TL;DR

On April 1, 2026, Solana’s Drift Protocol was drained of $285 million (over 50% of its TVL) in a highly coordinated attack likely linked to North Korean (DPRK) actors. Preliminary on-chain indicators are consistent with previously attributed DPRK operations, though formal attribution remains pending.

According to Drift’s post-mortem, which has not yet been independently verified by a completed third-party investigation, attackers spent months building relationships with the Drift team. The attackers then used Solana’s “durable nonces” feature to get Drift Security Council members to unknowingly pre-sign transactions that eventually handed over admin control.

Once in control, the attackers whitelisted a worthless, artificially priced fake token (CVT) as collateral. They deposited 500 million CVT and used it to withdraw $285 million in real assets like USDC, SOL, and ETH.

Because the transactions carried valid admin signatures, standard security controls didn’t flag them. The incident highlights the need for pre-execution evaluation tools, like Hexagate’s GateSigner, which evaluate the intent of transactions to block abnormal activity in real time.
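As an added illustration (not code from Drift, Hexagate or the original post), the Python below shows one check a signer's tooling could run before approving a request: it parses a serialized Solana message and reports whether it is a durable-nonce transaction, which means the signature stays usable until the nonce is advanced rather than expiring with a recent blockhash. The function names, placeholder keys and sample messages are constructed for the example.

```python
import struct

SYSTEM_PROGRAM = bytes(32)  # base58 "111...1" (32 ones) decodes to 32 zero bytes
ADVANCE_NONCE = 4           # SystemInstruction::AdvanceNonceAccount, u32 little-endian

def _compact_u16(buf, i):
    """Decode Solana's compact-u16 length prefix; return (value, next offset)."""
    val = shift = 0
    while True:
        b = buf[i]
        i += 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, i
        shift += 7

def durable_nonce_info(msg):
    """Return (nonce_account, nonce_authority) if the serialized message is a
    durable-nonce transaction (first instruction advances a nonce), else None."""
    i = 1 if msg[0] & 0x80 else 0       # versioned messages carry a 1-byte prefix
    i += 3                              # header: signer and read-only counts
    nkeys, i = _compact_u16(msg, i)
    keys = [msg[i + 32 * k:i + 32 * (k + 1)] for k in range(nkeys)]
    i += 32 * nkeys + 32                # skip keys and the blockhash/nonce field
    ninstr, i = _compact_u16(msg, i)
    if ninstr == 0:
        return None
    prog, i = msg[i], i + 1             # only the first instruction matters here
    nacc, i = _compact_u16(msg, i)
    accts, i = msg[i:i + nacc], i + nacc
    dlen, i = _compact_u16(msg, i)
    data = msg[i:i + dlen]
    if keys[prog] != SYSTEM_PROGRAM or nacc < 3 or len(data) < 4:
        return None
    if struct.unpack("<I", data[:4])[0] != ADVANCE_NONCE:
        return None
    return keys[accts[0]], keys[accts[2]]   # nonce account, nonce authority

def _sample(first_ix):
    """Constructed legacy message: 5 placeholder keys, 2 instructions."""
    keys = [b"\x01" * 32, b"\x02" * 32, b"\x03" * 32, SYSTEM_PROGRAM, b"\x05" * 32]
    other_ix = bytes([4, 1, 0, 1, 0])   # stand-in for an admin instruction
    return (bytes([1, 0, 3, 5]) + b"".join(keys) + b"\xaa" * 32
            + bytes([2]) + first_ix + other_ix)

NONCE_TX = _sample(bytes([3, 3, 1, 2, 0, 4]) + struct.pack("<I", ADVANCE_NONCE))
NORMAL_TX = _sample(bytes([3, 2, 0, 1, 12]) + struct.pack("<IQ", 2, 1000))  # Transfer

if __name__ == "__main__":
    for name, tx in (("nonce", NONCE_TX), ("normal", NORMAL_TX)):
        print(name, "durable nonce" if durable_nonce_info(tx) else "expires with blockhash")
```

A signing policy can use the returned nonce authority to require extra review whenever it is not a key the organization controls.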