Hack Track: How the Drift Hack Unfolded on Solana

Guru Rajam Ravi
April 21, 2026

Drift is the largest decentralized perpetual futures exchange on the Solana blockchain, allowing users to trade leveraged positions without a centralized intermediary.

What began as unusual on-chain activity quickly escalated into the year’s largest hack, wiping out more than half of the protocol’s TVL. The team had to clarify on X that this was “not an April Fool’s joke.”

Six Months of Social Engineering
Drift revealed that, starting in fall 2025, individuals posing as a quantitative trading company approached Drift contributors at major cryptocurrency conferences under the pretext of integrating with the protocol. Over six months, they built rapport with specific contributors across several countries. “The individuals who appeared in person were not North Korean nationals,” Drift explained. “DPRK threat actors operating at this level are known to deploy third-party intermediaries to conduct face-to-face relationship-building.”

Durable Nonces
The attackers exploited Solana’s “durable nonces” system, a feature that allows transactions to be signed for later execution, to trick legitimate Security Council members into blindly pre-signing dormant transactions. When triggered, these transactions silently transferred admin control to the attackers.

Fake Token + Oracle Manipulation
The attackers created a fictitious asset, CarbonVote Token (CVT), seeded a small liquidity pool on Raydium, and wash-traded it to pin its price at around $1. They simultaneously deployed a price oracle they controlled to feed that artificial valuation to Drift. Once admin control was secured, they updated protocol parameters to accept CVT as collateral with infinite borrowing limits and drained the vaults.

Within minutes, the attackers drained over $285 million in assets, including USDC, SOL, JLP, WBTC, and others.

More than $230 million in stolen USDC was bridged from Solana to Ethereum using the CCTP bridge across 100+ transactions over eight hours.

In just the past three weeks, over $577 million has been drained across the Drift and Kelp DAO hacks alone. The two incidents involved different attack vectors, and both highlight how Lazarus continues to evolve its playbook.

At Merkle Science, we track fund flows, build attribution models, and support law enforcement and compliance teams in unraveling exactly these kinds of multi-chain, multi-actor operations. The tools exist. The data is on-chain. The question is whether the industry moves fast enough.

How Merkle Science Can Help

Merkle Science supports institutions before and after an exploit takes place.

Predictive Analytics within Compass helps teams detect suspicious behaviors, exploit indicators, and high-risk fund flows early.

Tracker enables investigators to trace stolen assets across wallets and chains, monitor how funds move, and support attribution and recovery efforts.

If your team is looking to strengthen exploit detection, trace illicit fund flows, or support recovery efforts, contact Merkle Science.
