Solana's Drift Protocol drained of $285 million through fake token and governance hijack

By Artem Safonov, Threat Analyst

Attackers drained $285 million from Drift Protocol, Solana's largest perpetual futures exchange, on April 1, 2026. TRM Labs estimates the drain took roughly 12 minutes. The exploit targeted governance, not smart contract code.

TRM Labs assessed the hack was "likely perpetrated by North Korean hackers" based on on-chain staging patterns. Elliptic independently assessed the behaviour as consistent with previous DPRK-backed operations.

A malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift's Security Council administrative powers.

— Drift Protocol, via X

The preparation began on March 11 with a 10 ETH withdrawal from Tornado Cash. The funds were used to deploy CarbonVote Token (CVT), a completely fictitious asset with approximately 750 million units minted. The attacker seeded a small liquidity pool on Raydium with a few thousand dollars. Wash trading built an artificial price history near $1.

Drift's oracles picked up the manufactured price. CVT began to look like legitimate collateral.

Between March 23 and March 30, the attacker created multiple "durable nonce" accounts. Durable nonces are a legitimate Solana feature that allows transactions to be pre-signed and executed later without expiring. The attacker used social engineering to induce Drift Security Council multisig signers into pre-signing transactions that appeared routine but carried hidden authorisations.
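A signer-side check for the property described above, as an added example that is not Drift's tooling or code from the original article: on Solana, a durable-nonce transaction is recognisable because its first instruction is the System Program's AdvanceNonceAccount, so a signing workflow can flag it before approval. The sketch assumes a serialized legacy message (no signatures, not a v0 message); the keys in the sample messages are constructed placeholders.

```python
import struct

SYSTEM_PROGRAM = bytes(32)      # System Program id decodes to 32 zero bytes
ADVANCE_NONCE_ACCOUNT = 4       # SystemInstruction index, encoded as u32 little-endian

def read_compact_u16(buf, pos):
    """Decode Solana's compact-u16 length prefix; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def parse_instructions(msg):
    """Return [(program_id, account_keys, data), ...] for a legacy message."""
    if msg[0] & 0x80:
        raise ValueError("versioned message: not handled by this example")
    n_keys, pos = read_compact_u16(msg, 3)            # skip the 3-byte header
    keys = [msg[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys + 32                           # keys, then blockhash/nonce field
    n_ix, pos = read_compact_u16(msg, pos)
    instructions = []
    for _ in range(n_ix):
        program = keys[msg[pos]]
        n_acc, pos = read_compact_u16(msg, pos + 1)
        accounts = [keys[i] for i in msg[pos:pos + n_acc]]
        n_data, pos = read_compact_u16(msg, pos + n_acc)
        instructions.append((program, accounts, msg[pos:pos + n_data]))
        pos += n_data
    return instructions

def durable_nonce_account(msg):
    """Return the nonce account key if msg is a durable-nonce transaction, else None."""
    instructions = parse_instructions(msg)
    if not instructions:
        return None
    program, accounts, data = instructions[0]         # the advance must come first
    if (program == SYSTEM_PROGRAM and accounts
            and data[:4] == struct.pack("<I", ADVANCE_NONCE_ACCOUNT)):
        return accounts[0]      # signature stays usable until this nonce is advanced
    return None

# Constructed sample messages (placeholder keys, not real accounts).
_KEYS = b"\x01" * 32 + b"\x02" * 32 + b"\x03" * 32 + SYSTEM_PROGRAM
_HEAD = bytes([1, 0, 2, 4]) + _KEYS + b"\x09" * 32 + bytes([1])
SAMPLE_NONCE_TX = _HEAD + bytes([3, 3, 1, 2, 0, 4]) + struct.pack("<I", 4)
SAMPLE_PLAIN_TX = _HEAD + bytes([3, 2, 0, 1, 12]) + struct.pack("<IQ", 2, 1000)
```

A non-None result means the signature will not expire with a recent blockhash, so a multisig policy can require the remaining instructions to be decoded and reviewed out of band before anyone signs.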

Drift migrated its Security Council on March 27 to a new 2-of-5 threshold with zero timelock. That eliminated the delay that would have allowed detection before admin actions took effect.

April 1 was execution day. The attacker listed CVT as a valid market on Drift, raised withdrawal limits to extreme levels, and drained funds from nearly 20 vaults.

This is not an April Fools joke.

— Drift Protocol, via X

Stolen assets were converted to USDC and SOL. The attacker bridged them from Solana to Ethereum using Circle's Cross-Chain Transfer Protocol (CCTP), converted to ETH, and accumulated approximately 129,066 ETH. SOL deposits went into HyperLiquid and Binance.

ZachXBT publicly criticised Circle for not freezing the stolen USDC during the bridge. The funds moved during US business hours over several hours without intervention.

The exploit wiped out more than half of Drift's total value locked. TVL fell from roughly $550 million to $252 million. The DRIFT token dropped approximately 40%.

Nearly 20 interconnected DeFi protocols reported knock-on effects. PiggyBank_fi reported approximately $106,000 in exposure and covered users from team funds. Ranger Finance paused deposits with estimated exposure over $900,000. Jupiter Exchange confirmed its JLP pool remains fully backed.

Drift sent on-chain messages on April 3 to four wallets holding the stolen ETH. The protocol urged the holders to open a dialogue.

At $285 million, this is the largest DeFi hack of 2026. It is the second-largest exploit in Solana's history, behind only the $326 million Wormhole bridge hack in 2022. TRM Labs noted the post-hack laundering exceeded the pace of the Bybit exploit in 2025 in both speed and transaction size. North Korean crypto operations have followed similar playbooks since at least the 2022 Ronin Bridge hack.

On-chain staging began March 11 with the Tornado Cash withdrawal. The funds began moving the following day at approximately 12:00 AM GMT, around 9:00 AM Pyongyang time. Ledger CTO Charles Guillemet drew parallels to the $1.4 billion Bybit hack, also attributed to North Korean actors. He assessed that attackers likely compromised multisig signer machines through long-term infiltration.

Smart contracts held up. The real targets now are humans: social engineering and opsec weaknesses more than code exploits.

— Lily Liu, President, Solana Foundation

North Korea stole approximately $2 billion in cryptocurrency in 2025, according to Chainalysis. That was roughly 60% of all digital assets stolen that year. The Bybit hack used the same pattern: patient, multi-week preparation targeting governance and signers, not code.

Trail of Bits audited Drift in 2022. ClawSecure audited it in February 2026. Neither review identified the governance weaknesses that made the attack possible. The CVT market introduction and the zero-timelock Security Council migration fell outside the scope of code-focused audits.

A few thousand dollars in fake liquidity turned into $285 million in stolen assets. The attacker did not find a bug. They built a token, manufactured a price, tricked signers into pre-approving transactions, removed the timelock, and executed. Every step targeted humans and governance, not code. DeFi audits that review only smart contracts leave the most exploitable surface unchecked.

— Artem Safonov, Threat Analyst at AnonHaven

Cindy Leow and David Lu founded Drift Protocol in 2021. The exchange held over $400 million in total deposits before the attack. Drift committed to releasing more information once forensic reviews are complete.

Questions on the topic

How was Drift Protocol hacked?
Attackers deployed a fake token (CVT), exploited Solana durable nonces, and used social engineering to hijack governance. The $285 million drain on April 1, 2026 took 12 minutes. TRM Labs pointed to North Korea.