Drift Protocol v2

🔴 High Risk

Cayman Islands’ permissive framework enabled Drift v2’s illegal laundering by design: blending DPRK-sanctioned collateral in cross-margin perps funds evaded global sanctions, with dynamic AMMs amplifying adverse selection for state actors. Absent KYC/AML enforcement proved the territory’s complicity, obscuring PEP exposures and allowing $285M drainage—a stark indictment of its non-cooperative status, drawing justified CFTC scrutiny while local inaction persists.

Drift Protocol v2, a Cayman Islands-registered Solana perpetuals DEX, allegedly facilitated $280-285 million in money laundering through its insurance fund’s blending of sanctioned collateral, primarily from DPRK-linked hackers. On April 1, 2026, attackers compromised admin keys via social engineering, rigging oracles to value fake CVT tokens at $1 billion equivalent, draining USDC, JLP, and vaults while cross-margin obscured net exposures. Dynamic AMM curves enabled adverse selection, allowing illicit extraction without traceability, exploiting Cayman’s lax AML regime that shielded beneficial owners and ignored OFAC lists. CFTC probes target this as sanctions evasion, with Gibbs Mura class actions against Circle for failing to freeze $230M USDC bridged via CCTP. Cayman’s offshore anonymity proved central, hosting v2’s design flaws—no timelocks, pooled collateral—that turned perps trading into a laundering conduit, crashing TVL from $550M to $250M and hitting 20+ protocols. No local enforcement occurred, underscoring the islands’ role in DeFi crimes amid US regulatory pressure, with ongoing suits seeking recovery for misled users. 

Countries Involved

Cayman Islands (primary jurisdiction of Drift Protocol v2 registration and operations), United States (CFTC regulatory oversight), North Korea (alleged state-sponsored attackers linked to laundering), Solana blockchain ecosystem (global). The Cayman Islands’ lax offshore framework directly enabled Drift v2’s perpetuals insurance fund to blend sanctioned collateral from DPRK-linked entities without robust KYC/AML checks, turning the territory into a nexus for obscured illicit flows in DeFi perps trading. This illegal activity exploited Cayman’s reputation as a non-cooperative jurisdiction for crypto entities, where cross-margin pooling hid net exposures from sanctioned sources, facilitating money laundering on a scale that drew CFTC ire.

April 1, 2026 (exploit execution); April 14, 2026 (class actions filed highlighting laundering via sanctioned collateral); ongoing CFTC probe reported mid-April 2026. Discovered during the $280M drain when blockchain forensics revealed insurance fund anomalies, with Cayman-registered Drift v2’s cross-margin obscuring DPRK-tainted inflows. This illegal activity in Cayman Islands persisted undetected due to absent real-time transaction monitoring, allowing pre-signed malicious txs to launder via fake markets. Reports from Gibbs Mura detailed how Cayman’s regulatory vacuum enabled six months of social engineering by North Korean operatives, culminating in the exploit that blended sanctioned USDC into perps funds. CFTC flagged this as evasion, as v2’s design ignored OFAC lists, proving Cayman’s role in hosting laundering hubs where dynamic AMMs extracted value from illicit collateral without traceability—a direct breach of international AML norms, with no local enforcement until US pressure mounted.

USDC ($230M+), DRIFT, CVT (fake), SOL, JLP, dSOL

Money Laundering through blending sanctioned collateral in perpetuals insurance fund, sanctions evasion, adverse selection via dynamic AMMs, cross-margin exposure obfuscation. Cayman Islands’ illegal facilitation via offshore anonymity allowed Drift v2 to pool tainted DPRK funds with user collateral, enabling placement, layering, and integration stages of laundering. This crime manifested in v2’s design flaws, where Cayman registration bypassed AML directives, letting social-engineered admin keys drain funds while insurance pools hid net DPRK exposures. Proving Cayman’s culpability, no local FIU intervention occurred despite red flags like 100+ USDC bridges, contrasting stricter jurisdictions—dynamic AMMs exacerbated illicit extraction, turning perps trading into a laundering vector with obscured exposures that CFTC deemed systemic risks.

Drift Protocol v2 (Cayman entity), Circle Internet Financial (USDC issuer), North Korean state-sponsored hackers (Lazarus Group per Elliptic), Gibbs Mura law firm (plaintiffs), CFTC (investigator). Cayman’s Drift v2 core entity illegally hosted the laundering by design, blending collateral without sanctions checks. As a Cayman exempted company, Drift v2’s governance multisig was compromised, enabling fake CVT deposits that laundered via withdrawals—proving islands’ lax oversight allowed DPRK infiltration over six months. Circle’s CCTP was exploited post-drain, but Cayman structure predated the crime, obscuring PEP exposures in cross-margin, with no local probes until US suits exposed the jurisdiction’s role in harboring DeFi laundering ops.

