TRM Labs: North Korean Hackers Attack Drift Protocol In USD 285 Million Heist","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"}]},{"content":"As of May 2026, Drift Protocol has published a recovery plan centered on issuing a dedicated recovery token pegged to verified user losses, with each token representing $1 of verified loss. The framework is funded through: Tether's proposed contribution of up to $127.5 million; an additional $20 million from other partners; and a $100 million revenue-linked credit facility. The recovery pool was initially seeded at approximately $3.8 million. CoinDesk reports total verified losses at $295.4 million as of the May 2026 recovery plan announcement. Nexus Mutual confirmed that Drift Protocol was not listed on its coverage platform and that no claims resulted from the incident. 
Drift's relaunch is conditioned on independent audits by Ottersec and Asymmetric, migration of the settlement layer from USDC to USDT, and implementation of a new community-governed multisig with enforced timelocks.","heading":"Recovery Framework and Victim Compensation","severity":"high","sources":[{"credibility":1,"name":"Drift Protocol: Incident Recovery Update – April 16, 2026","type":"official","url":"https://www.drift.trade/updates/incident-recovery-update-april-16-2026-now"},{"credibility":1,"name":"CoinDesk: Drift Outlines a Recovery Plan for Users After $295 Million DPRK-Linked Exploit","type":"news_article","url":"https://www.coindesk.com/business/2026/05/05/drift-outlines-a-recovery-plan-for-users-after-usd295-million-dprk-linked-exploit"},{"credibility":2,"name":"Nexus Mutual: Drift Protocol Incident Report","type":"research","url":"https://nexusmutual.io/blog/drift-protocol-incident-report"}]}],"sources_used":[{"credibility":1,"name":"Chainalysis: Drift Protocol Hack – How Privileged Access Led to a $285M Loss","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"},{"credibility":1,"name":"TRM Labs: North Korean Hackers Attack Drift Protocol In USD 285 Million Heist","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":1,"name":"Elliptic: Drift Protocol Exploited for $286 Million in Suspected DPRK-Linked Attack","type":"research","url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"},{"credibility":2,"name":"The Hacker News: $285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":2,"name":"BlockSec: Drift Protocol Incident – Multisig Governance Compromise via Durable Nonce 
Exploitation","type":"research","url":"https://blocksec.com/blog/drift-protocol-incident-multisig-governance-compromise-via-durable-nonce-exploitation"},{"credibility":2,"name":"Hypernative: The Drift Exploit – When Privileged Access Has No Limits","type":"research","url":"https://www.hypernative.io/blog/the-drift-exploit-when-privileged-access-has-no-limits"},{"credibility":2,"name":"Nexus Mutual: Drift Protocol Incident Report","type":"research","url":"https://nexusmutual.io/blog/drift-protocol-incident-report"},{"credibility":1,"name":"Drift Protocol: Incident Recovery Update – April 16, 2026","type":"official","url":"https://www.drift.trade/updates/incident-recovery-update-april-16-2026-now"},{"credibility":1,"name":"CoinDesk: Drift Outlines a Recovery Plan for Users After $295 Million DPRK-Linked Exploit","type":"news_article","url":"https://www.coindesk.com/business/2026/05/05/drift-outlines-a-recovery-plan-for-users-after-usd295-million-dprk-linked-exploit"},{"credibility":1,"name":"CoinDesk: Drift Says $270 Million Exploit Was a Six-Month North Korean Intelligence Operation","type":"news_article","url":"https://www.coindesk.com/markets/2026/04/05/drift-says-usd270-million-exploit-was-a-six-month-north-korean-intelligence-operation"},{"credibility":2,"name":"CCN: Drift Protocol Hit by $285M Exploit – Crypto's Biggest Hack of 2026 Unfolds on April Fool's Day","type":"news_article","url":"https://www.ccn.com/news/crypto/drift-protocol-285m-biggest-hack-2026-april-fools-day/"},{"credibility":2,"name":"CryptoTimes: $285M Gone in 12 Minutes – How a Fake Token and Stolen Keys Gutted Drift Protocol","type":"news_article","url":"https://www.cryptotimes.io/2026/04/03/285m-gone-in-12-minutes-how-a-fake-token-and-stolen-keys-gutted-drift-protocol/"},{"credibility":2,"name":"Crowell & Moring LLP: Drift Protocol Exploit – Why Social Trust Is the Newest Cybersecurity 
Gap","type":"research","url":"https://www.crowell.com/en/insights/client-alerts/drift-protocol-exploit-why-social-trust-is-the-newest-cybersecurity-gap"},{"credibility":2,"name":"The Record from Recorded Future News: Drift Crypto Heist on Solana","type":"news_article","url":"https://therecord.media/drift-crypto-heist-solana-hacker"}],"summary":"CarbonVote Token (CVT) is a fictitious Solana-based token deployed on March 12, 2026 as a purpose-built instrument in the DPRK-attributed $285 million exploit of Drift Protocol. The token was minted with a 750 million unit supply, wash-traded on Raydium to fabricate a $1.00 price history, and used as fraudulent collateral after attackers seized admin control of Drift via compromised multisig signatures. CVT itself has no independent utility or legitimate use case; it is documented exclusively as an attack vector.","timeline":[{"date":"2025-09-01","event":"Approximate start of social engineering campaign. Individuals posing as representatives of a quantitative trading firm begin approaching Drift contributors at cryptocurrency conferences across multiple countries.","source":"The Hacker News","source_url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"date":"2025-12-01","event":"Attackers establish an Ecosystem Vault on Drift and deposit over $1 million in real capital to build operational credibility, while conducting detailed product discussions with Drift contributors via Telegram.","source":"Nexus Mutual Incident Report","source_url":"https://nexusmutual.io/blog/drift-protocol-incident-report"},{"date":"2026-03-11","event":"On-chain staging begins. Attackers withdraw 10 ETH from Tornado Cash on Ethereum to fund token deployment infrastructure. 
Timing consistent with Pyongyang business hours.","source":"TRM Labs","source_url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"date":"2026-03-12","event":"CarbonVote Token (CVT) deployed on Solana with 750 million total supply, approximately 80% attacker-controlled. A Raydium liquidity pool seeded with approximately $500 is established. Wash trading between attacker wallets begins to fabricate a $1.00 price history.","source":"Chainalysis","source_url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"},{"date":"2026-03-23","event":"Durable nonce exploitation phase begins. Attackers create durable nonce accounts and induce Security Council multisig signers to pre-sign malicious governance transactions through phishing or misleading signing requests.","source":"BlockSec","source_url":"https://blocksec.com/blog/drift-protocol-incident-multisig-governance-compromise-via-durable-nonce-exploitation"},{"date":"2026-03-27","event":"Drift Protocol migrates its Security Council to a 2-of-5 multisig threshold and removes the operational timelock, eliminating the time-delay mechanism that could have detected malicious pre-signed transactions.","source":"Chainalysis","source_url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"},{"date":"2026-04-01","event":"At approximately 16:05 UTC, two pre-signed transactions execute within four blockchain slots, transferring Drift administrative control to attacker address H7PiGqqUaanBovwKgEtreJbKmQe6dbq6VTrw6guy7ZgL. 
Attackers whitelist CVT as collateral, disable withdrawal limits, deposit 500 million CVT, and execute 31 withdrawal transactions over approximately 12 minutes, draining approximately $285 million in real assets.","source":"BlockSec / Chainalysis","source_url":"https://blocksec.com/blog/drift-protocol-incident-multisig-governance-compromise-via-durable-nonce-exploitation"},{"date":"2026-04-01","event":"Within 23 minutes of admin takeover, stolen assets begin bridging from Solana to Ethereum. Approximately $232 million in USDC is transferred via Circle's CCTP across more than 100 transactions.","source":"Elliptic","source_url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"},{"date":"2026-04-02","event":"Drift Protocol suspends services and begins publishing incident communications. BlockSec, Chainalysis, Elliptic, TRM Labs, and Hypernative publish initial forensic analyses.","source":"The Record from Recorded Future News","source_url":"https://therecord.media/drift-crypto-heist-solana-hacker"},{"date":"2026-04-05","event":"Drift Protocol publishes its post-mortem attributing the exploit to a six-month North Korean state-sponsored intelligence operation, identifying UNC4736 (AppleJeus / Citrine Sleet) as the alleged threat actor.","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2026/04/05/drift-says-usd270-million-exploit-was-a-six-month-north-korean-intelligence-operation"},{"date":"2026-04-16","event":"Drift Protocol publishes the Incident Recovery Update, confirming total verified losses of $295.7 million across 26 asset types and announcing initial recovery framework structure including Tether's proposed $127.5 million contribution.","source":"Drift Protocol Official","source_url":"https://www.drift.trade/updates/incident-recovery-update-april-16-2026-now"},{"date":"2026-05-05","event":"Drift outlines full user recovery plan, with verified total losses cited at $295.4 million. 
Recovery token issuance structure, $100 million revenue-linked credit facility, and relaunch security requirements disclosed.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2026/05/05/drift-outlines-a-recovery-plan-for-users-after-usd295-million-dprk-linked-exploit"}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 37ef60ae-cc88-4591-b3f8-a109e41e3bfb
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.
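
The row check and the memo comparison described above, as an added Python example (not the site's src.verify_decision code). The canonicalization rule (sorted keys, compact separators, UTF-8), the sample row and the memo format are assumptions constructed for illustration.

```python
import hashlib
import json

# Base58 alphabet used by Bitcoin and Solana (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def row_hash(canonical: bytes) -> str:
    """sha256 -> base58 over the canonical bytes exactly as stored."""
    return b58encode(hashlib.sha256(canonical).digest())


def canonicalize(row: dict) -> bytes:
    # Assumption: mirrors how the rows on the page look (sorted keys, no
    # whitespace, raw UTF-8). A verifier should hash the bytes it was served
    # rather than re-serialize parsed JSON.
    text = json.dumps(row, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False)
    return text.encode("utf-8")


def verify_row(canonical: bytes, stored_hash: str, memo: str) -> dict:
    """Recompute the row hash and compare it with both witnesses."""
    computed = row_hash(canonical)
    return {
        "computed": computed,
        "row_ok": computed == stored_hash,   # local row integrity
        "memo_ok": computed in memo,         # same hash anchored on-chain
    }


# Constructed sample row; not a real entry from the log.
SAMPLE_ROW = {
    "actor": "reviewer",
    "decision": "review",
    "page_slug": "example-page",
    "reason": "constructed sample, score 0 → 0",
    "sequence_num": 1,
    "v": 1,
}


def demo() -> dict:
    canonical = canonicalize(SAMPLE_ROW)
    stored = row_hash(canonical)
    memo = "audit:v1:" + stored              # constructed memo format

    # 1. Untouched row: both checks pass.
    good = verify_row(canonical, stored, memo)

    # 2. One field edited after anchoring: both checks fail.
    edited = canonicalize({**SAMPLE_ROW, "decision": "approve"})
    tampered = verify_row(edited, stored, memo)

    # 3. Same data, different serialization: different bytes, check fails.
    pretty = json.dumps(SAMPLE_ROW, indent=2).encode("utf-8")
    reserialized = verify_row(pretty, stored, memo)

    # 4. Row and stored hash rewritten together: the row check passes,
    #    the memo comparison does not.
    forged = verify_row(edited, row_hash(edited), memo)

    return {"good": good, "tampered": tampered,
            "reserialized": reserialized, "forged": forged}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["row_ok"], result["memo_ok"])
```

Case 4 is why the memo comparison is a separate step from the row check: it ties the row to a value recorded outside the database that serves it.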