Drift Protocol, the largest decentralized perpetual futures exchange on Solana, suffered a devastating $286 million exploit on April 1, 2026, marking the biggest DeFi hack of the year. The attack drained over 50% of the protocol's Total Value Locked (TVL) in just 12 minutes, causing the TVL to collapse from $550 million to under $250 million. Security firm Elliptic has attributed the attack to North Korean hackers, specifically DPRK-linked actors who used sophisticated social engineering and a fake token called CVT to manipulate price oracles.
The attack began weeks earlier when hackers compromised Drift's multisig governance by removing crucial timelock protections on March 27. Using a legitimate Solana feature called 'durable nonces,' attackers pre-signed administrative transactions that remained valid for over a week, then executed them rapidly to drain core vaults including JLP Delta Neutral, SOL Super Staking, and BTC Super Staking vaults. The stolen assets were quickly converted to USDC through Jupiter DEX aggregator and bridged to Ethereum.
This incident represents the 18th DPRK-attributed crypto theft tracked in 2026, with North Korean hackers stealing over $300 million in Q1 2026 alone. The DRIFT token plummeted 37-42% following the news. Multiple Solana protocols with exposure to Drift have paused operations, and the protocol has suspended all deposits and withdrawals while coordinating with security firms and exchanges to contain the damage. The attack highlights critical vulnerabilities in DeFi governance structures and the dangers of removing security safeguards.
