On April 1, 2026, attackers drained approximately $285 million in user assets from Drift Protocol, the largest decentralized perpetual futures exchange on Solana, making this the largest DeFi hack of 2026 and the second-largest exploit in Solana's history. TRM Labs and blockchain analytics firm Elliptic have attributed the attack to North Korean hackers, pointing to cross-chain laundering patterns and Solana-specific tracing challenges that mirror prior North Korean state-linked operations.
On-chain staging began on March 11, nearly three weeks before the April 1 execution, with attacker infrastructure, token manufacturing, and social engineering all running in parallel. The critical vulnerability was not a smart contract bug but a combination of social engineering multisig signers into pre-signing hidden authorizations and a zero-timelock Security Council migration that eliminated the protocol's last line of defense. The removal of the timelock safeguard on March 27 converted a complex, multi-week attack into a 12-minute cash-out, with protocol governance without a delay mechanism essentially becoming governance with an open door.
The contagion spread to more than 20 protocols, with Prime Numbers Fi reporting losses in the millions, Carrot Protocol pausing mint and redeem functions after 50% of its TVL was affected, and Pyra Protocol disabling withdrawals entirely, leaving all user funds inaccessible. As of April 3, no comprehensive reimbursement plan had been announced, with users in affected protocols like Pyra and Carrot remaining unable to access funds.
