
The recent Drift hack highlighted an elaborate new attack pattern in decentralized finance.

The event highlights a gap in many current market protections: traditional cyber forms and many digital asset policies can struggle to respond cleanly when losses are driven by authorized governance actions executed with stolen keys rather than by classic network intrusion, physical theft, or smart contract code defects. As a result, privileged-access compromise, especially when paired with governance/oracle manipulation, can sit at an uncomfortable boundary between operational security and protocol risk that is not always contemplated by standard wordings.

Incident Background

A threat group associated with UNC4736, a North Korea state-affiliated actor, spent six months posing as a legitimate quantitative trading firm. During that time, they attended conferences, met the Drift team in person and deposited about $1 million of real capital on the protocol to establish trust.

They then sent a file with embedded malicious code to two Drift employees who had access to signing keys. Simply opening the file gave the attackers control of 2 of Drift’s 5 signing keys – enough to exercise the protocol’s governance authority. Eight days later, they used that access to execute the exploit and drain approximately $285 million in one minute.

With governance control, the attackers:

  • Minted a new token, CarbonVote Token (CVT), and traded it between wallets they controlled to fabricate a trading history and a price of $1.
  • Exploited Drift’s price oracle, which ingested this activity and treated CVT as a legitimate asset valued at $1.
  • Forced the protocol to accept CVT as collateral, bypassed normal listing processes, disabled circuit breakers and raised withdrawal limits.
  • Removed automatic safeguards that would typically flag or pause unusual behavior.
  • Deposited CVT into Drift’s margin lending system at the manipulated oracle price and received about $285 million in USDC, WBTC, SOL and JLP from three vaults.

In essence, the attackers gained trust through personal relationships, compromised two Drift employees’ signing keys, manufactured fake collateral, convinced oracles that collateral was fairly priced and then borrowed real assets against it.

Risk and Governance Controls

Organizations can design insurance programs and implement protocols that respond to this type of loss and establish preventative measures against threat actors. While Drift’s baseline security controls were reasonable, several weaknesses made this exploit possible:

  1. Signing thresholds
    A 2 of 5 signing threshold is too low for a protocol holding around $550 million. Moving to a 3 of 5 or 4 of 7 structure would materially increase the difficulty of any social-engineering-led attack.
  2. Isolating signing devices
    Signing keys should live on hardened, dedicated machines that are never connected directly to the internet, do not run development software and are used only for signing. When a signing device is also a day-to-day work laptop, the attack surface expands significantly.
  3. Internal and external key management
    The attackers built strong enough relationships with Drift to identify who held key access and then targeted those individuals. A governance structure that separates internal operators from external key managers would make this type of targeting far more difficult.
  4. Mandatory time locks on critical actions
    A 24–48 hour time lock on all security council or admin-level actions is likely the single most important missing control. A delay window would have given the Drift team the opportunity to detect, investigate and reverse the malicious changes before value was drained.
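To show how the signing-threshold and time-lock controls interact, the following toy governance model is an added example for this article; it is not Drift's code and is not drawn from the sources listed below. The five signer names, the "raise_withdrawal_limit" action, the 48 hour delay and the honest signer's review cadence are all constructed assumptions. The model queues every admin-level action behind a delay during which any single signer can veto it, and the `simulate` function replays an attacker holding a given number of stolen keys against different threshold, delay and monitoring settings.

```python
"""Toy model of two of the controls discussed above: a multisig approval
threshold and a mandatory time lock on admin-level actions, with a veto
available to any signer while the lock is active.
Constructed example, not Drift's code; all names and timings are assumed."""

from dataclasses import dataclass, field

HOUR = 3600


@dataclass
class Proposal:
    action: str
    queued_at: int                       # simulated clock, seconds
    approvals: set = field(default_factory=set)
    vetoed: bool = False
    executed: bool = False


class Governance:
    def __init__(self, signers, threshold, delay_seconds):
        if not 1 <= threshold <= len(signers):
            raise ValueError("threshold must be between 1 and the signer count")
        self.signers = frozenset(signers)
        self.threshold = threshold
        self.delay = delay_seconds
        self.queue = []

    def propose(self, action, signer, now):
        self._check_signer(signer)
        proposal = Proposal(action, now, {signer})
        self.queue.append(proposal)
        return proposal

    def approve(self, proposal, signer):
        self._check_signer(signer)
        proposal.approvals.add(signer)

    def veto(self, proposal, signer):
        # One honest signer is enough to stop a queued action; stopping is
        # deliberately cheaper than executing.
        self._check_signer(signer)
        proposal.vetoed = True

    def execute(self, proposal, now):
        # Every gate must pass: not vetoed, enough approvals, lock expired.
        if proposal.vetoed:
            return "vetoed"
        if len(proposal.approvals) < self.threshold:
            return "insufficient_approvals"
        if now < proposal.queued_at + self.delay:
            return "timelock_active"
        proposal.executed = True
        return "executed"

    def _check_signer(self, signer):
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a signer")


SIGNERS = ["alice", "bob", "carol", "dave", "erin"]   # constructed 5-key council


def simulate(threshold, delay_hours, stolen_keys, review_interval_hours):
    """Attacker controls the first `stolen_keys` signers and pushes one
    admin action; an honest signer reviews the queue every
    `review_interval_hours` (None = nobody watches) and vetoes it.
    Returns the final outcome string."""
    gov = Governance(SIGNERS, threshold, delay_hours * HOUR)
    compromised = SIGNERS[:stolen_keys]
    honest = [s for s in SIGNERS if s not in compromised]
    now = 0
    proposal = gov.propose("raise_withdrawal_limit", compromised[0], now)
    for signer in compromised[1:]:
        gov.approve(proposal, signer)
    while True:                              # attacker retries hourly
        result = gov.execute(proposal, now)
        if result != "timelock_active":
            return result
        now += HOUR
        if review_interval_hours and now % (review_interval_hours * HOUR) == 0:
            gov.veto(proposal, honest[0])   # honest review catches the queued action


if __name__ == "__main__":
    for args in [(2, 0, 2, 24), (3, 0, 2, 24), (2, 48, 2, 24), (2, 48, 2, None), (2, 48, 2, 72)]:
        print(args, "->", simulate(*args))
```

The runs show the point of each control separately: with a 2 of 5 threshold and no delay, two stolen keys are enough and the action executes immediately; raising the threshold to 3 stops the same attacker outright; a 48 hour lock with a daily review gives the honest signer a veto window; and a lock with no one reviewing, or with a review cadence longer than the lock, provides no protection at all, which is why the time lock and independent monitoring belong together.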

Additional risk controls, such as stronger operational governance, independent monitoring and standardized listing criteria, could also have disrupted this attack chain.

This incident underlines why clear, consistent standards for DeFi vaults are essential. Risk transfer solutions can be developed for scenarios like this when the organization’s governance design, key custody model, and control environment are demonstrably aligned with insurer expectations.

Aon is focused on defining and helping organizations implement best practices and controls so that similar attacks can be identified earlier, contained more effectively and, in many cases, prevented altogether. If you have any questions or are interested in obtaining coverage, please contact your Aon broker.



Sources:

Drift Protocol Hack: How Privileged Access Led to a $285M Loss
North Korean Hackers Attack Drift Protocol In USD 285 Million Heist | TRM Blog
The Drift Exploit: When Privileged Access Has No Limits | Hypernative


About Aon

Aon (NYSE: AON) exists to shape decisions for the better — to protect and enrich the lives of people around the world. Through actionable analytic insight, globally integrated Risk Capital and Human Capital expertise, and locally relevant solutions, our colleagues provide clients in over 120 countries with the clarity and confidence to make better risk and people decisions that help protect and grow their businesses.

Follow Aon on LinkedIn, X, Facebook and Instagram. Stay up-to-date by visiting Aon’s newsroom and sign up for news alerts here.

©2026 Aon plc. All rights reserved.

Aon is not a law firm or accounting firm and does not provide legal, financial or tax advice. Any commentary provided is based solely on Aon’s experience as insurance practitioners. We recommend that you consult with your own legal, financial and/or insurance advisors on any commentary provided herein. All descriptions, summaries or highlights of coverage described herein are for general informational purposes only and do not amend, alter or modify the actual terms and conditions of any relevant policy. Coverage is governed only by the terms and conditions of such policy. Insurance coverage in any particular case will depend upon the type of policy in effect, the terms, conditions and exclusions in any such policy, and the facts of each unique situation. No representation is made that any specific insurance coverage would apply in the circumstances outlined herein. Please refer to the individual policy forms for specific coverage details.

The information contained in this document and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity.

This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.

Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates.