
Drift Protocol hit by cyberattack

Incident
First reported
Last updated
Happening score: 7
1 unique source, 3 articles

Summary


Drift Protocol disclosed a security-council takeover that drained at least $280 million and left its protocol functions essentially frozen. The attacker used durable nonce accounts and pre-signed transactions to time the malicious transfer after obtaining 2/5 multisig approvals during the March 23-30 preparation window. On April 1, the attacker executed the payload, moved admin control to themselves, and then removed withdrawal limits before draining funds. Drift says borrow/lend deposits, vault deposits, and trading funds were affected and it is working to trace and freeze the stolen assets.

Related Happenings

North American cryptocurrency company hit by network compromise

Incident
First: 28.04.2026 11:00 Last: 28.04.2026 11:00 Sources 1

About this happening: A **North American cryptocurrency company** suffered a **multi-stage intrusion** that began on **January 23, 2026**, and the attackers kept access for **66 days**. The foothold ca...

TrueConf Server exploit chain (multiple vulnerabilities)

Vulnerability
First: 27.04.2026 14:54 Last: 27.04.2026 14:54 Sources 1

About this happening: **TrueConf Server** is exposed by a three-flaw exploit chain that enabled **unauthenticated admin access**, **arbitrary file read**, and **remote command execution** on susceptibl...

KelpDAO hit by cyberattack

Incident
First: 21.04.2026 01:23 Last: 21.04.2026 01:23 Sources 1

About this happening: KelpDAO suffered a cross-chain theft involving rsETH, prompting it to pause rsETH contracts after detecting suspicious activity on April 18, 2026. Reports estimate that about 116,...

Latest development: 21.04.2026 11:30

North Korea’s Lazarus Group targeted LayerZero Labs on April 18, 2026 by poisoning downstream RPC infrastructure, compromising two independent RPC nodes, swapping binaries on op-geth nodes, and forcing a DDoS-driven failover that let a forged cross-chain message pass and enable an unauthorized rsETH transfer.

Scattered Spider SMS phishing and SIM-swap crypto theft campaign

Campaign
First: 20.04.2026 16:33 Last: 20.04.2026 16:33 Sources 1

About this happening: The **Scattered Spider** campaign used **SMS phishing** and **SIM swap** attacks to steal employee credentials, hijack phone numbers, and take over email and **virtual currency wa...

North Korean Drift contributor targeting campaign

Campaign
First: 06.04.2026 19:35 Last: 06.04.2026 19:35 Sources 1

How related: It is now understood that this appears to be a targeted approach, where individuals from this group continued to deliberately seek out and engage specific Drift contributors, in person, at multiple major industry conferences in multiple countries over the following six months,

About this happening: A **North Korean** targeting campaign against **Drift Protocol contributors** ran for at least **six months** before the later theft, increasing the attackers' access and credibil...

Timeline

  1. 06.04.2026 19:35 1 article · 1mo ago

    Elliptic, TRM Labs, and Drift attribute Drift Protocol heist to UNC4736

    Attribution Update

    Elliptic and TRM Labs attributed the $280+ million theft from Drift Protocol to North Korean hackers, and Drift said its findings point with medium-high confidence to UNC4736 (AppleJeus/Labyrinth Chollima). The investigation also said the attackers spent at least six months building a functioning operational presence inside the Drift ecosystem, posing as a quantitative firm, meeting Drift contributors at crypto conferences in multiple countries, and continuing discussions over Telegram.

  2. 02.04.2026 22:03 2 articles · 1mo ago

    Drift Protocol admin control transferred on April 1

    Exploitation Observed

    After prior preparation between March 23 and 30 using durable nonce accounts and 2/5 multisig approvals from Security Council members, a threat actor executed a legitimate transaction and immediately triggered pre-signed malicious transactions to transfer Drift Protocol admin control to themselves on April 1, 2026.

  3. 02.04.2026 22:03 1 article · 1mo ago

    Drift Protocol warns users after unusual activity is detected

    Initial Disclosure

    After unusual activity was detected, Drift Protocol issued a public warning, started an investigation, and urged users not to deposit any funds until further notice; the platform says borrow/lend deposits, vault deposits, and trading funds were affected, all protocol functions were essentially frozen, DSOL remained unaffected, insurance fund assets were secured, and the team was working with security firms, cryptocurrency exchanges, and law enforcement to trace and freeze the stolen funds.

  4. 02.04.2026 22:03 1 article · 1mo ago

    Drift Protocol warns users after unusual activity

    Initial Disclosure

    After unusual activity on Drift Protocol was detected, the platform issued a public warning, said it had started an investigation, and urged users not to deposit any funds until further notice. Drift said the compromise had left borrow/lend deposits, vault deposits, and trading funds affected, all protocol functions essentially frozen, DSOL unaffected, insurance fund assets secured, and response efforts under way with security firms, cryptocurrency exchanges, and law enforcement authorities to trace and freeze the stolen funds.
