A massive exploit targeting Drift Protocol has resulted in over $285 million in stolen assets, marking the biggest crypto hack of 2026 so far.
Quick Summary – TLDR:
- $285M to $286M stolen from Drift Protocol in a highly coordinated attack.
- Attack linked to North Korean threat actors, based on multiple forensic indicators.
- Hack executed in seconds using fake tokens, admin key compromise, and pre signed transactions.
- Funds rapidly laundered across Solana and Ethereum, complicating recovery efforts.
What Happened?
Drift Protocol, a major decentralized exchange on Solana, was hit by a fast moving exploit on April 1, 2026. Within minutes, attackers drained hundreds of millions in crypto assets after gaining privileged access to the system. The protocol quickly paused deposits and withdrawals as investigations began.
Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers.
— Drift (@DriftProtocol) April 2, 2026
This was a highly sophisticated operation that appears to have involved…
How the Attack Was Carefully Planned?
Security researchers say this was not a random breach but a deeply planned and staged operation. Evidence shows the attackers began preparing at least eight days before the exploit.
They created a fresh wallet and ran small test transactions to ensure it could handle multiple token types. At the same time, they built infrastructure to execute the attack with precision.
The attackers used a durable nonce mechanism to pre-sign transactions on the blockchain. This allowed them to execute multiple actions instantly without delays. Once the attack began, everything unfolded in seconds.
Admin Key Compromise Opened the Door
The turning point came when attackers gained control of a critical admin key tied to Drift Protocol.
Reports suggest the protocol’s multisignature setup allowed changes with just two approvals out of five. This weakness enabled attackers to quickly transfer control and modify key system parameters.
Within hours, they had full administrative access. That access allowed them to:
- Disable safety protections like withdrawal circuit breakers.
- Modify system settings without delay.
- Create new markets and manipulate internal controls.
Fake Token Strategy Enabled Massive Drain
One of the most striking aspects of the attack was the use of a fake token called CarbonVote Token or CVT.
The attackers minted hundreds of millions of CVT tokens weeks in advance. They then created a fake market inside Drift and used manipulated oracle pricing to inflate the token’s value artificially.
Key steps included:
- Assigning CVT the highest collateral tier.
- Setting fake price feeds to boost valuation into hundreds of millions.
- Removing penalties for large deposits.
Within seconds of depositing CVT, the attackers gained massive borrowing power and drained real assets from multiple vaults.
Vaults impacted included:
- JLP Delta Neutral vault
- SOL Super Staking vault
- BTC Super Staking vault
The largest single transfer alone involved about $155 million worth of JLP tokens.
Funds Drained and Rapidly Laundered
Once the vaults were emptied, the attackers moved quickly to hide their tracks.
They swapped assets into stablecoins and then bridged funds to Ethereum. From there, funds were converted into ETH and spread across thousands of wallets.
Investigators observed:
- Over 57,000 wallet addresses used.
- Around 860,000 transactions in just 34 hours.
- Automated bots executing hundreds of transactions per minute.
According to Elliptic, the laundering patterns strongly match previous operations linked to North Korea.
Impact Across the Crypto Ecosystem
The fallout was immediate and widespread.
Drift’s total value locked dropped from roughly $550 million to under $250 million within hours. Its native token also saw a sharp decline, losing over 40 percent of its value during the incident.
Several connected platforms took emergency actions:
- Some paused deposits and withdrawals.
- Others assessed exposure or reimbursed users.
- Risk management systems were activated across the ecosystem.
Despite the chaos, certain liquidity pools remained stable, helping limit broader damage.
Growing Concerns Over State Backed Crypto Attacks
If confirmed, this attack would be one of many linked to North Korean actors this year alone. Analysts estimate such groups have stolen over $6.5 billion in crypto assets in recent years.
These operations are often tied to funding state programs, making them a major concern for global regulators and security firms.
The Drift incident highlights how attackers are evolving, combining technical exploits, economic manipulation, and cross-chain laundering into a single operation.
SQ Magazine’s Takeaway
I think this attack is a wake up call for the entire DeFi space. This was not just a hack, it was a masterclass in exploiting weak governance, poor key management, and oracle manipulation all at once. If protocols continue to prioritize speed over security, we will keep seeing incidents like this. The level of precision here shows that attackers are getting smarter faster than the defenses being built.