Drift has revealed that the April 1, 2026, attack that led to the theft of $285 million was the culmination of a months-long targeted and meticulously planned social engineering operation undertaken by the Democratic People's Republic of Korea (DPRK) that began in the fall of 2025. The Solana-based decentralized exchange described it as "an attack six months in the
# Incident Report: Drift Solana Exchange $285M Compromise
## Executive Summary
Drift, a Solana-based decentralized exchange, suffered a catastrophic loss of $285 million on April 1, 2026, following a six-month social engineering campaign by DPRK-linked actors. The attackers, identified as UNC4736 (Golden Chollima), utilized non-North Korean intermediaries to build long-term trust with Drift contributors before deploying malicious integrations. This incident highlights the extreme sophistication of state-sponsored actors employing physical human intelligence (HUMINT) and professional "long-game" rapport building to breach DeFi protocols.
## Incident Details
- **Discovery Date:** April 1, 2026
- **Incident Date:** April 1, 2026 (Culmination of activity starting Fall 2025)
- **Affected Organization:** Drift Protocol
- **Sector:** Cryptocurrency / Decentralized Finance (DeFi)
- **Geography:** International (Remote/Distributed team with physical interactions in global crypto hubs)
## Timeline of Events
### Initial Access
- **Date/Time:** Fall 2025
- **Vector:** Targeted Social Engineering (Physical & Relationship-based)
- **Details:** Individuals posing as representatives of a quantitative trading firm approached Drift contributors at major international crypto conferences. They built rapport over six months via Telegram and face-to-face meetings.
### Lateral Movement
- **Movement:** Between December 2025 and January 2026, the threat actors onboarded an "Ecosystem Vault" on Drift. This involved submitting strategy details and integrating malicious logic/code under the guise of a legitimate trading partnership.
### Data Exfiltration/Impact
- **Impact:** On April 1, 2026, the attackers leveraged the established vault integrations or associated vulnerabilities to drain $285 million in crypto assets from the protocol.
### Detection & Response
- **Discovery:** On-chain monitoring detected the illicit outflow of $285 million on April 1, 2026.
- **Response actions taken:** Drift engaged law enforcement and blockchain forensic partners (including analysis of fund flows linking the attack to previous Radiant Capital hackers).
## Attack Methodology
- **Initial Access:** High-touch social engineering using third-party intermediaries to bypass geographic/cultural suspicion.
- **Persistence:** Establishing legitimate-looking business partnerships and integrated "Ecosystem Vaults."
- **Privilege Escalation:** Not explicitly detailed, but involved gaining the rights to manage/onboard vaults.
- **Defense Evasion:** Use of technically fluent, professional-seeming "front" personas and non-DPRK nationals for in-person meetings.
- **Credential Access:** Likely gained through rapport-based deception or fraudulent "onboarding" forms.
- **Discovery:** Six months of "substantive conversations" to understand Drift's internal operations and vault architecture.
- **Lateral Movement:** Transitioning from social Telegram groups to technical protocol integration (Ecosystem Vaults).
- **Collection:** Identifying high-value asset pools within the Drift protocol.
- **Exfiltration:** Large-scale on-chain transfer of $285M to adversary-controlled wallets.
- **Impact:** Financial theft and depletion of protocol liquidity.
## Impact Assessment
- **Financial:** Total loss of $285 million.
- **Data Breach:** Compromise of internal operational processes and contributor communications.
- **Operational:** Significant disruption to the Drift protocol and its vault ecosystem.
- **Reputational:** High-profile breach impacting trust in Solana-based DeFi security.
## Indicators of Compromise
- **Network indicators:** Fund flows tracing back to previous "Radiant Capital" and "AppleJeus" attacker wallets.
- **File indicators:** Malicious Python packages (observed in similar UNC4736 campaigns).
- **Behavioral indicators:** Long-term grooming via Telegram; requests for specialized vault integrations with proprietary code.
## Response Actions
- **Containment:** Pausing of affected protocol features (implied).
- **Eradication:** Investigation of the fraudulent "Ecosystem Vault" and associated personas.
- **Recovery:** Coordination with law enforcement and global exchanges to freeze/track stolen funds.
## Lessons Learned
- **The "Human" Perimeter:** The primary vulnerability was not a software bug, but the trust established with human contributors over several months.
- **Third-Party Proxies:** State-sponsored actors are now hiring non-nationals to conduct "face-to-face" social engineering, rendering "physical intuition" less reliable.
- **Rigorous Onboarding:** Business integrations and "vault" partnerships require the same level of security auditing as the core protocol code.
## Recommendations
- **Enhanced Due Diligence:** Implement strict KYC (Know Your Customer) and background verification for all institutional "Ecosystem" partners.
- **Multi-Party Approval:** Ensure that any integration facilitating large-scale asset movement requires multi-signature approval from diverse, non-socially linked team members.
- **Zero-Trust Communication:** Treat all "professional" outreach from external firms with skepticism, regardless of physical presence at industry events.
- **Code Audits for Partners:** Mandate independent security audits for any third-party code or "strategy" being integrated into the protocol.