#DriftProtocolHacked Drift Protocol $285 Million Lock – What Happened and What Should You Do?

Dear friends,
On April 1, 2026, a major attack occurred on the Solana blockchain. The DeFi platform named Drift Protocol had assets stolen worth $285 2.85 billion dollars(.
This is the largest DeFi hack of 2026 and the second-largest attack in Solana’s history.
Let’s explore the details – what happened, how it happened, and what you should do now.
What happened? )What Happened?(
When did it happen? April 1, 2026 )April Fool’s Day( – Drift confirmed clearly that this was not a joke.
How much damage? Approximately )12.9 million ETH$285 worth.
What was stolen?
· JLP tokens – (Million)
· USDC – $155 Million+$51
· SOL – thousands of SOL
· cbBTC, wBTC, WETH, and several other meme coins
What happened to Drift Protocol?
· TVL (Total Value Locked) decreased from $550 Million$300 to below (Million)
· DRIFT tokens dropped over 50% – from $0.07 to $0.037
· Deposits and withdrawals were temporarily halted
How did the attack happen? (Attack Method – Step-by-step Details)
This was not a simple smart contract hack. It was an extremely sophisticated attack planned over several weeks.
Step 1: Create Fake Token (CVT)
The hacker created a fake token called "CarbonVote Token" (CVT). A total of 750 million units of this token were minted.
Step 2: Manipulate the price
The hacker provided liquidity only on Raydium and performed "wash trading" to make CVT’s price appear to be rising near the fake price. Oracles trusted this fake price.
Step 3: Gain admin access
Most importantly,
Drift’s configuration was weak from the start:
· One week prior, Drift changed its multisig wallet
· New setup: 2/5 multisig – only 2 approvals needed to sign
· No timelock – no delay, 0 seconds
· Among the 5 signers, only 1 was an original member, the other 4 were new
The hacker managed to compromise two of the signers – possibly through leaked private keys, social engineering, or insider cooperation.
Step 4: Remove withdrawal limits
After gaining admin rights, the hacker raised withdrawal limits to an extremely high level. No limits remained.
Step 5: Send fake collateral
The hacker deposited 750 million CVT tokens at fake value – approximately $500 Million$1 Drift assets as collateral.
Step 6: Withdraw real assets
Using this fake collateral, the hacker executed 31 quick withdrawals – pulling out real assets like USDC, SOL, JLP, etc., within 12 minutes.
Step 7: Transfer the funds
The stolen assets were transferred by the hacker:
· First to USDC and SOL
· Then via the (CCTP) bridge on the Ethereum blockchain to transfer further
· Finally, purchased ETH – totaling around 129,000 ETH
Who was affected? (Who Was Affected?)
Platform/protocol status:
Jupiter Exchange Safe – JLP pool fully insured, platform unaffected
Meteora Safe – no interaction with Drift
Perena Safe – USD* products unaffected
PiggyBank_fi (exposure$750 – compensated by group funds
Ranger Finance RGUSD paused – over $900k) exposure(
Reflect Money USDC+/USDT+ paused – insured
And more – Unitas Protocol is also safe.
What are the big questions? )The Big Questions(
Q1: Was this an external or internal hack? )Inside Job(?
There is strong suspicion within the community of an "inside job." Why?
1. Timing of suspicion – just a week before, the multisig wallet was changed
2. Too easy for an external hacker – admin access shouldn’t be that easy
3. The team’s reaction was very normal – too calm in the face of major damage
4. Funds were fully transferred out – moved to ETH, no risk of being locked on CEX
However, note that the rumor "team members resigned a month ago" is just on Twitter – no official confirmation yet.
Q2: Will the funds be recovered?
Unlikely. The funds have been transferred to ETH and dispersed across multiple wallets. Circle )USDC issuer$106k is accused of not locking funds.
ZachXBT (famous on-chain investigator) wrote:
“The stolen USDC millions were bridged while Circle remained stationary.”
Q3: Is North Korea involved?
Elliptic and some security firms suggest North Korean hackers (Lazarus Group) may be responsible. If true, recovery of funds is nearly impossible.
Quick summary table
Factor Details
Funds lost (Million) 2.85 billion dollars
Date April 1, 2026
Blockchain Solana (transferred to Ethereum)
Type of attack Admin takeover + Oracle manipulation
Main targets JLP, USDC, SOL, cbBTC
Token DRIFT price drop Over 50% (0.07 to 0.037)
Current status Deposit/withdrawal halted, under investigation
What should you do? $285 Action Plan for You(
If you are a Drift user:
1. Revoke all approvals from Drift
2. Follow official Drift channels for updates
3. Do not make new transactions until clear communication is provided
If you are a general crypto user:
1. Check your funds – on any protocol linked with Drift
2. Reduce leverage – markets are highly volatile
3. Follow news – this incident is a turning point in DeFi security
If you are a trader:
· Expect short-term volatility in DRIFT tokens
· Negative sentiment in the Solana ecosystem – be cautious
· Do not "buy the dip" until the investigation concludes
Final words )Final Word(
This hack serves as a warning to the DeFi industry:
"Access security > Source code security"
Meaning – no matter how strong your code is, if admin keys are compromised, everything ends. Multisig, timelocks, and proper signing practices are mandatory and non-negotiable.
The future of Drift Protocol remains uncertain. If funds are not recovered, it could lead to bankruptcy, lawsuits, or closure.
What do you think now?
Do you believe this was an external or internal hack?
And have you ever held funds on DeFi protocols?
Share your comments!
Like!
Share!