$285M Vanished From Solana’s Top DEX in Minutes – Elliptic Points to North Korea

Fact-Checked by Sophie Chen, Senior Crypto Reporter

$285 million. Gone in eleven minutes.

Drift Protocol, the largest perpetual futures exchange on Solana, lost nearly everything on April 1 when an attacker drained its vaults in a coordinated exploit that ranks as the biggest DeFi hack of 2026. The DRIFT token crashed 42% within hours. Solana’s total value locked took a hit that rippled across a dozen protocols. And the worst part? The attack was weeks in the making – and arguably preventable.

Blockchain analytics firm Elliptic flagged the incident as likely linked to North Korea’s Lazarus Group, marking it as the 18th DPRK-attributed crypto operation this year alone.

A Fake Token, a Stolen Key, and Eleven Minutes

The attacker didn’t find a bug in Drift’s smart contracts. That would’ve been almost forgivable. Instead, they went after something far more dangerous – the admin keys.

Three weeks before April 1, someone created a worthless token called CarbonVote Token ($CVT) on Solana. They minted 750 million units, seeded a liquidity pool on Raydium with just $500, and spent the next 21 days wash-trading it. The goal wasn’t profit. It was manufacturing a fake – but stable – oracle price history that on-chain systems would treat as legitimate.

Then came the kill shot. The attacker compromised Drift’s Security Council multisig, likely by stealing enough private keys from individual signers to meet the threshold. Using Solana’s “durable nonces,” a feature designed to let users pre-sign transactions for later execution, they queued up administrative transfers days in advance.

On April 1, everything fired at once. The attacker listed the worthless CVT token on Drift’s spot market, switched its price oracle to one they fully controlled, pumped CVT’s value to absurd levels, and removed circuit breakers on major assets like USDC and eETH. Eleven coordinated transactions later, Drift’s vault TVL collapsed from $309 million to $41 million – an 87% wipeout in minutes.

That’s not a software vulnerability. That’s a heist with weeks of prep, executed through a Solana convenience feature.
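Detection logic for the sequence described above, added here as an example and not code from Drift, Elliptic or this article's sources: it flags privileged changes executed from pre-signed (durable nonce) transactions, a market listing backed by a thin pool, and several kinds of high-risk change landing inside one short window. The record fields, action labels, thresholds and timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Action labels and record fields are assumptions for this example; a real
# monitor would decode them from the protocol's admin instructions.
HIGH_RISK = {"list_spot_market", "set_oracle", "remove_circuit_breaker"}
MIN_POOL_LIQUIDITY_USD = 1_000_000  # assumed listing floor, not a Drift parameter

# Constructed sample (not chain data), following the sequence the article describes.
SAMPLE_TXS = [
    {"ts": "2026-03-20T09:00:00", "action": "update_fee", "asset": "SOL",
     "durable_nonce": False},
    {"ts": "2026-04-01T16:00:00", "action": "list_spot_market", "asset": "CVT",
     "durable_nonce": True, "pool_liquidity_usd": 500},
    {"ts": "2026-04-01T16:02:00", "action": "set_oracle", "asset": "CVT",
     "durable_nonce": True},
    {"ts": "2026-04-01T16:05:00", "action": "remove_circuit_breaker", "asset": "USDC",
     "durable_nonce": True},
    {"ts": "2026-04-01T16:06:00", "action": "remove_circuit_breaker", "asset": "eETH",
     "durable_nonce": True},
]

def review_admin_activity(txs, window=timedelta(minutes=15), min_kinds=3):
    """Return (rule, timestamp, detail) findings for a list of admin transactions."""
    findings, risky, in_burst = [], [], False
    for tx in sorted(txs, key=lambda t: t["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(tx["ts"])
        if tx["action"] not in HIGH_RISK:
            continue
        # Rule 1: privileged change executed from a pre-signed transaction.
        if tx.get("durable_nonce"):
            findings.append(("presigned_admin_tx", tx["ts"], tx["action"]))
        # Rule 2: listing against a pool too thin to support a price
        # (a missing liquidity figure is treated as zero and flagged).
        if (tx["action"] == "list_spot_market"
                and tx.get("pool_liquidity_usd", 0) < MIN_POOL_LIQUIDITY_USD):
            findings.append(("thin_liquidity_listing", tx["ts"], tx["asset"]))
        # Rule 3: several distinct kinds of high-risk change inside one window,
        # reported once when the threshold is first crossed.
        risky = [(t, a) for t, a in risky if ts - t <= window] + [(ts, tx["action"])]
        kinds = {a for _, a in risky}
        if len(kinds) >= min_kinds and not in_burst:
            findings.append(("admin_burst", tx["ts"], ",".join(sorted(kinds))))
        in_burst = len(kinds) >= min_kinds
    return findings

if __name__ == "__main__":
    for finding in review_admin_activity(SAMPLE_TXS):
        print(finding)
```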

DRIFT token crashed 42% after the April 1 exploit. Source: CoinGecko, tokenecho.io

Circle Could Have Frozen $60M – It Didn’t

What happened after the drain is almost as damning as the exploit itself.

The attacker consolidated stolen assets and began swapping them into USDC and SOL. Then they started bridging funds from Solana to Ethereum using Circle’s own Cross-Chain Transfer Protocol (CCTP) – more than 100 transactions over approximately six hours. During U.S. business hours.

Circle didn’t freeze a single dollar.

“Millions in stolen USDC bridged from Solana to Ethereum via CCTP while Circle sat on their hands,” on-chain investigator ZachXBT said, pointing out the selective enforcement.

The timing stings. Just weeks earlier, Circle had frozen 16 unrelated corporate hot wallets in a sealed U.S. civil case – a move ZachXBT had already criticized as overreach. So Circle demonstrated it absolutely can act fast when it wants to. It just didn’t act fast enough when $60 million in confirmed stolen USDC flowed through its own infrastructure for six straight hours.

On the Ethereum side, portions of the stolen funds were swapped into ETH, while others moved through centralized exchanges – a laundering path designed to fragment the trail.

Elliptic Points to Pyongyang – For the 18th Time This Year

“This looks like Bybit all over again,” Ledger CTO Charles Guillemet said, comparing the exploit to the $1.4 billion Bybit hack of February 2025 – the largest crypto theft in history, also attributed to North Korea’s Lazarus Group.

Elliptic’s analysis found multiple DPRK fingerprints: the attacker’s wallet was created eight days before the exploit, received a small test transfer from a Drift vault during that window, then used a structured multi-chain laundering flow designed to obscure origin. Pre-positioned wallets, early test transactions, staged execution. We’ve seen this playbook before.

If the attribution holds, Drift becomes the 18th DPRK-linked crypto operation Elliptic has tracked in 2026 alone. Combined, North Korean hackers have stolen over $300 million this year – and it’s only April. That money, according to the U.S. government, funds Pyongyang’s weapons programs.

For context, North Korea stole roughly $1.7 billion in crypto during all of 2024. They’re on pace to beat that by summer.

Solana’s Ecosystem Absorbs the Shockwave

Twelve Solana protocols reported some level of exposure to the Drift exploit. Most scrambled to reassure users. Jupiter Exchange, Solana’s largest DEX aggregator, confirmed zero exposure – a statement that likely prevented broader contagion. PiggyBank_fi disclosed $106,000 in exposure through delta-neutral strategies and covered users from team funds.

SOL dropped 6% to $79.01 on April 2 – the steepest loss among top-10 cryptocurrencies – dragging its market cap to $45.3 billion. The token now sits 73% below its all-time high of $293.31. But the hack isn’t SOL’s only headwind. Active addresses had already fallen 13% over the past 30 days, and Solana DEX volume slid to $57 billion in March, its lowest in months.

SOL dropped 6% to $79 – the steepest fall among top-10 coins. Source: CoinGecko, tokenecho.io

The DRIFT token itself cratered to roughly $0.05 – a 98% decline from its November 2024 all-time high of $2.60. Market cap shrank to around $30 million. Trading volume, ironically, exploded to $93.6 million as traders either panic-sold or tried to catch what’s left of the knife.

Drift’s team says they’re working with law enforcement and security partners. Some stolen USDC on Ethereum may technically be recoverable. But the bulk of the $285 million? Already scattered across chains, wallets, and mixers – the same laundering infrastructure North Korea has spent years perfecting.

The broader market didn’t help. Bitcoin slipped 1.7% to $67,002 as Trump escalated rhetoric on Iran, pushing total crypto market cap down 2.6% to $2.37 trillion. Over $251 million in long positions were liquidated in 24 hours.

BTC exchange netflow flipped between inflows and outflows amid geopolitical uncertainty. Source: CryptoQuant, tokenecho.io

Drift’s exploit doesn’t just expose one protocol’s security failure. It exposes a systemic gap: admin key management remains DeFi’s weakest link. Not the code. Not the oracles. The humans holding the keys.

If Solana’s DeFi ecosystem proved resilient during the broader market sell-off, this hack tests that resilience from a different angle entirely. And for a network that processes $650B in stablecoins monthly, trust infrastructure matters as much as transaction speed.

Until the industry moves to hardware-backed key management and real-time bridge monitoring, the question isn’t whether the next $285 million exploit will happen. It’s when – and whether Circle will answer the phone this time.

This is not financial advice. DYOR. Data as of April 2, 2026.
