On April 1, 2026, attackers drained about $285 million from Drift Protocol on Solana. It was the second-largest exploit in Solana's history, and the post-mortem is the most important security reading of the year, because there was no exploit in the code. It was six months of patient social engineering against the people who held the admin keys. Here is the timeline and the uncomfortable lesson for everyone who builds in this space.
What happened, in order
Drift confirmed the drain on April 1. TVL collapsed from $550 million to under $300 million within an hour. The laundering was faster and more aggressive than even the Bybit laundering of 2025, with each bridging transaction moving hundreds of thousands or millions in USDC.
But the drain on April 1 was the end of the operation, not the beginning. The post-mortem revealed it was a six-month campaign targeting the humans who controlled the admin keys. The attackers, linked to the Lazarus Group, did not find a bug in the Solana programs. They found a path to the keys, and they took six months to walk it.
This is the pattern, not an exception








