Insights

Security research, incident analysis, and threat intelligence from the Scoprix team.

Analysis

How SentinelCRE Would Have Caught the $285M Drift Hack

A 6-month DPRK intelligence operation — and why multisigs weren't enough


A six-month operation, not a flash exploit

In November 2025, Drift Protocol, one of Solana's largest perpetual DEXs, lost $285 million in a single drain. The attack wasn't a flash loan exploit or a reentrancy bug. It was a six-month intelligence operation run by a DPRK-affiliated threat group. The attackers attended conferences, built genuine professional relationships with the team, deposited over $1 million in real capital to establish credibility, and then compromised a developer's device through a malicious IDE extension. By the time the drain happened, they had full access to the multisig keys.

Why traditional security failed

This is what makes the Drift hack so instructive: every traditional security measure was in place. The protocol had been audited by top firms. It used a multisig with geographically distributed signers. The team had met the attackers face-to-face at multiple events. None of it mattered. Once the keys were compromised, the attacker simply signed valid transactions. From the blockchain's perspective, everything looked authorized.

Layer 1 — policy enforcement stops the drain

SentinelCRE's three-layer defense is designed precisely for this scenario. The first layer — policy enforcement — would have flagged the drain immediately. Value limits on single transactions and daily volume caps mean that even a compromised key holder cannot move $285 million in one operation. The transaction would have been blocked on-chain before it executed, regardless of who signed it.
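A sketch of this kind of signer-agnostic value policy, added here as an illustration in Python (not SentinelCRE code; the class, the limits and the off-chain modelling are assumptions). It replays one oversized transfer and a drain split into smaller transfers, all with valid signatures.

```python
from collections import deque

DAY = 24 * 60 * 60  # seconds

class PolicyGate:
    """Per-transaction limit plus a rolling 24-hour volume cap.
    Hypothetical model; limits are constructed, not SentinelCRE settings."""
    def __init__(self, per_tx_limit, daily_cap):
        self.per_tx_limit = per_tx_limit
        self.daily_cap = daily_cap
        self.approved = deque()  # (timestamp, amount) of approved transfers

    def evaluate(self, timestamp, amount, signatures_valid=True):
        # Valid signatures are necessary but never sufficient.
        if not signatures_valid:
            return False, "invalid signatures"
        if amount > self.per_tx_limit:
            return False, "per-transaction limit"
        # Forget approvals that have aged out of the 24-hour window.
        while self.approved and self.approved[0][0] <= timestamp - DAY:
            self.approved.popleft()
        spent = sum(a for _, a in self.approved)
        if spent + amount > self.daily_cap:
            return False, "daily volume cap"
        self.approved.append((timestamp, amount))
        return True, "ok"

def replay(gate, transfers):
    """Run (timestamp, amount) pairs through the gate.
    Returns the total value moved and the per-transfer decisions."""
    decisions = [gate.evaluate(ts, amt) for ts, amt in transfers]
    moved = sum(amt for (_, amt), (ok, _) in zip(transfers, decisions) if ok)
    return moved, decisions

if __name__ == "__main__":
    # Constructed scenario: 1M per-transaction limit, 5M daily cap.
    single = [(0, 285_000_000)]
    split = [(i * 60, 1_000_000) for i in range(285)]  # one transfer a minute
    print(replay(PolicyGate(1_000_000, 5_000_000), single)[0])  # value moved
    print(replay(PolicyGate(1_000_000, 5_000_000), split)[0])   # value moved
```

The daily cap bounds what a split drain can move within one window rather than preventing it, so the cap should be set from the loss the protocol can tolerate.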

Layer 2 — behavioral analysis catches the pivot

But the more interesting protection comes from the second layer: behavioral analysis. The attackers spent six months building a legitimate baseline — normal deposits, standard interactions, reasonable patterns. The moment they pivoted to a massive drain, their behavioral profile would have shifted dramatically. A frozen baseline means that six months of "normal" behavior cannot be overwritten or gradually shifted. The system compares every action against the original profile, and a $285 million withdrawal from an account that typically moves five-figure amounts would trigger immediate intervention.

The takeaway: defend behavior, not just keys

The key insight from Drift isn't that multisigs are bad — they're necessary. It's that key-based security has a fundamental limitation: it assumes the key holder is who they claim to be. Proactive behavioral defense operates on a different assumption entirely. It doesn't care who holds the key. It cares whether the action is consistent with what that agent has always done. When your security works even after keys are compromised, you've moved from reactive to proactive defense.


Research

Why AI Agents Need Behavioral Defense — Not Just Code Audits

Smart contract audits verify code. Behavioral defense verifies behavior.


The gap in today's security stack

There's a gap in how we secure on-chain AI agents today. Smart contract audits verify that code behaves correctly — that functions do what they claim, that access controls are enforced, that mathematical operations don't overflow. Multisig schemes protect keys — ensuring no single compromised signer can authorize a transaction. But neither of these protects against the most dangerous class of attacks: an authorized agent, running audited code, making decisions that are technically valid but strategically catastrophic.

Why AI agents break the old model

AI agents are fundamentally different from static smart contracts. They make dynamic decisions based on context, training, and real-time data. This means they can be manipulated in ways that code audits will never catch. An agent can be socially engineered through crafted market conditions. It can be fed poisoned data that shifts its decision-making. It can be prompted into taking actions that individually look reasonable but collectively drain a protocol. The attack surface isn't the code — it's the behavior.

Frozen baselines: the anti-drift defense

Behavioral profiling addresses this gap directly. By establishing a frozen baseline of an agent's normal operating patterns — what contracts it interacts with, what value ranges it operates in, how frequently it transacts, what functions it calls — we create a behavioral fingerprint that cannot be gradually shifted. Unlike reputation systems that update over time (and can therefore be gamed through slow drift), a frozen baseline means the attacker cannot "train" the system to accept increasingly abnormal behavior. Any significant deviation from the established profile triggers intervention, regardless of whether the transaction is technically valid.
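The contrast drawn here, and in the Drift analysis above, between a frozen baseline and a profile that updates over time, as an added Python example (not Scoprix code). The z-score test, the threshold of 4 and the transfer values are assumptions constructed for illustration.

```python
import statistics

def fits(value, sample, threshold):
    """True if value lies within `threshold` standard deviations of sample."""
    mean, stdev = statistics.fmean(sample), statistics.pstdev(sample)
    if stdev == 0:
        return value == mean
    return abs(value - mean) / stdev <= threshold

class FrozenBaseline:
    """Profile fitted once on the enrollment window and never updated."""
    def __init__(self, enrollment, threshold=4.0):
        self.sample, self.threshold = tuple(enrollment), threshold

    def check(self, value):
        return fits(value, self.sample, self.threshold)

class RollingBaseline:
    """Profile re-fitted on the most recent accepted values."""
    def __init__(self, enrollment, threshold=4.0):
        self.sample, self.threshold = list(enrollment), threshold

    def check(self, value):
        ok = fits(value, self.sample, self.threshold)
        if ok:  # each accepted value replaces the oldest one in the window
            self.sample = self.sample[1:] + [value]
        return ok

def first_blocked(detector, stream):
    """Index and value of the first rejected transfer, or None if all pass."""
    for i, value in enumerate(stream):
        if not detector.check(value):
            return i, value
    return None

# Constructed data: 20 five-figure transfers, then a 5%-per-step upward drift
# that ends above 3 million.
ENROLLMENT = [18000, 22000, 25000, 20000, 24000,
              21000, 19000, 23000, 26000, 22000] * 2
DRIFT = [24000 * 1.05 ** k for k in range(100)]

if __name__ == "__main__":
    print("rolling:", first_blocked(RollingBaseline(ENROLLMENT), DRIFT))
    print("frozen: ", first_blocked(FrozenBaseline(ENROLLMENT), DRIFT))
```

The rolling profile accepts every step because each accepted value widens what it treats as normal, while the frozen profile rejects the drift while amounts are still five-figure.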

Dual-AI consensus: making attackers fight two minds

Dual-AI consensus adds another dimension of resilience. When two independent AI models evaluate the same proposed action and must agree before it proceeds, the attacker's task gets harder. Compromising one model's judgment isn't enough. The attacker would need to simultaneously fool two different architectures, trained on different data, using different reasoning approaches. This is fundamentally harder than compromising a single point of validation, and it mirrors the adversarial robustness principles used in other high-stakes domains like nuclear launch authorization.

The threats we're already seeing

The threat landscape is evolving faster than traditional security can adapt. Our adversarial sandbox has surfaced frontier AI-agent attack classes that don't appear in any public security playbook — we acknowledge their existence here but withhold specific names and mechanics for responsible disclosure. Prompt injection techniques are being adapted for on-chain contexts. These are AI-agent-specific threats that didn't exist two years ago and won't be caught by any code audit. The protocols that survive the next wave of exploits will be the ones that defend behavior, not just code.


Technical

Our Adversarial Sandbox Discovered Attacks That Don't Exist Yet

Red team vs blue team: 51 scenarios, 12 dimensions, honest results


A harder question than "can we stop known attacks?"

Most security testing asks a simple question: can we stop known attacks? Our adversarial sandbox asks a harder one: can we discover attacks that haven't happened yet? The sandbox pits red team attack bots — each running different strategies, from brute-force drains to sophisticated social engineering simulations — against our behavioral defense engine. The red team's job is to get malicious transactions approved. The blue team's job is to stop them without blocking legitimate activity. Over thousands of simulated transactions across 51 scenarios, the results tell us not just how good our defense is, but where the frontier of on-chain threats is heading.

Replaying history, then going beyond it

The sandbox replays real-world incidents with full fidelity. The Drift hack, the Bybit breach, the Ronin bridge exploit — each is reconstructed as a multi-step attack sequence with realistic timing, value patterns, and social engineering phases. But replay testing is table stakes. The more valuable scenarios are the novel AI-agent attacks that our red team bots invented during adversarial training. These are attack patterns that don't exist in any incident database because they haven't been executed in the wild yet. They emerge from the intersection of AI agent capabilities and on-chain economics in ways that human security researchers might not anticipate.

Eight runs, 91.3% to 96.1%

The improvement trajectory tells its own story. Across eight full sandbox runs, our detection rate moved from 91.3% to 96.1%. Each run exposed specific blind spots, which were addressed by expanding the behavioral analysis from 7 dimensions to 12. The methodology is deliberately iterative: run the sandbox, identify what got through, strengthen the defense, run it again. No security system is perfect on day one. What matters is the feedback loop and the honesty about what doesn't work.

Three attacks that don't exist yet — but will

Three novel attack categories emerged from sandbox testing that we believe represent genuine future threats. Behavioral mimicry attacks study an agent's historical patterns and attempt to replicate them exactly while gradually introducing malicious actions. Prompt evolution attacks adapt their approach based on which actions get blocked, effectively "learning" the defense boundary. Context flooding attacks overwhelm the behavioral engine with high volumes of legitimate-looking transactions to mask a single malicious one. None of these have been documented in real-world incidents, but our sandbox proved they're feasible against naive defenses.

What we still can't catch

We believe in honest reporting, which means acknowledging what we can't catch. Two remaining gaps exist in our defense, both involving scenarios where an attacker has compromised administrative access to the protocol itself — not just agent keys, but governance-level control. These are genuinely hard problems that no behavioral system can fully solve, because when the attacker controls the rules, behavioral baselines can be reset. We're actively researching mitigation strategies, but we won't claim 100% coverage we don't have. Full sandbox results, including the failure cases, are available on our sandbox page.