Key Takeaway
Drift Protocol, a Solana-based decentralized perpetuals exchange, lost at least $280 million after an attacker compromised the signing keys of its Security Council multisig and used administrative privileges to drain protocol-controlled vaults. The attack targeted the governance layer rather than a smart contract vulnerability, exploiting insufficient key management practices among Security Council signers. Affected users should withdraw remaining funds, revoke token approvals, and avoid unofficial recovery contracts.
Drift Protocol Loses $280 Million After Attacker Seizes Security Council Admin Controls
Disclosure
Drift Protocol, a decentralized exchange and perpetuals trading platform built on the Solana blockchain, suffered a loss of at least $280 million after an attacker gained unauthorized control of its Security Council's administrative privileges. The breach was publicly disclosed following on-chain evidence of the exploit, with the Drift Protocol team confirming the incident shortly after anomalous governance transactions were detected.
What Happened
The attacker executed a targeted takeover of Drift Protocol's Security Council — the administrative multisig body responsible for emergency protocol governance, including the ability to upgrade smart contracts and move treasury assets. By compromising the signing authorities within that council, the attacker obtained the elevated permissions needed to drain funds directly from protocol-controlled accounts.
This was not an opportunistic flash loan attack or a price oracle manipulation. The operation was premeditated and structured. The attacker systematically acquired or compromised enough signing keys within the Security Council to meet the multisig threshold, then issued authorized-looking upgrade or withdrawal transactions that the protocol's smart contracts processed as legitimate.
No CVE identifier applies here, as the vulnerability was not a software bug in the conventional sense. The attack surface was the governance layer itself — specifically, the key management practices and access controls governing the Security Council signers.
Scope and Affected Assets
At least $280 million in protocol-controlled assets were removed. Affected funds include liquidity held in Drift's on-chain vaults and treasury reserves managed under Security Council authority. Individual user positions and deposited collateral within the protocol were exposed to loss depending on their interaction with the compromised vaults.
The exact number of affected user accounts has not been finalized, but given Drift Protocol's position as one of Solana's largest perpetuals venues by open interest, the impact spans a broad segment of active DeFi traders and liquidity providers on the network.
Attack Vector
The attack vector was administrative key compromise at the governance layer. The Security Council operated as a multisig structure, and the attacker obtained sufficient private keys — or otherwise coerced enough signers — to meet the signing threshold required to authorize privileged operations.
Whether the keys were obtained through phishing, insider access, supply chain compromise, or infrastructure intrusion has not been confirmed publicly. The Drift team has not attributed the attack to a named threat actor group as of this report.
The core failure was insufficient operational security around Security Council key holders. Multisig governance structures are only as secure as the key management practices of their signers. Hardware security modules, air-gapped signing environments, and signer identity verification are standard mitigations; where they are absent or misconfigured, exactly this attack surface opens up.
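To make the governance-layer point concrete, the following is an added illustration (not Drift's, Squads', or any real multisig program's code) of why the on-chain program cannot distinguish a legitimate council decision from one assembled with compromised keys: it only counts valid member signatures against the threshold. The council membership, the 3-of-5 policy, the secret keys and the HMAC-based toy signature scheme (standing in for Solana's ed25519) are all constructed assumptions. The second function models how the probability of a threshold breach grows with per-signer key-compromise risk, which is the quantity that HSMs, air-gapped signing and signer verification are meant to drive down.

```python
import hashlib
import hmac
import json
import math

# Constructed council: signer id -> secret key. These are illustrative values,
# not real keys, and HMAC tags stand in for ed25519 signatures.
COUNCIL = {
    "signer-1": b"council-secret-1",
    "signer-2": b"council-secret-2",
    "signer-3": b"council-secret-3",
    "signer-4": b"council-secret-4",
    "signer-5": b"council-secret-5",
}
THRESHOLD = 3  # assumed 3-of-5 policy


def sign(signer: str, msg: bytes) -> str:
    """Produce a toy signature with the named signer's key."""
    return hmac.new(COUNCIL[signer], msg, hashlib.sha256).hexdigest()


def verify_proposal(proposal: dict, signatures: dict) -> bool:
    """What the on-chain program effectively checks: at least THRESHOLD valid
    signatures from distinct council members over the canonical proposal bytes.
    It has no way to tell whether a key was used by its rightful holder."""
    msg = json.dumps(proposal, sort_keys=True).encode()
    valid = {
        s for s, tag in signatures.items()
        if s in COUNCIL and hmac.compare_digest(tag, sign(s, msg))
    }
    return len(valid) >= THRESHOLD


def simulate_compromise(compromised_signers: set) -> bool:
    """Defender-side risk check: would a privileged proposal be accepted if the
    given subset of council keys were compromised? Returns True if the
    threshold is reachable with only those keys."""
    proposal = {"kind": "withdraw", "vault": "VAULT_PLACEHOLDER", "amount": 1}
    msg = json.dumps(proposal, sort_keys=True).encode()
    signatures = {s: sign(s, msg) for s in compromised_signers if s in COUNCIL}
    return verify_proposal(proposal, signatures)


def threshold_compromise_probability(n: int, k: int, p: float) -> float:
    """P(at least k of n independently held keys are compromised) when each key
    is compromised with probability p. Binomial tail, exact."""
    return sum(math.comb(n, j) * p ** j * (1 - p) ** (n - j) for j in range(k, n + 1))


if __name__ == "__main__":
    print("2 keys compromised accepted:", simulate_compromise({"signer-1", "signer-2"}))
    print("3 keys compromised accepted:", simulate_compromise({"signer-1", "signer-2", "signer-3"}))
    for k in (3, 4, 5):
        print(f"P(breach) for {k}-of-5 at p=0.1:", threshold_compromise_probability(5, k, 0.1))
```

The verifier accepts any threshold-sized set of valid signatures, so the security of the whole treasury reduces to the per-signer value p: raising the threshold or hardening each signer's key custody are the only levers that change the breach probability the program sees.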
What Affected Users Should Do
Withdraw remaining funds immediately. If any assets remain in Drift Protocol vaults or margin accounts, users should initiate withdrawals as soon as the protocol permits. Monitor official Drift Protocol communications for withdrawal windows or recovery procedures.
Revoke token approvals. Use a tool such as Revoke.cash or the Solana-compatible equivalent to audit and revoke any outstanding token approvals granted to Drift Protocol smart contracts. Compromised or upgraded contracts can be used to drain approved balances.
Monitor wallet addresses for further unauthorized transactions. Set up alerts via on-chain monitoring services such as Tenderly, OtterSec's tooling, or Solana FM for any outbound transactions from wallets that interacted with Drift.
Do not interact with unofficial recovery contracts. Post-exploit periods consistently attract follow-on scams where attackers deploy phishing contracts posing as reimbursement mechanisms. Verify any recovery address through official Drift Protocol social channels and on-chain governance records before signing any transaction.
Document losses for potential legal or insurance claims. Export full transaction histories from Drift and any connected wallets. Some DeFi insurance protocols such as Nexus Mutual or Sherlock may cover losses depending on active cover positions — file claims promptly as coverage windows have deadlines.
SOC teams monitoring Solana ecosystem exposure should review whether any custodied or managed wallets held positions on Drift and assess secondary exposure through aggregators or yield protocols that routed funds through Drift vaults.
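As an added example of the monitoring and exposure assessment described above (not code from Drift, BleepingComputer, or any monitoring vendor), the script below runs over a handful of constructed, simplified Solana-style transaction records: it identifies which managed wallets ever invoked the Drift program, sums what they deposited, and flags post-exploit outbound transfers from those wallets to addresses outside the managed set. The program id, the exploit cutoff time, the wallet names and the records are all placeholders or constructed sample data.

```python
from datetime import datetime, timezone

# Placeholders: the real Drift program id and the exploit timestamp are not on
# the page, so a SOC would substitute its own values here.
DRIFT_PROGRAM = "DRIFT_PROGRAM_ID_PLACEHOLDER"
EXPLOIT_CUTOFF = datetime(2026, 1, 1, 0, 0, tzinfo=timezone.utc)

# Constructed, simplified transaction records (not real chain data).
# Each record is one outbound transfer or program interaction by `wallet`.
RECORDS = [
    {"ts": "2025-12-20T10:00:00Z", "wallet": "WALLET_A", "program": DRIFT_PROGRAM,
     "dest": "DRIFT_VAULT_PLACEHOLDER", "amount": 10_000.0, "token": "USDC"},
    {"ts": "2025-12-21T09:30:00Z", "wallet": "WALLET_B", "program": "TOKEN_PROGRAM",
     "dest": "WALLET_A", "amount": 25.0, "token": "USDC"},
    {"ts": "2026-01-01T02:15:00Z", "wallet": "WALLET_A", "program": "TOKEN_PROGRAM",
     "dest": "UNKNOWN_X", "amount": 500.0, "token": "USDC"},
    {"ts": "2026-01-01T03:00:00Z", "wallet": "WALLET_A", "program": "TOKEN_PROGRAM",
     "dest": "WALLET_B", "amount": 100.0, "token": "USDC"},
    {"ts": "2026-01-01T04:00:00Z", "wallet": "WALLET_B", "program": "TOKEN_PROGRAM",
     "dest": "UNKNOWN_X", "amount": 40.0, "token": "USDC"},
]
MANAGED = {"WALLET_A", "WALLET_B"}  # wallets the SOC custodies or manages


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def exposed_wallets(records, managed):
    """Managed wallets that invoked the Drift program at any point."""
    return {r["wallet"] for r in records
            if r["wallet"] in managed and r["program"] == DRIFT_PROGRAM}


def drift_exposure(records, managed):
    """Total amount each managed wallet sent into the Drift program."""
    totals = {}
    for r in records:
        if r["wallet"] in managed and r["program"] == DRIFT_PROGRAM:
            totals[r["wallet"]] = totals.get(r["wallet"], 0.0) + r["amount"]
    return totals


def outbound_alerts(records, managed, cutoff):
    """Post-cutoff transfers from exposed wallets to addresses outside the
    managed set. Internal moves between managed wallets are not alerted."""
    exposed = exposed_wallets(records, managed)
    alerts = []
    for r in records:
        if r["wallet"] not in exposed:
            continue
        if parse_ts(r["ts"]) < cutoff:
            continue
        if r["dest"] in managed:
            continue
        alerts.append({"ts": r["ts"], "wallet": r["wallet"],
                       "dest": r["dest"], "amount": r["amount"], "token": r["token"]})
    return alerts


if __name__ == "__main__":
    print("exposed:", exposed_wallets(RECORDS, MANAGED))
    print("exposure:", drift_exposure(RECORDS, MANAGED))
    for a in outbound_alerts(RECORDS, MANAGED, EXPLOIT_CUTOFF):
        print("ALERT", a)
```

In production the records would come from an RPC or indexer feed rather than an inline list, and the destination allowlist would include known exchange deposit addresses; the selection logic (exposed wallet, after cutoff, unknown destination) is the part worth keeping.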
Original Source
BleepingComputer