CredScore
Sign inTry CredScore free
← All autopsies
Autopsy · Drift ProtocolExploit: 2026-04-01·Loss: $286M

Drift Protocol Autopsy: Four DPRK-Linked Wallets, All Escalated on Behavior Alone

Published: 2026-07-05Engine version: 1.0.0Wallets analyzed: 4
Summary

What happened

On April 1, 2026, attackers drained approximately $286M from Drift Protocol, the largest perpetual futures exchange on Solana. The attackers did not break any cryptography — they spent months posing as a quantitative trading firm to build trust with the protocol's contributors, then exploited privileged access to seize administrative control and drain the protocol.

Within days, Elliptic, TRM Labs, and Chainalysis had independently linked the on-chain behavior and laundering methodology to the Democratic People's Republic of Korea (DPRK), the same state-sponsored threat activity associated with the Lazarus Group.

The four wallets Drift named

On April 3, 2026, the Drift team sent on-chain messages to the addresses holding the bridged proceeds, publicly identifying four Ethereum wallets. Together they held roughly 130,000 ETH at analysis time.

Every one shared the same shape: value flowing in from dozens of distinct sources over about two months, and zero outbound transfers. Money in from everywhere, nothing out.

The verdict: four for four

Each of the four wallets was run through CredScore with no sanctions match and no entity attribution in the engine's data. To CredScore, they were four anonymous strings of hex.

All four returned the same verdict: High Risk, score 38/100, Escalate, at 72 percent confidence.

The primary driver in every case was the same behavioral pattern, which CredScore labels unexplained_high_value_accumulation: large value accumulated almost entirely through inbound transfers from many sources, held without spending, with no recognized exchange or known-good funding context. A large balance with an unexplained origin is not a trust signal. It is a common holding pattern for stolen or illicit proceeds.

Every score is deterministic. The same wallet, on the same chain, at the same engine version, produces the same verdict. Reproducible three years from now.

Why this matters

Sanctions lists and attribution databases are lagging indicators. They get populated after investigators, victims, or governments do the work of proving a wallet is dirty — which can take days, weeks, or longer. In the gap between when stolen funds start moving and when an address finally lands on a list, a screening tool that only checks lists is blind.

Behavioral analysis closes that gap. The accumulation pattern that flagged all four Drift wallets was visible on-chain from the moment the funds arrived — long before any list could catch up.

For a compliance desk, the value is simple: an address does not have to be on a list to be dangerous.

What this autopsy does not claim

Retrospective, not discovery. The four wallets were public when CredScore analyzed them. Drift and the analytics firms attributed the funds first. The claim is narrower and still meaningful: the engine independently reaches the Escalate verdict with none of the attribution that was later established.

Ethereum only. The exploit happened on Solana. The stolen funds were bridged to Ethereum, and the four wallets Drift named are Ethereum addresses. Solana coverage is on the CredScore roadmap.

Decision support, not legal conclusion. Unexplained accumulation is a review trigger, not proof of wrongdoing. The same shape can describe a legitimate cold wallet, which is precisely why the engine says escalate and investigate, not guilty.

Wallets involved (4)
LaunderingEthereumPrimary — 25,715 ETH from 36 sources
0xaa843ed65c1f061f111b5289169731351c5e57c1
38
score
LaunderingEthereumSecond — 24,882 ETH from 32 sources
0xd3feed5da83d8e8c449d6cb96ff1eb06ed1cf6c7
38
score
LaunderingEthereumThird — 23,097 ETH from 31 sources
0xbddae987fee930910fcc5aa403d5688fb440561b
38
score
LaunderingEthereumLargest — 56,568 ETH from 32 sources
0x0fe3b6908318b1f630daa5b31b49a15fc5f6b674
38
score
CredScore observations

The primary risk driver in all four cases was unexplained_high_value_accumulation. The behavior signature had four elements:

  • Value accumulated almost entirely through inbound transfers (inbound ratio approaching 1.0)
  • Dozens of distinct funding sources per wallet (30+ counterparties)
  • Zero outbound transfers over the observation window
  • No recognized exchange, protocol, or known-good funding context

CredScore's engine had zero sanctions exposure and zero entity attribution for any of the four addresses at analysis time. Every signal a list-based tool relies on came back empty. The verdict was driven entirely by behavior.

All four addresses share the same behavioral shape by construction. In the CredScore Behavioral Watermark, that shape reads as: high inbound share, low outbound share, moderate-to-high counterparty breadth, zero mixer/bridge/CEX/DEX interaction. A fifth Lazarus wallet with the same shape but a new address is exactly the case the Watermark is designed to catch — with enough sanctioned-wallet reference shapes in the corpus, it surfaces future rotations before any label lands.

How to read this. Every wallet score above was produced by the deterministic CredScore engine (version 1.0.0) at publish time. Scores are reproducible: the same wallet, on the same chain, at the same engine version, produces the same verdict. Wallets are cross-referenced live against shared_analyses so if they get re-run later, the latest verdict surfaces on this page.