There’s a particular kind of irony that only becomes visible in hindsight. I wrote about the failure to connect signals in time. And then I experienced it.
The idea had been building for years, drawn from decades of watching cyber and fraud teams operate in parallel worlds, each seeing fragments of the same attack, nobody assembling the complete picture in time. I gave it a name – the trust-collapse moment. I wrote a piece about it. And then, for reasons that anyone who works in the commercial world will understand, it sat.
While it was sitting, something happened.
On April 1, 2026, $285 million disappeared from Drift Protocol in twelve minutes. I read the post-mortem as it emerged. And what I found there stopped me.
Five signals, across five different functions. Visible for three weeks before the attack executed, and none of them assembled into a single picture. It was the most precise forensic illustration of the trust-collapse argument I had ever seen.
I wanted to write about it immediately, but I couldn’t. Restarting the timeline would have added weeks to a story that was already moving fast. So I waited, and published the piece last week without the Drift case study. Accurate. Well-argued. But a few weeks behind the moment it was most needed.
A piece about the failure to connect signals in time. Delayed because the signals arrived faster than the timeline could keep up with.
I’ve been thinking about that ever since. Not just as a personal frustration, but as a precise illustration of something that sits underneath the trust-collapse argument itself.
The organisations that fail to connect cyber and fraud intelligence don’t fail just because they lack the capability. They fail because their structures were built for a world that moves more slowly than the one they’re operating in now.
Time, in the adversarial world of cyber and fraud, is not neutral. It compounds.
March 11. The first signal in the Drift attack. A single withdrawal through Tornado Cash. The attack executed on April 1.
Twenty-one days.
The gap between seeing a fragment and assembling the picture. The gap that cost $285 million.
I’m writing about it now, independently, on my own timeline, because some arguments are too important to queue.
If you haven’t read the original trust-collapse moment piece, the link is here. Read them together if you can. This is the case study that thinking deserved from the start.
A month on from the Drift Protocol attack, the forensic trail is complete. The post-mortem is public. The signals have been identified, sequenced, and documented with more precision than most incident reviews ever achieve.
And that completeness makes the question it raises harder to dismiss.
Not, could this have been stopped? The answer to that is clearly yes. Rather, why are most organisations still structured in a way that would miss exactly the same signals today?
The FBI’s 2025 Internet Crime Report, published in April 2026, recorded $20.8 billion in internet crime losses last year — a 26% increase year over year, with 85% involving fraud schemes facilitated or amplified by digital technology. The trust-collapse moment is not a philosophical construct. At $17.6 billion in fraud-facilitated losses in a single year, it’s one of the most quantifiable and most preventable organisational design failures in modern business.
This is what that failure looks like in forensic detail, and this is precisely where it could have been interrupted.
What Happened At Drift & Where The Signals Were
On April 1, 2026, Drift Protocol — the largest decentralised exchange on the Solana blockchain — was drained of $285 million in twelve minutes. North Korean state actors, attributed with medium-high confidence to the group known as UNC4736, had spent six months building the attack. But here’s what the forensic timeline shows — and why it matters for every organisation, not just those in crypto.
The first signal had been visible since October 2025 — five months before the attack executed. A group presenting themselves as a quantitative trading firm had been building relationships with Drift contributors at conferences across multiple countries. They deposited $1 million of real capital to appear legitimate. In any regulated financial institution, a new counterparty relationship of this scale would trigger enhanced due diligence and Know Your Business processes. In DeFi, it didn’t. That is a fraud prevention failure as much as a cyber one.
The second signal was also visible from late 2025 — a publicly documented vulnerability in VSCode and Cursor, the development tools used by Drift’s contributors, that the security community had been flagging for months. A cyber threat intelligence function monitoring developer tooling risks should have caught it and communicated it to the teams using those tools. A fraud function would never have known to look.
The third signal appeared on March 11, 2026 — three weeks before the attack — when a single withdrawal of 10 ETH moved through Tornado Cash, a cryptocurrency mixer with well-documented links to previous North Korean state operations. That is a financial intelligence signal. A blockchain monitoring function, a financial crime team, or a fraud unit watching on-chain activity for known state-actor infrastructure would have flagged it. A cyber team focused on network intrusion would never have seen it.
The fourth signal appeared in the weeks that followed — wash trading in a newly created token called CarbonVote. The attackers minted a worthless asset, seeded it with a few thousand dollars of liquidity, and traded it with themselves to create the appearance of legitimate market price. That is financial market manipulation — the domain of fraud detection and market surveillance, not cyber monitoring. Invisible to a team watching for technical intrusion.
The fifth signal appeared on March 23 — nine days before the attack — when the protocol’s Security Council timelock was removed, changing the multisig governance structure in a way that eliminated the last line of defence. A risk governance function monitoring unusual changes to administrative controls might have queried it. A cyber team focused on external threat actors would not have been watching internal governance parameter changes.
