Drift Protocol Hack (2026)

1000 BTC

Monetary Impact: $285,000,000

Month: April

Year: 2026

Type: Smart Contract

Network: Solana

Platform Status: Operational

Cause: Six-month DPRK social engineering, pre-signed authorizations and fake-asset oracle manipulation

Incident Review

On April 1, 2026, Drift Protocol, a decentralized derivatives exchange on Solana, lost about $285 million in what TRM Labs and Elliptic attributed to North Korea-linked actors tracked as UNC4736 (also known as AppleJeus, Citrine Sleet, and Gleaming Pisces), making it the largest DeFi exploit of 2026 to that point and the second-largest in Solana’s history after the 2022 Wormhole hack.

TRM Labs described it as the culmination of a roughly six-month social-engineering campaign begun in the fall of 2025: one Drift contributor was compromised after cloning a malicious code repository and a second was persuaded to install a weaponised wallet application via Apple’s TestFlight. The attackers used the contributors to pre-sign hidden authorizations and execute a zero-timelock Security Council migration that removed the protocol’s last safeguard, then deployed a fictitious asset called CarbonVote Token, seeded it with a few thousand dollars of wash-traded liquidity, and let Drift’s oracles treat it as collateral worth hundreds of millions, with the on-chain execution completed in about twelve minutes.

The incident crystallised 2026’s themes of nation-state social engineering, months of preparation, minute-scale on-chain execution, and rapid laundering, and reinforced the need for enforced timelocks on privileged migrations, contributor device hardening, and oracle safeguards against newly listed assets.
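The oracle safeguard named in the review's closing sentence can be shown as a collateral valuation guard. This is an added example, not Drift's code and not part of the original report: it gives a newly listed asset zero collateral weight during a probation window and afterwards caps the credited value by observed market depth. The struct names, fields and thresholds are all assumptions.

```rust
// Added illustration: names, fields and thresholds are assumptions, not Drift's code.

/// Market data a risk engine holds for one collateral asset (hypothetical shape).
pub struct AssetMarket {
    pub oracle_price_usd: f64,      // price reported by the oracle
    pub liquidity_depth_usd: f64,   // USD sellable within the slippage bound
    pub seconds_since_listing: u64, // age of the listing
}

pub struct CollateralPolicy {
    pub min_listing_age_secs: u64, // probation window with zero collateral weight
    pub max_depth_fraction: f64,   // share of market depth one account may count
    pub haircut: f64,              // collateral weight applied after probation
}

/// USD value to credit for `amount` units of the asset as collateral.
pub fn credited_collateral_usd(m: &AssetMarket, p: &CollateralPolicy, amount: f64) -> f64 {
    // Fail closed on malformed oracle, liquidity or amount inputs.
    let price_ok = m.oracle_price_usd.is_finite() && m.oracle_price_usd > 0.0;
    let depth_ok = m.liquidity_depth_usd.is_finite() && m.liquidity_depth_usd >= 0.0;
    if !price_ok || !depth_ok || !amount.is_finite() || amount <= 0.0 {
        return 0.0;
    }
    // A newly listed asset carries no borrowing power during probation.
    if m.seconds_since_listing < p.min_listing_age_secs {
        return 0.0;
    }
    // Oracle mark after haircut, capped by what liquidation could actually realise.
    let marked = m.oracle_price_usd * amount * p.haircut;
    let cap = m.liquidity_depth_usd * p.max_depth_fraction;
    marked.min(cap)
}

fn main() {
    const DAY: u64 = 86_400;
    let policy = CollateralPolicy { min_listing_age_secs: 30 * DAY, max_depth_fraction: 0.25, haircut: 0.75 };
    // Constructed samples: a days-old thin token, the same token aged, a deep market.
    let cases = [
        ("new, thin", AssetMarket { oracle_price_usd: 10.0, liquidity_depth_usd: 5_000.0, seconds_since_listing: 3 * DAY }, 30_000_000.0),
        ("aged, thin", AssetMarket { oracle_price_usd: 10.0, liquidity_depth_usd: 5_000.0, seconds_since_listing: 90 * DAY }, 30_000_000.0),
        ("aged, deep", AssetMarket { oracle_price_usd: 100.0, liquidity_depth_usd: 50_000_000.0, seconds_since_listing: 400 * DAY }, 1_000.0),
    ];
    for (label, market, amount) in &cases {
        println!("{label}: credited ${}", credited_collateral_usd(market, &policy, *amount));
    }
}
```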
