Drift April Fools' Day theft exceeds $280 million: hacker intrusion or inside job?

Shaw, Golden Finance

On April 2, a security incident occurred on the derivatives trading platform Drift Protocol; on-chain data shows losses exceeding $285 million. The project team said it has identified abnormal activity and is investigating. It urged users not to deposit funds into the protocol for the time being, and emphasized, “This is not an April Fools’ joke.”

The attack involved multiple liquidity pools, including JLP Delta Neutral, SOL Super Staking, BTC Super Staking, and more. A single transfer of about 41.7 million JLP tokens was worth approximately $155 million. In addition, assets such as SOL, USDC, cbBTC, and wBTC were also withdrawn.

According to statistics, this incident may become one of the largest DeFi attacks in the Solana ecosystem after the Wormhole bridge exploit.

I. Latest developments in the Drift Protocol being attacked

On April 1, 2026, Eastern Time, the Solana-based decentralized derivatives protocol Drift Protocol suffered a major hacker attack. About $285 million in assets was stolen. The primary stolen assets were about 41.7 million JLP tokens, worth $155.6 million, along with various assets including USDC, SOL, cbBTC, and wBTC. The theft became the second-largest attack in Solana’s history and the largest in terms of scale among DeFi attacks.

Drift Protocol’s official account later posted on a social platform to confirm: “Drift Protocol is under attack. The deposit and withdrawal functions have been paused. We are working with multiple security organizations, cross-chain bridges, and exchanges to control the situation with full force. This is not an April Fools’ joke. More information will be released through this account as soon as possible.”

The attack began in the early hours of April 2. On-chain monitoring platform PeckShield issued an alert: the Drift main vault address started sending large transfers to a newly created wallet, HkGz4K. The first assets sent out were mainly JLP (Jito Liquidity Provider) tokens, worth about $155 million; then followed USDC, SOL, cbBTC, wBTC, WETH, and some meme coins. PeckShield data shows that within a short time, a total of $285 million worth of assets flowed out.

According to Yan Jin monitoring, the $285 million stolen assets from Drift have already been swapped into 129,000 ETH (2.78 billion USD). Over the past few hours, the hackers sold these assets through multiple methods and bridged them to the Ethereum chain, and then bought ETH on the Ethereum chain. Now, the $285 million worth of assets stolen on Solana has already been used to buy 129,066 ETH on the Ethereum chain.

In addition, the SlowMist security team said in a social media post that, at present, the stolen funds have basically been consolidated to the following Ethereum addresses: 0x0fe3b6908318b1f630daa5b31b49a15fc5f6b674, 0xd3feed5da83d8e8c449d6cb96ff1eb06ed1cf6c7, and 0xaa843ed65c1f061f111b5289169731351c5e57c1, for a total of 105,969 ETH (approximately $226 million).

[Image: hacker address cluster]

II. Interpretation of the Drift Protocol attack—did the project team “rob its own house”?

This attack was a carefully planned combination of authorization intrusion and price manipulation. At its core, after stealing administrator privileges, the hacker forged tokens and manipulated oracles to instantly break through the fund limits and loot the protocol’s treasury. By obtaining the administrator private key, the hacker disabled the protocol’s core risk controls (withdrawal limits), then used fake collateral to batch-withdraw from the fund pool, and completed money laundering by transferring assets across chains.

SlowMist founder Yu Xian published an analysis of the Drift theft, pointing out that one week before the attack, Drift changed its multisig mechanism to “2/5” (1 old signer + 4 new signers) and did not set a timelock. After that, the attacker obtained administrator privileges, forged CVT tokens, manipulated the oracle, shut down security mechanisms, and transferred high-value assets out of the fund pool.

Chaos Labs co-founder Omer Goldberg also posted on social media, saying that a week ago, Drift migrated to a new multisig wallet created by one of the signers from the original multisig. However, this signer did not add themselves to the new signer list. The attacker also initiated a proposal in the old multisig to transfer administrator privileges to this new wallet. The new multisig has 5 signers in total: only 1 comes from the original team, and the other 4 are all entirely new addresses. This wallet is set with a 2/5 multisig threshold and has no timelock (0-second delay). About 5 hours ago, this sole original signer initiated a proposal via the new multisig to change the Drift administrator privileges. A new signer co-signed within one second, instantly satisfying the 2/5 threshold. Because there was no timelock, the transaction executed immediately.
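The configuration properties both analyses single out (2/5 threshold, 0-second timelock, a mostly new signer set, a co-signature within one second) can be checked mechanically before an admin-authority migration is accepted. The following is an added example, not code from Drift, SlowMist or Chaos Labs; the `MultisigConfig` model, the finding names and the policy thresholds are assumptions, and the sample data is constructed from the figures reported above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MultisigConfig:
    """Hypothetical model of a multisig, not a Drift or wallet-vendor API."""
    signers: frozenset
    threshold: int
    timelock_seconds: int

def audit_admin_migration(old, new, approval_times,
                          min_timelock=86_400, min_ratio=0.5, min_cosign_gap=60):
    """Flag risky properties of moving admin authority from `old` to `new`.

    approval_times: unix timestamps of approvals on the executing proposal.
    The three min_* policy thresholds are assumptions; tune them per protocol.
    """
    if not 1 <= new.threshold <= len(new.signers):
        raise ValueError("threshold must be between 1 and the signer count")
    findings = []
    if new.timelock_seconds == 0:
        findings.append("NO_TIMELOCK")            # changes execute immediately
    elif new.timelock_seconds < min_timelock:
        findings.append("SHORT_TIMELOCK")
    if new.threshold / len(new.signers) < min_ratio:
        findings.append("LOW_THRESHOLD")          # e.g. 2 of 5
    # Signers the old multisig never vetted can reach quorum on their own.
    if len(new.signers - old.signers) >= new.threshold:
        findings.append("NEW_SIGNERS_CAN_REACH_QUORUM")
    # Quorum reached almost instantly suggests scripted or single-party signing.
    times = sorted(approval_times)
    if len(times) >= new.threshold > 1:
        if times[new.threshold - 1] - times[0] < min_cosign_gap:
            findings.append("RAPID_COSIGN")
    return findings

# Constructed sample mirroring the reported setup: 1 original signer + 4 new
# addresses, 2/5 threshold, 0-second timelock, co-signature one second later.
OLD = MultisigConfig(frozenset({"orig1", "orig2", "orig3"}), 2, 0)
NEW = MultisigConfig(frozenset({"orig1", "new1", "new2", "new3", "new4"}), 2, 0)
REPORTED = audit_admin_migration(OLD, NEW, approval_times=[1_000_000, 1_000_001])

# Constructed contrast: same signer set retained, 4/5 threshold, 48 h timelock.
SAFE = MultisigConfig(OLD.signers | {"orig4", "orig5"}, 4, 172_800)
HARDENED = audit_admin_migration(
    MultisigConfig(SAFE.signers, 3, 172_800), SAFE,
    approval_times=[0, 3_600, 7_200, 9_000])

if __name__ == "__main__":
    print(REPORTED, HARDENED)
```

Run against the reported setup, every check fires; the contrasting configuration produces no findings.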

Combining current on-chain evidence, team behavior, and the direction of fund flows, the possibility of “robbing its own house” is indeed the most discussed and most suspicious direction in the current crypto circle, even more so than “an external hacker intrusion.” Previously, the project team adjusted the multisig mechanism, making the permission structure too “convenient for attack,” which doesn’t look like an accident. The attack method is “too familiar with internal logic,” completely unlike the style of an external hacker. And the official response to such a huge theft was unusually calm. After the assets were stolen, the fund flow was very clean and clear: quickly swapped into ETH and bridged, with no inflow into a centralized exchange that would be easy to freeze. All of this process and operational logic has made the community’s suspicion that Drift’s officials “robbed its own house” grow louder.

III. Reactions from relevant parties and the crypto community

After the Drift Protocol asset theft incident, the involved parties and the crypto community reacted differently:

  • In the DeFi protocol Drift incident, the JLP position loss was about $155.6 million. In response, Jupiter’s official statement said the platform was not affected by the incident. Its lending product Jupiter Lend did not involve the Drift market, and the JLP assets are “fully supported by underlying assets.” Jupiter also said the incident was a “difficult day” for the Solana DeFi ecosystem and expressed concern to the Drift team and affected users.

  • Yield generation protocol Unitas Protocol tweeted that it was not affected by the Drift Protocol attack incident. Unitas has no exposure on Drift. All collateral is secure, and all strategies (including the JLP delta-neutral strategy) are running normally. User funds are safe. Collateral can be verified in real time through the reserve proof dashboards of Accountable and Primus Labs.

  • Solana liquidity protocol Meteora tweeted that all funds on Meteora are safe. All functions and the treasury have not interacted with the Drift protocol.

  • Stablecoin infrastructure Perena founder Anna tweeted that its Perena USD*, USD*-J, and USD*-P were not affected by the Drift attack incident. However, the JLP treasury managed by Neutral Trade, a quantitative strategy sharing platform within the Solana ecosystem, was impacted because it runs on Drift Protocol. The team is staying in communication with partners and will continue to update progress.

  • X user @hzkj99: The asset protocol Drift Protocol in the SOL ecosystem was hacked and suffered losses in the hundreds of millions. For anything involving funds, safety is the first priority at any time. Especially in a bear market, there will definitely be new protocols hacked. This world is truly a massive ad-hoc operation—some protocols can even be hacked multiple times, and Drift is definitely not the last one to be hacked.

  • X user @lanhubiji: Drift Protocol suffered a major vulnerability exploit, with losses around the $270 million range—one of the largest DeFi attack incidents so far in 2026. Some posts, in a straight-faced tone, say, “The Solana Foundation is coordinating a rollback with the servers in Toly’s (co-founder) basement.” Even though it’s a meme, it’s a bit too much to say it like that.

  • X user @EnHeng456: In a bear market, you really need to be extra careful about saving money. The current environment is getting less and less safe, and there are theft reports everywhere. Some older protocols even specifically have problems in bear markets, and you can hardly tell whether it’s a hacker attack or “robbing its own house.” I’ve also been very conservative lately—I just put everything in USD1 and didn’t dare to store it all over the place. In this kind of market, the more you tinker, the easier it is to run into problems. Sometimes doing nothing is actually the best choice. Drift was stolen two hundred million dollars and ended up in the general’s pocket.

IV. Impact of the Drift Protocol theft incident

The $285 million Drift Protocol theft incident is the second-largest DeFi attack in Solana ecosystem history. Its impact goes far beyond the protocol itself, dealing a severe blow to confidence in the Solana ecosystem and accelerating changes in DeFi security.

This attack exposed fatal flaws in DeFi projects regarding multisig permission management and oracle security. Permissions are the treasury. Once an administrator key is compromised—and without emergency shutdown mechanisms such as timelocks—any complex code logic could instantly fail. For Drift Protocol, unless the stolen money is recovered or a big buyer steps in, it will head toward liquidation, bankruptcy, and lawsuits. For Solana and its ecosystem, the ecosystem’s reputation is severely damaged; in the short term there will be capital outflows and slowed growth; in the long term it will force security upgrades. And for the entire DeFi industry, this can be said to be a watershed moment for the industry: “permission security is more important than code security” becomes an iron rule, trust costs rise sharply, and DeFi will enter a new phase of more compliant, more transparent, more centralized (secure governance) development.
