Drift Protocol Hack Drains $285 Million Through Six-Month Social Engineering Operation
- Drift Protocol, a Solana-based decentralized perpetuals exchange, was hacked for $285 million on April 1, 2026, marking the largest crypto exploit of the year.
- The attack exploited a six-month-long social engineering campaign by a North Korean state-sponsored group, UNC4736, which manipulated oracles and governance controls to drain funds, as reported.
- The breach exposed weaknesses in governance architecture, oracle trust, and key management within DeFi protocols, raising concerns about insider risks.
Drift Protocol, a Solana-based decentralized perpetuals exchange, was exploited for $285 million on April 1, 2026. The attack did not rely on a code vulnerability but exploited trust in oracle pricing and governance controls. The attacker manipulated a fake token, known as CarbonVote Token (CVT), to gain access to Drift's governance and withdraw assets, according to reports.
The attack was attributed to a North Korean state-sponsored group known as UNC4736, which has targeted the cryptocurrency sector since at least 2018. This group has operated under the cryptonyms AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces. Attackers posed as a quantitative trading firm and built relationships with protocol insiders at major crypto events, as detailed.
The exploitation of governance controls and oracle pricing allowed the attacker to drain assets such as USDC, SOL, JLP, and WBTC from Drift. The attack lasted less than 12 minutes and resulted in Drift's total value locked (TVL) dropping from around $550 million to under $300 million in under an hour.
What Was the Drift Protocol Hack?
The Drift Protocol hack was a $285 million exploit that occurred on April 1, 2026. It marked the largest crypto exploit of the year and one of the most significant DeFi hacks in 2026.
The attack bypassed traditional smart-contract-based security measures by exploiting governance controls and oracle pricing. The attacker used a fake token, CVT, to manipulate Drift's price feeds and then executed 31 rapid withdrawals, draining assets from the protocol.
The attack also highlighted vulnerabilities in DeFi systems, particularly the reliance on oracle pricing and governance controls. This event prompted discussions on improving operational security, access controls, and governance hygiene within the DeFi sector, according to analysis.

How Did the Attack Work?
The Drift Protocol hack involved a six-month-long social engineering operation. Attackers posed as a quantitative trading firm and built relationships with protocol insiders at multiple crypto events starting in October 2025.
Through these relationships, attackers gained trust with multisig signers and used a Solana feature called durable nonces to pre-approve hidden transactions. These transactions remained dormant for weeks until executed during the attack, as reported.
Additionally, attackers created a fake token, CVT, with a small liquidity pool and manipulated oracle pricing to treat it as legitimate collateral. This allowed them to raise withdrawal limits and execute large withdrawals.
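The durable-nonce pre-approval described above can be caught at signing time, because on Solana a durable-nonce transaction always begins with a System Program AdvanceNonceAccount instruction. The following is an added example, not code from this article or from Drift; it assumes the transaction message has already been decoded into a dictionary, and the function names, the policy and the sample keys are hypothetical.

```python
import struct

SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4  # SystemInstruction variant index, encoded as u32 LE

def durable_nonce_info(msg):
    """Return (nonce_account, nonce_authority) when the first instruction is
    System Program AdvanceNonceAccount, the marker of a durable-nonce
    transaction; otherwise return None."""
    if not msg["instructions"]:
        return None
    ix, keys = msg["instructions"][0], msg["account_keys"]
    if keys[ix["program_id_index"]] != SYSTEM_PROGRAM:
        return None
    data = ix["data"]
    if len(data) < 4 or struct.unpack_from("<I", data)[0] != ADVANCE_NONCE_ACCOUNT:
        return None
    if len(ix["accounts"]) < 3:
        return None
    # Account order: nonce account, RecentBlockhashes sysvar, nonce authority
    return keys[ix["accounts"][0]], keys[ix["accounts"][2]]

def review_signing_request(msg, team_keys):
    """Findings a signer should see before approving (hypothetical policy)."""
    info = durable_nonce_info(msg)
    if info is None:
        return []  # ordinary transaction: expires with its recent blockhash
    nonce_account, authority = info
    findings = [f"durable nonce {nonce_account}: signature stays valid until the nonce is advanced"]
    if authority not in team_keys:
        findings.append(f"nonce authority {authority} is not a team key: the team cannot advance the nonce to revoke")
    return findings

# Constructed sample messages, already decoded; key names are placeholders.
KEYS = ["SIGNER_A", "NONCE_ACCT", "SysvarRecentB1ockHashes11111111111111111111",
        "OUTSIDE_AUTHORITY", SYSTEM_PROGRAM, "GOVERNANCE_PROGRAM"]
ADVANCE = {"program_id_index": 4, "accounts": [1, 2, 3], "data": struct.pack("<I", 4)}
GOV_CALL = {"program_id_index": 5, "accounts": [0], "data": b"\x01"}
DURABLE_TX = {"account_keys": KEYS, "instructions": [ADVANCE, GOV_CALL]}
NORMAL_TX = {"account_keys": KEYS, "instructions": [GOV_CALL]}

if __name__ == "__main__":
    for name, tx in (("durable", DURABLE_TX), ("normal", NORMAL_TX)):
        print(name, review_signing_request(tx, team_keys={"SIGNER_A"}))
```

A signing tool that surfaces these findings lets a multisig signer see that an approval will not lapse on its own and who can cancel it.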
Who Was Involved and What Are the Legal Implications?
The attack was attributed to a North Korean state-sponsored group known as UNC4736. This group has been linked to previous attacks on the crypto sector since 2018 and is also known by the cryptonyms AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces, according to reports.
Legal implications have also emerged, with a law firm, Gibbs Mura, investigating potential claims against Circle for its alleged failure to freeze $230 million in stolen USDC. The investigation is examining whether Circle applied its freeze authority inconsistently and failed to maintain adequate monitoring of its cross-chain transfer infrastructure, as detailed.
The Drift Protocol hack has also drawn scrutiny toward the broader DeFi ecosystem. The incident highlights the need for stronger governance structures, improved key management, and real-time monitoring to prevent similar attacks in the future, according to experts.