Yes – Alleged North Korean state actors (government PEPs via Lazarus Group), facilitated by Cayman anonymity shielding Drift v2 operators. Cayman’s illegal opacity hid potential local PEPs in Drift’s beneficial ownership, while DPRK state hackers executed social engineering, blending sanctioned collateral into insurance funds. This proved the islands’ AML failures, as v2’s cross-margin pooled PEP-tainted assets without disclosure, enabling laundering at scale—CFTC scrutiny targets this nexus, where dynamic AMMs allowed PEPs to exploit curves for adverse selection gains, underscoring Cayman’s role as a PEP haven for crypto crimes.

Collateral blending in perps insurance fund, cross-margin netting to obscure exposures, dynamic AMM adverse selection, fake oracle pricing for phantom deposits, CCTP bridging. Cayman Islands illegally enabled these via regulatory gaps, allowing Drift v2 to layer illicit USDC without traceability. Attackers pre-signed txs via Solana nonce, created CVT market, rigged Switchboard oracles to value junk at $1, deposited billions in fake collateral, withdrew real assets—classic placement/layering in Cayman’s lax environment. Cross-margin hid net DPRK positions, while AMMs (dNt± intensities) amplified extraction, proving islands’ complicity in DeFi laundering mechanics that evaded global sanctions.

$280-285 million total exploit; $230 million+ USDC bridged and laundered via sanctioned collateral blending. Cayman Drift v2 facilitated full amount through insurance fund mechanics. TVL crashed from $550M to $250M, with 20+ protocols hit indirectly; Cayman’s structure enabled clean withdrawal of tainted funds, as cross-margin obscured DPRK origins—proving illegal scale, CFTC views this as evasion benchmark, with dynamic curves turning perps into laundering multipliers unmatched in stricter jurisdictions.

31 rapid withdrawals against 500M CVT phantom collateral (oracle-rigged at $1), draining USDC/JLP/SOL/etc.; 100+ CCTP bridges over 8 hours; insurance fund blended sanctioned inputs, netting exposures to zero visibility. Cayman’s Drift v2 illegally masked flows via AMM curves. Elliptic traced DPRK signatures in social engineering lead-up; cross-margin pooled user funds with illicit, enabling adverse selection where informed actors (PEPs) extracted via λt± imbalances—proving Cayman’s forensic gaps, as no local tx monitoring caught pre-signed drains, unlike USDC freezes elsewhere, solidifying islands’ laundering haven status.

CFTC investigation into sanctioned collateral blending; Gibbs Mura class actions (CA/MA courts); no Cayman sanctions yet, Circle defenses pending. Targets Drift v2’s Cayman ops for AML failures. US suits seek damages, highlighting Cayman’s non-action as enabler—proving illegal inaction, CFTC probes v2 insurance fund evasion without local cooperation, exposing islands’ resistance to FATF, with ongoing fallout pressuring Cayman to tighten crypto rules amid DeFi crackdowns.

Drift Protocol v2
Case Title / Operation Name:
Drift Protocol v2
Country(s) Involved:
Korea, North (North Korea), United States
Platform / Exchange Used:
Drift Protocol v2 (Solana Perps DEX, Cayman-registered)
Cryptocurrency Involved:

USDC ($230M+), DRIFT, CVT (fake), SOL, JLP, dSOL

Volume Laundered (USD est.):
$280-285 million
Wallet Addresses / TxIDs:
Admin multisig compromised; 500M CVT phantom deposits; 100+ CCTP USDC bridges (Elliptic-traced DPRK signatures)
Method of Laundering:

Collateral blending in perps insurance fund: Sanctioned DPRK USDC pooled with user assets via cross-margin netting, obscuring net exposures.
Dynamic AMM adverse selection: Informed actors exploited curves (dNt±) for illicit extraction.
Fake oracle pricing: CVT junk valued at $1B equivalent.
CCTP bridging: $230M layered to Ethereum unchecked.
Cayman’s lax AML enabled full placement/layering/integration.

Source of Funds:

DPRK state-sponsored hacks (Lazarus Group via social engineering); sanctioned collateral inflows to insurance fund; potential darknet/ransomware blends obscured by v2 design.

Associated Shell Companies:

Drift Protocol v2 Cayman exempted company; fake trading firms used in 6-month social engineering infiltration.

PEPs or Individuals Involved:

North Korean state actors (Lazarus Group PEPs); undisclosed Drift v2 Cayman beneficial owners shielded by jurisdiction opacity.

Law Enforcement / Regulatory Action:
CFTC probe into sanctions evasion/insurance fund blending; Gibbs Mura class actions (CA/MA courts) vs Circle; no Cayman enforcement; fund tracing ongoing.
Year of Occurrence:
2026
Ongoing Case:
Ongoing