Drift Protocol $285M Solana DEX Infiltration Attributed to UNC4736

Drift Protocol said its Solana-based DEX was hit by a structured six-month intelligence operation, attributed with “medium-high confidence” to UNC4736. The attackers posed as a quantitative trading firm, coordinated via Telegram, and met contributors in person before building a working Ecosystem Vault inside Drift and triggering the exploit. Drift Protocol reported the intruders deposited over $1M to gain trust, then drained about $285M. Multiple pools were fully emptied, including USDC, USDT, and ARB-related liquidity, plus wrapped assets like WETH, WBTC, wBNB, wbETH, and wstETH. During the incident, Drift paused deposits and withdrawals.

On the technical side, Drift Protocol pointed to potential entry paths such as a cloned vault frontend repository and a possible malicious TestFlight app, plus a VSCode/Cursor-related vulnerability that could enable silent code execution. Drift added that it froze remaining platform functions, removed compromised wallets from its multisig, and flagged accounts with exchanges and bridge operators.

For traders, the key takeaway is that Drift Protocol highlights a shift toward “intelligence-unit” style attacks targeting contributors, dev tools, and signer environments—raising focus on transaction-intent checks and multisig security rather than only smart-contract audits.
Neutral
This is a major DeFi security incident, but the direct asset price impact is unlikely to be large because the report is focused on Drift Protocol’s specific platform and drained liquidity rather than a systemic Solana protocol failure. In the short term, the $285M loss and paused deposits/withdrawals can increase risk aversion and tighten liquidity for SOL-linked activity, especially for traders dealing with multisig/signer workflows. Over the longer term, the broader industry response—urgent audits, signer hardening, and stronger transaction-intent validation—could stabilize sentiment. Overall, the news is more likely to affect DeFi confidence and operational security practices than to drive a sustained SOL price trend on its own.