Drift Protocol Hack — April 1, 2026 Post-Mortem (Aggregated)
Overview
On April 1, 2026, Solana's Drift Protocol was drained of approximately USD 285 million in user assets (over 50% of its TVL) in roughly 12 minutes, in a highly coordinated attack likely linked to North Korean (DPRK) actors. Most of the stolen funds were bridged to Ethereum within hours.
Attack Method
Social Engineering & Durable Nonces
The attackers spent months posing as a quantitative trading firm to build trust with Drift contributors, then exploited Solana's "durable nonces" system — a feature allowing transactions to be signed for later execution — to trick legitimate Security Council members into blindly pre-signing dormant transactions.
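Added example (not from the original post-mortem or from Drift's code): a check a signer could run before approving a serialized Solana message, reporting whether it is a durable-nonce transaction by testing whether its first instruction is the System Program's AdvanceNonceAccount. The function names and the sample messages are constructed for illustration.

```python
import struct

SYSTEM_PROGRAM = bytes(32)  # base58 "111...1" (32 ones) decodes to 32 zero bytes
ADVANCE_NONCE = 4           # SystemInstruction::AdvanceNonceAccount discriminant (u32 LE)

def _shortvec(buf, pos):
    """Decode a compact-u16 length prefix; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def uses_durable_nonce(message: bytes) -> bool:
    """True if instruction 0 is System Program AdvanceNonceAccount, which is
    how the runtime recognises a durable-nonce (non-expiring) transaction."""
    pos = 1 if message[0] & 0x80 else 0   # versioned messages carry a prefix byte
    pos += 3                              # header: three signer/read-only counts
    n_keys, pos = _shortvec(message, pos)
    keys = [message[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys + 32               # skip keys and the recent_blockhash slot
    n_ix, pos = _shortvec(message, pos)
    if n_ix == 0:
        return False
    program = keys[message[pos]]
    n_acc, pos = _shortvec(message, pos + 1)
    n_data, pos = _shortvec(message, pos + n_acc)
    data = message[pos:pos + n_data]
    return (program == SYSTEM_PROGRAM and len(data) >= 4
            and struct.unpack_from("<I", data)[0] == ADVANCE_NONCE)

def build_demo_message(instructions):
    """Constructed legacy message: three dummy keys, keys[3] = System Program."""
    keys = [bytes([i + 1]) * 32 for i in range(3)] + [SYSTEM_PROGRAM]
    msg = bytes([1, 0, 1, 4]) + b"".join(keys) + b"\xaa" * 32
    msg += bytes([len(instructions)])
    for prog_idx, accounts, data in instructions:
        msg += bytes([prog_idx, len(accounts), *accounts, len(data)]) + data
    return msg

TRANSFER = (3, [0, 1], struct.pack("<IQ", 2, 1000))    # System Transfer
ADVANCE = (3, [1, 2, 0], struct.pack("<I", ADVANCE_NONCE))
NONCED = build_demo_message([ADVANCE, TRANSFER])       # signable now, lands any time later
PLAIN = build_demo_message([TRANSFER])                 # expires with its blockhash
```

A signing policy could require a separate, explicit review for any message where `uses_durable_nonce` returns True, since such a transaction stays valid until its nonce account is advanced.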
Fake Token Collateral
• CVT (CarbonVote Token) was a fake asset created by the attackers on March 12, 2026, with a total supply of 750 million tokens.
• They seeded a small Raydium liquidity pool and wash-traded CVT to anchor its price at ~$1.
• They also deployed a price oracle they controlled to feed that artificial price to Drift.
Attribution
Blockchain analytics firms Elliptic and TRM Labs independently attributed the attack to North Korean hackers linked to the Lazarus Group.
Impact & Response
• Multiple protocols with exposure to Drift liquidity or strategies paused operations or assessed losses.
• A dozen Solana protocols were affected by the Drift protocol hack.
• Assets were consolidated and swapped into USDC and SOL, then partially bridged to Ethereum using Circle's Cross-Chain Transfer Protocol (CCTP).