Full Report
The Drift Protocol says that the $280+ million hack it suffered last week was the result of a long-term, carefully planned operation that included building "a functioning operational presence inside the Drift ecosystem." [...]
Analysis Summary
# Incident Report: Drift Protocol $280M Administrative Hijack
## Executive Summary
The Drift Protocol, a Solana-based trading platform, suffered a $280+ million theft orchestrated by North Korean threat actors (UNC4736/Labyrinth Chollima). The incident was the culmination of a six-month social engineering campaign involving in-person engagement at global conferences and the eventual compromise of administrative Security Council powers. The attackers successfully drained user assets in approximately 12 minutes following the compromise of key contributors.
## Incident Details
- **Discovery Date:** April 1, 2026
- **Incident Date:** April 1, 2026 (following a 6-month lead-up)
- **Affected Organization:** Drift Protocol
- **Sector:** Decentralized Finance (DeFi / Cryptocurrency)
- **Geography:** Global (Remote and in-person at international conferences)
## Timeline of Events
### Initial Access
- **Date/Time:** Approximately October 2025 (six months prior to the theft)
- **Vector:** Strategic Social Engineering (In-person and Digital)
- **Details:** Threat actors posed as a quantitative trading firm, building rapport with Drift contributors at multiple industry conferences. This was followed by ongoing communication via Telegram regarding trading strategies and vault integrations.
### Lateral Movement
- **Mechanism:** Exploitation of contributor workstations to gain administrative access.
- **Details:** Attackers shared malicious code repositories (targeting VSCode/Cursor vulnerabilities) and a malicious TestFlight wallet application with two high-level contributors.
### Data Exfiltration/Impact
- **April 1, 2026:** Within a 12-minute window, the attackers hijacked Security Council administrative powers and transferred $280 million in assets to attacker-controlled wallets.
### Detection & Response
- **Detection:** Drift detected unusual activity on the platform on April 1.
- **Response:** All protocol functions were frozen. Compromised wallets were removed from the multisig process, and attacker addresses were flagged across major bridges and exchanges.
## Attack Methodology
- **Initial Access:** In-person social engineering via non-Korean intermediaries at crypto conferences.
- **Persistence:** Ongoing Telegram engagement and "onboarding" activities to remain in the developers' inner circle.
- **Privilege Escalation:** Compromise of Security Council administrative keys via endpoint exploitation of contributors.
- **Defense Evasion:** Use of non-Korean intermediaries to avoid suspicion; immediate deletion of Telegram communication groups post-incident.
- **Credential Access:** Likely harvested through malicious VSCode/Cursor extensions or "TestFlight" wallet applications.
- **Discovery:** 6-month reconnaissance period to understand internal Drift workflows and the Security Council structure.
- **Lateral Movement:** Transitioning from individual contributor endpoints to the protocol's multisig/Security Council environment.
- **Collection:** Identifying and targeting high-value liquid vaults.
- **Exfiltration:** Direct blockchain transfer (Theft).
- **Impact:** Draining of $280M+ and temporary shutdown of protocol operations.
## Impact Assessment
- **Financial:** Over $280 million USD in cryptocurrency stolen.
- **Data Breach:** Compromised administrative keys; personal communications of contributors.
- **Operational:** All protocol functions frozen; significant disruption to user trading and withdrawals.
- **Reputational:** High; loss of trust in the Security Council's decentralized security model.
## Indicators of Compromise
- **Network Indicators:** Targeted Telegram communications (accounts now deleted).
- **File Indicators:** Malicious TestFlight wallet application; malicious code repositories (VSCode/Cursor-specific).
- **Behavioral Indicators:** Sudden, high-velocity drainage of assets using administrative permissions (12-minute duration).
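The behavioral indicator above can be expressed as a velocity rule over administrative transfer records. The following is an added example written for this page (not Drift's own tooling): it flags any short window in which council- or multisig-signed outflows exceed a USD threshold across several vaults. The vault names, signer labels, timestamps and the $50M threshold are constructed assumptions.

```python
# Added example (not Drift code): velocity rule for admin-authorised outflows. Trips when
# council/multisig-signed transfers exceed a USD threshold across several vaults in one window.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

@dataclass(frozen=True)
class AdminTransfer:
    ts: datetime      # on-chain confirmation time (UTC)
    signer: str       # council / multisig authority that signed
    vault: str        # vault the funds left
    amount_usd: int   # USD value sent to an external address

def worst_window(transfers: Iterable[AdminTransfer],
                 window: timedelta = timedelta(minutes=12),
                 usd_threshold: int = 50_000_000,
                 min_vaults: int = 2) -> Optional[dict]:
    """Highest-value window that trips the rule, or None if none does."""
    ordered = sorted(transfers, key=lambda t: t.ts)
    worst, start = None, 0
    for end, last in enumerate(ordered):
        while last.ts - ordered[start].ts > window:   # shrink span to fit the window
            start += 1
        span = ordered[start:end + 1]
        total = sum(t.amount_usd for t in span)
        vaults = sorted({t.vault for t in span})
        if total >= usd_threshold and len(vaults) >= min_vaults:
            if worst is None or total > worst["total_usd"]:
                worst = {"start": span[0].ts, "end": last.ts, "total_usd": total,
                         "vaults": vaults, "signers": sorted({t.signer for t in span})}
    return worst

# Constructed sample: routine housekeeping days earlier, then a burst inside 12 minutes.
T0 = datetime(2026, 4, 1, 9, 0)
ROUTINE = [
    AdminTransfer(T0 - timedelta(days=2), "council-A", "vault-usdc", 120_000),
    AdminTransfer(T0 - timedelta(days=1, hours=3), "council-B", "vault-sol", 85_000),
]
BURST = [AdminTransfer(T0 + timedelta(minutes=m), s, v, amt) for m, s, v, amt in [
    (0, "council-A", "vault-usdc", 90_000_000),
    (2, "council-A", "vault-sol", 70_000_000),
    (5, "council-B", "vault-btc", 60_000_000),
    (8, "council-B", "vault-eth", 40_000_000),
    (11, "council-A", "vault-usdc", 20_000_000),
]]

if __name__ == "__main__":
    print(worst_window(ROUTINE))          # None: nothing unusual
    print(worst_window(ROUTINE + BURST))  # one 11-minute window moving $280M
```

Routine administrative activity spread over days never accumulates inside the window, so only the compressed burst produces an alert.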
## Response Actions
- **Containment:** Froze all Drift Protocol functions.
- **Eradication:** Removed compromised wallets from the multisig/Security Council process.
- **Recovery:** Contacted exchanges and bridges to blacklist attacker-controlled addresses:
  - [Attacker Wallet Addresses - Redacted/Flagged]
## Lessons Learned
- **Physical Security as a Cyber Vector:** In-person interactions at conferences are increasingly used by state-sponsored actors to bypass digital perimeters.
- **Supply Chain Risks in Tooling:** Sophisticated actors are leveraging developer-specific software (VSCode/Cursor) to gain code execution.
- **Multisig Vulnerability:** Even decentralized "Security Councils" are vulnerable if multiple members are targeted simultaneously through high-touch social engineering.
## Recommendations
- **Operational Security (OPSEC):** Implement strict policies regarding "TestFlight" or beta software installation on administrative devices.
- **Hardware Isolation:** Use air-gapped or dedicated hardware for any administrative/Security Council actions.
- **Vetting Procedures:** Increase scrutiny of third-party firms seeking integration, including background verification of entities met at conferences.
- **Multi-Factor Administrative Actions:** Implement time-locks or geographically distributed approval requirements that cannot be bypassed by a single proximity-based attack.