Drift Exploit Linked to Coordinated Infiltration Effort

WikiBit 2026-04-06 22:00

  • Drift hack drained $285M in 12 minutes, but the operation was built over six months.
  • Attackers used social engineering and pre-signed multisig approvals for the attack.
  • A fake token (CVT) was used as collateral after manipulating oracle pricing with minimal liquidity.

Drift Protocol has released a detailed breakdown of the April 1 exploit that drained $285 million in user funds and confirmed the attack was not a simple bug but a long-term, coordinated operation.

The team said the exploit was the result of months of targeted infiltration, which combined social engineering, technical exploits, and staged on-chain activity.

Six-Month Infiltration Led to Breach

According to Drift Protocol, the attack began as early as Fall 2025. Individuals posing as a quantitative trading firm approached contributors at multiple crypto conferences.

They built credibility over time: they held technical discussions, joined working sessions, and deposited over $1 million into the protocol. A Telegram group was created, and interactions continued for months.

By early 2026, they had fully integrated into Drift's ecosystem through a vault strategy. Contributors had met them in person several times, and trust was established, which became the entry point.

Attack Execution Was Fast, Setup Was Slow

The actual exploit took around 12 minutes, but the preparation took weeks on-chain and months off-chain.

TRM Labs found that staging began on March 11. Attackers used Tornado Cash to fund operations, deployed a fake token called CarbonVote (CVT), and built artificial price history through wash trading.

At the same time, they targeted multisig signers. Using social engineering, they got approvals on transactions that appeared routine but contained hidden permissions.

On March 27, a critical change was made. Drift migrated its Security Council to a 2/5 setup with zero timelock, removing the delay layer that could have stopped the attack.

On April 1, everything was executed. The attacker listed CVT as collateral, inflated its value by manipulating oracle data, and withdrew real assets such as USDC in 31 transactions. Funds were bridged to Ethereum within hours.

Key Weak Points: Multisig and Oracle Design

The breach did not rely on a smart contract flaw. It exploited process weaknesses. First, multisig signers approved transactions without detecting hidden actions.

Second, the removal of the timelock eliminated the safety window. Third, the oracle system accepted a fake asset with minimal liquidity as valid collateral.
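The second and third weak points can be turned into a pre-listing gate. The sketch below is an added example, not Drift's code or part of the original report: it flags a collateral listing when the asset's market looks staged (thin depth, short history, volume concentrated in one wallet pair) or when the approving governance path has a low signer threshold or no timelock. Every threshold, name and sample trade is an assumption constructed for illustration.

```python
from dataclasses import dataclass

# Illustrative thresholds (assumptions, not values from Drift or any real protocol).
MIN_DEPTH_USD = 1_000_000        # order-book depth near the mid price
MIN_HISTORY_DAYS = 90            # span of observed trading history
MIN_DISTINCT_TRADERS = 50        # unique wallets on either side of trades
MAX_TOP_PAIR_SHARE = 0.20        # volume share of the busiest wallet pair
MIN_SIGNER_THRESHOLD = 3         # required approvals on the listing multisig
MIN_TIMELOCK_SECONDS = 24 * 3600 # delay between approval and execution

@dataclass
class Trade:
    day: int
    buyer: str
    seller: str
    usd: float

def wash_trade_share(trades):
    """Fraction of volume carried by the single busiest unordered wallet pair."""
    by_pair = {}
    for t in trades:
        pair = frozenset((t.buyer, t.seller))  # A->B and B->A count as one pair
        by_pair[pair] = by_pair.get(pair, 0.0) + t.usd
    total = sum(by_pair.values())
    return max(by_pair.values()) / total if total else 1.0

def listing_findings(trades, depth_usd, threshold, timelock_seconds):
    """Return the reasons a collateral listing should be held for review."""
    findings = []
    if depth_usd < MIN_DEPTH_USD:
        findings.append("thin-liquidity")
    days = {t.day for t in trades}
    if not days or max(days) - min(days) + 1 < MIN_HISTORY_DAYS:
        findings.append("short-price-history")
    traders = {w for t in trades for w in (t.buyer, t.seller)}
    if len(traders) < MIN_DISTINCT_TRADERS:
        findings.append("few-distinct-traders")
    if wash_trade_share(trades) > MAX_TOP_PAIR_SHARE:
        findings.append("volume-concentrated-in-one-pair")
    if threshold < MIN_SIGNER_THRESHOLD:
        findings.append("low-signer-threshold")
    if timelock_seconds < MIN_TIMELOCK_SECONDS:
        findings.append("no-effective-timelock")
    return findings

# Constructed sample: three weeks of two wallets trading back and forth.
SAMPLE_TRADES = [Trade(d, "walletA", "walletB", 5_000.0) if d % 2 else
                 Trade(d, "walletB", "walletA", 5_000.0) for d in range(21)]
```

An empty result means none of these checks fired; it does not establish that the asset is sound collateral.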

Drift's internal review also points to a possible device-level compromise. One contributor may have been exposed through a malicious code repository. Another may have installed a compromised TestFlight app presented as a wallet.

A known vulnerability in development tools like VSCode may have allowed silent code execution.

Elliptic and TRM Labs both flagged patterns linked to North Korean operations. These include Tornado Cash usage, timing aligned with Pyongyang hours, and rapid cross-chain laundering.

Drift said there is medium-high confidence that the same group behind the October 2024 Radiant Capital hack is involved. The group has been linked to UNC4736, also known as AppleJeus or Citrine Sleet.
