Security
Inside the Drift Exploit: How to protect your protocol and multisigs against DPRK threat actors
The Drift Protocol exploit was an unprecedented application of intelligence tradecraft to DeFi governance, one the industry was unprepared for. We've put together some lessons and measures teams can take to protect themselves.

Syed C, Range · Apr 8, 2026

On April 1, 2026, Drift Protocol, Solana's largest decentralized perpetual futures exchange, lost $285 million in user funds across 31 transactions executed in mere minutes. The attack was not the result of a smart contract vulnerability, a private key leak or a zero-day exploit. It was the culmination of a six-month social engineering operation attributed with medium-to-high confidence to DPRK-linked actors (UNC4736/Lazarus Group affiliates).
Drift's team has published detailed disclosures of both the social engineering campaign and the technical execution. That level of transparency strengthens the entire Solana ecosystem. It allows every team building onchain to learn from what happened and take concrete steps to protect their own operations.
This analysis draws on Drift's first-party disclosures and verified onchain data to break down the attack chain, from initial contact through fund exfiltration, and identify the operational security measures that matter most.
The Social Engineering Campaign
Unlike what most people think when they hear “social engineering”, these attackers did not send phishing emails with malicious links. They built fully constructed identities with verifiable professional backgrounds and deployed third-party intermediaries - not North Korean nationals - to execute a structured intelligence operation over six months.
The operation began in fall 2025 at major crypto conferences, where intermediaries posing as a legitimate quantitative trading firm approached Drift contributors. They established ongoing relationships through Telegram, sharing trading strategy discussions and technical questions that demonstrated genuine product knowledge.
Between December 2025 and January 2026, the group completed the onboarding process for Drift's Ecosystem Vault. They submitted detailed strategy documentation, deposited over $1 million of their own capital, and engaged multiple Drift contributors in working sessions, asking informed product questions. The capital deployment and technical depth made standard due diligence checks insufficient; these were not hallmarks of a typical scam operation.
From February through March 2026, various Drift contributors again met individuals from this group face-to-face at multiple major industry conferences. By this point the relationship was half a year old, and the conversations were typical of any partner onboarding. Throughout, links were shared for projects, tools and apps the group claimed to be building, which was standard practice for trading firms working with Drift.
After the April 1 exploit, Drift Protocol identified two infiltration vectors:
One contributor cloned a code repository shared by the group for a frontend deployment. The repository contained a weaponized VS Code tasks.json configuration that exploited a known auto-execution vulnerability (runOn: folderOpen), silently executing code when the folder was opened.
A second contributor downloaded a beta wallet application distributed through Apple's TestFlight, presented as the group's own product.
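The tasks.json vector can be screened for before a cloned folder is ever opened in the editor. The script below is an added example written for this post, not code from Drift or Range. It parses .vscode/tasks.json (tolerating the comments and trailing commas VS Code accepts) and reports every task whose runOptions.runOn is set to folderOpen, which is the real VS Code setting that triggers automatic execution. The sample repository it writes under a temporary directory, including its benign echo task, is constructed for the demonstration.

```python
"""Scan a cloned repository for VS Code tasks that auto-run on folder open.

Added example (not Drift's or Range's code). It looks for the VS Code
setting "runOptions": {"runOn": "folderOpen"} in .vscode/tasks.json, the
auto-execution mechanism described in the post. The demo repository and
its task contents are constructed.
"""
import json
import os
import re
import tempfile

AUTO_RUN_TRIGGER = "folderOpen"


def strip_json_comments(text: str) -> str:
    """VS Code reads tasks.json as JSONC: drop block comments, full-line //
    comments and trailing commas so the strict json parser accepts it."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return text


def find_auto_run_tasks(repo_root: str) -> list[dict]:
    """Return every task in <repo_root>/.vscode/tasks.json that VS Code would
    start on its own when the folder is opened (empty list if none)."""
    path = os.path.join(repo_root, ".vscode", "tasks.json")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8") as fh:
        data = json.loads(strip_json_comments(fh.read()))
    findings = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == AUTO_RUN_TRIGGER:
            findings.append({
                "label": task.get("label", "<unnamed>"),
                "type": task.get("type"),
                "command": task.get("command"),
                "args": task.get("args", []),
            })
    return findings


def build_demo_repo() -> str:
    """Write a constructed sample repository: one normal task, one auto-run task."""
    root = tempfile.mkdtemp(prefix="demo-repo-")
    os.makedirs(os.path.join(root, ".vscode"))
    sample = """{
  // constructed sample; comments are legal in VS Code's JSONC
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
    },
    {
      "label": "setup",
      "type": "shell",
      "command": "echo",
      "args": ["auto-run task fired"],
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}
"""
    with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
        fh.write(sample)
    return root


if __name__ == "__main__":
    repo = build_demo_repo()
    for hit in find_auto_run_tasks(repo):
        print(f"AUTO-RUN TASK {hit['label']!r}: {hit['command']} {' '.join(hit['args'])}")
```

Run it as a pre-open check on any third-party repository. A hit does not by itself prove malicious intent, but the folder should then be opened only in a sandbox or with VS Code's Workspace Trust restricted mode, which disables automatic tasks for untrusted folders.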
These vectors likely provided the access or intelligence needed to compromise multisig signer workflows. Almost immediately after the exploit, all Telegram chat histories with this alleged trading firm and the malicious software they sent were scrubbed - a hallmark of operational tradecraft.
This was clearly intelligence tradecraft applied to DeFi governance, and likely the first of its kind executed at this level of detail. The attackers invested months of in-person relationship-building and real capital to gain the trust and access needed to compromise two of the five multisig signers.
The Technical Execution
With signer access secured via social engineering, the attackers executed a precise technical operation that leveraged Solana-native primitives.
Staging (March 11 - March 30)
March 11: The attackers withdrew approximately 10 ETH from Tornado Cash on Ethereum for operational staging. Funds moved hours later, aligning with approximately 09:00 Pyongyang time on March 12, consistent with DPRK operational patterns observed in prior incidents.
March 23: Four durable nonce accounts were created on Solana. Durable nonces let Solana transactions bypass the normal recent-blockhash expiration window. A nonce transaction remains valid until the nonce account’s stored nonce is advanced, rather than expiring after about 90 seconds. Two nonce accounts were associated with compromised multisig members; two were attacker-controlled. At least two of the five Security Council members pre-signed transactions tied to these nonces, likely through misrepresentation of what was being approved.
March 27: Drift executed a planned Security Council migration (prompted by a legitimate member change) to a new 2-of-5 multisig with zero timelock. This removed the prior delay period, typically 24 to 72 hours, on admin actions. The zero-timelock configuration meant that once two signatures were obtained, any admin action could be executed instantly, with no review window.
March 30: An additional durable nonce account was created for the updated multisig configuration, restoring the attacker's 2-of-5 access under the new structure.
Fabricated Collateral
In parallel with nonce preparation, the attacker manufactured a fictitious token: CarbonVote Token (CVT). Approximately 750 million units were minted, minimal liquidity was seeded on Raydium, and wash trading was used to fabricate a stable price history near $1. This manufactured price history was sufficient for Drift’s oracle feeds to report a stable ~$1 price, which the protocol then used to value CVT as collateral.
Execution (April 1, 16:06 UTC)
The pre-signed durable nonce transactions fired in rapid sequence.
Admin takeover: Two durable nonce transactions executed four slots apart, creating and then granting the attacker control over protocol permissions.
Collateral manipulation: CVT was listed as valid collateral, and withdrawal limits were raised by a factor of 20x, effectively rendering them inert.
Fake deposit: Hundreds of millions in CVT were deposited against the oracle-inflated price.
Vault drain: 31 withdrawal transactions emptied major vaults in approximately 12 minutes. The first major withdrawal - 41.72 million JLP tokens (roughly $155 million) - executed at 16:06:09 UTC. Assets drained included USDC, JLP, wETH and other tokens across Delta Neutral, Super Staking and stablecoin vaults.
No smart contract code was exploited. The entire attack operated through governance permissions unlocked by pre-signed approvals combined with zero-timelock execution.
Post-Drain Fund Movement
Stolen assets were consolidated and moved with speed, far outstripping even the speed and aggressiveness of Bybit's 2025 laundering.
The attacker swapped stolen tokens to USDC via Jupiter aggregator, Raydium, Orca and Meteora on Solana. Within hours, the bulk of the ~$285 million was bridged to Ethereum through Circle's CCTP, Wormhole and deBridge in parallel. On Ethereum, USDC was rapidly converted to ETH, with approximately 129,000 ETH accumulated across four primary wallets. Partial routes also moved funds through Hyperliquid and Binance.
What This Means for Every Solana Team
The Drift exploit is not an indictment of any single team's security practices. Drift was targeted by a nation-state actor that invested six months and over $1 million in capital to compromise two signers through a sophisticated social engineering campaign. This level of intelligence tradecraft has never before been seen in DeFi exploits.
The lessons here apply to every team managing onchain governance.
Multisig governance is the attack surface.
Code audits and smart contract security do not protect against compromised signers. The Drift exploit involved zero code vulnerabilities. The entire $285 million loss resulted from governance access obtained through social engineering. Every team with a multisig should evaluate signer security as rigorously as contract security.
Timelocks are non-negotiable for admin actions.
The zero-timelock migration on March 27 removed the last window in which anomalous admin transactions could have been detected and challenged before execution. Minimum timelock periods on all admin actions - member changes, threshold modifications, collateral listings - provide the critical review window that distinguishes a recoverable incident from a catastrophic loss.
Durable nonces require active monitoring.
Solana's durable nonce feature enables legitimate use cases like offline signing and scheduled transactions. It also allows pre-signed authorizations to persist indefinitely. Monitoring nonce account creation, particularly accounts associated with multisig members, provides early warning of staged attacks.
Oracle manipulation through fabricated tokens is a systemic risk.
The CVT token had minimal real liquidity and a manufactured price history built through wash trading. Low-liquidity collateral acceptance based primarily on oracle price data creates a vector for synthetic collateral attacks. Collateral governance should incorporate verification of liquidity depth and trading history beyond the spot price.
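A concrete shape for the collateral check described above, as an added example that is not Drift's listing logic: it scores a candidate on liquidity depth, length of price history, trader breadth, volume concentration (a wash-trading signal) and implied market cap relative to real liquidity, and derives a per-asset deposit cap so that even an approved asset cannot be deposited far beyond what the market can absorb. The thresholds and the two candidate assets are constructed; the 750 million CVT supply is the figure from the post, and its other numbers are invented to illustrate the pattern.

```python
"""Collateral admission screen that looks beyond the oracle spot price.

Added example, not Drift's listing logic. Thresholds and the two candidate
assets are constructed; the 750M CVT supply is the figure from the post.
"""
from dataclasses import dataclass


@dataclass
class CandidateAsset:
    symbol: str
    oracle_price_usd: float
    pool_liquidity_usd: float        # two-sided liquidity in the deepest onchain venue
    price_history_days: int          # days for which a price feed has existed
    unique_traders_30d: int          # distinct wallets trading the asset in the last 30 days
    top5_trader_volume_share: float  # fraction of 30-day volume from the 5 most active wallets
    circulating_supply: float


# Policy thresholds (constructed; a real protocol tunes these per market)
MIN_LIQUIDITY_USD = 5_000_000
MIN_HISTORY_DAYS = 90
MIN_UNIQUE_TRADERS = 500
MAX_TOP5_VOLUME_SHARE = 0.50
MAX_MCAP_TO_LIQUIDITY = 20.0      # implied market cap may not dwarf real liquidity
DEPOSIT_CAP_FRACTION = 0.10       # cap exposure at 10% of observed liquidity


def screen_collateral(asset: CandidateAsset) -> list[str]:
    """Return policy violations for a listing candidate; an empty list means it may proceed."""
    problems = []
    if asset.pool_liquidity_usd < MIN_LIQUIDITY_USD:
        problems.append(f"liquidity ${asset.pool_liquidity_usd:,.0f} below ${MIN_LIQUIDITY_USD:,}")
    if asset.price_history_days < MIN_HISTORY_DAYS:
        problems.append(f"price history {asset.price_history_days}d shorter than {MIN_HISTORY_DAYS}d")
    if asset.unique_traders_30d < MIN_UNIQUE_TRADERS:
        problems.append(f"only {asset.unique_traders_30d} unique traders in 30d")
    if asset.top5_trader_volume_share > MAX_TOP5_VOLUME_SHARE:
        problems.append(f"{asset.top5_trader_volume_share:.0%} of volume from 5 wallets (wash-trading signal)")
    implied_mcap = asset.oracle_price_usd * asset.circulating_supply
    if implied_mcap > MAX_MCAP_TO_LIQUIDITY * asset.pool_liquidity_usd:
        problems.append(f"implied market cap ${implied_mcap:,.0f} exceeds {MAX_MCAP_TO_LIQUIDITY:.0f}x real liquidity")
    return problems


def max_deposit_usd(asset: CandidateAsset) -> float:
    """Even an approved asset is capped at a fraction of what the market can absorb."""
    return asset.pool_liquidity_usd * DEPOSIT_CAP_FRACTION


# Constructed candidates: a deep, widely traded asset and a CVT-like synthetic token.
DEEP_ASSET = CandidateAsset("DEEP", 1.00, 50_000_000, 400, 20_000, 0.12, 500_000_000)
THIN_ASSET = CandidateAsset("CVT", 1.00, 50_000, 9, 12, 0.97, 750_000_000)

if __name__ == "__main__":
    for asset in (DEEP_ASSET, THIN_ASSET):
        issues = screen_collateral(asset)
        verdict = "LISTABLE" if not issues else "REJECT"
        print(f"{asset.symbol}: {verdict}, deposit cap ${max_deposit_usd(asset):,.0f}")
        for issue in issues:
            print("  -", issue)
```

The point of the last rule is that a stable ~$1 oracle print says nothing about whether the market could actually absorb the collateral; comparing implied market cap against observed liquidity catches a token whose entire valuation rests on a thin, self-traded pool.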
Nation-state actors invest months before striking.
The campaign combined in-person meetings at conferences, real capital deployed through legitimate onboarding processes and fully constructed professional identities. Standard phishing awareness training does not prepare teams for this level of operational commitment. Teams managing significant treasury or governance access should assume that sophisticated actors may already be building trust within their networks.
How Teams Can Protect Themselves
Several operational security measures are available to Solana teams today that directly address the vectors exploited in the Drift incident. Range's Advanced Multisig Security provides these capabilities for Solana teams, but more importantly, as a security partner of the Solana ecosystem, we are happy to support every Solana team in implementing these changes.
Real-time treasury and multisig monitoring: Track every multisig lifecycle event - member changes, threshold modifications, proposal velocity and execution patterns. Flag anomalies such as zero-history wallets being added to multisig configurations or unusual proposal timing.
Transaction simulation before signing: Decode and simulate every transaction so signers see exactly what they are approving before they sign. Range provides this for all Squads multisigs through the Solana Transaction Security Standard, ensuring signers can verify the full impact of each transaction.
Alternative UI and proposal visualization channel: Provide an independent interface for reviewing multisig proposals, with clear decoding of instructions, account changes, and transaction intent. This lets signers verify intent outside the default UI and reduces the risk from a compromised interface.
Cross-chain exfiltration tracking: Monitor bridge activity across CCTP, Wormhole, deBridge and other interop protocols for rapid high-value outflows that indicate post-exploit fund movement.
Threat intelligence integration: Sanctions screening, behavioral analysis and intelligence sharing through partners and industry groups. Range is closely partnered with Squads and zeroShadow - founding members of SIRN (Solana Incident Response Network) - providing coordinated threat intelligence for the Solana ecosystem.
Operational security training and incident response: Every signer is a potential target. Regular training on social engineering tactics and direct access to a security response team during incidents reduce both the probability of compromise and the time to containment.
Enforced timelocks on all admin actions: Minimum delay periods on governance changes provide the review window that enables detection and intervention before irreversible damage occurs.
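The monitoring items above (nonce account creation from the durable-nonce lesson, lifecycle events such as zero-history members being added, timelock reductions and proposal execution velocity) turned into concrete detection rules, as an added example that is not Range's monitoring product or Drift's tooling. It assumes an upstream indexer already emits normalised events in the dict shape shown; the signer set, the event stream, the 24-hour minimum and the burst thresholds are constructed for the demonstration.

```python
"""Rule-based monitor for multisig lifecycle and durable-nonce events.

Added example, not Range's product or Drift's tooling. It assumes an upstream
indexer has already normalised onchain activity into the event dicts shown at
the bottom; the signer set, event stream and thresholds are constructed.
"""
from collections import deque
from dataclasses import dataclass

MIN_TIMELOCK_SECONDS = 24 * 3600   # 24h, the lower end of the post's review window
BURST_WINDOW_SECONDS = 120         # executions inside this window count toward a burst
BURST_MAX_EXECUTIONS = 3           # more than this many in the window raises an alert


@dataclass
class Alert:
    severity: str
    ts: int
    rule: str
    detail: str


def evaluate(events: list[dict], signers: set[str]) -> list[Alert]:
    """Run every rule over a time-ordered event stream and return the alerts raised."""
    alerts = []
    recent_exec = deque()  # timestamps of executions inside the burst window
    for ev in events:
        kind, ts = ev["kind"], ev["ts"]
        if kind == "nonce_account_initialized":
            # A durable nonce whose authority is a signer means a pre-signed
            # transaction can stay valid indefinitely until the nonce advances.
            if ev["authority"] in signers:
                alerts.append(Alert("high", ts, "nonce-for-signer",
                    f"nonce account {ev['account']} created with signer {ev['authority']} as authority"))
        elif kind == "member_added":
            if ev["history_tx_count"] == 0:
                alerts.append(Alert("high", ts, "zero-history-member",
                    f"wallet {ev['member']} with no onchain history added to multisig"))
        elif kind == "timelock_changed":
            if ev["new_seconds"] < MIN_TIMELOCK_SECONDS:
                alerts.append(Alert("critical", ts, "timelock-below-minimum",
                    f"timelock lowered from {ev['old_seconds']}s to {ev['new_seconds']}s"))
        elif kind == "proposal_executed":
            recent_exec.append(ts)
            while recent_exec and ts - recent_exec[0] > BURST_WINDOW_SECONDS:
                recent_exec.popleft()
            if len(recent_exec) == BURST_MAX_EXECUTIONS + 1:  # fire once as the threshold is crossed
                alerts.append(Alert("high", ts, "execution-burst",
                    f"{len(recent_exec)} proposals executed within {BURST_WINDOW_SECONDS}s"))
    return alerts


# Constructed signer set and event stream (timestamps in seconds, addresses are placeholders)
SIGNERS = {"SignerA", "SignerB", "SignerC", "SignerD", "SignerE"}
SAMPLE_EVENTS = [
    {"ts": 100, "kind": "nonce_account_initialized", "account": "Nonce1", "authority": "SignerB"},
    {"ts": 200, "kind": "nonce_account_initialized", "account": "Nonce2", "authority": "Unrelated1"},
    {"ts": 300, "kind": "member_added", "member": "FreshWallet", "history_tx_count": 0},
    {"ts": 400, "kind": "member_added", "member": "KnownOps", "history_tx_count": 1500},
    {"ts": 500, "kind": "timelock_changed", "old_seconds": 86400, "new_seconds": 0},
    {"ts": 1000, "kind": "proposal_executed", "proposal": "p1"},
    {"ts": 1010, "kind": "proposal_executed", "proposal": "p2"},
    {"ts": 1020, "kind": "proposal_executed", "proposal": "p3"},
    {"ts": 1030, "kind": "proposal_executed", "proposal": "p4"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS, SIGNERS):
        print(f"[{a.severity.upper()}] t={a.ts} {a.rule}: {a.detail}")
```

The nonce rule deliberately keys on the nonce account's authority rather than on who funded it: a nonce account a signer controls is exactly the object that lets a transaction they signed weeks earlier still land later, so its creation is the earliest point at which the staging phase becomes visible. The timelock rule is the one to page on, since a reduction to zero removes the window in which every other alert could still be acted upon.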
Looking Forward
Drift's decision to publish detailed disclosures of both the social engineering campaign and the technical execution sets an important standard. Every detail shared makes it harder for these tactics to succeed against the next target.
The Solana ecosystem's response - through STRIDE, SIRN and coordinated security efforts - demonstrates that operational security is treated as a shared responsibility. The Drift incident reinforces that the most significant risks to onchain infrastructure are not in the code but in the humans and processes that govern it.
Range remains committed to supporting the Solana ecosystem's risk and security posture. The tools and practices that protect against governance-level attacks are available today, and the ecosystem is stronger when teams adopt them collectively.
If you are building on Solana, get in touch to learn more about how we can help.
About Range
Range is the leading intelligence and risk platform for cross-chain stablecoin infrastructure, trusted by the Solana Foundation, Circle, Stellar, dYdX, Squads and more. We provide the compliance, risk, and routing systems behind the next generation of onchain payments and applications.
Used by fintechs, protocols, and DeFi teams, Faraday is our transaction engine that enables cross-chain routing, compliance enforcement, and real-time risk monitoring through a single API. Our Stablecoin Explorer at explorer.money - the first of its kind - tracks almost 200 stablecoins across all chains and bridges.
We also provide the security layer behind some of the most sensitive infrastructure on Solana. Our Solana Transaction Security Standard protects programs, accounts and treasuries worth over $30b, while our Risk API and Onchain Risk Verifier enable privacy-focused apps on Solana to stay compliant.
Whether you're building programmable treasuries or privacy flows, Range helps ensure they're safe, compliant, and ready for scale.