Audit log

Every state-changing event for Drift Protocol DPRK Exploit (April 2026): moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1 publish by system:backfill
    2026-06-16 23:05:00Z
    Score: ?? (no score change)
    anchor: anchored
    chain: mainnet-beta, slot 426,948,488
    sig: 4WshuXoiSQB3…S65igRtq
    hash: 79wiSaU44YdK…vWo28ukd (sha256 → base58)
    canonical bytes (31189 B):
    {"actor":"system:backfill","investigation_id":"19358cad-4557-4394-a860-f6a360b42cc6","kind":"publish","page_slug":"drift-protocol-dprk-exploit-april-2026","published_at":"2026-06-16T23:05:00.516Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Drift Protocol DPRK Exploit (April 2026)","sections":[{"content":"Drift Protocol, the largest decentralized perpetual futures exchange on the Solana blockchain, was exploited on April 1, 2026, resulting in losses subsequently confirmed by the protocol at $295,706,374.93. The attack was executed in approximately twelve minutes and involved thirty-one withdrawal transactions. The hack wiped out more than half of Drift's total value locked (TVL), which fell from approximately $550 million to under $250 million. The incident is regarded as the largest DeFi hack of 2026 and the second-largest exploit in Solana's history after the $326 million Wormhole bridge hack of 2022. Drift Protocol suspended operations immediately after the breach was detected. Bloomberg reported on the event the same day.","heading":"Incident Overview","severity":"critical","sources":[{"credibility":1,"name":"Drift DeFi Project on Solana Suffers $285 Million Crypto Exploit — Bloomberg","type":"news_article","url":"https://www.bloomberg.com/news/articles/2026-04-01/solana-based-defi-project-drift-hit-by-285-million-exploit"},{"credibility":1,"name":"Incident Recovery Update — April 16, 2026 | Drift Updates (official)","type":"official","url":"https://www.drift.trade/updates/incident-recovery-update-april-16-2026-now"},{"credibility":2,"name":"Drift Protocol exploited for $286 million in suspected DPRK-linked attack — Elliptic","type":"research","url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"}]},{"content":"Blockchain analytics firms Elliptic and TRM Labs independently assessed the attack as likely perpetrated by North Korean state-sponsored actors. 
On April 5, 2026, Drift Protocol published a post-mortem attributing the operation to UNC4736, a threat actor also tracked as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces. The attribution carries a stated confidence level of medium-high and is supported by: on-chain fund flows connecting the attacker wallets to proceeds from the October 2024 Radiant Capital hack (previously attributed to UNC4736 by Mandiant); laundering methodologies consistent with prior DPRK-linked operations; operational persona overlaps with known DPRK activity; and timing of early preparatory transactions around 09:00 Pyongyang Standard Time on March 12, 2026. Mandiant's full forensic investigation was ongoing at the time of publication. The Drift exploit represents, according to Elliptic, the eighteenth DPRK-linked crypto incident tracked in 2026, bringing total year-to-date DPRK theft to over $300 million. TRM Labs separately reported that North Korean state-backed hackers accounted for approximately 76 percent of global crypto hack losses in 2026.","heading":"DPRK Attribution","severity":"critical","sources":[{"credibility":2,"name":"Drift Protocol exploited for $286 million in suspected DPRK-linked attack — Elliptic","type":"research","url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"},{"credibility":2,"name":"North Korean Hackers Attack Drift Protocol In USD 285 Million Heist — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":2,"name":"Drift says $270 million exploit was a six-month North Korean intelligence operation — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/04/05/drift-says-usd270-million-exploit-was-a-six-month-north-korean-intelligence-operation"},{"credibility":2,"name":"The long con: How North Korean spies spent months in-person to drain $285 million from Drift — 
CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/04/30/north-korean-hackers-are-moving-faster-they-account-for-76-of-crypto-exploits-this-year-trmlabs"}]},{"content":"The preparatory phase of the operation reportedly began in fall 2025, approximately six months before the April 1 execution. Individuals presenting as employees of a quantitative trading firm made initial contact with Drift contributors at a major cryptocurrency conference. The campaign proceeded through several distinct phases. In December 2025 through January 2026, the group onboarded an Ecosystem Vault, held technical working sessions, and deposited over $1 million of their own capital to establish financial credibility and obtain integration access. Between February and March 2026, individuals from the group met Drift contributors in person at multiple industry events across several countries. Drift's post-mortem noted that 'the individuals who appeared in person were not North Korean nationals' and that 'DPRK threat actors operating at this level are known to deploy third-party intermediaries' with fully constructed professional identities capable of withstanding scrutiny during business relationships. Two technical infection pathways were identified. First, a contributor cloned a malicious Microsoft Visual Studio Code (or Cursor) project containing a weaponized 'tasks.json' file; simply opening the folder executed arbitrary code silently due to the 'runOn: folderOpen' option, a known VSCode/Cursor vulnerability. Second, a separate contributor was persuaded to download a wallet application via Apple's TestFlight beta distribution platform, which bypasses App Store security review. 
Following device compromise, attackers harvested the credentials needed to obtain pre-signed multisig transactions from at least two of the five Security Council members.","heading":"Social Engineering Operation (Fall 2025 – March 2026)","severity":"critical","sources":[{"credibility":2,"name":"$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":2,"name":"Drift says $270 million exploit was a six-month North Korean intelligence operation — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/04/05/drift-says-usd270-million-exploit-was-a-six-month-north-korean-intelligence-operation"},{"credibility":2,"name":"Drift Protocol Exploit: Why Social Trust Is the Newest Cybersecurity Gap — Crowell & Moring LLP","type":"other","url":"https://www.crowell.com/en/insights/client-alerts/drift-protocol-exploit-why-social-trust-is-the-newest-cybersecurity-gap"}]},{"content":"The technical execution relied on two complementary vectors: exploitation of Solana's durable nonce feature and introduction of fraudulent collateral. Durable nonces are a Solana mechanism that replaces the normal 60-90 second blockhash expiration window with an indefinitely valid one-time code stored in a special on-chain account. The feature exists for legitimate institutional and offline signing use cases. The attackers created four durable nonce accounts on March 23, 2026 — two associated with legitimate Security Council members and two controlled by the attacker — meaning the attacker had already obtained valid pre-signatures from two of the five required council members. 
On March 27, Drift executed a planned Security Council migration, and on March 30, a new durable nonce account appeared tied to an updated multisig member, indicating the attacker had re-obtained the necessary two-of-five approval threshold following the migration. On April 1, two transactions four slots apart on the Solana blockchain created and approved a malicious admin transfer, then executed it, granting the attacker full administrative control within minutes. Using this control, attackers deployed a worthless token designated CarbonVote Token (CVT), with a total supply of 750 million tokens created on March 12, 2026 and seeded with a small amount of liquidity. Wash trading was used to artificially inflate CVT's apparent market price. The attacker then whitelisted CVT as eligible collateral within the protocol, deposited 500 million CVT, and used the inflated collateral value to withdraw approximately $285-295 million in real assets including USDC, SOL, JLP tokens, cbBTC, wBTC, and various liquid staking tokens from three core vaults: JLP Delta Neutral, SOL Super Staking, and BTC Super Staking.","heading":"Technical Attack Mechanism: Durable Nonces and Fake Collateral","severity":"critical","sources":[{"credibility":2,"name":"Here is how Drift attackers drained more than $270 million using a Solana feature designed for convenience — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/02/how-a-solana-feature-designed-for-convenience-let-an-attacker-drain-usd270-million-from-drift"},{"credibility":2,"name":"North Korean Hackers Attack Drift Protocol In USD 285 Million Heist — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":2,"name":"Drift Protocol Suffers $285M Exploit via Oracle Manipulation and Admin Key Compromise — 
Autheo","type":"research","url":"https://www.autheo.com/signals/drift-protocol-285m-exploit-april-2026"},{"credibility":2,"name":"North Korea Manufactured a Fake Token to Steal $286M From Drift Protocol — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/drift-protocol-hack-north-korea-ai/"}]},{"content":"Following the April 1 drain, stolen assets were rapidly converted and moved cross-chain. On-chain monitoring showed the attacker swapped stolen tokens to USDC via Solana DEX aggregators within hours, then bridged the funds to Ethereum where they were converted to ETH. The laundering velocity reportedly exceeded prior DPRK operations, with individual transactions moving hundreds of thousands to millions of dollars in USDC. On-chain investigator ZachXBT noted publicly that large amounts of stolen USDC were bridged from Solana to Ethereum via Circle's Cross-Chain Transfer Protocol (CCTP) during U.S. business hours without being frozen, raising questions about the speed of stablecoin issuer response. As of the April 16 recovery update, approximately $3.36 million in USDC had been frozen and approximately 130,259 ETH (roughly $31 million at the time) remained concentrated in four monitored wallets with limited successful off-ramping reported. 
Preparatory on-chain activity included an initial 10 ETH withdrawal from Tornado Cash on March 11, 2026, used to fund CVT deployment on March 12.","heading":"Fund Movement and Laundering","severity":"high","sources":[{"credibility":2,"name":"Drift Protocol exploited for $286 million in suspected DPRK-linked attack — Elliptic","type":"research","url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"},{"credibility":2,"name":"North Korean Hackers Attack Drift Protocol In USD 285 Million Heist — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":1,"name":"Incident Recovery Update — April 16, 2026 | Drift Updates (official)","type":"official","url":"https://www.drift.trade/updates/incident-recovery-update-april-16-2026-now"}]},{"content":"On May 5, 2026, Drift Protocol published a formal recovery plan for affected users. The protocol confirmed that the exact loss figure was $295,706,374.93. The recovery mechanism centers on the issuance of dedicated SPL recovery tokens — separate from the DRIFT governance token — to each affected wallet, with each token representing a $1 claim on a recovery pool. Users may redeem tokens once the pool reaches a minimum funding threshold. Announced funding sources include: approximately $3.8 million in remaining protocol assets; up to $127.5 million from Tether (performance-tied and contingent); up to $20 million from strategic partners; and ongoing exchange revenue contributions after relaunch. Tether also announced a $20 million market-making facility to provide liquidity from day one of relaunch. A public bounty offering 10 percent of recovered assets was launched to incentivize information leading to fund recovery. The protocol also announced it would migrate its settlement layer from USDC to USDT. 
A Q2 2026 relaunch was planned as a 'security-first' exchange with a narrowed product scope focused on perpetuals trading, enhanced multisig architecture, mandatory timelocks on administrative operations, and independent audits from Ottersec and Asymmetric required before resumption. Community reaction to the recovery plan was mixed, with some users expressing concern about the gap between the $295 million loss and the initially committed funding.","heading":"Recovery Plan and User Compensation","severity":"high","sources":[{"credibility":2,"name":"Drift outlines a recovery plan for users after $295 million DPRK-linked exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/05/05/drift-outlines-a-recovery-plan-for-users-after-usd295-million-dprk-linked-exploit"},{"credibility":2,"name":"Tether Commits $127.5M to Drift Protocol Recovery After $285M DPRK Hack — Blockchain.news","type":"news_article","url":"https://blockchain.news/news/tether-127m-drift-protocol-recovery-dprk-hack"},{"credibility":2,"name":"Drift Sets Out Token-Based Recovery Framework for $295M April Exploit — The Defiant","type":"news_article","url":"https://thedefiant.io/news/defi/drift-sets-out-token-based-recovery-framework-for-usd295m-april-exploit"},{"credibility":1,"name":"Incident Recovery Update — April 16, 2026 | Drift Updates (official)","type":"official","url":"https://www.drift.trade/updates/incident-recovery-update-april-16-2026-now"}]},{"content":"No direct OFAC sanctions actions specifically targeting Drift Protocol attackers had been publicly announced as of the available reporting. However, the U.S. Department of the Treasury's Office of Foreign Assets Control described North Korea's cyber operations and remote IT worker schemes as a meaningful source of regime revenue in a March 2026 sanctions announcement. The U.S. Department of Justice has previously indicted DPRK operatives for cryptocurrency thefts amounting to billions of dollars. 
Legal analysis from Crowell & Moring LLP noted that organizations compromised in DPRK-linked incidents face OFAC exposure considerations when responding to such attacks and should coordinate legal counsel, compliance functions, and security teams to assess potential sanctions violations and pursue asset-freeze options. Drift Protocol stated it is cooperating with law enforcement and pursuing legal efforts to seize and reissue funds. Tether cited its track record of coordinating with more than 310 law enforcement agencies across 64 countries in announcing its involvement in the recovery plan.","heading":"Regulatory and Legal Context","severity":"high","sources":[{"credibility":2,"name":"Drift Protocol Exploit: Why Social Trust Is the Newest Cybersecurity Gap — Crowell & Moring LLP","type":"other","url":"https://www.crowell.com/en/insights/client-alerts/drift-protocol-exploit-why-social-trust-is-the-newest-cybersecurity-gap"},{"credibility":2,"name":"Drift Protocol Exploit: Why Social Trust Is the Newest Cybersecurity Gap — Mondaq","type":"other","url":"https://www.mondaq.com/unitedstates/fintech/1780962/drift-protocol-exploit-why-social-trust-is-the-newest-cybersecurity-gap"},{"credibility":2,"name":"Drift outlines a recovery plan for users after $295 million DPRK-linked exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/05/05/drift-outlines-a-recovery-plan-for-users-after-usd295-million-dprk-linked-exploit"}]},{"content":"The Drift exploit occurred within a pattern of accelerating North Korean crypto theft activity. TRM Labs reported that North Korean hackers accounted for approximately 76 percent of global crypto hack losses in 2026 through late April, totaling nearly $600 million across all incidents. The total attributed haul for DPRK-linked actors since 2017 exceeded $6 billion by mid-2026. 
The Drift attack is notable as the first large-scale in-person social engineering operation attributed to DPRK actors at this scale, following the Radiant Capital hack in October 2024 (attributed to the same group, UNC4736, with a $50-53 million loss). Researchers noted that the use of third-party non-North Korean intermediaries for in-person contact represents an escalation in DPRK tradecraft, as these individuals can withstand identity scrutiny that North Korean nationals could not. The attack also demonstrated increased operational sophistication in the speed of laundering, which exceeded the 2025 Bybit operation in velocity according to TRM Labs.","heading":"Broader DPRK Crypto Threat Context","severity":"high","sources":[{"credibility":2,"name":"The long con: How North Korean spies spent months in-person to drain $285 million from Drift — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/04/30/north-korean-hackers-are-moving-faster-they-account-for-76-of-crypto-exploits-this-year-trmlabs"},{"credibility":2,"name":"North Korean Hackers Attack Drift Protocol In USD 285 Million Heist — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":2,"name":"Drift Protocol Hack: How Privileged Access Led to a $285M Loss — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"}]},{"content":"Security analysts identified several structural vulnerabilities that enabled the attack. The Security Council's 2-of-5 multisig threshold was insufficient against a targeted social engineering campaign that could compromise individual signers' devices. The absence of timelocks between approval and execution of administrative transactions meant that pre-signed durable nonce transactions could be executed at any moment without additional verification. 
No real-time monitoring was in place to detect the creation of durable nonce accounts or flag unusual pre-signing activity by council members. The protocol's collateral whitelisting process did not require independent or time-delayed governance approval, allowing the attacker to introduce a fraudulent asset (CVT) rapidly after gaining admin control. Recommended mitigations identified across multiple research reports include: raising multisig thresholds to majority quorums (e.g., 4-of-7); implementing 24-72 hour mandatory delays between transaction approval and execution; monitoring and auditing all durable nonce account activity; requiring independent security vetting for any new collateral type; implementing zero-trust contributor policies with ongoing security audits for all external code and applications; and integrating video verification during business onboarding to counter deepfake and false-identity campaigns.","heading":"Security Failures and Post-Incident Recommendations","severity":"high","sources":[{"credibility":2,"name":"Drift Protocol Exploit: Why Social Trust Is the Newest Cybersecurity Gap — Crowell & Moring LLP","type":"other","url":"https://www.crowell.com/en/insights/client-alerts/drift-protocol-exploit-why-social-trust-is-the-newest-cybersecurity-gap"},{"credibility":2,"name":"Here is how Drift attackers drained more than $270 million using a Solana feature designed for convenience — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/02/how-a-solana-feature-designed-for-convenience-let-an-attacker-drain-usd270-million-from-drift"},{"credibility":2,"name":"Reflections on the Drift Protocol Exploit — Four Pillars","type":"research","url":"https://4pillars.io/en/issues/reflections-on-the-drift-protocol-exploit"}]}],"sources_used":[{"credibility":2,"name":"Drift Protocol exploited for $286 million in suspected DPRK-linked attack — 
Elliptic","type":"research","url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"},{"credibility":2,"name":"Drift outlines a recovery plan for users after $295 million DPRK-linked exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/05/05/drift-outlines-a-recovery-plan-for-users-after-usd295-million-dprk-linked-exploit"},{"credibility":2,"name":"Drift says $270 million exploit was a six-month North Korean intelligence operation — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/04/05/drift-says-usd270-million-exploit-was-a-six-month-north-korean-intelligence-operation"},{"credibility":2,"name":"Elliptic flags $285 million Drift exploit as a likely North Korea-linked operation — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/04/02/north-koreans-hackers-likely-behind-the-usd286-million-drift-protocol-exploit-elliptic"},{"credibility":2,"name":"Here is how Drift attackers drained more than $270 million using a Solana feature designed for convenience — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/02/how-a-solana-feature-designed-for-convenience-let-an-attacker-drain-usd270-million-from-drift"},{"credibility":2,"name":"The long con: How North Korean spies spent months in-person to drain $285 million from Drift — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/04/30/north-korean-hackers-are-moving-faster-they-account-for-76-of-crypto-exploits-this-year-trmlabs"},{"credibility":2,"name":"$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":2,"name":"North Korean Hackers Attack Drift Protocol In USD 285 Million Heist — TRM 
Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":2,"name":"Drift Protocol Hack: How Privileged Access Led to a $285M Loss — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"},{"credibility":2,"name":"Drift Protocol Exploit: Why Social Trust Is the Newest Cybersecurity Gap — Crowell & Moring LLP","type":"other","url":"https://www.crowell.com/en/insights/client-alerts/drift-protocol-exploit-why-social-trust-is-the-newest-cybersecurity-gap"},{"credibility":2,"name":"Drift Protocol Exploit: Why Social Trust Is the Newest Cybersecurity Gap — Mondaq","type":"other","url":"https://www.mondaq.com/unitedstates/fintech/1780962/drift-protocol-exploit-why-social-trust-is-the-newest-cybersecurity-gap"},{"credibility":1,"name":"Drift DeFi Project on Solana Suffers $285 Million Crypto Exploit — Bloomberg","type":"news_article","url":"https://www.bloomberg.com/news/articles/2026-04-01/solana-based-defi-project-drift-hit-by-285-million-exploit"},{"credibility":1,"name":"Incident Recovery Update — April 16, 2026 | Drift Updates (official)","type":"official","url":"https://www.drift.trade/updates/incident-recovery-update-april-16-2026-now"},{"credibility":2,"name":"Tether Commits $127.5M to Drift Protocol Recovery After $285M DPRK Hack — Blockchain.news","type":"news_article","url":"https://blockchain.news/news/tether-127m-drift-protocol-recovery-dprk-hack"},{"credibility":2,"name":"Drift Sets Out Token-Based Recovery Framework for $295M April Exploit — The Defiant","type":"news_article","url":"https://thedefiant.io/news/defi/drift-sets-out-token-based-recovery-framework-for-usd295m-april-exploit"},{"credibility":2,"name":"Drift Protocol Reveals $285 Million Exploit Was a Six-Month North Korean Intelligence Operation — 
Unchained","type":"news_article","url":"https://unchainedcrypto.com/drift-protocol-reveals-285-million-exploit-was-a-six-month-north-korean-intelligence-operation-unchained/"},{"credibility":2,"name":"North Korea Stole $285M From a DeFi Protocol. The Attack Started With a Handshake — Enclave AI","type":"other","url":"https://enclave.ai/blog/north-korea-drift-protocol-285m-social-engineering"},{"credibility":2,"name":"Reflections on the Drift Protocol Exploit — Four Pillars","type":"research","url":"https://4pillars.io/en/issues/reflections-on-the-drift-protocol-exploit"},{"credibility":2,"name":"Drift Protocol Suffers $285M Exploit via Oracle Manipulation and Admin Key Compromise — Autheo","type":"research","url":"https://www.autheo.com/signals/drift-protocol-285m-exploit-april-2026"},{"credibility":2,"name":"North Korea Manufactured a Fake Token to Steal $286M From Drift Protocol — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/drift-protocol-hack-north-korea-ai/"},{"credibility":2,"name":"Solana-Based Drift Protocol Suffers $285M Hack, Largest Of 2026 — NewsBTC","type":"news_article","url":"https://www.newsbtc.com/news/285m-solana-protocol-drift-largest-exploit-2026/"}],"summary":"On April 1, 2026, Drift Protocol — the largest decentralized perpetual futures exchange on Solana — suffered a loss of approximately $295 million in user assets after a six-month social engineering campaign attributed with medium-high confidence to UNC4736, a North Korean state-affiliated threat actor also tracked as AppleJeus or Citrine Sleet. Attackers posed as a quantitative trading firm, compromised Security Council members' devices, and exploited Solana's durable nonce mechanism to gain unauthorized administrative control before draining multiple vaults within roughly twelve minutes. 
Drift Protocol acknowledged the breach and published a token-based recovery framework backed by Tether ($127.5 million) and other partners, with a Q2 2026 protocol relaunch planned.","timeline":[{"date":"2025-01-01","event":"Attackers posing as a quantitative trading firm make initial contact with Drift contributors at a major cryptocurrency conference (approximate date; reported as 'fall 2025')","source":"CoinDesk / Drift post-mortem","source_url":"https://www.coindesk.com/markets/2026/04/05/drift-says-usd270-million-exploit-was-a-six-month-north-korean-intelligence-operation"},{"date":"2025-12-01","event":"Fake trading firm onboards an Ecosystem Vault, begins technical sessions with Drift contributors, and deposits over $1 million in capital to establish credibility","source":"CoinDesk / Drift post-mortem","source_url":"https://www.coindesk.com/markets/2026/04/05/drift-says-usd270-million-exploit-was-a-six-month-north-korean-intelligence-operation"},{"date":"2026-02-01","event":"In-person meetings between attacker intermediaries and Drift contributors occur at multiple industry conferences across several countries","source":"The Hacker News","source_url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"date":"2026-03-11","event":"Attacker withdraws initial 10 ETH from Tornado Cash to fund subsequent attack preparation","source":"TRM Labs","source_url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"date":"2026-03-12","event":"CarbonVote Token (CVT) deployed on Solana with a total supply of 750 million tokens; attack preparatory activity timestamps around 09:00 Pyongyang time noted by TRM Labs","source":"TRM Labs","source_url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"date":"2026-03-23","event":"Four durable nonce accounts created on Solana: two associated with legitimate Drift Security Council members 
(indicating device compromise), two controlled by the attacker","source":"CoinDesk Tech","source_url":"https://www.coindesk.com/tech/2026/04/02/how-a-solana-feature-designed-for-convenience-let-an-attacker-drain-usd270-million-from-drift"},{"date":"2026-03-27","event":"Drift Protocol executes a planned Security Council migration to replace a member; attacker subsequently re-obtains required pre-signatures","source":"CoinDesk Tech","source_url":"https://www.coindesk.com/tech/2026/04/02/how-a-solana-feature-designed-for-convenience-let-an-attacker-drain-usd270-million-from-drift"},{"date":"2026-03-30","event":"New durable nonce account appears tied to updated multisig member, confirming attacker has re-secured the 2-of-5 approval threshold","source":"CoinDesk Tech","source_url":"https://www.coindesk.com/tech/2026/04/02/how-a-solana-feature-designed-for-convenience-let-an-attacker-drain-usd270-million-from-drift"},{"date":"2026-04-01","event":"Attack executed: two transactions four slots apart on Solana grant attacker full administrative control; CVT whitelisted as collateral; approximately $285-295 million drained from three vaults in roughly twelve minutes via thirty-one withdrawal transactions","source":"Elliptic / TRM Labs / Bloomberg","source_url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"},{"date":"2026-04-01","event":"Stolen assets rapidly swapped to USDC via Solana DEX aggregators and bridged to Ethereum, converted to ETH; Drift Protocol suspends operations","source":"Elliptic","source_url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"},{"date":"2026-04-02","event":"Elliptic flags the exploit as likely North Korea-linked; CoinDesk publishes technical analysis of durable nonce attack 
vector","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2026/04/02/north-koreans-hackers-likely-behind-the-usd286-million-drift-protocol-exploit-elliptic"},{"date":"2026-04-05","event":"Drift Protocol publishes post-mortem attributing the six-month operation to UNC4736 (AppleJeus / Citrine Sleet) at medium-high confidence, citing Mandiant forensic investigation and on-chain fund flow overlaps with the October 2024 Radiant Capital hack","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2026/04/05/drift-says-usd270-million-exploit-was-a-six-month-north-korean-intelligence-operation"},{"date":"2026-04-16","event":"Drift Protocol publishes incident recovery update confirming $295,706,374.93 in losses; approximately $3.36 million USDC frozen; ~130,259 ETH (~$31 million) in monitored attacker wallets; public bounty offering 10% of recovered assets announced","source":"Drift Protocol (official)","source_url":"https://www.drift.trade/updates/incident-recovery-update-april-16-2026-now"},{"date":"2026-05-05","event":"Drift Protocol publishes full recovery plan: SPL recovery tokens issued to affected wallets at $1 per token, recovery pool targeting $295.4 million backed by Tether ($127.5 million), partners ($20 million), and exchange revenue; USDC-to-USDT settlement migration announced; Q2 2026 relaunch planned","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2026/05/05/drift-outlines-a-recovery-plan-for-users-after-usd295-million-dprk-linked-exploit"}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision f7c521a8-37e7-4d17-b468-c57885869138
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.
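
The row-integrity check described above, as an added example; it is not avoid.net's `src.verify_decision` code. It assumes the hash is Base58 in the Bitcoin/Solana alphabet and that the memo carries that hash as a plain substring; `canonicalize()`, the sample record and the memo layout are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

# Bitcoin/Solana Base58 alphabet (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58-encode bytes; each leading zero byte is written as '1'."""
    n = int.from_bytes(data, "big")
    digits = []
    while n > 0:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + "".join(reversed(digits))


def row_hash(canonical_bytes: bytes) -> str:
    """sha256 -> base58, the transformation the audit row labels its hash with."""
    return b58encode(hashlib.sha256(canonical_bytes).digest())


def verify_row(canonical_bytes: bytes, stored_hash: str,
               memo_text: Optional[str] = None) -> dict:
    """Recompute the hash locally and compare it with the stored and anchored values."""
    computed = row_hash(canonical_bytes)
    result = {
        "computed": computed,
        # Compare the full hash, never the truncated "abc…xyz" display form.
        "row_integrity": hmac.compare_digest(computed.encode(), stored_hash.encode()),
    }
    if memo_text is not None:
        # ASSUMPTION: the on-chain memo contains the Base58 hash as a substring.
        result["memo_match"] = computed in memo_text
    return result


def canonicalize(record: dict) -> bytes:
    # ASSUMPTION: sorted keys, compact separators, raw UTF-8. Used only to
    # build the constructed sample below; when checking a real row, hash the
    # canonical bytes exactly as served and do not re-serialize them.
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


# Constructed sample row (not data from the page).
SAMPLE_RECORD = {
    "v": 1,
    "kind": "publish",
    "actor": "system:backfill",
    "sequence_num": 1,
    "page_slug": "example-page",
    "snapshot": {"note": "constructed sample: sha256 → base58"},
}
SAMPLE_BYTES = canonicalize(SAMPLE_RECORD)
SAMPLE_HASH = row_hash(SAMPLE_BYTES)
SAMPLE_MEMO = "audit:" + SAMPLE_HASH  # hypothetical memo layout


def demo() -> dict:
    """Exact bytes pass; a one-character edit or a re-serialization fails."""
    tampered = SAMPLE_BYTES.replace(b'"sequence_num":1', b'"sequence_num":2')
    pretty = json.dumps(SAMPLE_RECORD, indent=2).encode("utf-8")
    return {
        "exact": verify_row(SAMPLE_BYTES, SAMPLE_HASH, SAMPLE_MEMO),
        "tampered": verify_row(tampered, SAMPLE_HASH, SAMPLE_MEMO),
        "reserialized": verify_row(pretty, SAMPLE_HASH, SAMPLE_MEMO),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The `reserialized` case fails even though the record is semantically identical, which is why the witness is defined over bytes rather than over parsed JSON.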