Drift Protocol administrative takeover and $285 million loss via Security Council manipulation on Solana
Summary
A sophisticated North Korean state-sponsored threat actor seized control of the Drift Protocol’s Security Council administrative powers on Solana, enabling the malicious transfer of approximately $285 million in user funds on April 1, 2026. The attacker exploited durable nonce accounts, social engineering to obtain multisig approvals, and a zero-timelock Security Council migration to eliminate the last line of defense. Post-takeover actions included deploying a fictitious CarbonVote Token treated as legitimate collateral and removing withdrawal limits to drain funds across borrow/lend deposits, vault deposits, and trading funds. Drift confirmed no smart contract flaws or seed phrase compromises, attributing the breach to unauthorized transaction approvals via durable nonce mechanisms and social engineering. The platform froze all functions, issued a public warning, and is working with security firms, exchanges, and law enforcement to trace and recover stolen assets. On-chain analysis by Elliptic and TRM Labs indicates DPRK involvement, with indicators consistent with prior state-sponsored campaigns targeting crypto infrastructure.
Timeline
- 02.04.2026 22:03 (2 articles)
Drift Protocol Security Council hijack results in $285 million loss via pre-signed transactions on Solana
Between March 23 and 30, 2026, an attacker established durable nonce accounts and secured 2/5 multisig approvals from Drift Protocol’s Security Council through a novel social engineering campaign. On April 1, 2026, the attacker executed the pre-signed malicious transactions immediately after a legitimate transaction, transferring admin control within minutes. The attacker then deployed a malicious asset (CarbonVote Token) with seeded liquidity and wash trading, which Drift’s oracles treated as legitimate collateral, and removed all pre-set withdrawal limits to drain funds from borrow/lend deposits, vault deposits, and trading funds, resulting in an estimated $285 million loss. Drift confirmed the attack did not exploit smart contract vulnerabilities or seed phrase compromises, attributing the breach to unauthorized transaction approvals via durable nonce mechanisms and sophisticated social engineering. The platform froze all protocol functions, issued a public warning, and is coordinating with multiple security firms, exchanges, and law enforcement to trace and recover stolen assets. On-chain indicators, laundering methodologies, and network-level patterns align with known tradecraft associated with North Korean threat actors (DPRK), including deployment timing at 09:30 Pyongyang time. Blockchain intelligence firms Elliptic and TRM Labs assess this incident as potentially the eighteenth DPRK-linked crypto theft tracked in 2026, with over $300 million stolen to date this year.
Sources:
- Drift loses $280 million as hackers seize Security Council powers — www.bleepingcomputer.com — 02.04.2026 22:03
- Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK — thehackernews.com — 03.04.2026 11:35
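The mechanism behind the pre-signed approvals described above: a Solana transaction whose first instruction is the System Program's AdvanceNonceAccount uses a stored nonce in place of a recent blockhash, so it never expires and whoever holds it decides when it executes. The signer-side policy check below is an added example, not Drift's code or Solana's SDK; the message model, the sample program ids other than the System Program, and the decoded `governance` field (standing in for whatever the signer's tooling decodes) are constructed or hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

SYSTEM_PROGRAM = "11111111111111111111111111111111"  # Solana System Program id
# bincode encoding of SystemInstruction::AdvanceNonceAccount: enum variant 4 as u32 little-endian
ADVANCE_NONCE_ACCOUNT = (4).to_bytes(4, "little")

@dataclass
class Instruction:
    program_id: str
    data: bytes

@dataclass
class Message:
    recent_blockhash: str  # in a durable-nonce tx this carries the stored nonce, not a blockhash
    instructions: list
    governance: Optional[dict] = None  # hypothetical: the signer tooling's decode of a governance action

def uses_durable_nonce(msg: Message) -> bool:
    """True when instruction 0 is System Program AdvanceNonceAccount; only then is
    recent_blockhash a nonce and the signed transaction exempt from blockhash expiry."""
    if not msg.instructions:
        return False
    first = msg.instructions[0]
    return first.program_id == SYSTEM_PROGRAM and first.data[:4] == ADVANCE_NONCE_ACCOUNT

def review_for_signing(msg: Message, durable_nonce_expected: bool = False) -> list:
    """Reasons a multisig member should withhold a signature pending review."""
    findings = []
    if uses_durable_nonce(msg) and not durable_nonce_expected:
        findings.append("durable nonce: approval does not expire; execution time is chosen by whoever holds it")
    gov = msg.governance or {}
    if gov.get("action") == "migrate_security_council" and gov.get("timelock_seconds", 0) == 0:
        findings.append("zero timelock on council migration: no window to veto or respond")
    return findings

# Constructed sample messages, not on-chain data.
ORDINARY_TRANSFER = Message(
    "FreshBlockhash111",
    [Instruction(SYSTEM_PROGRAM, (2).to_bytes(4, "little") + (10).to_bytes(8, "little"))],  # Transfer 10 lamports
)
PRESIGNED_MIGRATION = Message(
    "StoredNonceValue111",
    [Instruction(SYSTEM_PROGRAM, ADVANCE_NONCE_ACCOUNT), Instruction("GovProgram111", b"\x07")],
    governance={"action": "migrate_security_council", "timelock_seconds": 0},
)

if __name__ == "__main__":
    for name, m in [("ordinary transfer", ORDINARY_TRANSFER), ("pre-signed migration", PRESIGNED_MIGRATION)]:
        print(name, "->", review_for_signing(m) or ["ok"])
```

A signing policy like this only works if every council member's wallet or co-signing tool applies it before producing a signature; once the signature exists, the nonce-backed transaction can be held until a convenient moment.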
Information Snippets
- Drift Protocol, a Solana-based DeFi trading platform with 200,000 traders and $55 billion in cumulative trading volume, suffered a $280–$285 million loss due to an administrative takeover. (First reported 02.04.2026 22:03; 2 sources: www.bleepingcomputer.com, thehackernews.com)
- The attacker used durable nonce accounts and pre-signed transactions to delay execution, meeting the 2/5 multisig threshold between March 23 and 30, 2026. (First reported 02.04.2026 22:03; 2 sources: www.bleepingcomputer.com, thehackernews.com)
- On April 1, 2026, the attacker executed the pre-signed malicious transactions immediately after a legitimate transaction, transferring admin control within minutes. (First reported 02.04.2026 22:03; 2 sources: www.bleepingcomputer.com, thehackernews.com)
- Post-takeover, the attacker deployed a malicious asset, removed withdrawal limits, and drained funds from borrow/lend deposits, vault deposits, and trading funds. (First reported 02.04.2026 22:03; 2 sources: www.bleepingcomputer.com, thehackernews.com)
- Drift Protocol confirmed no seed phrases or smart contract vulnerabilities were exploited; the attack targeted governance controls via the Security Council multisig. (First reported 02.04.2026 22:03; 2 sources: www.bleepingcomputer.com, thehackernews.com)
- Drift froze all protocol functions, issued a public warning to users, and is coordinating with security firms, exchanges, and law enforcement to trace and recover stolen funds. (First reported 02.04.2026 22:03; 2 sources: www.bleepingcomputer.com, thehackernews.com)
- Drift stated the DSOL token and insurance fund assets remain unaffected, with a detailed post-mortem report planned for release in the coming days. (First reported 02.04.2026 22:03; 1 source: www.bleepingcomputer.com)
- The attacker used a novel combination of durable nonce social engineering and a zero-timelock Security Council migration to eliminate the last line of defense. (First reported 03.04.2026 11:35; 1 source: thehackernews.com)
- The attacker introduced a fictitious asset named CarbonVote Token with minimal seeded liquidity and wash trading, which Drift's oracles treated as legitimate collateral worth hundreds of millions of dollars. (First reported 03.04.2026 11:35; 1 source: thehackernews.com)
- On-chain indicators, laundering methodologies, and network-level patterns align with known tradecraft associated with North Korean threat actors (DPRK). (First reported 03.04.2026 11:35; 1 source: thehackernews.com)
- The CarbonVote Token was deployed at 09:30 Pyongyang time, coinciding with DPRK operational patterns. (First reported 03.04.2026 11:35; 1 source: thehackernews.com)
- According to blockchain intelligence firms Elliptic and TRM Labs, this incident may represent the eighteenth DPRK-linked crypto theft tracked in 2026, with over $300 million stolen to date this year. (First reported 03.04.2026 11:35; 1 source: thehackernews.com)
- DPRK-linked actors are estimated to have stolen over $6.5 billion in cryptoassets in recent years, with a record $2 billion stolen in 2025. (First reported 03.04.2026 11:35; 1 source: thehackernews.com)
- Prior DPRK social engineering campaigns such as DangerousPassword and Contagious Interview target the cryptocurrency and Web3 sectors, with combined gains of $37.5 million in early 2026. (First reported 03.04.2026 11:35; 1 source: thehackernews.com)
- The attack aligns with a broader DPRK supply chain compromise involving the Axios npm package, attributed to the North Korean hacking group UNC1069, which overlaps with BlueNoroff and other clusters. (First reported 03.04.2026 11:35; 1 source: thehackernews.com)
Similar Happenings
Exploiter charged for $53.3M Uranium Finance smart contract heist via code flaws and mixer laundering
A Maryland man, Jonathan Spalletta (aka "Cthulhon"), has been charged with orchestrating two smart contract heists against the Uranium Finance decentralized exchange (DEX) in April 2021, stealing approximately $53.3 million in cryptocurrency. The suspect surrendered to law enforcement and appeared in court, where prosecutors alleged he exploited code flaws in Uranium Finance's AMM contracts to drain the exchange's assets, forcing it into insolvency. Proceeds were laundered through Tornado Cash and partially spent on high-value collectibles before law enforcement recovered approximately $31 million in cryptocurrency and seized assets in February 2025. The first breach on April 8, 2021, involved manipulating the AmountWithBonus variable to issue unauthorized zero-token withdrawals, draining about $1.4 million, which he partially extorted back as a sham bug bounty. The second attack on April 28, 2021, exploited a single-character error in transaction-verification logic, allowing him to withdraw 90% of the DEX's assets across 26 liquidity pools while depositing negligible value.
Ongoing Ghost Cluster Targets npm and GitHub in Multi-Stage Credential and Crypto Wallet Theft Campaign
A coordinated campaign tracked as Ghost continues to target developers via malicious npm packages and GitHub repositories to deploy credential stealers and cryptocurrency wallet harvesters. The operation leverages social engineering and multi-stage infection chains, including fake installation wizards that request sudo/administrator privileges and deceptive npm logs simulating dependency downloads and progress indicators. Stolen data—including browser credentials, crypto wallets, SSH keys, and cloud tokens—is exfiltrated to Telegram channels and BSC smart contracts. The campaign employs a dual monetization model combining credential theft via Telegram channels with affiliate link redirections stored in a BSC smart contract. Malicious npm packages first appeared under the user 'mikilanjijo', with operations beginning as early as February 2026 and expanding to at least 11 packages such as react-performance-suite and react-query-core-utils. The final payload is a remote access trojan that downloads from Telegram channels, decrypts using externally retrieved keys, and executes locally using stolen sudo passwords to harvest credentials and deploy GhostLoader.
UNC4899 Exploits AirDrop to Compromise Crypto Firm's Cloud Environment
UNC4899, a North Korean threat actor, breached a cryptocurrency firm in 2025 by exploiting an AirDrop file transfer to a developer's work device. The attackers used social engineering to deliver a trojanized file, then pivoted to the cloud environment, employing living-off-the-cloud (LOTC) techniques to steal millions in cryptocurrency. The attack involved abusing DevOps workflows, harvesting credentials, and tampering with Cloud SQL databases. The incident highlights risks associated with personal-to-corporate P2P data transfers, privileged container modes, and insecure handling of secrets in cloud environments.
Unleash Protocol suffers $3.9M loss after multisig hijack
Unleash Protocol, a decentralized intellectual property platform, lost approximately $3.9 million in cryptocurrency after an attacker gained administrative control of its multisig governance system. The attacker performed an unauthorized contract upgrade that enabled the withdrawal of assets. The stolen funds were subsequently laundered through Tornado Cash, a cryptocurrency mixing service. Unleash Protocol has paused operations and initiated an investigation.
Sha1-Hulud Supply Chain Attack Results in $8.5 Million Trust Wallet Chrome Extension Hack
On December 24, 2025, users of the Trust Wallet Chrome extension reported significant cryptocurrency losses after a compromised update (version 2.68.0) was released. The update contained malicious code that exfiltrated sensitive wallet data to an external server. Trust Wallet confirmed the security incident and released a patched version (2.69). Losses are estimated to exceed $8.5 million, with ongoing investigations into the incident. The malicious code iterated through all wallets stored in the extension and triggered a mnemonic phrase request for each wallet. The encrypted mnemonic was decrypted using the password or passkey entered during wallet unlock and sent to the attacker's server. The stolen funds include about $3 million in Bitcoin, $431 in Solana, and more than $3 million in Ethereum. The incident has claimed hundreds of victims, and Trust Wallet is actively finalizing the process to refund the impacted users. The stolen funds have been moved through centralized exchanges and cross-chain bridges for laundering and swapping. The backdoor incident originated from malicious source code modification within the internal Trust Wallet extension codebase. The attacker directly tampered with the application's own code and leveraged the legitimate PostHog analytics library as the data-exfiltration channel. There is a possibility that the incident is the work of a nation-state actor, and Changpeng Zhao hinted that the exploit was most likely carried out by an insider. Trust Wallet confirmed that approximately 2,596 wallets were drained in the attack and received around 5,000 claims, indicating a significant number of false or duplicate submissions. Trust Wallet has launched a dedicated claim form for affected users and warned about ongoing phishing campaigns.