On April 1, the DeFi platform Drift Protocol on Solana was hacked. The attacker drained at least $280m.
We are observing unusual activity on the protocol. We are currently investigating. Please do not deposit funds into the protocol while we investigate. This is not an April Fools joke. Proceed with caution until further notice. We’ll provide additional updates from this account.
— Drift (@DriftProtocol) April 1, 2026
“We are observing unusual activity and are currently investigating. Please do not deposit any funds into the platform. This is not an April Fools joke. Proceed with caution until further notice,” the team wrote.
Timeline
According to the developers, the hacker prepared the operation for several days. As early as March 23, they created four wallets with a delayed-transaction mechanism (durable nonces). Two were associated with members of Drift’s Security Council, and two were under the attacker’s control.
Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers.
This was a highly sophisticated operation that appears to have involved…
— Drift (@DriftProtocol) April 2, 2026
At least two of five signers approved transfers from these wallets. The developers suggested the attacker used sophisticated social-engineering techniques.
A few days later, the project conducted a scheduled rotation of the Council. In response, on March 30 the hacker created a new wallet for the updated multisig.
The attack took place on April 1. First, the Drift team carried out a legitimate test withdrawal from the insurance fund. About a minute later, the attacker activated two pre-signed transactions. One created and approved a malicious transfer of powers; the second executed it.
Aftermath
The attack affected all deposit types—lending, trading and vaults. DSOL tokens outside the Drift ecosystem and the Insurance Fund’s assets were untouched. For safety, the protocol froze remaining functions, updated the multisig and removed the compromised wallet.
The project is currently working with cybersecurity specialists, cross-chain bridges, exchanges and law enforcement to trace and block the stolen funds.
Among the stolen assets were wrapped versions of bitcoin, Jito tokens, the memecoin Fartcoin, other altcoins, as well as stablecoins pegged to the US dollar, euro and Japanese yen. After the theft the hacker distributed the funds across several wallets.
Assets stolen in dollars:
$5.3M USDS
$60.4M USDC
$5.65M USDT
$430K JUP
$540K USDY
$590K ZBTC
$680K EURC
$1M BSOL
$2.5M INF
$2M MSOL
$3.3M SYRUPUSDC
$4.1M FARTCOIN
$4.4M WBTC
$3.6M JITOSOL
$4.7M WETH
$4.5M DSOL
$11.3M CBBTC
$155.6M JPL— Vladimir S. | Officer’s Notes (@officer_secret) April 1, 2026
Following the incident, the protocol’s native coin DRIFT fell by almost 37%—from $0.07 to $0.04. Market capitalisation almost halved—from $41m to $25m.
TVL for Drift remains around $245m.
Users doubt the project’s prospects for recovery after the hack. The statistics hint at the same: major attacks are considered a “death sentence” for 80% of protocols. The Drift incident will rank among the industry’s largest.
I think Drift just… dies here?
ByBit was able to get a billion dollar loan immediately after their hack because their yearly revenue numbers justified it
Drift doesn’t make nearly enough money for a company/bank to comfortably underwrite a loan to fill the hole here.
rip :/ pic.twitter.com/RsKoGYRZlU
— Eddie (@DancingEddie_) April 1, 2026
“I think Drift just… dies here? Bybit was able to get a billion-dollar loan immediately after the hack because their yearly revenue justified such sums. Drift doesn’t make enough for any company or bank to comfortably issue a loan to plug a hole like this,” wrote a community member under the nickname Eddie.
Backlash against Circle
Participants in the crypto industry criticised the company behind USDC, Circle, for a slow response to the Drift hack. Delphi Digital co-founder Tommy Shaughnessy said the issuer did not promptly freeze funds linked to the attack.
Circle not freezing the USDC is hilarious because we know it’s centralized but they’re like nah, we’ll let the money freely flow to North Korea
I like USDC since it’s a programmable stablecoin for all of DeFi and enables innovation
But we can freeze the money flowing to NK
— Tommy (@Shaughnessy119) April 2, 2026
“Circle not freezing USDC looks absurd. Everyone knows the stablecoin is centralised, but the company seems not to impede the free flow of funds—even to North Korea,” he wrote.
On-chain sleuth ZachXBT voiced a similar view. He stressed that the hacker moved hundreds of millions of dollars from Solana to Ethereum during US business hours and Circle did nothing to stop it.
Circle was asleep while many millions of USDC was swapped via CCTP from Solana to Ethereum for hours from the 9 figure Drift hack during US hours.
Value was moved and nothing was done yet again.
Comes days after you froze 16+ business hot wallets incompetently which is still… pic.twitter.com/T0Xwg1HIfO
— ZachXBT (@zachxbt) April 2, 2026
At the time of writing, the company had still taken no action.
In late March, ZachXBT accused Circle of mistakenly freezing 16 wallets.