Lazarus Group's 6-month social engineering operation compromised Drift Protocol's Security Council multisig, draining $285M via fake governance token collateral.
The $285M Drift Protocol heist was the result of a meticulous 6-month operation attributed to UNC4736, a sub-cluster of the DPRK-linked Lazarus Group. Attackers spent months building fake identities and cultivating relationships with Drift Protocol contributors, eventually meeting them in person and compromising their devices. They obtained pre-signed durable nonce multisig transactions from 2 of the 5 Security Council members. On April 1 2026, they created a fake CarbonVote Token (CVT), manipulated its oracle price on Raydium to approximately $1, deposited 750 million fake CVT tokens as collateral, and then drained real assets across 31 transactions over just 12 minutes. The attack was enabled by the removal of the protocol's timelock during a Security Council migration on March 27. Assets stolen included $155.6M JLP, $60.4M USDC, $11.3M cbBTC, plus USDT, WETH, DSOL, WBTC, and others.
Attackers bridged $232M in USDC via Circle's CCTP (Cross-Chain Transfer Protocol) to Ethereum across 100+ transactions over 6 hours. The USDC was then converted to approximately 129,066 ETH. Remaining assets were routed through Tornado Cash for privacy. CoW Swap was used for token swaps during the laundering phase. The operation showed sophisticated knowledge of on-chain privacy tools and cross-chain bridging infrastructure.