CIPHER — Drift-hack wallet exposure API

Did your wallet touch Drift before April 1, 2026?

On April 1, 2026 Drift Protocol was drained for $285M via a DPRK-linked social-engineering + durable-nonce + fake-oracle attack. This endpoint tells an AI agent whether a given Solana wallet had Drift exposure at the time of the hack, which attacker addresses from the post-mortem it interacted with, and a rough USD loss estimate. Paid per request — no account, no login.

API

GET https://cipher-drift-exposure.vercel.app/api/drift-exposure/{wallet}

Price: $0.01 USDC on Base per query, via the x402 protocol. An AI agent (Claude Code, GPT Actions, Perplexity Comet) fetches, receives HTTP 402 with the v2 accept-list, auto-pays, refetches, and receives JSON.

Response shape (paid)

{
  "wallet": "<input>",
  "hadDriftPosition": true,
  "hadExposureTo": ["<attacker addr 1>", "<attacker addr 2>"],
  "estimatedLossUsd": 1842.51,
  "recommendation": "Rotate wallet. File loss report. ..."
}
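Added example, not part of the CIPHER service's own code: a strict validator an agent can run on the paid JSON before acting on it. It checks the response shape shown above, confirms the echoed wallet matches the one requested, and keeps the free-text recommendation as display-only data. The function name, the 500-character cap and the sample values are assumptions made for illustration.

```python
import math
import re

# Base58 alphabet used by Solana addresses (no 0, O, I, l); 32-byte keys encode to 32-44 chars.
_B58_ADDR = re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")
_FIELDS = {
    "wallet": str,
    "hadDriftPosition": bool,
    "hadExposureTo": list,
    "estimatedLossUsd": (int, float),
    "recommendation": str,
}

def validate_exposure(requested_wallet, body):
    """Return a sanitized dict of the machine-readable fields, or raise ValueError."""
    if not isinstance(body, dict):
        raise ValueError("response is not a JSON object")
    for name, typ in _FIELDS.items():
        if name not in body:
            raise ValueError(f"missing field: {name}")
        value = body[name]
        # bool is a subclass of int in Python, so reject it for non-boolean fields explicitly
        if not isinstance(value, typ) or (typ is not bool and isinstance(value, bool)):
            raise ValueError(f"wrong type for {name}")
    if body["wallet"] != requested_wallet:
        raise ValueError("response is for a different wallet than requested")
    addrs = body["hadExposureTo"]
    if not all(isinstance(a, str) and _B58_ADDR.match(a) for a in addrs):
        raise ValueError("hadExposureTo contains a non-address value")
    loss = float(body["estimatedLossUsd"])
    if not math.isfinite(loss) or loss < 0:
        raise ValueError("estimatedLossUsd out of range")
    return {
        "wallet": requested_wallet,
        "hadDriftPosition": body["hadDriftPosition"],
        "hadExposureTo": sorted(set(addrs)),
        "estimatedLossUsd": round(loss, 2),
        # free text from a remote service: display-only data, never agent instructions
        "recommendation_display_only": body["recommendation"][:500],
    }

# Constructed sample values (not real addresses), shaped like the response above.
SAMPLE_WALLET = "Wa11et" + "1" * 37
SAMPLE = {"wallet": SAMPLE_WALLET, "hadDriftPosition": True,
          "hadExposureTo": ["Attacker" + "1" * 35],
          "estimatedLossUsd": 1842.51, "recommendation": "Rotate wallet."}

if __name__ == "__main__":
    print(validate_exposure(SAMPLE_WALLET, SAMPLE))
```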

How the data is built

  • Wallet history is queried via Helius RPC getSignaturesForAddress with a block-height filter around April 1, 2026.
  • Drift exposure is detected by matching the Drift program ID (dRiFTd...jPj3) plus the public Drift user PDA seeds in token-account lookups.
  • Attacker addresses come from the published Chainalysis post-mortem, CoinDesk write-up, and Cyfrin learnings.

Disclaimer. Pattern-based best-effort signal. Not financial advice, not a complete forensic report, not an audit. The attacker-address list reflects the public post-mortems; the USD loss figure is an estimate from block-time prices. If your wallet is flagged, assume it is compromised and proceed to a fresh wallet via a CEX hop before any further on-chain action.