Drift Protocol Hacked for $285M — Highlighting Risks in Multisig Infrastructure and Social Engineering
Drift Protocol, a Solana-based decentralized exchange, was exploited for $285 million on April 1, 2026, through a multisig admin takeover.
Critics, including blockchain investigator ZachXBT, argue that Circle could have acted faster to freeze stolen USDC via its Cross-Chain Transfer Protocol (CCTP), but legal constraints may prevent preemptive action without authorization.
The attack was traced to a North Korean-linked group, UNC4736, that engaged in a six-month social engineering campaign targeting Drift Protocol contributors through in-person interactions at crypto conferences.
Drift Protocol was hacked on April 1, 2026, resulting in a $285 million loss. The exploit occurred when attackers gained control of the protocol's multisig admin keys.
The breach highlights vulnerabilities in multisig infrastructure, where the compromise of a small number of admin keys can lead to catastrophic losses.
The attackers used CCTP to move about $232 million in stolen USDC from Solana to Ethereum, drawing criticism for Circle's inaction.
ZachXBT accused Circle of inconsistent application of its freeze authority, contrasting its failure to act in the Drift hack with previous actions against unrelated hot wallets.
Legal counsel for Plume warned that preemptive freezing of assets without court orders could expose Circle to liability, underscoring the need for clear legal frameworks.
The attack was attributed to a DPRK-affiliated group known as UNC4736, which posed as a quantitative trading firm and built relationships with Drift contributors over six months.
After the breach, a wallet presumed to belong to the Drift Protocol team deposited $2.4 million in DRIFT tokens on exchanges, raising questions about the team's strategy and potential market impact.
Drift Protocol has linked the breach to the same actors responsible for the October 2024 Radiant Capital hack, indicating a pattern of sophisticated social engineering attacks.
The incident highlights the risks of in-person interactions at crypto conferences and the need for heightened security measures in decentralized finance platforms.
What Caused the Drift Protocol Hack?
The $285 million hack occurred through a multisig admin takeover, rather than a smart contract exploit. Attackers gained control of the protocol's admin keys, allowing them to siphon off funds.

The attackers did not exploit a flaw in the protocol's smart contracts; they compromised the administrative key infrastructure around them. A protocol is only as decentralized as the authority that can upgrade or drain it, so when that authority sits with a small set of admin keys, the key holders, not the code, become the attack surface.
Drift Protocol's admin authority was a 2-of-5 multisig, so the attacker needed to compromise only two of the five signers. Once those two approved a transaction, the threshold was met with no honest signer involved, giving the attacker full control.
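To make the threshold arithmetic concrete, here is an added example (not Drift's code, and not a description of the multisig program Drift actually used) that simulates a k-of-n admin authority and runs the scenario the article describes: an attacker holding two of five keys proposing a full withdrawal. The signer names, the vault balance and the three hardening knobs (a higher threshold, a timelock with member veto, and a per-proposal withdrawal cap) are assumptions for illustration; the article says nothing about which of these Drift had or lacked.

```python
"""Added example: a simulated k-of-n admin multisig, not Drift Protocol's code.

Models the failure mode in the article (attacker holds k keys) and three
common hardening patterns. All names, amounts and mechanics are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Proposal:
    action: str
    amount: int                       # assumed vault units (USD)
    created_at: int                   # unix seconds
    approvals: set = field(default_factory=set)
    vetoed: bool = False


class AdminMultisig:
    """k-of-n admin authority with optional timelock and withdrawal cap."""

    def __init__(self, members, threshold, timelock_seconds=0, max_withdrawal=None):
        if not 1 <= threshold <= len(members):
            raise ValueError("threshold must be between 1 and the member count")
        self.members = set(members)
        self.threshold = threshold
        self.timelock = timelock_seconds
        self.max_withdrawal = max_withdrawal

    def propose(self, signer, action, amount, now):
        """Create a proposal; the proposer's own key counts as the first approval."""
        self._require_member(signer)
        proposal = Proposal(action, amount, now)
        proposal.approvals.add(signer)
        return proposal

    def approve(self, proposal, signer):
        self._require_member(signer)
        proposal.approvals.add(signer)

    def veto(self, proposal, signer):
        """Assumed feature: any member may block a pending proposal during the timelock."""
        self._require_member(signer)
        proposal.vetoed = True

    def check_execute(self, proposal, now):
        """Return (ok, reason) for executing `proposal` at time `now`."""
        if proposal.vetoed:
            return False, "vetoed"
        if len(proposal.approvals & self.members) < self.threshold:
            return False, "insufficient approvals"
        if now < proposal.created_at + self.timelock:
            return False, "timelock not elapsed"
        if self.max_withdrawal is not None and proposal.amount > self.max_withdrawal:
            return False, "exceeds withdrawal limit"
        return True, "executable"

    def _require_member(self, signer):
        if signer not in self.members:
            raise PermissionError(f"{signer} is not a multisig member")


MEMBERS = ["alice", "bob", "carol", "dave", "erin"]   # constructed signer names
COMPROMISED = ["alice", "bob"]                          # attacker holds two keys
VAULT_BALANCE = 285_000_000                             # loss figure from the article


def attacker_drain(config, now=0):
    """Attacker proposes a full withdrawal with one stolen key, approves with the other."""
    proposal = config.propose(COMPROMISED[0], "withdraw_all", VAULT_BALANCE, now)
    config.approve(proposal, COMPROMISED[1])
    return config.check_execute(proposal, now)


def scenario_weak():
    # 2-of-5, no timelock, no cap: two stolen keys are enough to drain immediately.
    return attacker_drain(AdminMultisig(MEMBERS, threshold=2))


def scenario_higher_threshold():
    # 3-of-5: the same two stolen keys cannot reach the threshold alone.
    return attacker_drain(AdminMultisig(MEMBERS, threshold=3))


def scenario_timelock():
    # 2-of-5 with a 24h timelock: threshold is met, but execution must wait,
    # and an honest member who notices the pending drain can veto it.
    cfg = AdminMultisig(MEMBERS, threshold=2, timelock_seconds=24 * 3600)
    proposal = cfg.propose("alice", "withdraw_all", VAULT_BALANCE, now=0)
    cfg.approve(proposal, "bob")
    immediate = cfg.check_execute(proposal, now=0)
    cfg.veto(proposal, "carol")
    after_window = cfg.check_execute(proposal, now=24 * 3600 + 1)
    return immediate, after_window


def scenario_limit():
    # 2-of-5 with a per-proposal cap: the drain exceeds the cap and is refused.
    return attacker_drain(AdminMultisig(MEMBERS, threshold=2, max_withdrawal=1_000_000))


if __name__ == "__main__":
    for name, fn in [("weak", scenario_weak), ("3-of-5", scenario_higher_threshold),
                     ("timelock+veto", scenario_timelock), ("cap", scenario_limit)]:
        print(f"{name:14} -> {fn()}")
```

The point of the four scenarios is that the threshold alone decides how many compromised humans it takes to empty the vault; a timelock or withdrawal cap does not stop the takeover, but it turns an instant drain into a window in which the remaining signers and monitoring can react.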
Why Did Circle Fail to Freeze the Stolen USDC?
Circle has been criticized for not intervening to freeze the stolen USDC during the Drift exploit. The attacker used Circle's CCTP to move funds from Solana to Ethereum without any action from the stablecoin issuer.
Circle maintains that it only freezes assets when legally required, such as through court orders or law enforcement requests. This approach aims to avoid legal liability from preemptive actions.
Legal experts suggest that lawmakers should clarify the responsibilities of stablecoin issuers, potentially providing safe harbors for those who freeze assets based on reasonable judgments of illicit activity.
Who Was Behind the Drift Hack and How Was It Executed?
The attack was traced to a DPRK-affiliated group known as UNC4736 or Golden Chollima. The group engaged in a six-month social engineering campaign, targeting Drift Protocol contributors at crypto conferences.
Posing as a quantitative trading firm, the group built relationships with contributors and used these connections to deploy malicious tools and links that compromised systems.
The attackers deleted their digital footprints post-exploit, making forensic investigation difficult. The operation was described as an intelligence-style campaign involving third-party intermediaries for face-to-face interactions.
The group has a history of targeting crypto platforms, including the 2023 X_TRADER/3CX supply chain breach and the 2024 Radiant Capital hack. This incident highlights the evolving tactics of DPRK threat actors, who increasingly rely on social engineering and long-term relationship-building to infiltrate high-value targets in the DeFi space.