A Solana-based perpetual futures exchange lost $286 million in 12 minutes on April 1, 2026, after attackers spent three weeks quietly manufacturing fake collateral and socially engineering the protocol’s signers. The incident has been the most topical discussion in crypto circles over the past few days.
DPRK Lazarus Group Suspected in Drift Protocol $286 Million Solana Theft
Drift Protocol, the largest decentralized perpetual futures exchange on the Solana network, confirmed the exploit after watching its total value locked (TVL) collapse from about $550 million to under $250 million in a single morning, now standing at $232 million. Bitcoin.com News was the first to report on the issue. The DRIFT token dropped as much as 45% in the hours that followed, bottoming near $0.04 to $0.05.
Reports note that the attack began not with a code bug but with a Tornado Cash withdrawal. On March 11, the attacker pulled ETH from the Ethereum-based privacy protocol and used those funds to deploy the carbonvote token, or CVT, on March 12. Blockchain analysts noted the deployment timestamp corresponded to about 09:00 Pyongyang time, a detail that raised immediate flags.
[Image: DRIFT token on April 3, 2026.]
Several reports highlight that over the following three weeks, the attacker seeded minimal liquidity for CVT on the Raydium decentralized exchange and used wash trading to support a price near $1.00. Drift’s oracles read that price as legitimate. The attacker had built fake collateral that looked real to every automated system watching it.
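Why a price-only oracle is not enough for thinly traded collateral, as an added example (not Drift's code and not from the original report): it compares the oracle value of a deposit with what could actually be recovered by selling it. The pool sizes are constructed, and a fee-free constant-product pool is assumed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pool:
    """Constant-product AMM pool (x * y = k); reserves in whole units."""
    token_reserve: float   # collateral token held by the pool
    quote_reserve: float   # USDC held by the pool

    def spot_price(self) -> float:
        return self.quote_reserve / self.token_reserve

    def proceeds_from_selling(self, amount: float) -> float:
        """USDC received for selling `amount` tokens into the pool (fees ignored)."""
        return self.quote_reserve * amount / (self.token_reserve + amount)


def collateral_value(pool: Pool, deposit: float, max_slippage: float = 0.05):
    """Return (oracle_value, liquidation_value, accepted).

    oracle_value is what a price-only oracle reports; liquidation_value is
    what the protocol could recover by selling the whole deposit.
    The deposit is accepted only if the two agree within `max_slippage`.
    """
    oracle_value = pool.spot_price() * deposit
    liquidation_value = pool.proceeds_from_selling(deposit)
    accepted = liquidation_value >= (1 - max_slippage) * oracle_value
    return oracle_value, liquidation_value, accepted


# Constructed numbers: a thin pool held near $1.00 versus a deep one.
THIN_POOL = Pool(token_reserve=50_000, quote_reserve=50_000)
DEEP_POOL = Pool(token_reserve=500_000_000, quote_reserve=500_000_000)

if __name__ == "__main__":
    for name, pool, deposit in [("thin", THIN_POOL, 200_000_000),
                                ("deep", DEEP_POOL, 1_000_000)]:
        oracle, liq, ok = collateral_value(pool, deposit)
        print(f"{name}: oracle=${oracle:,.0f} recoverable=${liq:,.0f} accepted={ok}")
```

Both pools quote the same $1.00 spot price; only the depth check separates them, because the recoverable value can never exceed the quote reserve in the pool.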
“Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers,” the Drift team wrote.
The project’s X account added:
“This was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution.”
Ostensibly, between March 23 and March 30, the Drift attacker moved to the human layer. Using a legitimate Solana feature called durable nonces, the attacker reportedly induced members of Drift’s Security Council multisig to pre-sign transactions that appeared routine. Those signatures became pre-approved access keys, held in reserve until the attacker was ready.
The gap closed on March 27, when Drift migrated its Security Council to a 2-of-5 signature threshold and removed its timelock entirely. A timelock typically forces a 24-to-72-hour delay on administrative actions, giving the community time to catch and reverse anything suspicious. Without it, the attacker had zero-delay execution authority. The pre-signed transactions were live the moment the timelock was gone.
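The effect of the delay on a pre-signed administrative action, as an added toy model (not Drift's or Solana's code): the same 2-signature approval is submitted with and without a timelock, and defenders either notice it before the delay expires or do not. The action and signer names are hypothetical.

```python
from dataclasses import dataclass, field

HOUR = 3600


@dataclass
class Timelock:
    """Toy admin queue: approved actions wait `delay` seconds before running."""
    threshold: int                                # signatures required (M of N)
    delay: int                                    # seconds between queueing and execution
    queue: dict = field(default_factory=dict)     # action -> earliest execution time
    executed: list = field(default_factory=list)

    def submit(self, action: str, signatures: set, now: int) -> None:
        # Signatures may have been collected long before `now` (pre-signed).
        if len(signatures) < self.threshold:
            raise PermissionError("not enough signatures")
        self.queue[action] = now + self.delay

    def cancel(self, action: str) -> bool:
        """Guardian veto; only possible while the action is still queued."""
        return self.queue.pop(action, None) is not None

    def execute(self, action: str, now: int) -> bool:
        eta = self.queue.get(action)
        if eta is None or now < eta:
            return False
        del self.queue[action]
        self.executed.append(action)
        return True


def replay(delay: int, detect_after: int) -> list:
    """Submit a pre-signed action at t=0 and run it at the earliest allowed
    moment; monitoring reacts `detect_after` seconds in. Returns what executed."""
    lock = Timelock(threshold=2, delay=delay)
    action = "list_new_collateral"                # hypothetical action name
    lock.submit(action, {"signer_a", "signer_b"}, now=0)
    if detect_after < delay:                      # queued action is seen in time
        lock.cancel(action)
    lock.execute(action, now=delay)
    return lock.executed


if __name__ == "__main__":
    print("no timelock, detect in 1h :", replay(0, HOUR))
    print("24h timelock, detect in 1h:", replay(24 * HOUR, HOUR))
```

With `delay=0` there is no moment at which a veto can land, however fast detection is; a delay only helps if someone is watching the queue for less time than the delay lasts.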
On April 1, the attacker activated those transactions, listed CVT as valid collateral, raised withdrawal limits, and deposited hundreds of millions in CVT tokens against which Drift’s risk engine issued real assets. The protocol handed over millions in JLP tokens, millions in USDC, millions in SOL, and smaller amounts of wrapped bitcoin and ethereum. Thirty-one withdrawal transactions cleared in about 12 minutes.
The attacker converted the stolen tokens to USDC using Jupiter, bridged to Ethereum, and swapped into tens of thousands of ETH. Some funds were routed through Hyperliquid, and a portion moved directly to Binance. On April 3, Drift sent an onchain message from an Ethereum address to four hacker-controlled wallets. The message read:
“We are ready to talk.”
Security firms Elliptic and TRM Labs have attributed the attack to DPRK-linked threat actors, citing the Tornado Cash origin, the Pyongyang-time deployment signature, the social engineering focus, and the post-hack laundering speed. The Lazarus Group used the same patience and human-targeting approach in the 2022 Ronin bridge hack. The U.S. government has tied these thefts to North Korea’s weapons program funding, and Elliptic has tracked over $300 million stolen in the first quarter of 2026 alone.
The contagion spread to more than 20 protocols. Prime Numbers Fi reported losses in the millions. Carrot Protocol paused mint and redeem functions after 50% of its TVL was affected. Pyra Protocol disabled withdrawals entirely, leaving all user funds inaccessible. Piggybank lost $106,000 and reimbursed users from its own team treasury.
DeFi Development Corp., a Nasdaq-listed company with a Solana treasury strategy, confirmed on April 1 that it had no Drift exposure. Its risk model excluded the protocol entirely. That information drew more attention than the company likely intended.
The Drift incident produced one clear lesson that most of the industry already knew but had not fully applied: a timelock is not optional. The removal of that single safeguard on March 27 converted a complex, multi-week attack into a 12-minute cash-out. Protocol governance without a delay mechanism is governance with an open door.
The next 48 hours following the DeFi attack were described as critical for Drift’s ability to retain user trust and map a recovery path. As of April 3, no comprehensive reimbursement plan had been announced.
FAQ 🔎
- What happened to Drift Protocol? Attackers drained $286 million from Drift Protocol on April 1, 2026, using fake collateral and pre-signed administrative transactions to empty the protocol’s core vaults in 12 minutes.
- Who is responsible for the Drift Protocol hack? Security firms, including Elliptic and TRM Labs, have attributed the attack to DPRK-linked threat actors, citing laundering patterns and onchain timestamps consistent with Lazarus Group tradecraft.
- Is my money safe on Drift Protocol? Drift suspended all deposits and withdrawals following the attack; users in affected protocols like Pyra and Carrot remain unable to access funds as of April 3, 2026.
- What is a durable nonce attack in Solana DeFi? A durable nonce attack uses a legitimate Solana feature to pre-sign transactions that look routine, holding them as live authorization keys until the attacker chooses to execute them.
