Drift Protocol · Apr 1, 2026 · UNC4736 · $285,000,000

Six months in person, across the table. Twelve minutes to drain $285 million. The signing infrastructure was not broken. The signatures were valid. The signers had said yes.

Fall 2025. A group walks up to Drift Protocol contributors at a major crypto conference. They present themselves as a quantitative trading firm. They ask informed product questions. They have verifiable professional backgrounds. A Telegram group is established that day. What follows is months of substantive conversation about trading strategies and potential vault integrations. Nothing about the interaction looks unusual. Trading firms onboard with Drift this way every month.

The signers said yes. They said yes weeks ago, in routine signing sessions, to transactions whose payloads they did not fully read. Consent decayed before execution.

December 2025 through January 2026, the group fills out an Ecosystem Vault application. They engage with multiple Drift contributors. They deposit $1 million of their own funds.

February through March 2026, the integration discussions continue. They share links to projects and tools they say they are developing. One Drift contributor clones a code repository the group provides for deploying a frontend to their vault. A second contributor is persuaded to download a wallet product through Apple TestFlight to beta-test an app the group claims to be building. Both the repository and the TestFlight build carried payloads.

The individuals who appeared in person were not North Korean nationals.

According to Drift’s own post-mortem, the threat actor at this level deploys third-party intermediaries to conduct face-to-face relationship-building. The proxies were technically real. The trading firm was technically real, in the sense that the people behind it were people, in those rooms, at those conferences, drinking coffee with Drift employees, building trust over a period of months. TRM Labs’ Ari Redbord told CoinDesk this morning that this is, to his knowledge, unprecedented in North Korea’s crypto hacking campaign.

Unprecedented is not the right word. Repeated is closer.

§ I — The drain itself was not interesting

Solana’s durable nonce feature, multisig signers operating in routine signing sessions, and the moment of consent decoupled from the moment of action.

Solana has a feature called a durable nonce. It was designed for hardware wallets that need to sign transactions offline before broadcasting them later. A normal Solana transaction is valid for about ninety seconds. A durable nonce transaction stays valid until someone picks it up. Days. Weeks. Indefinitely, in principle.

Drift’s Security Council was a multisig. Cold wallets. Hardware-protected. Signers who knew what they were doing. The threat actor did not break the wallets. They got the signers to authorize transactions in routine signing sessions, days before those transactions would execute. The signers thought they were approving routine integrations. They were authorizing the drain.

Drift attack timeline:

  • FALL 2025 — Threat actors meet Drift contributors at major crypto conference. Telegram group established same day. Months of integration conversation follow.
  • DEC 2025 – JAN 2026 — Group fills Ecosystem Vault application. Deposits $1M of own funds. Onboarded as legitimate trading partner.
  • FEB – MAR 2026 — Code repository shared, claimed for vault frontend deployment. TestFlight wallet app shared, claimed for beta testing. Initial compromise vectors.
  • MAR 11, 2026 — On-chain staging begins. 10 ETH withdrawn from Tornado Cash to finance attack infrastructure.
  • MAR 12, 2026 — Fake token CVT created. Attacker controls ~80% of supply. Small trading pool seeded with $500 of liquidity. Self-trading creates illusion of $1 oracle price.
  • MAR 23 – 30 — Attacker prepares durable nonce accounts. Pre-signed transactions collected from compromised Security Council members through routine signing sessions.
  • MAR 26, 2026 — Drift migrates Security Council to new 2/5 threshold multisig with zero timelock. Attackers re-collect signatures on the new multisig too. They are following the security upgrade.
  • APR 1, 16:05:18 UTC — First pre-signed transaction submitted. Admin key transferred to attacker-controlled address H7PiGq...y7ZgL. Fake CVT whitelisted as collateral.
  • ~APR 1, 16:17 UTC — 31 pre-signed withdrawals execute. $285M drained. Twelve minutes from first transaction to final.

The drain itself was not interesting. The signing infrastructure was not broken. There was no exploit at the moment of execution. The system did exactly what it was told to do.
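The signer-side check that would have stopped the envelopes above is easy to state and worth seeing as code. What follows is an added illustration, not Drift's or Solana's code: the transaction shape, program and instruction names, the "CVT" mint and the attacker address placeholder are constructed for the example. One real detail is kept, which is that a durable-nonce transaction carries an explicit nonce-advance instruction in place of a short-lived recent blockhash. The policy records what the signing session is for before the payload is shown, reduces the payload to the state changes it would cause, refuses anything outside that declared context, and never lets an admin-key or collateral change ride a durable nonce or skip a timelock.

```python
"""Signer-side pre-signing policy for a multisig (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Instruction names that change who controls the protocol or what counts as
# collateral. Constructed names, not Drift's program interface.
ADMIN_INSTRUCTIONS = {"transfer_admin", "whitelist_collateral"}


@dataclass
class Instruction:
    program: str
    name: str
    accounts: List[str]
    args: Dict[str, str] = field(default_factory=dict)


@dataclass
class Transaction:
    instructions: List[Instruction]
    nonce_account: Optional[str] = None  # set when the tx rides a durable nonce


@dataclass
class SigningContext:
    """What the signer was told this session is for, written down before the
    payload is shown, so the payload is checked against the intent."""
    program: str
    expected_effects: Set[str]
    allow_durable_nonce: bool = False
    admin_change_ready_at: Optional[int] = None  # unix time a queued admin change may be signed


def is_durable_nonce(tx: Transaction) -> bool:
    return tx.nonce_account is not None


def simulate_effects(tx: Transaction) -> Set[str]:
    """Reduce the payload to the state changes it would cause.

    Stand-in for signer-side simulation: a real signer would execute the
    transaction against a forked ledger and diff the resulting account state.
    """
    effects: Set[str] = set()
    for ix in tx.instructions:
        if ix.name == "advance_nonce":
            continue  # bookkeeping for the durable nonce, not a protocol effect
        if ix.name == "transfer_admin":
            effects.add("admin=" + ix.args["new_admin"])
        elif ix.name == "whitelist_collateral":
            effects.add("collateral+=" + ix.args["mint"])
        else:
            effects.add(ix.program + ":" + ix.name)
    return effects


def check_before_signing(tx: Transaction, ctx: SigningContext, now: int) -> List[str]:
    """Return every reason the signer must refuse; an empty list means sign."""
    reasons: List[str] = []
    durable = is_durable_nonce(tx)

    # 1. A durable-nonce signature outlives the session; it needs explicit intent.
    if durable and not ctx.allow_durable_nonce:
        reasons.append("durable nonce: signature would stay valid long after this session")

    # 2. Per-action signing context: only the declared program may be touched.
    for ix in tx.instructions:
        if ix.name != "advance_nonce" and ix.program != ctx.program:
            reasons.append(f"instruction {ix.name} targets undeclared program {ix.program}")

    # 3. Simulated effects must be a subset of what the session was opened for.
    unexpected = simulate_effects(tx) - ctx.expected_effects
    if unexpected:
        reasons.append("effects outside signing context: " + ", ".join(sorted(unexpected)))

    # 4. Admin-key and collateral changes never ride a durable nonce and must
    #    wait out a hard timelock that was started before this session.
    if any(ix.name in ADMIN_INSTRUCTIONS for ix in tx.instructions):
        if durable:
            reasons.append("admin change must not ride a durable nonce")
        if ctx.admin_change_ready_at is None or now < ctx.admin_change_ready_at:
            reasons.append("admin change has not cleared its timelock")
    return reasons


# Constructed sample payloads.
ROUTINE_CONTEXT = SigningContext(program="drift", expected_effects={"drift:register_vault"})
ROUTINE_TX = Transaction(instructions=[Instruction("drift", "register_vault", ["vault-A"])])

# Shape of a staged pre-signed envelope: rides a durable nonce, hands the admin
# key to an attacker-controlled address (placeholder) and whitelists an
# attacker-minted token as collateral.
STAGED_TX = Transaction(
    instructions=[
        Instruction("system", "advance_nonce", ["nonce-1"]),
        Instruction("drift", "transfer_admin", ["state"], {"new_admin": "ATTACKER_ADDRESS_PLACEHOLDER"}),
        Instruction("drift", "whitelist_collateral", ["state"], {"mint": "CVT"}),
    ],
    nonce_account="nonce-1",
)


if __name__ == "__main__":
    now = 1_775_000_000  # arbitrary unix time for the demo
    print("routine:", check_before_signing(ROUTINE_TX, ROUTINE_CONTEXT, now) or "sign")
    for reason in check_before_signing(STAGED_TX, ROUTINE_CONTEXT, now):
        print("refuse:", reason)
```

The point of the design is the order of operations: the context is fixed before the payload arrives, so a signer never has to decide after the fact whether an envelope "looks routine". A legitimate admin change still goes through, but only in its own session, non-durable, after the timelock started days earlier has elapsed.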

§ II — Three incidents, one flaw

Bybit. KelpDAO. Drift. Different surfaces. Different attackers. Different security architectures. Same architectural pattern.

Three nine-figure crypto incidents in fourteen months. The industry calls them by different names because the surfaces look different. Underneath the labels, the structural pattern is identical.

  • Bybit · $1.5B · Feb 21, 2025. Centralized exchange. Cold wallet operator workflow. Free storage software exploited mid-transfer, almost certainly coupled with phishing-delivered malware on operator endpoints. The decoupling: operator-side authenticated state on the signing machine persisted past the moment any human was paying attention to the specific transaction being executed.
  • KelpDAO · $292M · Apr 18, 2026. DeFi bridge. LayerZero single-verifier design. Internal RPC nodes compromised. External RPC infrastructure DDoS’d. The verifier accepted poisoned data as authoritative. A fraudulent cross-chain message was approved. The decoupling: bridge consent issued based on what the verifier reported. The verifier was fed manipulated input.
  • Drift · $285M · Apr 1, 2026. DeFi protocol. Multisig Security Council. Six months of in-person social engineering. Pre-signed durable nonce transactions executed days later, against on-chain conditions the attacker had staged in the meantime. The decoupling: signer consent issued in routine signing sessions executed against unrelated, attacker-staged on-chain conditions days later.

The longer the gap between the moment of consent and the moment of action, the easier it is for an attacker to operate inside that gap. The fix is not to close the gap with faster MFA. The fix is to remove the gap by binding consent to the specific action it authorizes, at the moment it is taken.

This is the deeper continuity with the Coinbase insider breach in May 2025, the Kraken user social-engineering loss on March 31, 2026, the Grinex bridge exploit on April 16. Different mechanics. Same flaw. Each event treats "I authenticated" as a state that persists, rather than "I authenticated this specific action right now" as an event bound to the action it authorizes.

North Korean proxies sitting across a table from protocol employees over a period of months. That is, to my knowledge, unprecedented in North Korea’s crypto hacking campaign. This is no longer just a remote keyboard operation.

— Ari Redbord, TRM Labs · CoinDesk · April 30, 2026

What is genuinely new in the Drift incident is the duration of the relationship-building, not the structural flaw it exploited. Pre-signed envelopes, blind signing on hardware wallets, and signature replay against multisig governance contracts have been documented attack patterns since at least 2022. What is new is that a state-affiliated actor was willing to invest six months and at least $1 million of operational capital into a single relationship to make the attack work.

That is the part that should worry every CISO reading this. Not the technical mechanism. The willingness to spend six months in person.

Authentication is not a state. It is an event bound to the action it authorizes, at the moment it is taken, with an artifact replayable nowhere.

§ III — The honest limit and the architectural insight

A biometric step-up at the withdrawal moment is not the defense for a multisig pre-signing attack. The two surfaces have different threat models. The architectural insight applies to both.

Direct disclosure first. Drift’s surface was multisig signers operating governance contracts. The actors compromised were Drift contributors and Security Council members. The technical control that would have intercepted the attack closer to its origin is not biometric step-up at a customer withdrawal moment. It is per-action signing context, signer-side transaction simulation, hard timelocks on admin-key changes, and operational separation between routine signing sessions and pre-signed envelopes that can be replayed days later.

Lorica is built for a different surface. Step-up biometric verification at the moment of high-risk action is the defense for centralized exchange withdrawals, custody platform redemptions, OTC desk wires, neobank transfers, and any rail where a real human is meant to authorize a real movement of value at a specific moment, against a specific counterparty, for a specific amount. The Drift signer surface is adjacent to that. It is not the same.

The architectural insight bridges both surfaces.

An authentication artifact that binds the human, the specific action, the specific counterparty, the specific amount, and the exact moment of authorization, signed once and replayable against nothing else, is structurally different from an authentication artifact whose validity outlives the moment of intent. Whether the surface is a customer authorizing a withdrawal or a multisig holder authorizing a governance transaction, the same shift applies. Move authentication from a state that persists to an event bound to the action it authorizes.

The signed JWT Lorica issues at the moment of a verification is one expression of that primitive. It binds the user, the action context, the moment of authorization, and the score of every signal layer that participated in the verification. It expires immediately. It cannot be replayed against a different action. It is the artifact an underwriter can attach a coverage condition to, because it answers a question the underwriter actually has.

At the moment this specific transaction was authorized, was the human who claimed to be authorizing it actually present and consenting to this specific thing?

That question is not adequately answered by the existing identity stack. KYC at signup answers "was this person who they said they were six months ago?" MFA answers "did someone holding the second factor approve a generic challenge?" Hardware multisig answers "did someone holding the key produce a valid signature against an envelope that may or may not match the action that ultimately executes?" None of those is the same question.
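The primitive described above, and the "consent bound to the specific action" fix from § II, can be shown in a few dozen lines. This is an added example, not Lorica's code, and it makes no claim about Lorica's actual token format; the claim names, the signal-layer scores, the key and the withdrawal values are all constructed. It mints a short-lived HS256 JWT whose "act" claim is a hash of the concrete action (kind, asset, amount, counterparty) and whose "jti" is consumed on first use, then shows that the same token is refused for a different counterparty, on replay, after expiry, and under a different key.

```python
"""Per-action authorization artifact: a short-lived JWT bound to one concrete
action and usable once (constructed example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _enc(obj: object) -> str:
    return _b64url(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode())


def action_digest(action: Dict[str, str]) -> str:
    """Canonical hash of the concrete action. Any change to any field gives a
    different digest, so the token cannot be presented for another action."""
    canon = json.dumps(action, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def issue_token(key: bytes, subject: str, action: Dict[str, str],
                signals: Dict[str, float], jti: str, now: int, ttl: int = 30) -> str:
    """Mint the artifact at the moment of verification. `signals` stands in for
    the per-layer scores the text mentions; the layer names are constructed."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": now, "exp": now + ttl, "jti": jti,
              "act": action_digest(action), "sig": signals}
    signing_input = _enc(header) + "." + _enc(claims)
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


class ReplayLedger:
    """Set of consumed token ids. Single-process stand-in for a shared store."""
    def __init__(self) -> None:
        self.seen: Set[str] = set()

    def consume(self, jti: str) -> bool:
        if jti in self.seen:
            return False
        self.seen.add(jti)
        return True


def verify_for_action(key: bytes, token: str, action: Dict[str, str],
                      now: int, ledger: ReplayLedger) -> Optional[str]:
    """Return None if the token authorizes exactly this action right now,
    otherwise the reason it is rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    h, c, s = parts
    # Verify with our own key and algorithm first. The header's alg is never
    # used to pick the algorithm, which closes the classic alg-confusion hole.
    expected = hmac.new(key, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return "bad signature"
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return "unexpected alg"
    claims = json.loads(_b64url_decode(c))
    if now >= claims["exp"]:
        return "expired"
    if claims["act"] != action_digest(action):
        return "token bound to a different action"
    if not ledger.consume(claims["jti"]):
        return "replayed"
    return None


# Constructed sample: one withdrawal to a placeholder address, and a second
# that differs only in counterparty.
DEMO_KEY = b"constructed-demo-key-do-not-use"
WITHDRAWAL = {"kind": "withdraw", "asset": "USDC", "amount": "250000", "to": "ADDRESS_PLACEHOLDER_A"}
OTHER_WITHDRAWAL = dict(WITHDRAWAL, to="ADDRESS_PLACEHOLDER_B")


if __name__ == "__main__":
    now = int(time.time())
    ledger = ReplayLedger()
    tok = issue_token(DEMO_KEY, "user-42", WITHDRAWAL, {"liveness": 0.98, "device": 0.91}, "jti-1", now)
    print("same action: ", verify_for_action(DEMO_KEY, tok, WITHDRAWAL, now + 1, ledger))
    print("replay:      ", verify_for_action(DEMO_KEY, tok, WITHDRAWAL, now + 2, ledger))
    print("other action:", verify_for_action(DEMO_KEY, tok, OTHER_WITHDRAWAL, now + 1, ReplayLedger()))
    print("stale:       ", verify_for_action(DEMO_KEY, tok, WITHDRAWAL, now + 60, ReplayLedger()))
```

Two choices carry the argument. The action hash goes into the token rather than the raw fields, so the rail that executes the withdrawal recomputes the digest from what it is about to do and the check fails if any field drifted between authorization and execution. And the replay ledger is consulted last, after signature, expiry and action binding, so an attacker cannot burn a legitimate token's id by presenting it for the wrong action.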

The next renewal cycle will start asking the question directly. Evertas, the largest crypto-native carrier, restructured its 2026 questionnaires around per-action attribution. The Lloyd’s syndicates writing crypto E&O are tightening through 2026. NYDFS recommended biometric liveness in October 2024. NYDFS does not require it. Underwriters do not have to wait for the regulator to require what their actuaries already need.

§ IV — What the next twelve months look like

TRM’s analysts have begun to speculate that North Korean operators are incorporating AI tools into reconnaissance and social engineering. The next iteration of the Drift attack does not require six months in person.

TRM’s April 30 report includes a careful sentence. Their analysts have begun to speculate that North Korean operators are incorporating AI tools into their reconnaissance and social engineering workflows. The language is soft. The trajectory is not.

The 2027 version of this attack does not require six months across the table. The relationship-building can be partly synthetic. Conference selfies, LinkedIn histories, technical writing samples, voice messages on Telegram, and video calls during the integration phase can each be partly or fully model-generated. The Drift signers compromised in late 2025 had to be physically met. The KelpDAO verifier compromised in April 2026 had to be technically reached. The next iteration combines the two: synthetic relationship history at conference scale, deepfake video on the integration calls, malicious tooling delivered through repositories that look like every other code repository, and authentication targets selected for the surfaces that still treat consent as state.

The defense is the same regardless of how the attack scales. Bind every authentication to the specific action it authorizes. Make the artifact replayable against nothing else. Make the audit trail something an underwriter can read in one cell of one row.

Six months in person.

Twelve minutes to drain.

The signatures were valid.

The next renewal questionnaire will ask whether you have controls in place at the moment of high-risk action authorization. Some questionnaires already do. Most will by the end of 2026. The vendors holding the IDV contract for your onboarding flow do not answer that question, because they were not built to. They sit at signup. The action moment is downstream of where they live.

Add the layer that does.

— Tristan