Five signals. Five different functions. Nobody assembled them into a single picture.
Where The Attack Could Have Been Stopped
The signals were visible from October 2025. A fake trading firm. A known developer tooling vulnerability. Six months of patient relationship-building designed to manufacture legitimacy. Any organisation with a unified view across cyber and fraud intelligence had a window — not of days, but of months — to question what was being constructed.
But the most precise and most actionable intervention point wasn’t October 2025. It was March 11 – the Tornado Cash withdrawal. Three weeks before the attack executed. Before the fake token existed. Before the governance changes were made. Before the pre-signed transactions were approved.
A unified cyber and fraud intelligence function — one watching on-chain financial signals alongside cyber threat indicators — would have flagged a known North Korean-linked infrastructure pattern on March 11 and initiated enhanced scrutiny of every relationship and transaction connected to that wallet. The relationship with the fake trading firm, which had been building for six months at that point, would have been reviewed under a completely different lens. The governance changes nine days later would have been flagged immediately rather than approved routinely.
That’s not hindsight. That’s exactly what integrated threat intelligence is designed to do.
57% of global fraud leaders report being notified of cyber breaches only after fraud losses begin. In Drift’s case, the fraud loss and the breach notification arrived simultaneously. There was no gap in which to intervene. Not because the signals weren’t there. Because nobody was watching all of them at once.
Why This Matters Beyond Crypto
The pattern is universal.
An attacker who spends six months building a trusted relationship before executing. Financial signals that appear weeks before the cyber impact becomes visible. A governance change that looked routine to the people who approved it. A developer tooling vulnerability that was publicly known but not acted on. Signals appearing in fraud, financial intelligence, risk governance, and cyber – none of which were connected in time.
I’ve seen this pattern in retail. In healthcare. In financial services. In critical infrastructure.
The technology changes. The silo problem doesn’t.
The financial services sector saw its own version of this play out last year. When Marquis Software Solutions, a fintech and marketing vendor, was hit by a ransomware attack through a SonicWall firewall vulnerability, 74 banks and credit unions across the US discovered simultaneously that a supplier they trusted had become their point of failure. The cyber incident happened at the vendor but the exposure landed with the regulated firms.
That’s the accountability without control problem made visible. And it’s precisely the scenario the FCA’s new framework is designed to address.
The organisations that disrupted attacks early – the ones where the story never became a headline – were the ones that had already broken down the wall between cyber and fraud intelligence. Not because they were more technically sophisticated. But because they’d structured themselves to see the whole attack chain rather than fragments of it.
What Leadership Needs To Ask Right Now
If your cyber and fraud functions are still operating in parallel worlds, the Drift timeline is the clearest possible illustration of what that costs. Not in theory. Not as a pattern observed across a sector. In public, with a forensic trail, documented in post-mortem detail.
The question isn’t whether your organisation could face a Drift-style attack. It’s whether your current structure would have caught the March 11 signal, and connected it to everything that followed.
In the UK, the FCA, PRA, and Bank of England have confirmed a new cyber resilience framework taking effect March 2027. The Cyber Security and Resilience Bill progressing through Parliament proposes mandatory 24-hour notification and penalties of up to £17 million or 4% of global turnover. And in February 2026, the Financial Action Task Force (FATF), the global standard-setter for financial crime, published a specific report on cyber-enabled fraud, calling on governments, regulators, and financial institutions worldwide to strengthen their capabilities to detect, prevent, and disrupt the convergence of cyber and fraud threats.
The principle at the core of all three is the same one the Drift timeline illustrates so precisely.
If a breach originates with a third party, the obligation does not transfer to that supplier. It sits with the regulated firm.
The silo problem is now the subject of formal global regulatory attention. The question is no longer whether integration is necessary. It’s how quickly organisations act before they are tested.
Five signals. Five different functions. One organisation that didn’t connect them. Under the new framework, the accountability for that failure sits unambiguously with the regulated entity.
The Drift attack happened in DeFi. The FCA framework applies to financial services. The FATF report applies globally. But the pattern, and the accountability, are the same.
Whether your organisation is running traditional payment infrastructure, managing customer data across a complex SaaS estate, or beginning to deploy AI agents that act autonomously on your customers’ behalf, the structural question is identical.
Can you see the whole attack chain? Or only the fragment that happens to fall within your team’s domain?
If the answer is only the fragment, that’s the conversation your leadership team needs to have this week. Not after the trust-collapse moment arrives. Before it.
Now I Want To Hear From You
In your experience, which of these five signals do you think most organisations are least equipped to catch? Join me on LinkedIn and tell me in the comments.
If you haven’t read the original trust-collapse moment piece – the thinking that sits underneath this blog – the link is here.
