Critical · Active · No recent activity · Exploit · INC-C9275F

Drift Exploit $285M

Confidence: 94% · High
Type: Exploit
Est. Loss: $285.0M
Signals: 15
First Detected: Apr 29, 2026, 9:24 PM
Last Signal: Apr 1, 2026, 3:06 PM

Overview

North Korean hackers posed as a quant firm and socially engineered Drift team members at conferences.

Drift DEX was exploited for $285M in USDC and other assets via social engineering and oracle manipulation.

Protocols: Drift, Drift Protocol, Circle, Gauntlet
Chains: Solana, Ethereum
Assets: USDC, DRIFT, ETH, JPL, CBBTC, USDT, DSOL, WBTC, eETH, JLP, SOL, BTC, JTO, FRT

Sources & Timeline

  1. New · CoinDesk · 95%

    Drift protocol reported unusual activity and warned users not to deposit, later confirming active attack and suspension.

    Apr 1, 2026, 6:35 PM
  2. Update · Cointelegraph · 95%

    Threat researcher says admin signer private key likely compromised, leading to exploit.

    Apr 1, 2026, 6:42 PM
  3. New · CoinDesk · 95%

    Compromised admin key allowed unrestricted control to alter risk parameters, create fake markets, and drain funds.

    Apr 2, 2026, 11:15 AM
  4. New · CoinDesk · 90%

    Elliptic identifies on-chain laundering patterns consistent with North Korean state-sponsored hacking groups.

    Apr 2, 2026, 2:50 PM
  5. New · Cointelegraph · 95%

    The exploit was detected when the attacker used pre-signed durable nonce transactions to seize control of the protocol, leading to significant fund outflows.

    Apr 2, 2026, 10:13 AM
  6. New · CoinDesk · 100%

    Two of five council members mis-signed what they believed were routine transactions, allowing attacker to execute a protocol takeover weeks later.

    Apr 2, 2026, 3:08 PM
  7. New · Decrypt · 90%

    Attacker gained admin powers via social engineering and introduced a fake token to manipulate withdrawal limits.

    Apr 2, 2026, 7:04 PM
  8. New · CoinDesk · 95%

    Attacker bridged stolen USDC via CCTP, and Circle cited lack of legal authorization to freeze.

    Apr 3, 2026, 7:02 PM
  9. New · Cointelegraph · 90%

    Exploit occurred on April 1, 2026 after attackers gained trust through in-person meetings and deployed malware.

    Apr 5, 2026, 7:00 AM
  10. Update · CoinDesk · 90%

    Drift published a detailed update revealing a six-month intelligence operation by North Korean group UNC4736 that led to the $270 million exploit.

    Apr 5, 2026, 12:17 PM
  11. Post-mortem · Cointelegraph · 100%

    Attackers built trust over six months, then sent malicious links to compromise developer devices tied to multisig controls.

    Apr 5, 2026, 9:41 PM
  12. New · Decrypt · 95%

    Bad actors used social engineering and a fake token to drain vaults across 31 withdrawals in 12 minutes.

    Apr 6, 2026, 12:18 PM
  13. New · Cointelegraph · 95%

    North Korean hackers posed as a quant firm and socially engineered Drift team members at conferences.

    Apr 9, 2026, 1:05 PM
  14. New · Cointelegraph · 95%

    Exploit detected with on-chain evidence of malicious pre-signed transactions affecting multiple Solana protocols.

    Apr 3, 2026, 10:26 AM
  15. New · Decrypt · 95%

    Suspicious large transfers from the Drift Vault to address HkGz4K, followed by distribution to other wallets, indicated an active exploit.

    Apr 1, 2026, 8:13 PM