Drift Protocol Hack: $285 Million Stolen from Solana in 12 Minutes

📋 In brief (TL;DR)

  • Drift Protocol hacked: the Solana DeFi protocol lost $285 million on April 1, 2026
  • Novel technique: hackers exploited Solana’s “durable nonces” to pre-sign fraudulent transactions weeks in advance
  • North Korea suspected: Elliptic and TRM Labs attribute the attack to the Lazarus Group, linked to the DPRK regime
  • Circle criticized: the USDC issuer had 6 hours to freeze stolen funds during US business hours and did nothing
  • Solana impact: SOL dropped 4.5% and Solana’s DeFi TVL lost 14.5% within 24 hours
  • 2nd largest hack in Solana’s history, after Wormhole ($326M in 2022)

On April 1, 2026, while the crypto world was bracing for April Fools’ jokes, hackers pulled off the biggest DeFi heist of the year. Drift Protocol, one of the largest decentralized perpetual futures platforms on Solana, was drained of $285 million in just 12 minutes. The attack combined social engineering, oracle manipulation, and a little-known Solana feature: durable nonces.

Here’s how the hack unfolded—and what it means for DeFi security going forward.

Drift Protocol: A Solana DeFi Pillar

Founded in 2021 by Cindy Leow and David Lu, Drift Protocol is a decentralized exchange specializing in perpetual contracts with up to 10x leverage. Before the attack, the protocol managed roughly $550 million in TVL (Total Value Locked) and was one of the cornerstones of Solana’s DeFi ecosystem.

The protocol used a hybrid model combining an order book and a virtual AMM, with a Security Council operating as a multisig (2 of 5 signatures required) for administrative operations.

Anatomy of a $285 Million Hack

Unlike most DeFi exploits, this attack didn’t target a flaw in the smart contract code. It targeted the governance layer—the humans who control the protocol.

Phase 1: Preparation (March 11–30)

Three weeks before the attack, the hacker withdrew 10 ETH via Tornado Cash (a sanctioned mixer) to fund the operation. They then created a fake token called “CarbonVote Token” (CVT), injected $500 of liquidity on Raydium, and used wash trading to build an artificial price history around $1. On-chain oracles eventually registered this price as legitimate.

Between March 23 and 30, the attacker created 4 durable nonce accounts linked to Drift’s multisig members. Durable nonces are a legitimate Solana feature that allows pre-signing transactions without expiration—normally, a Solana transaction expires within 60 to 90 seconds. This feature enabled the hackers to separate the signing moment from execution by over a week.

Phase 2: Multisig Compromise (March 27)

On March 27, Drift migrated to a new Security Council configuration: a 2/5 multisig with no timelock. The attacker obtained signatures from 2 of the 5 members, likely through social engineering. As Ledger CTO Charles Guillemet noted: “The signers may have believed they were signing a legitimate operation while unknowingly authorizing the fund drainage.”

Phase 3: Execution (April 1, 4:05 PM UTC)

In under 12 minutes, the attacker:

  • Executed pre-signed transactions to seize administrative control
  • Listed the fake CVT token as a valid market on Drift
  • Raised withdrawal limits to extreme levels
  • Disabled safety circuit breakers
  • Deposited hundreds of millions in CVT as collateral (valued at the manipulated price)
  • Executed 31 withdrawals in 12 minutes, draining $285M in real assets

The stolen funds broke down as follows: $155.6M in JLP tokens (Jupiter LP), $60.4M in USDC, $11.3M in cbBTC, $10.5M in wSOL, and the remainder in USDT, WETH, and other tokens.
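
The Phase 3 sequence above (several administrative changes followed within minutes by a burst of withdrawals) is a pattern a monitoring rule can alert on. The following is an added example, not Drift's code: the event kinds, thresholds and sample events are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical event kinds a protocol monitor might emit; not Drift's real event names.
ADMIN_KINDS = {"market_listed", "withdraw_limit_raised", "circuit_breaker_disabled"}

def detect_admin_then_drain(events, window=timedelta(minutes=15),
                            min_admin_kinds=2, min_withdrawals=10):
    """Alert when distinct admin changes and a withdrawal burst share one window."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts, skip_until = [], None
    for i, ev in enumerate(events):
        if ev["kind"] not in ADMIN_KINDS:
            continue
        if skip_until is not None and ev["ts"] <= skip_until:
            continue  # already covered by the previous alert
        end = ev["ts"] + window
        in_window = [e for e in events[i:] if e["ts"] <= end]
        kinds = {e["kind"] for e in in_window if e["kind"] in ADMIN_KINDS}
        drains = [e for e in in_window if e["kind"] == "withdrawal"]
        if len(kinds) >= min_admin_kinds and len(drains) >= min_withdrawals:
            alerts.append({"start": ev["ts"], "admin_changes": sorted(kinds),
                           "withdrawals": len(drains),
                           "usd": sum(e["usd"] for e in drains)})
            skip_until = end
    return alerts

# Constructed sample: timing mirrors the article (admin changes, then 31
# withdrawals inside 12 minutes); the per-withdrawal amounts are made up.
T0 = datetime(2026, 4, 1, 16, 5, tzinfo=timezone.utc)
INCIDENT = [
    {"ts": T0, "kind": "market_listed"},
    {"ts": T0 + timedelta(seconds=20), "kind": "withdraw_limit_raised"},
    {"ts": T0 + timedelta(seconds=40), "kind": "circuit_breaker_disabled"},
] + [{"ts": T0 + timedelta(seconds=60 + 20 * n), "kind": "withdrawal", "usd": 1_000_000}
     for n in range(31)]
# Routine day: one limit change and a few ordinary withdrawals, no alert expected.
ROUTINE = [{"ts": T0 - timedelta(days=1), "kind": "withdraw_limit_raised"}] + [
    {"ts": T0 - timedelta(days=1) + timedelta(minutes=m), "kind": "withdrawal", "usd": 5_000}
    for m in (1, 4, 9)]

if __name__ == "__main__":
    for alert in detect_admin_then_drain(ROUTINE + INCIDENT):
        print(alert)
```

Requiring at least two distinct kinds of admin change keeps a single routine parameter update from paging anyone, while the withdrawal count catches the drain itself.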

North Korea Behind the Attack

Blockchain analytics firms Elliptic and TRM Labs independently attributed the attack to North Korean hackers linked to the Lazarus Group. According to TRM Labs, this was the 18th crypto theft attributed to North Korea in 2026, bringing the annual total to over $300 million.

Charles Guillemet directly compared this exploit to the Bybit hack in February 2025 ($1.4 billion), also attributed to North Korea: “A sophisticated, patient supply chain compromise targeting the human operational layer rather than smart contract vulnerabilities.”

Circle: 6 Hours to Act, and Nothing

On-chain investigator ZachXBT harshly criticized Circle, the USDC issuer. After the theft, the attacker converted stolen funds to USDC and bridged them from Solana to Ethereum via Circle’s own protocol (CCTP). Over $230 million in USDC was bridged across 100+ transactions over approximately 6 hours—during US business hours.

Circle had previously demonstrated its ability to freeze funds: on March 23, the company froze USDC in 16 wallets as part of a civil case. This selective inaction reignited the debate over stablecoin issuer accountability.

Impact on Solana and DeFi

The consequences were immediate:

  • Drift’s TVL collapsed from $550M to under $250M
  • The DRIFT token lost between 38% and 47% of its value
  • SOL dropped 4.5% while the broader market held steady
  • Solana’s overall DeFi TVL fell 14.5% within 24 hours
  • Several protocols connected to Drift (PiggyBank, Ranger Finance, Reflect Money) suspended operations

Drift immediately halted all deposits, withdrawals, and trading. The team is working to regain administrative control and develop a compensation plan for affected users.

Lessons for DeFi

This hack highlights a fundamental DeFi paradox: many “decentralized” protocols remain controlled by centralized admin keys. Uniswap founder Hayden Adams reacted: “Protocols with admin keys controlling all funds should stop calling themselves DeFi.”

Security experts now recommend:

  • Minimum multisig thresholds of 3/5 or 4/7 with mandatory 24–48 hour timelocks
  • Disabling durable nonces for governance pathways
  • Immutable circuit breakers that cannot be modified by administrators
  • Regular signer rotation with hardware isolation
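
The durable-nonce mechanism described in Phase 1 and the recommendation above to disable durable nonces for governance pathways can both be enforced at signing time, because a durable transaction is recognizable: its first instruction is the System Program's nonce advance. The following is an added example, not code from Drift or any wallet vendor; it assumes the message is in the shape of Solana's `jsonParsed` RPC encoding, and the governance program ID, account names and sample messages are placeholders constructed for illustration.

```python
from typing import Optional

SYSTEM_PROGRAM = "11111111111111111111111111111111"
# Hypothetical placeholder: the real governance/multisig program ID is not given on the page.
GOVERNANCE_PROGRAMS = {"GOVERNANCE_PROGRAM_ID_PLACEHOLDER"}

def durable_nonce_account(message: dict) -> Optional[str]:
    """Return the nonce account if instruction 0 is System Program advanceNonce.

    The runtime only treats a transaction as durable when the nonce advance is
    the first instruction, so checking index 0 is sufficient.
    """
    instructions = message.get("instructions") or []
    if not instructions:
        return None
    first = instructions[0]
    parsed = first.get("parsed")
    if first.get("programId") != SYSTEM_PROGRAM or not isinstance(parsed, dict):
        return None
    if parsed.get("type") != "advanceNonce":
        return None
    return parsed.get("info", {}).get("nonceAccount", "<unknown>")

def review_signing_request(message: dict) -> tuple:
    """Policy gate for a signer: returns (decision, reason)."""
    nonce = durable_nonce_account(message)
    programs = {ix.get("programId") for ix in message.get("instructions") or []}
    is_governance = bool(programs & GOVERNANCE_PROGRAMS)
    if nonce and is_governance:
        return ("reject", f"governance action bound to durable nonce {nonce}; "
                          "signature stays valid until the nonce is advanced")
    if nonce:
        return ("warn", f"durable nonce {nonce}; confirm why expiry is disabled")
    return ("allow", "recent blockhash; signature expires on its own")

# Constructed sample messages (not real transactions).
ADVANCE = {"programId": SYSTEM_PROGRAM, "parsed": {"type": "advanceNonce", "info": {
    "nonceAccount": "NONCE_ACCOUNT_PLACEHOLDER", "nonceAuthority": "AUTHORITY_PLACEHOLDER"}}}
ADMIN_IX = {"programId": "GOVERNANCE_PROGRAM_ID_PLACEHOLDER", "accounts": [], "data": "<opaque>"}
TRANSFER = {"programId": SYSTEM_PROGRAM, "parsed": {"type": "transfer", "info": {"lamports": 1}}}
DURABLE_ADMIN = {"instructions": [ADVANCE, ADMIN_IX]}
NORMAL_ADMIN = {"instructions": [ADMIN_IX]}
DURABLE_TRANSFER = {"instructions": [ADVANCE, TRANSFER]}

if __name__ == "__main__":
    for name, msg in [("durable admin", DURABLE_ADMIN), ("normal admin", NORMAL_ADMIN),
                      ("durable transfer", DURABLE_TRANSFER)]:
        print(name, "->", review_signing_request(msg))
```

A signer-side gate like this only helps if it runs on the decoded transaction the hardware device is about to sign, not on a description supplied by whoever is requesting the signature.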

The Drift hack serves as a stark reminder: DeFi security isn’t just about code audits. The most dangerous threats target humans, not smart contracts.

📚 Glossary

  • Drift Protocol: a decentralized exchange on Solana specializing in perpetual contracts (futures with no expiration date).
  • Durable nonces: a Solana feature allowing transactions that never expire, unlike standard transactions (valid 60–90 seconds).
  • Multisig: a wallet requiring multiple signatures (e.g., 2 of 5) to authorize a transaction, used to secure protocol funds.
  • TVL (Total Value Locked): the total value of assets deposited in a DeFi protocol, the primary indicator of its size.
  • Perpetuals: futures contracts with no expiration date, allowing leveraged speculation on price movements.
  • Solana: a layer-1 blockchain known for its speed and low transaction costs, popular in DeFi.
  • Stablecoin: a cryptocurrency pegged to a fiat currency (e.g., USDC = $1), used as a safe haven and medium of exchange.

Frequently Asked Questions

How much was stolen in the Drift Protocol hack?

Hackers drained approximately $285 million in 12 minutes, primarily in JLP tokens ($155.6M), USDC ($60.4M), and various crypto tokens. It’s the largest DeFi hack of 2026 and the second-largest in Solana’s history.

Who is behind the Drift hack?

Elliptic and TRM Labs, two blockchain analytics firms, attribute the attack to North Korean hackers linked to the Lazarus Group. This would be the 18th crypto theft attributed to North Korea in 2026.

Will Drift users be reimbursed?

Drift Protocol has suspended all operations and is working on a compensation plan, but no details have been shared yet. Staked assets at the Drift validator and the insurance fund were not affected.

What is a durable nonce on Solana?

It’s a feature that creates transactions without an expiration date. Normally, a Solana transaction expires in 60–90 seconds. Durable nonces allowed the hackers to have transactions signed in advance and execute them over a week later.

Why didn't Circle freeze the stolen funds?

Although it had 6 hours during US business hours to act, Circle didn’t freeze the $230M in stolen USDC flowing through its own CCTP protocol. The company hasn’t explained this inaction, even though it demonstrated this capability just 9 days earlier in another case.

📰 Sources

How to cite this article: Fibo Crypto. (2026). Drift Protocol Hack: $285 Million Stolen from Solana in 12 Minutes. Retrieved April 3, 2026, from https://fibo-crypto.fr
