Drift Protocol Exploited for $285M in Largest Crypto Hack of 2026
On April 1, 2026 — April Fools' Day — Drift Protocol, one of Solana's largest perpetual DEXes, was exploited for $285 million in what became the biggest crypto hack of the year and the second-largest in Solana's history.
Attack Details
The attacker executed a sophisticated multi-stage attack:
- Preparation (March 11): Withdrew 10 ETH from Tornado Cash to fund the operation
- Fake token creation: Minted 750 million CarbonVote Token (CVT) units, seeded liquidity on Raydium, and used wash trading to build a $1 price history
- Exploit execution: Used a compromised admin key to list CVT as valid collateral on Drift and to raise withdrawal limits to extreme levels
- Drainage: 31 withdrawal transactions executed in approximately 12 minutes, draining USDC, SOL, JLP, WBTC, and other assets
Financial Impact
- $285M drained from Drift's vaults
- TVL dropped from ~$550M to under $300M in less than an hour
- Assets consolidated and swapped into USDC and SOL, partially bridged to Ethereum via Circle's CCTP
Attribution
Investigations by TRM Labs and Elliptic suggest the hack was perpetrated by North Korean (DPRK) state-sponsored hackers, following a pattern consistent with the Lazarus Group's previous DeFi exploits.
Containment
Critically, Jupiter Exchange's JLP pool — which integrates with Drift — remained fully backed, helping contain wider fallout across the Solana DeFi ecosystem.
Security Implications
The exploit raises critical questions about admin key management in DeFi:
- Single point of failure — one compromised key enabled the entire attack
- Collateral listing controls — insufficient safeguards on adding new collateral types
- Withdrawal limits — the ability to modify limits without timelocks or multisig approval
This incident serves as a stark reminder that even battle-tested protocols remain vulnerable to sophisticated, well-funded attackers targeting operational security rather than smart contract code.
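The controls named in the list above (multisig approval and a timelock on collateral listing and withdrawal-limit changes) can be modelled as a single gate in front of every privileged action. The following is an added example, not Drift's code or anything from the original report; the type names, the 2-of-3 threshold and the 24-hour delay are assumptions chosen for illustration.

```rust
use std::collections::BTreeSet;

// Hypothetical model of a guarded admin queue; names, thresholds and delay are
// assumptions for illustration, not Drift's actual program interface.
#[derive(Debug, PartialEq)]
pub enum Reject { NotSigner, BelowThreshold, TimelockActive }

#[derive(Debug, Clone, PartialEq)]
pub enum AdminAction { ListCollateral { mint: String }, SetWithdrawLimit { new_limit: u64 } }

pub struct Proposal {
    pub action: AdminAction,
    pub queued_at: u64,          // unix seconds when proposed
    approvals: BTreeSet<String>, // distinct signer ids
}

pub struct Governance {
    pub signers: BTreeSet<String>,
    pub threshold: usize, // M in M-of-N
    pub delay_secs: u64,  // timelock applied to every privileged action
}

impl Governance {
    pub fn propose(&self, by: &str, action: AdminAction, now: u64) -> Result<Proposal, Reject> {
        let mut p = Proposal { action, queued_at: now, approvals: BTreeSet::new() };
        self.approve(&mut p, by)?;
        Ok(p)
    }

    pub fn approve(&self, p: &mut Proposal, by: &str) -> Result<(), Reject> {
        if !self.signers.contains(by) { return Err(Reject::NotSigner); }
        p.approvals.insert(by.to_string()); // set semantics: a repeat approval adds nothing
        Ok(())
    }

    // Execution needs BOTH the quorum and the elapsed delay, so one stolen key
    // can neither act alone nor act immediately.
    pub fn execute(&self, p: &Proposal, now: u64) -> Result<AdminAction, Reject> {
        if p.approvals.len() < self.threshold { return Err(Reject::BelowThreshold); }
        if now < p.queued_at.saturating_add(self.delay_secs) { return Err(Reject::TimelockActive); }
        Ok(p.action.clone())
    }
}

fn main() {
    let signers = ["a", "b", "c"].iter().map(|s| s.to_string()).collect();
    let g = Governance { signers, threshold: 2, delay_secs: 86_400 };
    let p = g.propose("a", AdminAction::SetWithdrawLimit { new_limit: u64::MAX }, 0).unwrap();
    println!("{:?}", g.execute(&p, 0)); // one signer, no delay elapsed
}
```

The delay also gives monitoring a window: a queued collateral listing or limit change is visible to reviewers before it can take effect.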
