Written by: @Merkle3s Capital
Introduction: On April Fool's Day, some couldn't laugh
On April 1, 2026, at 1:30 PM ET, the on-chain monitoring tool Lookonchain issued an alert. Minutes later, PeckShield confirmed the same set of abnormal data: assets were being drained en masse from the Drift Protocol on the Solana chain.
The Drift team posted a tweet on X.

"This is not an April Fool's joke."
Four hours later, the amount of digital assets flowing out on-chain was frozen at a range that silenced the entire industry: $200 million to $285 million. This is the largest cryptocurrency theft incident in 2026 so far, exceeding the total losses of all previous DeFi attack events that year.
The absurdity of the situation lies in the multiple reports that say the principal used by the attackers to initiate this plunder may have been only $500.
How was this money lost? Where did it go? Who did it? And—why did this happen right when institutional capital was accelerating into DeFi?
1. Four-Hour Timeline: A Precise On-Chain Plunder
The attack did not happen in an instant. It had rhythm, steps, and premeditation.
On-chain data shows that the attackers had created wallets and conducted tests a full week before the attack occurred. This was not an impulsive crime. It was a carefully planned precise strike.
Reconstructing those 4 hours:
1:30 PM ET — Lookonchain and PeckShield simultaneously detected large abnormal outflows from the Drift Protocol. Funds were flowing out from the protocol's treasury.
1:45 PM ET — The Drift team confirmed the abnormality on X and asked users to pause all deposit operations. At the end of the tweet, they added deliberately: "This is not an April Fool's joke."
2:00 PM ET — Drift officially suspended all deposit and withdrawal functions. By this point, a large amount of assets had already flowed out on-chain.
2:17 PM ET — The attackers quickly swapped the assets on the Solana chain through the Jupiter Aggregator. Jupiter is the largest DEX aggregator in the Solana ecosystem, and the attackers chose it because it provides the best instant liquidity.
~3:00 PM ET — The protocol's TVL dropped from about $550 million before the attack to about $280 million. In one hour, it was halved.
Core Insight: The attackers created and tested wallets a week prior. This was not an impulsive act; it was a premeditated precise strike. The attackers knew exactly what they were doing and how to do it.
2. Not a Code Vulnerability, but a Governance Failure
The Drift team has yet to release an official postmortem. However, the founder of SlowMist, Yuxian (evilcos), has so far provided the analysis closest to the truth on X. His conclusion was surprising: this was not a smart contract code vulnerability, but a systemic failure at the multi-signature governance level.

About a week before the attack, Drift conducted a multi-signature migration, switching from an old multi-signature scheme to a new 2/5 multi-signature structure (1 old signer + 4 new signers). The problem was that this migration set a 0-second timelock. This meant that any multi-signature operation could be executed instantly, without any buffer window.
The attacker controlled the old signer (the carry-over signer), most likely through Solana's Durable Nonce mechanism, which let them obtain pre-signed transactions. This is an offline pre-signing technique: attackers phish for valid signatures and then broadcast them for execution at any moment of their choosing. Yuxian described it as "well-prepared, professional, and experienced."
About 5 hours before the attack, the attacker initiated a proposal to transfer admin rights using the old signer. A new signer co-signed almost immediately. The 0-second timelock meant that the transaction took effect instantly. The admin rights were thus "legally" transferred.
Once the admin rights were obtained, the attackers did four things:
Minting fake CVT tokens—creating tokens with no value
Manipulating oracle prices—making the protocol misjudge the value of these fake tokens
Disabling security mechanisms—lifting the risk control circuit breakers of the protocol
Draining liquidity pools—using fake tokens as collateral to withdraw real USDC, wETH, dSOL, JLP, cbBTC from the unified liquidity pool
The funds that were drained ultimately consolidated into about 129,000 ETH, distributed across 4 Ethereum addresses. Yuxian has marked and is tracking these addresses using the SlowMist MistTrack tool.
The fatal flaw of this attack was not the sophistication of the technology but rather its exploitation of the "legitimate" governance process. Multi-signature migration + 0-second timelock + pre-signed phishing = admin rights "legally" transferred to the attacker. The most dangerous enemy in DeFi is not the bugs in the code, but the blind spots in the processes.
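The governance failure described above (a 2/5 multisig with one carry-over signer and a 0-second timelock) can be caught by a configuration check before any funds move. The following checker is an added example for this article, not Drift's code or SlowMist's tooling; the signer labels and the 24-hour minimum-timelock policy are constructed assumptions, and the "hardened" configuration is illustrative.

```python
"""Risk check for a multisig governance configuration (added example).

Models the two weaknesses the Drift analysis points at: a timelock of 0
seconds (no review window) and a quorum that a single inherited signer plus
one co-signer can reach. Signer labels below are constructed placeholders.
"""
from dataclasses import dataclass

MIN_TIMELOCK_SECONDS = 24 * 3600  # assumed policy: at least one day to review

@dataclass
class MultisigConfig:
    threshold: int          # signatures required to execute a proposal
    signers: list           # current signer labels
    carryover: set          # signers inherited from the previous scheme
    timelock_seconds: int   # delay between final approval and execution

def assess(cfg: MultisigConfig) -> list:
    """Return (severity, finding) pairs, most severe issues first."""
    findings = []
    if cfg.timelock_seconds == 0:
        findings.append(("CRITICAL", "timelock is 0s: approved proposals "
                         "execute instantly, leaving no window to review or veto"))
    elif cfg.timelock_seconds < MIN_TIMELOCK_SECONDS:
        findings.append(("HIGH", f"timelock {cfg.timelock_seconds}s is below "
                         f"the {MIN_TIMELOCK_SECONDS}s policy minimum"))
    legacy = len(cfg.carryover & set(cfg.signers))
    fresh_needed = max(cfg.threshold - legacy, 0)  # new-signer approvals to quorum
    if legacy and fresh_needed <= 1:
        findings.append(("CRITICAL", f"{legacy} carry-over signer(s) plus "
                         f"{fresh_needed} new signature reach quorum: one "
                         "compromised legacy key needs only one co-signer"))
    if cfg.threshold * 2 <= len(cfg.signers):
        findings.append(("HIGH", f"threshold {cfg.threshold}/{len(cfg.signers)} "
                         "is not a majority of signers"))
    return findings

def monitor_sees_it_first(cfg: MultisigConfig, monitor_latency_seconds: int) -> bool:
    """True if an alerting pipeline with the given latency fires before execution."""
    return monitor_latency_seconds < cfg.timelock_seconds

# Constructed configurations: the post-migration setup as described, and a hardened one.
DRIFT_LIKE = MultisigConfig(2, ["old1", "new1", "new2", "new3", "new4"], {"old1"}, 0)
HARDENED = MultisigConfig(3, ["new1", "new2", "new3", "new4", "new5"], set(), 48 * 3600)

if __name__ == "__main__":
    for name, cfg in (("drift-like", DRIFT_LIKE), ("hardened", HARDENED)):
        print(name, assess(cfg) or "no findings")
```

Run against the drift-like configuration it reports three findings; the hardened one, where no legacy key survives the migration and execution waits two days, reports none.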
3. Fund Flow: Solana → Jupiter → Ethereum → Mixer
On-chain data clearly outlines the destination of the funds.
The attacker's Solana wallet address is HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES. Arkham Intelligence has marked this address as suspected to be under attacker control. Solscan and SolanaFM are also tracking it synchronously.
The composition of the stolen assets:
Approximately $103 million USDC—the largest single stolen asset, USD stablecoin issued by Circle
Approximately 59,100 SOL and derivatives—including SOL, JitoSOL, and other Solana ecosystem assets
Approximately $12 million WETH—cross-chain wrapped Ethereum
cbBTC / WBTC—approximately $19 million to $30 million worth of wrapped Bitcoin
Other tokens—various assets on the Solana chain
The path of fund transfers is very clear:
Solana chain → Quickly exchanged via Jupiter Aggregator → Bridged to Ethereum → Exchanged for 19,913 ETH (about $42.6 million)
Circle has been notified to monitor the related addresses. Some USDC may be frozen. However, for native assets like SOL, JitoSOL, and ETH, the likelihood of recovery is nearly zero.
The path of fund transfers aligns closely with the common tactics of North Korean (DPRK) hacker organizations: instant on-chain exchange → cross-chain transfer → waiting for mixer processing. This is not a white hat action, nor is it an internal dispute. This is an organized financial plunder.
4. The Security Paradox of DeFi: The Cost of Irreversible Trust
The core selling point of DeFi is irreversibility. No intermediaries, no undo buttons. Once a transaction is on-chain, it is the final outcome.
This is both the cornerstone of trust and the breeding ground for theft.
Drift is one of the most core perpetual contract protocols in the Solana ecosystem. Before the attack, its TVL was about $550 million, with an average daily perpetual trading volume of about $70 million. This scale means it is not a fringe protocol—it is the infrastructure of the entire Solana DeFi ecosystem.
When the infrastructure is compromised, the consequences are not "a certain protocol lost money," but rather "the credibility of the entire ecosystem is shaken."
Another comparison is worth considering: $500 principal, $285 million loss. The leverage multiple is 570,000 times. This number is more extreme than any leverage that DeFi trading protocols can offer.
The DeFi security audit industry has spent years establishing a standardized inspection process. However, attackers do not act according to the audit report's checklist. Audits check "whether the code complies with specifications," but attackers exploit "whether the specifications themselves have blind spots."
DeFi’s security audits are about "compliance," not "safety." Compliance means you have checked according to the rules, while safety means you can fend off attacks that do not follow the rules. The gap between the two is precisely the space where $285 million disappeared.
5. Chain Reaction: Who Pays the Bill?
The impact of the attack is far beyond Drift itself.
Drift Protocol—TVL halved. Deposits and withdrawals paused. Rebuilding trust is not something that can be done in a few weeks. Whether users will return depends on the quality of the postmortem and compensation plans.
Solana Ecosystem—The Phantom wallet has actively blocked Drift. Other DeFi protocols on Solana also face pressure on user trust. When a core protocol is compromised, users will become skeptical about the entire ecosystem.
DRIFT Token holders—The token dropped from about 0.072 to 0.048. The drop was about 30-35%. Prior to this, DRIFT had already fallen about 98% from its historical peak. For the community members still holding, this is yet another severe blow.
Stablecoin Ecosystem—Circle has stated that some of the stolen USDC has been frozen. However, the $285 million moved through Circle's network in 6 hours without triggering any risk control, a point for which influencer ZachXBT directly criticized Circle.

The systemic risk of DeFi is not a single point of failure, but rather the rupture of the trust chain. When a protocol is compromised, the impact is not just its own TVL, but every user's confidence in the question "Can DeFi safeguard my money?"
6. The Timing Tragedy: Institutional Entry Window vs. Security Reality
The timing of this event is unsettling.
Franklin Templeton just established a dedicated cryptocurrency asset management business last quarter. Several mainstream custody institutions are building DeFi integration solutions. Regulatory frameworks have just begun to take shape. Institutional capital has spent years observing, finally transitioning from "let's wait and see" to "let's start laying out plans."
And then Drift got hacked.
This did not happen during a market downturn. This occurred during the window when institutional capital was shifting from observation to action. Every compliance officer evaluating DeFi risk exposure will have written this incident into their reports this morning.
This is not an ordinary security incident. It has put a brake on the institutionalization process of the entire DeFi industry. Not because the technology failed, but because the security narrative was interrupted at a critical juncture.
7. Trend Judgment: DeFi Security Entering "War State"
The largest crypto theft of 2026. Exceeding the total losses of all previous incidents that year.
The fund transfer model suggests that the attackers possess organized resources and national-level operational capabilities. If ultimately confirmed to be related to North Korean hacker organizations, this attack's nature is not merely "hacking for money," but "a systematic strike by a state-level actor on financial infrastructure."
The industry's response direction has three main aspects:
Insurance Mechanism—DeFi insurance is still extremely immature. This incident may accelerate the development of on-chain insurance protocols.
Multi-signature and Permission Upgrades—From 2/3 to higher thresholds. From manual audits to automated permission monitoring.
Oracle Redundancy—Single oracle sources are no longer sufficient. Multi-source aggregation + anomaly detection will become standard configuration.
The Drift incident is not an endpoint; it is a starting point. DeFi security is shifting from "post-event remediation" to "pre-emptive confrontation." This transformation will not be quick, but it is irreversible.
Conclusion: The $500 Lesson
When a principal of supposedly only $500 can leverage $285 million, the issue is not how strong the attacker is, but how thin the defenses are.
The postmortem of Drift will serve as a mirror. It reflects not just Drift's own vulnerabilities but the systemic debt the entire DeFi industry has accumulated in security infrastructure.
Will institutional capital delay entering because of this? The answer to that question does not depend on what Drift does but rather on what the entire industry does in the next 90 days.
If the postmortem is merely a technical report, then trust rebuilding will be slow.
If it becomes a starting point for industry-wide security upgrades, then the $285 million tuition will not be paid in vain.
Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If any article or image published on this page involves infringement, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will verify it.