
Drift Protocol administrative takeover and $285 million loss via Security Council manipulation on Solana

2 unique sources, 4 articles

Summary


The April 1, 2026, $285 million Drift Protocol loss was part of a broader campaign by North Korea-linked Lazarus Group (TraderTraitor) targeting DeFi protocols. On April 18, 2026, the group executed a $290 million heist against KelpDAO by exploiting its cross-chain verification layer (DVN) via compromised RPC nodes, falsified data injection, and DDoS attacks, laundering funds through Tornado Cash. The attack paused KelpDAO’s rsETH contracts, froze Aave’s rsETH collateral usage, and was isolated to rsETH without broader contagion. Drift Protocol’s Security Council hijacking, attributed to UNC4736 (AppleJeus/Labyrinth Chollima), and KelpDAO’s DVN compromise both align with Lazarus Group’s pattern of sophisticated state-sponsored attacks on DeFi infrastructure.

Timeline

  1. 02.04.2026 22:03 · 4 articles

    Drift Protocol Security Council hijack results in $285 million loss via pre-signed transactions on Solana

    The investigation confirms the $285 million theft was enabled by a six-month in-person social engineering campaign, where threat actors posed as a quantitative trading firm and engaged Drift contributors directly at crypto conferences. Attackers compromised at least two contributors via a malicious code repository (exploiting a VSCode/Cursor vulnerability) and a fraudulent TestFlight wallet application, using the access to hijack Security Council multisig controls. The Telegram group used for coordinating with contributors was deleted immediately after the theft occurred. Drift attributes the attack with medium-high confidence to UNC4736 (AppleJeus/Labyrinth Chollima), a North Korea-linked actor previously associated with the 3CX supply-chain attack, the $50 million Radiant cryptocurrency theft in 2024, and Chrome zero-day exploitation. The in-person operatives were non-Korean intermediaries, while the campaign itself is assessed to be North Korean state-sponsored. Drift has flagged the attackers’ wallets across exchanges and bridge operators to prevent fund movement or withdrawal, and continues to freeze all protocol functions while coordinating with Elliptic, TRM Labs, and law enforcement to trace and recover stolen assets. This article further links the attack to the broader North Korean Lazarus Group (TraderTraitor) pattern of DeFi targeting, as detailed in the KelpDAO incident, reinforcing attribution to state-sponsored DPRK actors.



Similar Happenings

Unauthorized transfer of 50.903 Bitcoin from Bitcoin Depot corporate wallets

Attackers breached Bitcoin Depot’s corporate IT systems on March 23, 2026, and exfiltrated approximately 50.903 Bitcoin (valued at $3.665 million) from the company’s controlled wallets before access was blocked. The intrusion targeted Bitcoin Depot’s corporate environment and did not affect customer-facing platforms, systems, or data. The company activated incident response protocols, engaged external cybersecurity experts, and notified law enforcement and regulators, including the SEC.

Targeted social engineering of Axios maintainer enables UNC1069 npm supply chain compromise via WAVESHAPER.V2 implant

A maintainer of the widely used Axios npm package was targeted in a highly tailored social engineering campaign attributed to North Korean threat actor UNC1069, resulting in the compromise of npm account credentials and the publication of two trojanized versions of Axios (1.14.1 and 0.30.4). Google Threat Intelligence Group (GTIG) attributed the attack to UNC1069 based on the use of WAVESHAPER.V2 and infrastructure overlaps with past activities. The malicious packages were available for roughly three hours and injected a plain-crypto-js dependency that installed a cross-platform RAT, enabling credential theft and downstream compromise. The campaign also targeted additional maintainers, including Pelle Wessman (Mocha framework) and Node.js core contributors, revealing a coordinated effort against high-impact maintainers. The intrusion began with reconnaissance-driven impersonation of a legitimate company founder, engagement via a cloned Slack workspace and Microsoft Teams call, and execution of a fake system update that deployed the RAT. Post-incident, the maintainer reset devices, rotated all credentials, adopted immutable releases, introduced OIDC-based publishing flows, and updated GitHub Actions workflows to mitigate future risks.

