On April 1, 2026, Drift Protocol, one of SOL's biggest decentralized perpetual futures exchanges, was drained of $285 million in user assets. It was the largest DeFi hack of 2026, second only to the $326M Wormhole exploit in 2022.

How They Did It: This wasn't a code bug. It was pure social engineering — weeks in the making.

March 11: Attackers pulled 10 $ETH from Tornado Cash to fund ops. No red flags yet.

March 11–30: They deployed a fake token, CarbonVote Token (CVT), with almost zero real liquidity. Through wash trading, they pumped it to ~$1, tricking Drift's price oracles into treating it as legitimate high-value collateral. Hundreds of millions in fake value, created from almost nothing.

March 27: The real damage was set up. Attackers socially engineered Drift's Security Council multisig signers into pre-signing hidden "durable nonce" transactions — a $SOL feature that allows delayed execution. These txs quietly contained admin-level authorizations. That same day, a zero-timelock migration dropped the multisig threshold to 2/5, killing any detection window.

April 1 — Execution: Pre-signed transactions went live. CVT was listed as collateral. Withdrawal limits were maxed. Then 31 withdrawals fired in ~12 minutes, hitting every major vault:

JLP Delta Neutral: ~$155M (41.7M $JLP tokens), $SOL Super Staking vault, $BTC Super Staking vault, and the USDC, cbBTC, and $wBTC vaults. Gone. Done. 12 minutes.

DPRK Fingerprints: Both TRM Labs and Elliptic attributed the attack to North Korean hackers — their 18th known crypto incident in 2026 alone, part of a cumulative $6.5B+ theft campaign.

The laundering route was textbook DPRK: ~15 stolen token types were swapped to USDC via SOL DEX aggregators, then bridged to $ETH on Ethereum, converting and dispersing further.

The attacker wallet was created just 8 days before the exploit. Infrastructure, token manipulation tactics, and the social engineering approach all matched prior DPRK operations.

Aftermath: DRIFT token crashed over 40% immediately. Protocol TVL fell from ~$550M to under $250M. Deposits and withdrawals were suspended. Around 20 downstream projects were impacted. No funds recovered. Investigations are ongoing, with blockchain security firms, bridges, and centralized exchanges all coordinating.

The Real Lesson: This had nothing to do with $SOL's security or smart contract vulnerabilities. This was an ops security failure — multisig signers tricked into signing transactions they didn't fully understand, combined with a governance setup that had no timelock protection.
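
A pre-signing check that a multisig signer's tooling could run, as an added example that is not from the original post or from Drift: it parses a serialized Solana transaction message and flags one whose first instruction is the System Program's AdvanceNonceAccount, the marker of a durable-nonce transaction that does not expire with a recent blockhash. The sample messages are constructed and the function names are hypothetical.

```python
import struct

SYSTEM_PROGRAM = bytes(32)  # System Program ID ("1" * 32 in base58) is 32 zero bytes
ADVANCE_NONCE = 4           # SystemInstruction::AdvanceNonceAccount variant index

def compact_u16(buf: bytes, i: int):
    """Decode Solana's compact-u16 length prefix; return (value, next_offset)."""
    val = shift = 0
    while True:
        b = buf[i]
        i += 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, i
        shift += 7

def is_durable_nonce(message: bytes) -> bool:
    """True if the serialized message's first instruction is the System
    Program's AdvanceNonceAccount, which marks a durable-nonce transaction."""
    i = 1 if message[0] & 0x80 else 0   # versioned (v0) messages carry a prefix byte
    i += 3                              # header: signer / read-only counts
    n_keys, i = compact_u16(message, i)
    keys = [message[i + 32 * k: i + 32 * (k + 1)] for k in range(n_keys)]
    i += 32 * n_keys + 32               # skip keys and the blockhash (or nonce) field
    n_ix, i = compact_u16(message, i)
    if n_ix == 0:
        return False
    prog_idx = message[i]               # first instruction: program id index
    n_acc, i = compact_u16(message, i + 1)
    n_data, i = compact_u16(message, i + n_acc)   # skip account indices
    data = message[i:i + n_data]
    return (prog_idx < n_keys and keys[prog_idx] == SYSTEM_PROGRAM
            and len(data) >= 4 and struct.unpack_from("<I", data)[0] == ADVANCE_NONCE)

def sample_message(ix_data: bytes) -> bytes:
    """Constructed legacy message with one System Program instruction."""
    keys = [b"\x01" * 32, b"\x02" * 32, SYSTEM_PROGRAM]  # signer, account, program
    ix = bytes([2, 2, 1, 0, len(ix_data)]) + ix_data     # program idx 2, accounts [1, 0]
    return (bytes([1, 0, 1, len(keys)]) + b"".join(keys)
            + b"\x09" * 32 + bytes([1]) + ix)

if __name__ == "__main__":
    nonce_tx = sample_message(struct.pack("<I", ADVANCE_NONCE))
    transfer_tx = sample_message(struct.pack("<IQ", 2, 1000))  # SystemInstruction::Transfer
    for name, msg in (("nonce", nonce_tx), ("transfer", transfer_tx)):
        print(name, "HOLD: durable nonce, no expiry" if is_durable_nonce(msg) else "ok")
```

A flagged transaction is a reason to stop and decode every remaining instruction before signing, since the signature stays usable until the nonce is advanced.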

Oracle manipulation + social engineering + key compromise = $285M wiped.

In DeFi, the weakest link is almost always the humans behind the keys. $DRIFT learned that the hard way.
