On April 1, 2026, Solana’s largest DeFi perpetuals exchange, Drift Protocol, lost $285 million in 12 minutes. The team posted on X to confirm it was real, not an April Fool’s joke. By the time most users saw the warning, the money was gone. TRM Labs and Elliptic have since attributed the attack to North Korea’s Lazarus Group, making it the second state-attributed crypto heist of this scale in just over a year, after the Bybit hack of February 2025.
What makes this Solana DeFi hack worth examining in detail is that it did not work the way most DeFi exploits do. There was no bug in Drift’s smart contracts. No seed phrase was compromised. Two separate security audits, one by Trail of Bits in 2022 and one by ClawSecure in February 2026, had cleared the protocol. The attack worked by exploiting three things that audits rarely catch: trust in price oracles, governance without timelocks, and the willingness of legitimate signers to approve transactions they did not fully understand. Each step enabled the next. The total cost of the setup was approximately $500.
Key figures: $285M stolen, the largest DeFi hack of 2026; 12 minutes of execution after weeks of preparation; $500 total cost to set up the attack.
Step 1: A Fake Token Built Over Three Weeks With $500
The attack began on approximately March 10, 2026, three weeks before the exploit executed. The attacker created a token called CarbonVote Token, or CVT, on Solana. CVT had no underlying value, no protocol, no product. The attacker minted 750 million units and seeded a liquidity pool on the Raydium decentralised exchange with approximately $500 in real capital.
From that point, the attacker began wash trading: buying and selling CVT between their own wallets to simulate organic trading activity. Because on-chain price feeds derive prices from observed trades, with no check of what the asset is or how much of it could actually be sold, the wash trading progressively moved CVT’s oracle-reported price toward $1.00 per token and gave it a history that looked organic. After three weeks of this, on-chain price feeds were reporting CVT as a legitimate asset worth approximately $1 per token. The attacker now held 750 million CVT tokens with an oracle-stated value of roughly $750 million, built at a total cost of $500 in seeded liquidity and backed by a pool that could never have paid out more than the few hundred dollars of real capital in it. (Unchained, April 2, 2026)
How a $500 Token Became $285M in Stolen Assets, Attack Flow
Source: Unchained, TRM Labs, Drift Protocol incident report | @CryptoNewsBytes
- Vector 1, Mar 10-31: fake token (CVT). $500 seeded on Raydium, 750M tokens minted, three weeks of wash trading inflate the oracle price to about $1.00.
- Vector 2, Oct 2025-Mar 2026: social engineering. Six months posing as a quant firm; council members tricked into pre-signing durable nonce transactions.
- Vector 3, Mar 27: governance takeover. Pre-signed transactions executed, multisig reduced to 2/5, timelocks removed, full admin control obtained.
- Apr 1, 2026, 00:00 UTC: execution (12 minutes).
- Apr 1, 2026, 00:12 UTC: laundering.
Step 2: Compromising the Admin Key Through Social Engineering
While the CVT price history was being built, a parallel operation was underway. According to Drift’s post-incident preliminary report, the attacker had spent approximately six months posing as a quantitative trading firm to gain the trust of members of Drift’s security council, the multisig group responsible for approving administrative changes to the protocol. The social engineering campaign involved establishing a credible firm identity, building a relationship over time, and ultimately obtaining pre-signatures on durable nonce transactions.
A durable nonce is a legitimate Solana feature. An ordinary transaction references a recent blockhash and becomes invalid once that blockhash ages out, after about 150 blocks or roughly a minute to a minute and a half, so a signature cannot be collected now and used later. A durable nonce transaction instead references a value stored in an on-chain nonce account and must begin with an instruction that advances that nonce; it stays valid until the nonce is advanced, which can be days or months after signing. The attacker obtained such pre-signed transactions from security council members who believed they were approving routine administrative actions, then held them and executed them at moments of their choosing. The governance change that mattered most was the removal of timelocks from admin functions and the reduction of the multisig threshold from a more distributed structure to 2 of 5 signers. That change landed on March 27, five days before the exploit, and was itself pushed through using pre-signed transactions. Nobody flagged it, because it fell within the governance system’s normal parameters.
The Drift Attack Timeline: Six Months to $285M in 12 Minutes
Source: Drift Protocol preliminary incident report; Unchained technical breakdown; TRM Labs attribution report.
| Date | Action | What it achieved |
|---|---|---|
| Oct 2025 | Social engineering begins | Attacker poses as quant trading firm, builds council trust over months |
| Mar 10, 2026 | CarbonVote Token (CVT) created | $500 seeded on Raydium; wash trading begins to build fake price history |
| Mar 27, 2026 | Multisig changed to 2/5, timelocks removed | Admin threshold reduced using pre-signed durable nonce transactions |
| Mar 31, 2026 | Final pre-signatures obtained | Admin transfer transactions pre-staged and ready for execution |
| Apr 1, 00:00 | Exploit executes | CVT listed as collateral, withdrawal limits raised to 500 trillion, 31 withdrawals in 12 minutes |
| Apr 1, 00:12 | Funds bridged to Ethereum | Stolen assets converted to USDC and SOL, bridged via Circle CCTP to Ethereum |
Step 3: The Execution, 31 Withdrawals, 12 Minutes, $285 Million
With admin control secured and CVT’s oracle price established, the attacker executed the final phase in rapid sequence on April 1. Using the compromised admin key, CVT was listed as a valid collateral market on Drift. Withdrawal limits for USDC and four other major markets were raised to 500 trillion, effectively unlimited, removing the throttles that would normally cap outflows. The attacker then deposited hundreds of millions of CVT tokens as collateral. Because oracles reported CVT at approximately $1.00, the protocol treated this worthless collateral as worth hundreds of millions of dollars in real assets.
Against that inflated collateral position, the attacker executed 31 rapid withdrawals across 12 minutes, draining real assets from Drift’s vaults: approximately 42.7 million JLP tokens worth roughly $159 million, wrapped Bitcoin totalling over $16 million, plus tens of millions in USDC, SOL, Jito and other tokens. Drift’s TVL collapsed from approximately $550 million to under $250 million before the team could respond. The DRIFT token fell more than 38 percent within 24 hours. Once assets were out, the attacker routed them through the Jupiter aggregator to consolidate into USDC and SOL, then bridged the full amount from Solana to Ethereum using Circle’s Cross-Chain Transfer Protocol. ZachXBT publicly criticised Circle for failing to freeze the USDC in transit despite having both the ability and precedent to do so from previous interventions.
What Was Stolen: $285M Breakdown by Asset
Source: PeckShield on-chain forensics, Drift Protocol incident report | @CryptoNewsBytes
| Asset | Amount | Approx. value |
|---|---|---|
| JLP (Jupiter Perps LP token) | ~42.7M tokens | ~$159M |
| USDC + USDT stablecoins | | ~$54M |
| cbBTC + wBTC wrapped Bitcoin | | ~$16M |
| SOL + Jito (JTO) native Solana assets | | ~$36M |
| Other tokens (FARTCOIN, misc.) | | ~$20M |
JLP (the Jupiter Liquidity Provider token) was the primary target, at roughly 56 percent of the total. The laundering path was the one described above: consolidation into USDC and SOL through the Jupiter aggregator, then Circle CCTP from Solana to Ethereum, with no freeze of the USDC in transit.
North Korea Attribution and the Bigger Picture
TRM Labs and Elliptic both attributed the Drift exploit to North Korea’s Lazarus Group within days of the attack. The attribution rests on on-chain behavioural patterns that match documented Lazarus fingerprints: specific wallet clustering, cross-chain bridge selection preferences, and laundering sequencing that mirrors prior DPRK-linked operations. The social engineering approach, posing as a legitimate trading firm to embed trust over months before executing, also matches the Contagious Interview campaign that the FBI documented in 2025 and which preceded the Bybit Safe Wallet compromise.
The pattern is consistent across both attacks. Bybit: six-month supply chain compromise of a Safe Wallet developer leading to a $1.5 billion theft in February 2025. Drift: six-month social engineering campaign targeting security council members leading to $285 million in April 2026. In both cases the blockchain infrastructure worked correctly. The exploit happened entirely in the human and governance layer above it. North Korean cyber units have now stolen over $7 billion in cryptocurrency since 2017, per Chainalysis. The Drift exploit adds meaningfully to that total. For the full context on state-sponsored crypto theft, see our deep-dive on the Bybit hack and DPRK weapons financing.
Largest DeFi and Crypto Exploits: 2025-2026 in Context
Source: Chainalysis, TRM Labs, PeckShield. State-sponsored attribution indicated where confirmed.
| Exploit | Attribution | Amount |
|---|---|---|
| Bybit (Feb 2025) | North Korea confirmed | $1.5B |
| Drift (Apr 1, 2026) | North Korea attributed | $285M |
| Euler Finance (Mar 2023) | not state-attributed | $197M |
| Radiant Capital (Oct 2024) | North Korea confirmed | $50M |
Drift ranks as the second-largest exploit in Solana’s history, behind only the $326 million Wormhole bridge hack in 2022. Both Bybit and the Solana DeFi hack on Drift targeted the governance and human layer, not smart contract code.
What the Drift Hack Means for Every DeFi Protocol
Three structural lessons emerge from the Drift exploit that apply to every DeFi protocol with a similar architecture. The first is timelocks. Admin functions and governance changes should require a mandatory delay between proposal and execution, typically 24 to 72 hours for high-impact changes, and the change that shortens or removes the delay must itself be subject to it. The removal of Drift’s timelock on March 27 was the critical enabler: once it was gone, there was no window in which anyone could detect the pending admin changes and intervene. Timelocks exist precisely to create that reaction window.
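A minimal model of the rule just stated, written as an added example and not Drift's governance program: a timelocked multisig in which the delay and the threshold are admin parameters that take the same queued, delayed path as any other action, so that even two colluding signers holding pre-signed approvals cannot remove the delay in the same step they approve it. The signer names, the 48-hour delay, the 2-of-5 threshold and the "list_collateral" action are constructed for illustration.

```python
"""Timelocked multisig model: the delay and threshold are themselves timelocked.
Added example, not Drift's governance program. Signer names, the 48h delay and the
actions are constructed for illustration; times are integer seconds."""
from dataclasses import dataclass, field

HOUR = 3600


@dataclass
class Proposal:
    action: str
    args: dict
    queued_at: int
    approvals: set = field(default_factory=set)
    cancelled: bool = False
    executed: bool = False


class TimelockedMultisig:
    def __init__(self, signers, threshold, delay):
        if not 1 <= threshold <= len(signers):
            raise ValueError("threshold out of range")
        self.signers, self.threshold, self.delay = set(signers), threshold, delay
        self.listed = []  # collateral mints approved so far

    def _check(self, signer):
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a council signer")

    def propose(self, signer, action, args, now):
        self._check(signer)
        return Proposal(action, args, now, approvals={signer})

    def approve(self, signer, proposal):
        self._check(signer)
        proposal.approvals.add(signer)

    def cancel(self, signer, proposal):
        """Any single signer can veto while the delay runs; that window is the point."""
        self._check(signer)
        proposal.cancelled = True

    def execute(self, proposal, now):
        if proposal.cancelled or proposal.executed:
            return "rejected: cancelled or already executed"
        if len(proposal.approvals & self.signers) < self.threshold:
            return "rejected: below threshold"
        eta = proposal.queued_at + self.delay
        if now < eta:
            return f"rejected: timelocked until t={eta}"
        # Parameter changes take the same path as any other admin action: no bypass.
        if proposal.action == "set_delay":
            self.delay = proposal.args["delay"]
        elif proposal.action == "set_threshold":
            t = proposal.args["threshold"]
            if not 1 <= t <= len(self.signers):
                return "rejected: threshold out of range"
            self.threshold = t
        elif proposal.action == "list_collateral":
            self.listed.append(proposal.args["mint"])
        else:
            return "rejected: unknown action"
        proposal.executed = True
        return "executed"


def scenario(delay):
    """Colluding signers a and b (a 2-of-5, as in the article) try to drop the delay and
    list a worthless mint. Returns (first attempt, late attempt, listing result,
    final delay, listed mints)."""
    ms = TimelockedMultisig(["a", "b", "c", "d", "e"], threshold=2, delay=delay)
    t = 0
    drop = ms.propose("a", "set_delay", {"delay": 0}, t)
    ms.approve("b", drop)
    first_try = ms.execute(drop, t + 60)       # 60 s later: inside the window if delay > 0
    if first_try != "executed":
        ms.cancel("e", drop)                   # a non-colluding signer sees it and vetoes
    late_try = ms.execute(drop, t + delay + 1)
    listing = ms.propose("a", "list_collateral", {"mint": "CVT"}, t + 61)
    ms.approve("b", listing)
    listing_result = ms.execute(listing, t + 62)
    return first_try, late_try, listing_result, ms.delay, ms.listed


if __name__ == "__main__":
    print("with 48h timelock:", scenario(48 * HOUR))
    print("without timelock: ", scenario(0))
```

With the delay in place the "set_delay to 0" proposal is rejected at execution time, signer e cancels it during the window, and the later collateral listing is held back as well; with the delay already at zero (Drift's state after March 27), both the parameter change and the listing execute within a minute of being approved.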
The second is oracle design. Accepting an asset as collateral on the strength of a price feed derived from on-chain trading alone is insufficient. Protocols should require a minimum liquidity depth before an asset can be used as collateral, and cap the collateral credit at what that depth could actually absorb; use time-weighted average prices rather than spot prices; and add circuit breakers that halt activity if collateral values or withdrawals move unusually quickly. One caveat: a TWAP defends against flash manipulation, not against a patient attacker. CVT’s price history was built over three weeks of wash trading, so its time-weighted price was every bit as fake as its spot price. It was the liquidity behind the price that gave the game away: a pool holding $500 cannot back collateral valued at hundreds of millions, and a depth requirement or a withdrawal circuit breaker would have stopped either the listing or the drain.
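The wash-trading mechanism from Step 1 and the depth-aware valuation this paragraph calls for, modelled together as an added example that is not Drift's, Raydium's or the attacker's code. It assumes a constant-product pool seeded with 500 USDC and 500 CVT (so the spot price is $1.00 from the start) with the remaining 749,999,500 CVT held outside the pool, and a 0.25 percent swap fee; all of those numbers are constructed. Round-trip wash trades generate volume and a clean TWAP while the USDC actually obtainable for the attacker's holding never exceeds the pool's quote reserve.

```python
"""Constant-product pool model: mark-to-spot value versus realizable value.
Added example, not Drift/Raydium code. Constructed numbers: 500 USDC + 500 CVT in
the pool (spot $1.00), 749,999,500 CVT held outside it, 0.25% swap fee (assumed)."""
from dataclasses import dataclass

FEE_BPS = 25  # assumed constant-product pool fee, 0.25%


@dataclass
class Pool:
    base: float   # CVT reserve
    quote: float  # USDC reserve


def spot_price(p: Pool) -> float:
    return p.quote / p.base


def _out(reserve_in: float, reserve_out: float, amount_in: float) -> float:
    """x*y=k swap output, fee retained in the input reserve."""
    eff = amount_in * (10_000 - FEE_BPS) / 10_000
    return reserve_out * eff / (reserve_in + eff)


def buy_base(p: Pool, quote_in: float) -> float:
    out = _out(p.quote, p.base, quote_in)
    p.quote += quote_in
    p.base -= out
    return out


def sell_base(p: Pool, base_in: float) -> float:
    out = _out(p.base, p.quote, base_in)
    p.base += base_in
    p.quote -= out
    return out


def proceeds_if_sold(p: Pool, base_amount: float) -> float:
    """USDC actually obtainable for base_amount right now; does not mutate the pool."""
    return _out(p.base, p.quote, base_amount)


def wash_trade(p: Pool, rounds: int, quote_size: float):
    """Attacker buys then sells between own wallets: volume and a price history accrue,
    reserves barely move. Returns (TWAP over every post-trade spot, total volume)."""
    observed, volume = [], 0.0
    for _ in range(rounds):
        got = buy_base(p, quote_size)
        volume += quote_size
        observed.append(spot_price(p))
        back = sell_base(p, got)
        volume += back
        observed.append(spot_price(p))
    return sum(observed) / len(observed), volume


def collateral_value(p: Pool, base_amount: float, min_quote_liquidity: float) -> float:
    """Depth-aware valuation: refuse thin pools outright, otherwise credit no more than
    the position could actually be sold for."""
    if p.quote < min_quote_liquidity:
        return 0.0
    mark = base_amount * spot_price(p)
    return min(mark, proceeds_if_sold(p, base_amount))


def demo() -> dict:
    pool = Pool(base=500.0, quote=500.0)
    held = 750_000_000 - 500                      # minted supply minus what sits in the pool
    twap, volume = wash_trade(pool, rounds=100, quote_size=5.0)
    return {
        "twap": twap,
        "volume_usd": volume,
        "spot": spot_price(pool),
        "mark_to_spot": held * spot_price(pool),
        "realizable": proceeds_if_sold(pool, held),
        "naive_value": collateral_value(pool, held, min_quote_liquidity=0),
        "depth_checked": collateral_value(pool, held, min_quote_liquidity=1_000_000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>14}: {value:,.4f}")
```

After 100 wash-trade round trips the TWAP sits within a couple of percent of $1.00 and roughly a thousand dollars of "volume" has been printed, yet selling the full holding into the pool returns about $500: the TWAP passes, the mark-to-spot value is three quarters of a billion dollars, and only the depth check (or crediting the position at its realizable value) refuses it.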
The third is multisig hygiene. The social engineering campaign worked because security council members signed transactions they did not fully verify. Every signer should independently verify the full content of any transaction before signing, not just the summary presented in a UI, using raw transaction inspection tools or hardware devices with clear signing capabilities. This is the same lesson from the Bybit exploit, where signers approved a malicious transaction that looked legitimate on screen. The attack surface in both cases was the gap between what a screen shows and what a transaction actually does. For related security coverage, see our analysis of the DAO governance attack model and the cyber insurance implications for DeFi protocols.
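What "raw transaction inspection" means in practice for the durable nonce mechanism described in Step 2 and the signing hygiene called for here, as an added example that is neither Drift's tooling nor Solana Labs code: a decoder for the Solana legacy transaction message wire format that flags whether a message can be held indefinitely, i.e. whether its first instruction is the System Program's AdvanceNonceAccount. The message bytes are constructed inline with placeholder 32-byte keys (a council signer, a nonce account, a stand-in for the recent-blockhashes sysvar and a hypothetical admin program, none of them real addresses); only the System Program id (32 zero bytes) and the AdvanceNonceAccount discriminator (u32 little-endian 4) are real protocol constants.

```python
"""Decode a Solana legacy transaction message and flag durable-nonce use.
Added example, not Drift or Solana Labs tooling. Keys below are constructed
placeholders; SYSTEM_PROGRAM and ADVANCE_NONCE_ACCOUNT are real protocol constants."""

SYSTEM_PROGRAM = bytes(32)                         # base58 "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = (4).to_bytes(4, "little")  # SystemInstruction variant 4, bincode u32


def read_compact_u16(buf: bytes, pos: int):
    """Solana compact-u16: up to 3 bytes, 7 payload bits each, high bit = more follows."""
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 14:
            raise ValueError("malformed compact-u16")


def parse_legacy_message(buf: bytes) -> dict:
    """Header, account keys, the 32-byte 'recent blockhash' slot, then instructions."""
    if buf[0] & 0x80:
        raise ValueError("versioned (v0) message; this parser handles legacy only")
    num_signers = buf[0]
    pos = 3  # skip num_required_signatures, num_readonly_signed, num_readonly_unsigned
    n_keys, pos = read_compact_u16(buf, pos)
    keys = [buf[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash_slot, pos = buf[pos:pos + 32], pos + 32
    n_ix, pos = read_compact_u16(buf, pos)
    instructions = []
    for _ in range(n_ix):
        program = keys[buf[pos]]
        pos += 1
        n_acc, pos = read_compact_u16(buf, pos)
        accounts = [keys[i] for i in buf[pos:pos + n_acc]]
        pos += n_acc
        n_data, pos = read_compact_u16(buf, pos)
        data, pos = buf[pos:pos + n_data], pos + n_data
        instructions.append({"program": program, "accounts": accounts, "data": data})
    if pos != len(buf):
        raise ValueError("trailing bytes after message")
    return {"signers": keys[:num_signers], "blockhash_slot": blockhash_slot,
            "instructions": instructions}


def uses_durable_nonce(msg: dict) -> bool:
    """A durable-nonce transaction must begin with SystemProgram::AdvanceNonceAccount; the
    blockhash slot then holds the stored nonce, so the signature never ages out on its own."""
    if not msg["instructions"]:
        return False
    first = msg["instructions"][0]
    return first["program"] == SYSTEM_PROGRAM and first["data"] == ADVANCE_NONCE_ACCOUNT


def build_message(keys, header, blockhash_slot, instructions) -> bytes:
    """Encode a legacy message (all counts < 128, so every compact-u16 is one byte)."""
    out = bytes(header) + bytes([len(keys)]) + b"".join(keys) + blockhash_slot
    out += bytes([len(instructions)])
    for program_idx, account_idxs, data in instructions:
        out += bytes([program_idx, len(account_idxs)]) + bytes(account_idxs)
        out += bytes([len(data)]) + data
    return out


# Constructed keys: council signer, nonce account, stand-in for the recent-blockhashes
# sysvar, and a hypothetical admin program (not a real Drift program id).
SIGNER, NONCE_ACCOUNT, SYSVAR_STANDIN, ADMIN_PROGRAM = (bytes([i]) * 32 for i in (1, 2, 3, 4))
KEYS = [SIGNER, NONCE_ACCOUNT, SYSVAR_STANDIN, SYSTEM_PROGRAM, ADMIN_PROGRAM]
HEADER = (1, 0, 3)                  # 1 signer; 3 read-only unsigned keys (sysvar, system, admin)
STORED_NONCE = bytes([0xAB]) * 32   # copied from the nonce account, not a recent blockhash

DURABLE_MSG = build_message(KEYS, HEADER, STORED_NONCE, [
    (3, [1, 2, 0], ADVANCE_NONCE_ACCOUNT),  # nonce account, sysvar, nonce authority (signer)
    (4, [0], bytes([7])),                   # hypothetical admin instruction, discriminator 7
])
ORDINARY_MSG = build_message(KEYS, HEADER, bytes([0xCD]) * 32, [(4, [0], bytes([7]))])


def inspect_message(buf: bytes) -> dict:
    """What a signer should see before approving: can it be held, and which programs run."""
    msg = parse_legacy_message(buf)
    return {"durable_nonce": uses_durable_nonce(msg),
            "programs": [ix["program"].hex() for ix in msg["instructions"]],
            "signer_count": len(msg["signers"])}


if __name__ == "__main__":
    print("pre-signable message:", inspect_message(DURABLE_MSG))
    print("ordinary message:    ", inspect_message(ORDINARY_MSG))
```

A wallet UI that shows only "Admin action, 1 signature" renders both messages identically; the decoder makes the difference visible. A message that starts with AdvanceNonceAccount is one the counterparty can keep and submit whenever they like, which is exactly what a signer on a security council should refuse to sign for any non-routine instruction. Versioned (v0) messages carry address lookup tables and need a separate decoder, which is why the parser rejects them rather than guessing.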
Related Security Coverage on CryptoNewsBytes
- The defining state-sponsored crypto theft before Drift. Same attacker profile, same social engineering methodology, different target architecture. The Bybit analysis explains why the $7 billion DPRK total matters for every DeFi protocol.
- Governance is the attack surface in 2026. The Drift hack used social engineering to compromise governance. Flash loan governance attacks use economics to do the same thing. Two different vectors, one shared lesson.
- Whether a $285 million social engineering exploit is covered by a DeFi protocol’s insurance depends entirely on policy language. Most policies exclude governance failures. This analysis explains why.
- Oracle manipulation and MEV attacks are related threats; both exploit the gap between what a transaction appears to do and what it actually does. The full DeFi attack surface in 2026.
- Hyperliquid’s 70 percent market share in DeFi perps exists partly because it built its own L1 with full control over the execution layer, specifically to avoid the third-party oracle and governance dependencies that Drift relied on. The security contrast matters.
Primary sources: Unchained technical breakdown, April 2, 2026 | TRM Labs attribution report, April 4, 2026 | PeckShield on-chain forensics | Drift Protocol official incident statement | Arkham Intelligence on-chain data. Published April 6, 2026. This article is for informational purposes only.