Exploiter charged for $53.3M Uranium Finance smart contract heist via code flaws and mixer laundering

A Maryland man, Jonathan Spalletta (aka "Cthulhon"), has been charged with orchestrating two smart contract heists against the Uranium Finance decentralized exchange (DEX) in April 2021, stealing approximately $53.3 million in cryptocurrency. The suspect surrendered to law enforcement and appeared in court, where prosecutors alleged he exploited code flaws in Uranium Finance's AMM contracts to drain the exchange's assets, forcing it into insolvency. Proceeds were laundered through Tornado Cash and partially spent on high-value collectibles before law enforcement recovered approximately $31 million in cryptocurrency and seized assets in February 2025. The first breach on April 8, 2021, involved manipulating the AmountWithBonus variable to issue unauthorized zero-token withdrawals, draining about $1.4 million, which he partially extorted back as a sham bug bounty. The second attack on April 28, 2021, exploited a single-character error in transaction-verification logic, allowing him to withdraw 90% of the DEX's assets across 26 liquidity pools while depositing negligible value.

Ongoing Ghost Cluster Targets npm and GitHub in Multi-Stage Credential and Crypto Wallet Theft Campaign

A coordinated campaign tracked as Ghost continues to target developers via malicious npm packages and GitHub repositories to deploy credential stealers and cryptocurrency wallet harvesters. The operation leverages social engineering and multi-stage infection chains, including fake installation wizards that request sudo/administrator privileges and deceptive npm logs simulating dependency downloads and progress indicators. Stolen data—including browser credentials, crypto wallets, SSH keys, and cloud tokens—is exfiltrated to Telegram channels and BSC smart contracts. The campaign employs a dual monetization model combining credential theft via Telegram channels with affiliate link redirections stored in a BSC smart contract. Malicious npm packages first appeared under the user 'mikilanjijo', with operations beginning as early as February 2026 and expanding to at least 11 packages such as react-performance-suite and react-query-core-utils. The final payload is a remote access trojan that downloads from Telegram channels, decrypts using externally retrieved keys, and executes locally using stolen sudo passwords to harvest credentials and deploy GhostLoader.

Supply chain compromise in Trivy scanner triggers CanisterWorm propagation across CI/CD pipelines

The supply chain compromise of the Trivy scanner that triggered CanisterWorm propagation across CI/CD pipelines is now expanding to additional open-source ecosystems and is attributed to multiple advanced threat actors. The TeamPCP threat group continues to monetize stolen supply chain secrets through partnerships with extortion groups including Lapsus$ and the Vect ransomware operation, with Wiz (Google Cloud) confirming collaboration and horizontal movement across cloud environments. Cisco’s internal development environment was breached using stolen Trivy-linked credentials via a malicious GitHub Action, resulting in the theft of over 300 repositories, including proprietary AI product code and data belonging to corporate customers such as banks, BPOs, and US government agencies. Attackers also abused stolen AWS keys across a subset of Cisco’s cloud accounts, with multiple threat actors observed participating in the breach. New developments include the compromise of the Axios npm package, a top-10 JavaScript library with over 400 million monthly downloads, via malicious versions 0.27.5 and 0.28.0. The attack delivered a multi-platform RAT through a malicious dependency impersonating crypto-js, with operational sophistication including pre-staging, platform-specific payloads, and anti-forensic cleanup. Initial attribution suggested TeamPCP involvement, but Google attributed the incident to UNC1069, a suspected North Korean actor linked to Lazarus Group, indicating potential actor diversification or false-flag operations. The Axios compromise highlights escalating tradecraft in open-source supply chain attacks, distinct from opportunistic infections, and suggests a focus on access brokering or targeted espionage rather than indiscriminate data theft.