After the exploit, the funds were quickly moved across multiple blockchains to make tracking more difficult. Such attacks are becoming systemic and may impact the entire crypto market.

Drift Protocol hack for $286 million: causes of the attack and fund movements

03.04.2026

Drift Protocol — the largest decentralized futures trading platform on the Solana blockchain — was hit by a major attack on April 1, 2026.

According to estimates, total losses amounted to approximately $286 million. The attackers’ behavior, obfuscation methods, and technical indicators are consistent with patterns seen in previous operations linked to North Korea. GetBlock AML Research presents all currently known details of the attack.

If the involvement of North Korean hackers is confirmed, this would mark the eighteenth such attack linked to the country this year. The total amount stolen would exceed $300 million. In recent years, these groups are estimated to have stolen more than $6.5 billion in cryptocurrency. U.S. authorities believe these funds may be used to finance military programs.

This incident comes amid a broader increase in crypto-related attacks linked to North Korea. Earlier, a supply chain attack involving a third-party software component was also reported, highlighting a systemic approach to compromising infrastructure.

How the Drift Protocol hack happened

Within the first hour, the attacker began withdrawing funds from the system en masse. Nearly all liquidity (i.e., user funds held in the protocol) was drained through multiple vaults.

Preliminary findings suggest the root cause was access to an administrator’s private keys — effectively a “master password” that grants full control over the system. With this access, the attacker was able to manage funds and modify platform settings.

What assets were stolen

The attack targeted three main vaults:

  • JLP Delta Neutral
  • SOL Super Staking
  • BTC Super Staking

The largest transaction involved the withdrawal of approximately 41.7 million JLP tokens, worth around $155 million.

Other assets were also stolen, including USDC, SOL, Bitcoin in various forms, and additional tokens.

Following the attack, the platform’s total value locked (TVL) dropped sharply — from around $550 million to below $250 million. This makes the incident the largest DeFi hack of 2026 and the second-largest in the Solana ecosystem after the Wormhole bridge exploit in 2022.

The Drift team confirmed the attack and stated that deposits and withdrawals were temporarily suspended. They also reported working with external partners to mitigate the impact.

Where the funds were moved

Analysis shows that the attacker’s wallet was created approximately 8 days before the attack. During that time, a test transaction was carried out, indicating premeditation.

Flow of stolen funds from Drift Protocol. Visualization: Elliptic

After the theft, the attacker quickly swapped tokens into more stable assets (USDC) using exchange services. The funds were then bridged to another blockchain (Ethereum), where they were converted into ETH.

This follows a standard pattern: steal → swap → bridge → obfuscate.
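
The indicators described above (a wallet created days before the theft, an earlier test transaction, and the steal → swap → bridge → convert sequence) can be checked mechanically on the monitoring side. The following is an added example, not code from the article, Elliptic or GetBlock; the event schema, thresholds and wallet names are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta
# Assumed thresholds, not from the article; tune them for your own monitoring.
NEW_WALLET = timedelta(days=14)
TEST_TX_MAX_USD = 100
LARGE_OUTFLOW_USD = 1_000_000
# steal -> swap -> bridge -> convert, as (event kind, resulting asset or None)
STAGES = [("withdraw", None), ("swap", "USDC"), ("bridge", None), ("swap", "ETH")]

def indicators(events, wallet):
    """Return the set of indicators one wallet's time-ordered events match."""
    evs = sorted((e for e in events if e["wallet"] == wallet), key=lambda e: e["ts"])
    big = next((e for e in evs if e["kind"] == "withdraw"
                and e["usd"] >= LARGE_OUTFLOW_USD), None)
    found = set()
    if big is None:
        return found
    created = next((e["ts"] for e in evs if e["kind"] == "create"), None)
    if created is not None and big["ts"] - created <= NEW_WALLET:
        found.add("new_wallet")
    if any(e["ts"] < big["ts"] and e["kind"] != "create"
           and e["usd"] <= TEST_TX_MAX_USD for e in evs):
        found.add("test_transaction")
    stage = 0  # walk the stages in order, starting at the large withdrawal
    for e in evs:
        if e["ts"] < big["ts"] or stage == len(STAGES):
            continue
        kind, asset = STAGES[stage]
        if e["kind"] == kind and asset in (None, e["asset"]):
            stage += 1
    if stage == len(STAGES):
        found.add("swap_bridge_convert")
    return found

def ev(day, wallet, kind, asset, usd):
    return {"ts": datetime(2026, 3, 1) + timedelta(days=day), "wallet": wallet,
            "kind": kind, "asset": asset, "usd": usd}
# Constructed sample events (day 0 = 2026-03-01); only the ~$155M JLP figure is from the article.
SAMPLE = [
    ev(23, "WALLET_A", "create", None, 0),
    ev(25, "WALLET_A", "transfer", "SOL", 5),
    ev(31, "WALLET_A", "withdraw", "JLP", 155_000_000),
    ev(31.01, "WALLET_A", "swap", "USDC", 150_000_000),
    ev(31.02, "WALLET_A", "bridge", "USDC", 150_000_000),
    ev(31.03, "WALLET_A", "swap", "ETH", 149_000_000),
    ev(-400, "WALLET_B", "create", None, 0),
    ev(31, "WALLET_B", "withdraw", "SOL", 2_000_000),
    ev(31.5, "WALLET_B", "swap", "USDC", 2_000_000),
]
print({w: sorted(indicators(SAMPLE, w)) for w in ("WALLET_A", "WALLET_B")})
```

WALLET_B shows why the indicators are evaluated together: a long-lived wallet that makes a large withdrawal and swaps to USDC matches none of them on its own.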

Why such attacks are dangerous for the crypto market

The purpose of this attack goes beyond stealing funds — it demonstrates that even large and established platforms can be compromised through critical control points.

The main vulnerability is access to “admin keys.” If such keys are compromised, the attacker gains full control over the system, effectively acting as its owner.

This creates several risks:

  • users cannot be fully confident in the safety of their funds;
  • attacks are becoming more sophisticated and are planned in advance;
  • stolen funds may be used not only for profit but also to finance state-level programs.

Moreover, such incidents undermine trust in the entire crypto industry and can trigger a chain reaction — project failures, user outflows, and increased regulatory pressure.