A massive security breach at the Solana-based decentralized exchange Drift Protocol resulted in the loss of an estimated $285 million on April 1, 2026. The attack, which unfolded over roughly 12 minutes, was not due to a smart-contract bug but to a sophisticated social engineering exploit targeting the protocol's governance and operational security.
According to blockchain intelligence firm TRM Labs, the attackers used a combination of social-engineered multisig approvals, a zero-timelock Security Council migration, and fake CarbonVote Token collateral to drain the protocol's funds. DeFiLlama classified the technique as "Compromised Admin + Fake Token Price Manipulation," highlighting a critical failure in governance structures rather than on-chain logic.
Drift Protocol suspended all deposits and withdrawals upon confirming the attack. TRM Labs' preliminary on-chain analysis indicates that most of the stolen funds were quickly bridged to Ethereum, and the laundering pattern resembles techniques previously associated with North Korean-linked groups, though no law enforcement agency has publicly confirmed this attribution.
The financial fallout was immediate and severe. The DRIFT token plunged 14.3% to $0.0486 with $35.15 million in trading volume. The exploit triggered a Solana-specific selloff, pushing SOL down roughly 4-5% while the broader crypto market remained flat. Drift's total value locked (TVL) collapsed to $232.01 million in the aftermath.
Drift has initiated direct on-chain communication with four Ethereum wallets believed to hold the stolen funds, urging the attackers to establish contact via Blockscan chat to negotiate a potential return. However, the situation was complicated by an unverified message from the ENS name 'readnow.eth,' whose sender claimed to know the attacker's identity and demanded 1,000 ETH to withhold the information.
The impact has rippled across the Solana ecosystem, with reports indicating that at least 20 other protocols were exposed. The DeFi platform Gauntlet recorded estimated losses of approximately $6.4 million. Blockchain security firm Cyvers reported that no funds had been recovered within 48 hours and suggested the attack involved a carefully staged process using durable nonces to pre-sign transactions weeks in advance.