Overview
- Drift Protocol, hit on Wednesday, says attackers pre-staged transactions using Solana’s durable nonce feature and then drained roughly $270 million in under a minute.
- Over six months, impostors posed as a quantitative trading firm, met contributors at conferences in several countries, set up a Telegram group, and deposited more than $1 million to run a vault.
- Devices were likely compromised through a fake TestFlight wallet app or a VSCode/Cursor flaw that could silently run code when a shared file or folder was opened.
- Blockchain intelligence teams link the heist with medium-high confidence to UNC4736, also known as AppleJeus or Citrine Sleet, with on-chain ties to the 2024 Radiant Capital hack.
- Drift says all functions remain frozen, compromised signers have been removed, attacker wallets are flagged across exchanges and bridges, and Mandiant and law enforcement are leading forensics. The incident highlights the need to harden multisig workflows and any device that touches signing keys.
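Because a durable-nonce transaction can be signed now and broadcast whenever the attacker chooses, signer-side tooling should detect the pattern before anyone signs. The check below is an added example, not Drift's or Solana's code; it assumes the legacy Solana message wire format (3-byte header, compact-u16 key count, 32-byte keys, 32-byte blockhash, compact-u16 instruction count) and that a durable-nonce transaction places a System Program AdvanceNonceAccount instruction (discriminant 4) first, with the sample message constructed by the helper at the end.

```python
import struct

SYSTEM_PROGRAM = bytes(32)      # System Program id, base58 "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4       # SystemInstruction::AdvanceNonceAccount discriminant (u32 LE)

def compact_u16(buf, pos):
    """Decode Solana's compact-u16 length prefix (7 bits per byte, at most 3 bytes)."""
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80 or shift >= 14:
            return value, pos
        shift += 7

def parse_legacy_message(buf):
    """Return (keys, blockhash, [(program_id, account_indices, data), ...])."""
    if buf[0] & 0x80:
        raise ValueError("versioned (v0) message; this parser handles legacy only")
    pos = 3  # skip num_required_signatures / readonly counts header
    n_keys, pos = compact_u16(buf, pos)
    keys = [buf[pos + 32 * i:pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = buf[pos:pos + 32], pos + 32  # holds the stored nonce value in a durable-nonce tx
    n_ix, pos = compact_u16(buf, pos)
    ixs = []
    for _ in range(n_ix):
        prog, pos = buf[pos], pos + 1
        n_acc, pos = compact_u16(buf, pos)
        accs, pos = list(buf[pos:pos + n_acc]), pos + n_acc
        n_data, pos = compact_u16(buf, pos)
        data, pos = buf[pos:pos + n_data], pos + n_data
        ixs.append((keys[prog], accs, data))
    return keys, blockhash, ixs

def uses_durable_nonce(buf):
    """True if instruction 0 advances a nonce account: the signature then stays valid
    until the nonce is advanced instead of expiring with a recent blockhash."""
    _, _, ixs = parse_legacy_message(buf)
    if not ixs:
        return False
    prog, _, data = ixs[0]
    return (prog == SYSTEM_PROGRAM and len(data) >= 4
            and struct.unpack("<I", data[:4])[0] == ADVANCE_NONCE_ACCOUNT)

def build_legacy_message(keys, blockhash, ixs):
    """Constructed test helper (not a real encoder): serialize a legacy message, counts < 128."""
    out = bytes([1, 0, 1, len(keys)]) + b"".join(keys) + blockhash + bytes([len(ixs)])
    for prog_idx, accs, data in ixs:
        out += bytes([prog_idx, len(accs)]) + bytes(accs) + bytes([len(data)]) + data
    return out
```

A signing request that returns True should be held for explicit review rather than treated like an ordinary short-lived transaction.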